Second-Order Hyperproperties

Abstract

We introduce Hyper²LTL, a temporal logic for the specification of hyperproperties that allows for second-order quantification over sets of traces. Unlike first-order temporal logics for hyperproperties, such as HyperLTL, Hyper²LTL can express complex epistemic properties like common knowledge, Mazurkiewicz trace theory, and asynchronous hyperproperties. The model checking problem of Hyper²LTL is, in general, undecidable. For the expressive fragment where second-order quantification is restricted to smallest and largest sets, we present an approximate model-checking algorithm that computes increasingly precise under- and overapproximations of the quantified sets, based on fixpoint iteration and automata learning. We report on encouraging experimental results with our model-checking algorithm, which we implemented in the tool HySO.

1 Introduction

About a decade ago, Clarkson and Schneider coined the term hyperproperties [21] for the rich class of system requirements that relate multiple computations. In their definition, hyperproperties generalize trace properties, which are sets of traces, to sets of sets of traces. This covers a wide range of requirements, from information-flow security policies to epistemic properties describing the knowledge of agents in a distributed system. Missing from Clarkson and Schneider’s original theory was, however, a concrete specification language that could express customized hyperproperties for specific applications and serve as the common semantic foundation for different verification methods.

A first milestone towards such a language was the introduction of the temporal logic HyperLTL [20]. HyperLTL extends linear-time temporal logic (LTL) with quantification over traces. Suppose, for example, that an agent i in a distributed system observes only a subset of the system variables. The agent knows that some LTL formula \(\varphi \) is true on some trace \(\pi \) iff \(\varphi \) holds on all traces \(\pi '\) that agent i cannot distinguish from \(\pi \). If we denote the indistinguishability of \(\pi \) and \(\pi '\) by \(\pi \sim _i \pi '\), then the property that there exists a trace \(\pi \) where agent i knows \(\varphi \) can be expressed as the HyperLTL formula

$$\begin{aligned} \exists \pi . \forall \pi '\mathpunct {.}\pi \sim _i \pi ' \rightarrow \varphi (\pi '), \end{aligned}$$

where we write \(\varphi (\pi ')\) to denote that the trace property \(\varphi \) holds on trace \(\pi '\).

While HyperLTL and its variations have found many applications [28, 32, 44], the expressiveness of these logics is limited, leaving many widely used hyperproperties out of reach. A prominent example is common knowledge, which is used in distributed applications to ensure simultaneous action [30, 40]. Common knowledge in a group of agents means that the agents not only know individually that some condition \(\varphi \) is true, but that this knowledge is “common” to the group in the sense that each agent knows that every agent knows that \(\varphi \) is true; on top of that, each agent in the group knows that every agent knows that every agent knows that \(\varphi \) is true; and so on, forming an infinite chain of knowledge.

The fundamental limitation of HyperLTL that makes it impossible to express properties like common knowledge is that the logic is restricted to first-order quantification. HyperLTL, then, cannot reason about sets of traces directly, but must always do so by referring to individual traces that are chosen existentially or universally from the full set of traces. For the specification of an agent’s individual knowledge, where we are only interested in the (non-)existence of a single trace that is indistinguishable and that violates \(\varphi \), this is sufficient; however, expressing an infinite chain, as needed for common knowledge, is impossible.

In this paper, we introduce Hyper²LTL, a temporal logic for hyperproperties with second-order quantification over traces. In Hyper²LTL, the existence of a trace \(\pi \) where the condition \(\varphi \) is common knowledge can be expressed as the following formula (using slightly simplified syntax):

$$\begin{aligned} \exists \pi .\, \exists X \mathpunct {.}\ \pi \in X \wedge \Big ( \forall \pi ' \in X.\, \forall \pi ''.\ \big (\bigvee _{i=1}^n \pi ' \sim _i \pi '' \big ) \rightarrow \pi '' \in X \Big )\, \wedge \, \forall \pi ' \in X\mathpunct {.}\varphi ({\pi '}). \end{aligned}$$

The second-order quantifier \(\exists X\) postulates the existence of a set X of traces that (1) contains \(\pi \); that (2) is closed under the observations of each agent, i.e., for every trace \(\pi '\) already in X, all other traces \(\pi ''\) that some agent i cannot distinguish from \(\pi '\) are also in X; and that (3) only contains traces that satisfy \(\varphi \). The existence of X is a necessary and sufficient condition for \(\varphi \) being common knowledge on \(\pi \). In the paper, we show that Hyper²LTL is an elegant specification language for many hyperproperties of interest that cannot be expressed in HyperLTL, including, in addition to epistemic properties like common knowledge, also Mazurkiewicz trace theory and asynchronous hyperproperties.

The model checking problem for Hyper²LTL is much more difficult than for HyperLTL. A HyperLTL formula can be checked by translating the LTL subformula into an automaton and then applying a series of automata transformations, such as self-composition to generate multiple traces, projection for existential quantification, and complementation for negation [8, 32]. For Hyper²LTL, the model checking problem is, in general, undecidable. We introduce a method that nevertheless obtains sound results by over- and underapproximating the quantified sets of traces. For this purpose, we study Hyper²LTL_fp, a fragment of Hyper²LTL, in which we restrict second-order quantification to the smallest or largest set satisfying some property. For example, to check common knowledge, it suffices to consider the smallest set X that is closed under the observations of all agents. This smallest set X is defined by the (monotone) fixpoint operation that adds, in each step, all traces that are indistinguishable to some trace already in X.

We develop an approximate model checking algorithm for Hyper²LTL_fp that uses bidirectional inference to deduce lower and upper bounds on second-order variables, interposed with first-order model checking in the style of HyperLTL. Our procedure is parametric in an oracle that provides (increasingly precise) lower and upper bounds. In the paper, we realize the oracles with fixpoint iteration for underapproximations of the sets of traces assigned to the second-order variables, and automata learning for overapproximations. We report on encouraging experimental results with our model-checking algorithm, which has been implemented in a tool called HySO.

2 Preliminaries

For \(n \in \mathbb {N}\) we define \([n] := \{1, \ldots , n\}\). We assume that \(\text {AP}\) is a finite set of atomic propositions and define \(\varSigma := 2^\text {AP}\). For \(t \in \varSigma ^\omega \) and \(i \in \mathbb {N}\) define \(t(i) \in \varSigma \) as the ith element in t (starting with the 0th); and \(t[i,\infty ]\) for the infinite suffix starting at position i. For traces \(t_1, \ldots , t_n \in \varSigma ^\omega \) we write \( zip (t_1, \ldots , t_n) \in (\varSigma ^n)^\omega \) for the pointwise zipping of the traces, i.e., \( zip (t_1, \ldots , t_n)(i) := (t_1(i), \ldots , t_n(i))\).

Transition Systems. A transition system is a tuple \(\mathcal {T}= (S, S_0, \kappa , L)\) where S is a set of states, \(S_0 \subseteq S\) is a set of initial states, \(\kappa \subseteq S \times S\) is a transition relation, and \(L : S \rightarrow \varSigma \) is a labeling function. A path in \(\mathcal {T}\) is an infinite state sequence \(s_0s_1s_2 \cdots \in S^\omega \), s.t., \(s_0 \in S_0\), and \((s_i, s_{i+1}) \in \kappa \) for all i. The associated trace is given by \(L(s_0)L(s_1)L(s_2) \cdots \in \varSigma ^\omega \) and \( Traces (\mathcal {T}) \subseteq \varSigma ^\omega \) denotes all traces of \(\mathcal {T}\).

Automata. A non-deterministic Büchi automaton (NBA) [18] is a tuple \(\mathcal {A}= (\varSigma , Q, q_0, \delta , F)\) where \(\varSigma \) is a finite alphabet, Q is a finite set of states, \(Q_0\subseteq Q\) is the set of initial states, \(F\subseteq Q\) is a set of accepting states, and \(\delta : Q\times \varSigma \rightarrow 2^Q\) is the transition function. A run on a word \(u \in \varSigma ^\omega \) is an infinite sequence of states \(q_0q_1q_2 \cdots \in Q^\omega \) such that \(q_0 \in Q_0\) and for every \(i \in \mathbb {N}\), \(q_{i+1} \in \delta (q_i, u(i))\). The run is accepting if it visits states in F infinitely many times, and we define the language of \(\mathcal {A}\), denoted \(\mathcal {L}(\mathcal {A}) \subseteq \varSigma ^\omega \), as all infinite words on which \(\mathcal {A}\) has an accepting run.

HyperLTL. HyperLTL [20] is one of the most studied temporal logics for the specification of hyperproperties. We assume that \(\mathcal {V}\) is a fixed set of trace variables. For the most part, we use variations of \(\pi \) (e.g., \(\pi , \pi ', \pi _1, \ldots \)) to denote trace variables. HyperLTL formulas are then generated by the grammar

where \(a \in \text {AP}\) is an atomic proposition, \(\pi \in \mathcal {V}{}\) is a trace variable, \(\mathbb {Q}\in \{\forall , \exists \}\) is a quantifier, and and are the temporal operators next and until.

The semantics of HyperLTL is given with respect to a trace assignment \(\varPi \), which is a partial mapping \(\varPi : \mathcal {V}\rightharpoonup \varSigma ^\omega \) that maps trace variables to traces. Given \(\pi \in \mathcal {V}\) and \(t \in \varSigma ^\omega \) we define \(\varPi [\pi \mapsto t]\) as the updated assignment that maps \(\pi \) to t. For \(i \in \mathbb {N}\) we define \(\varPi [i, \infty ]\) as the trace assignment defined by \(\varPi [i, \infty ](\pi ) := \varPi (\pi )[i, \infty ]\), i.e., we (synchronously) progress all traces by i steps. For quantifier-free formulas \(\psi \) we follow the LTL semantics and define

The indexed atomic propositions refer to a specific path in \(\varPi \), i.e., \(a_\pi \) holds iff a holds on the trace bound to \(\pi \). Quantifiers range over system traces:

$$\begin{aligned} \varPi \vDash _\mathcal {T}\psi \text { iff } \varPi \vDash \psi \quad \quad \text {and} \quad \quad \varPi \vDash _\mathcal {T}\mathbb {Q}\pi \mathpunct {.}\varphi \text { iff } \mathbb {Q}t \in Traces (\mathcal {T}) \mathpunct {.}\varPi [\pi \mapsto t] \vDash \varphi \, . \end{aligned}$$

We write \(\mathcal {T}\vDash \varphi \) if \(\emptyset \vDash _\mathcal {T}\varphi \) where \(\emptyset \) denotes the empty trace assignment.

HyperQPTL. HyperQPTL [45] adds – on top of the trace quantification of HyperLTL – also propositional quantification (analogous to the propositional quantification that QPTL [46] adds on top of LTL). For example, HyperQPTL can express a promptness property which states that there must exist a bound (which is common among all traces), up to which an event must have happened. We can express this as which states that there exists an evaluation of proposition q such that (1) q holds at least once, and (2) for all traces \(\pi \), a holds on \(\pi \) before the first occurrence of q. See [8] for details.

3 Second-Order HyperLTL

The (first-order) trace quantification in HyperLTL ranges over the set of all system traces; we thus cannot reason about arbitrary sets of traces as required for, e.g., common knowledge. We introduce a second-order extension of HyperLTL by introducing second-order variables (ranging over sets of traces) and allowing quantification over traces from any such set. We present two variants of our logic that differ in the way quantification is resolved. In Hyper²LTL, we quantify over arbitrary sets of traces. While this yields a powerful and intuitive logic, second-order quantification is inherently non-constructive. During model checking, there thus does not exist an efficient way to even approximate possible witnesses for the sets of traces. To solve this quandary, we restrict Hyper²LTL to Hyper²LTL_fp, where we instead quantify over sets of traces that satisfy some minimality or maximality constraint. This allows for large fragments of Hyper²LTL_fp that admit algorithmic approximations to its model checking (by, e.g., using known techniques from fixpoint computations [47, 48]).

3.1 \(\text {Hyper}^2\text {LTL}\)

Alongside the set \(\mathcal {V}{}\) of trace variables, we use a set \(\mathfrak {V}{}\) of second-order variables (which we, for the most part, denote with capital letters X, Y, ...). We assume that there is a special variable \(\mathfrak {S}\in \mathfrak {V}{}\) that refers to the set of traces of the given system at hand, and a variable \(\mathfrak {A}\in \mathfrak {V}{}\) that refers to the set of all traces. We define the Hyper²LTL syntax by the following grammar:

where \(a \in \text {AP}{}\) is an atomic proposition, \(\pi \in \mathcal {V}{}\) is a trace variable, \(X \in \mathfrak {V}{}\) is a second-order variable, and \(\mathbb {Q}\in \{\forall , \exists \}\) is a quantifier. We also consider the usual derived Boolean constants (\( true \), \( false \)) and connectives (\(\vee \), \(\rightarrow \), \(\leftrightarrow \)) as well as the temporal operators eventually ( ) and globally ( ). Given a set of atomic propositions \(P \subseteq \text {AP}\) and two trace variables \(\pi , \pi '\), we abbreviate \(\pi =_P \pi ' := \bigwedge _{a \in P} (a_\pi \leftrightarrow a_{\pi '})\).

Semantics. Apart from a trace assignment \(\varPi \) (as in the semantics of HyperLTL), we maintain a second-order assignment \(\varDelta : \mathfrak {V}{} \rightharpoonup 2^{\varSigma ^\omega }\) mapping second-order variables to sets of traces. Given \(X \in \mathfrak {V}\) and \(A \subseteq \varSigma ^\omega \) we define the updated assignment \(\varDelta [X \mapsto A]\) as expected. Quantifier-free formulas \(\psi \) are then evaluated in a fixed trace assignment as for HyperLTL (cf. Sect. 2). For the quantifier prefix we define:

$$\begin{aligned} \varPi , \varDelta&\vDash \psi&\text {iff} \quad&\varPi \vDash \psi \\ \varPi , \varDelta&\vDash \mathbb {Q}\pi \in X \mathpunct {.}\varphi&\text {iff} \quad&\mathbb {Q}t \in \varDelta (X) \mathpunct {.}\varPi [\pi \mapsto t], \varDelta \vDash \varphi \\ \varPi , \varDelta&\vDash \mathbb {Q}X \mathpunct {.}\varphi&\text {iff} \quad&\mathbb {Q}A \subseteq \varSigma ^\omega \mathpunct {.}\varPi , \varDelta [X \mapsto A] \vDash \varphi \end{aligned}$$

Second-order quantification updates \(\varDelta \) with a set of traces, and first-order quantification updates \(\varPi \) by quantifying over traces within the set defined by \(\varDelta \).

Initially, we evaluate a formula in the empty trace assignment and fix the valuation of the special second-order variable \(\mathfrak {S}\) to be the set of all system traces and \(\mathfrak {A}\) to be the set of all traces. That is, given a system \(\mathcal {T}\) and Hyper²LTL formula \(\varphi \), we say that \(\mathcal {T}\) satisfies \(\varphi \), written \(\mathcal {T}\vDash \varphi \), if \(\emptyset , [\mathfrak {S}\mapsto Traces (\mathcal {T}), \mathfrak {A}\mapsto \varSigma ^\omega ] \vDash \varphi \), where we write \(\emptyset \) for the empty trace assignment. The model-checking problem for Hyper²LTL is checking whether \(\mathcal {T}\vDash \varphi \) holds.

Hyper²LTL naturally generalizes HyperLTL by adding second-order quantification. As sets range over arbitrary traces, Hyper²LTL also subsumes the more powerful logic HyperQPTL. The proof of Lemma 1 is given in the full version of this paper [11].

Lemma 1

Hyper²LTL subsumes HyperQPTL (and thus also HyperLTL).

Syntactic Sugar. In Hyper²LTL, we can quantify over traces within a second-order variable, but we cannot state, within the body of the formula, that some path is a member of some second-order variable. For that, we define \(\pi \triangleright X\) (as an atom within the body) as syntactic sugar for , i.e., \(\pi \) is in X if there exists some trace in X that agrees with \(\pi \) on all propositions. Note that we can only use \(\pi \triangleright X\) outside of the scope of any temporal operators; this ensures that we can bring the resulting formula into a form that conforms to the Hyper²LTL syntax.

3.2 \(\text {Hyper}^2\text {LTL}_{fp}\)

The semantics of Hyper²LTL quantifies over arbitrary sets of traces, making even approximations to its semantics challenging. We propose Hyper²LTL_fp as a restriction that only quantifies over sets that are subject to an additional minimality or maximality constraint. For large classes of formulas, we show that this admits effective model-checking approximations. We define Hyper²LTL_fp by the following grammar:

where \(a \in \text {AP}\), \(\pi \in \mathcal {V}{}\), \(X \in \mathfrak {V}\), \(\mathbb {Q}\in \{\forall , \exists \}\), and determines if we consider smallest (\(\curlyvee \)) or largest (\(\curlywedge \)) sets. For example, the formula \(\exists \, (X, \curlyvee , \varphi _1) \mathpunct {.}\varphi _2\) holds if there exists some set of traces X, that satisfies both \(\varphi _1\) and \(\varphi _2\), and is a smallest set that satisfies \(\varphi _1\). Such minimality and maximality constraints with respect to a (hyper)property arise naturally in many properties. Examples include common knowledge (cf. Sect. 3.3), asynchronous hyperproperties (cf. Sect. 4.2), and causality in reactive systems [22, 23].

Semantics. For path formulas, the semantics of Hyper²LTL_fp is defined analogously to that of Hyper²LTL and HyperLTL. For the quantifier prefix we define:

where denotes all solutions to the minimality/maximality condition given by \(\varphi _1\), which we define by mutual recursion as follows:

A set A satisfies the minimality/maximality constraint if it satisfies \(\varphi \) and is a least (in case ) or greatest (in case ) set that satisfies \(\varphi \).

Note that can contain multiple sets or no set at all, i.e., there may not exists a unique least or greatest set that satisfies \(\varphi \). In Hyper²LTL_fp, we therefore add an additional quantification over the set of all solutions to the minimality/maximality constraint. When discussing our model checking approximation algorithm, we present a (syntactic) restriction on \(\varphi \) which guarantees that contains a unique element (i.e., is a singleton set). Moreover, our restriction allows us to employ fixpoint techniques to find approximations to this unique solution. In case the solution for is unique, we often omit the leading quantifier and simply write instead of .

As we can encode the minimality/maximality constraints of Hyper²LTL_fp in Hyper²LTL (see full version [11]), we have the following:

Proposition 1

Any Hyper²LTL_fp formula \(\varphi \) can be effectively translated into an Hyper²LTL formula \(\varphi '\) such that for all transition systems \(\mathcal {T}\) we have \(\mathcal {T}\vDash \varphi \) iff \(\mathcal {T}\vDash \varphi '\).

Fig. 1.

Left: An example for a multi-agent system with two agents, where agent 1 observes a and d, and agent 2 observes c and d. Right: The iterative construction of the traces to be considered for common knowledge starting with \(a^nd^\omega \).

3.3 Common Knowledge in Multi-agent Systems

To explain common knowledge, we use a variation of an example from [43], and encode it in Hyper²LTL_fp. Fig. 1(left) shows a transition system of a distributed system with two agents, agent 1 and agent 2. Agent 1 observes variables a and d, whereas agent 2 observes c and d. The property of interest is starting from the trace \(\pi = a^n d^\omega \) for some fixed \( n > 1\), is it common knowledge for the two agents that a holds in the second step. It is trivial to see that holds on \(\pi \). However, for common knowledge, we consider the (possibly) infinite chain of observationally equivalent traces. For example, agent 2 cannot distinguish the traces \(a^nd^\omega \) and \(a^{n-1}bd^\omega \). Therefore, agent 2 only knows that holds on \(\pi \) if it also holds on \( \pi ' = a^{n-1}bd^\omega \). For common knowledge, agent 1 also has to know that agent 2 knows , which means that for all traces that are indistinguishable from \(\pi \) or \(\pi '\) for agent 1, has to hold. This adds \(\pi '' = a^{n-1}cd^\omega \) to the set of traces to verify against. This chain of reasoning continues as shown in Fig. 1(right). In the last step we add \(ac^{n-1}d^\omega \) to the set of indistinguishable traces, concluding that is not common knowledge.

The following Hyper²LTL_fp formula specifies the property stated above. The abbreviation denotes that \(\pi _1\) and \(\pi _2\) are observationally equivalent for either agent 1 or agent 2.

For a trace \(\pi \) of the form \(\pi = a^n d^\omega \), the set X represents the common knowledge set on \(\pi \). This set X is the smallest set that (1) contains \(\pi \) (expressed using our syntactic sugar \(\triangleright \)); and (2) is closed under observations by either agent, i.e., if we find some \(\pi _1 \in X\) and some system trace \(\pi _2\) that are observationally equivalent, \(\pi _2\) should also be in X. Note that this set is unique (due to the minimality restriction), so we do not quantify it explicitly. Lastly, we require that all traces in X satisfy the property . All sets that satisfy this formula would also include the trace \(ac^{n-1}d^\omega \), and therefore no such X exists; thus, we can conclude that starting from trace \(a^nd^\omega \), it is not common knowledge that holds. On the other hand, it is common knowledge that a holds in the first step (cf. Sect. 6).

3.4 \(\text {Hyper}^2\text {LTL}\) Model Checking

As Hyper²LTL and Hyper²LTL_fp allow quantification over arbitrary sets of traces, we can encode the satisfiability of HyperQPTL (i.e., the question of whether some set of traces satisfies a formula) within their model-checking problem; rendering the model-checking problem highly undecidable [34], even for very simple formulas [4].

Proposition 2

For any HyperQPTL formula \(\varphi \) there exists a Hyper²LTL formula \(\varphi '\) such that \(\varphi \) is satisfiable iff \(\varphi '\) holds on some arbitrary transition system. The model-checking problem of Hyper²LTL is thus highly undecidable (\(\varSigma _1^1\)-hard).

Proof

Let \(\varphi '\) be the Hyper²LTL formula obtained from \(\varphi \) by replacing each HyperQPTL trace quantifier \(\mathbb {Q}\pi \) with the Hyper²LTL quantifier \(\mathbb {Q}\pi \in X\), and each propositional quantifier \(\mathbb {Q}q\) with \(\mathbb {Q}\pi _q \in \mathfrak {A}\) for some fresh trace variable \(\pi _q\). In the body, we replace each propositional variable q with \(a_{\pi _q}\) for some fixed proposition \(a \in \text {AP}\). Then, \(\varphi \) is satisfiable iff the Hyper²LTL formula \(\exists X. \varphi '\) holds in some arbitrary system.    \(\square \)

Hyper²LTL_fp cannot express HyperQPTL satisfiability directly. If there exists a model of a HyperQPTL formula, there may not exist a least one. However, model checking of Hyper²LTL_fp is also highly undecidable.

Proposition 3

The model-checking problem of Hyper²LTL_fp is \(\varSigma _1^1\)-hard.

Proof (Sketch)

We can encode the existence of a recurrent computation of a Turing machine, which is known to be \(\varSigma _1^1\)-hard [1].   \(\square \)

Conversely, the existential fragment of Hyper²LTL can be encoded back into HyperQPTL satisfiability:

Proposition 4

Let \(\varphi \) be a Hyper²LTL formula that uses only existential second-order quantification and \(\mathcal {T}\) be any system. We can effectively construct a formula \(\varphi '\) in HyperQPTL such that \(\mathcal {T}\vDash \varphi \) iff \(\varphi '\) is satisfiable.

Lastly, we present some easy fragments of Hyper²LTL for which the model-checking problem is decidable. Here we write \(\exists ^* X\) (resp. \(\forall ^* X\)) for some sequence of existentially (resp. universally) quantified second-order variables and \(\exists ^* \pi \) (resp. \(\forall ^* \pi \)) for some sequence of existentially (resp. universally) quantified first-order variables. For example, \(\exists ^* X \forall ^*\pi \) captures all formulas of the form \(\exists X_1, \ldots X_n. \forall \pi _1, \ldots , \pi _m. \psi \) where \(\psi \) is quantifier-free.

Proposition 5

The model-checking problem of Hyper²LTL is decidable for the fragments: \(\exists ^* X \forall ^*\pi \), \(\forall ^* X \forall ^*\pi \), \(\exists ^* X \exists ^*\pi \), \(\forall ^* X \exists ^*\pi \), \(\exists X.\exists ^* \pi \in X \forall ^*\pi '\in X\).

We refer the reader to the full version [11] for detailed proofs.

4 Expressiveness of \(\text {Hyper}^2\text {LTL}\)

In this section, we point to existing logics that can naturally be encoded within our second-order hyperlogics Hyper²LTL and Hyper²LTL_fp.

4.1 \(\text {Hyper}^2\text {LTL}\) and LTL\(_{\textsf{K}, \textsf{C}}\)

LTL\(_\textsf{K}\) extends LTL with the knowledge operator \(\textsf{K}\). For some subset of agents A, the formula \(\textsf{K}_A \psi \) holds in timestep i, if \(\psi \) holds on all traces equivalent to some agent in A up to timestep i. See full version [11] for detailed semantics. LTL\(_\textsf{K}\) and HyperCTL\(^*\) have incomparable expressiveness [16] but the knowledge operator \(\textsf{K}\) can be encoded by either adding a linear past operator [16] or by adding propositional quantification (as in HyperQPTL) [45].

Using Hyper²LTL_fp we can encode LTL\(_{\textsf{K}, \textsf{C}}\), featuring the knowledge operator \(\textsf{K}\) and the common knowledge operator \(\textsf{C}\) (which requires that \(\psi \) holds on the closure set of equivalent traces, up to the current timepoint) [41]. Note that LTL\(_{\textsf{K}, \textsf{C}}\) is not encodable by only adding propositional quantification or the linear past operator.

Proposition 6

For every LTL\(_{\textsf{K}, \textsf{C}}\) formula \(\varphi \) there exists an Hyper²LTL_fp formula \(\varphi '\) such that for any system \(\mathcal {T}\) we have \(\mathcal {T}\vDash _{LTL_{\textsf{K}, \textsf{C}}} \varphi \) iff \(\mathcal {T}\vDash \varphi '\).

Proof (Sketch)

We follow the intuition discussed in Sect. 3.3. For each occurrence of a knowledge operator in \(\{\textsf{K}, \textsf{C}\}\), we use a fresh trace variable to keep track on the points in time with respect to which we need to compare traces. We then use this trace variable to introduce a second-order set that collects all equivalent traces (by the observations of one agent, or the closure of all agents’ observations). We then inductively construct a Hyper²LTL_fp formula that captures all the knowledge and common-knowledge sets, over which we check the properties at hand. See full version for more details [11].    \(\square \)

4.2 \(\text {Hyper}^2\text {LTL}\) and Asynchronous Hyperproperties

Most existing hyperlogics (including Hyper²LTL) traverse the traces of a system synchronously. However, in many cases such a synchronous traversal is too restricting and we need to compare traces asynchronously. As an example, consider observational determinism (OD), which we can express in HyperLTL as . The formula states that the output of a system is identical across all traces and so (trivially) no information about high-security inputs is leaked. In most systems encountered in practice, this synchronous formula is violated, as the exact timing between updates to o might differ by a few steps (we provide some examples in the full version [11]). However, assuming that an attacker only has access to the memory footprint and not a timing channel, we would only like to check that all traces are stutter equivalent (with respect to o).

A range of extensions to existing hyperlogics has been proposed to reason about such asynchronous hyperproperties [3, 5, 9, 17, 39]. We consider AHLTL [3]. An AHLTL formula has the form \(\mathbb {Q}_1 \pi _1, \ldots , \mathbb {Q}_n \pi _m. \textbf{E} \mathpunct {.}\psi \) where \(\psi \) is a qunatifier-free HyperLTL formula. The initial trace quantifier prefix is handled as in HyperLTL. However, different from HyperLTL, a trace assignment \([\pi _1 \mapsto t_1, \ldots , \pi _n \mapsto t_n]\) satisfies \(\textbf{E} \mathpunct {.}\psi \) if there exist stuttered traces \(t_1', \ldots , t_n'\) of \(t_1, \ldots , t_n\) such that \([\pi _1 \mapsto t_1', \ldots , \pi _n \mapsto t_n'] \vDash \psi \). We write \(\mathcal {T}\vDash _{ AHLTL } \varphi \) if a system \(\mathcal {T}\) satisfies the AHLTL formula \(\varphi \). Using this quantification over stutterings we can, for example, express an asynchronous version of observational determinism as stating that every two traces can be aligned such that they (globally) agree on o. Despite the fact that Hyper²LTL_fp is itself synchronous, we can use second-order quantification to encode asynchronous hyperproperties, as we state in the following proposition.

Proposition 7

For any AHLTL formula \(\varphi \) there exists a Hyper²LTL_fp formula \(\varphi '\) such that for any system \(\mathcal {T}\) we have \(\mathcal {T}\vDash _{ AHLTL } \varphi \) iff \(\mathcal {T}\vDash \varphi '\).

Proof

Assume that \(\varphi = \mathbb {Q}_1 \pi _1, \ldots , \mathbb {Q}_n \pi _n. \textbf{E} \mathpunct {.}\psi \) is the given AHLTL formula. For each \(i \in [n]\) we define a formula \(\varphi _i\) as follows

The formula asserts that the set of traces bound to \(X_i\) is closed under stuttering, i.e., if we start from any trace in \(X_i\) and stutter it once (at some arbitrary position) we again end up in \(X_i\). Using the formulas \(\varphi _i\), we then construct a Hyper²LTL_fp formula that is equivalent to \(\varphi \) as follows

$$\begin{aligned} \varphi ' := \,&\mathbb {Q}_1 \pi _1 \in \mathfrak {S}{}, \ldots , \mathbb {Q}_n \pi _n \in \mathfrak {S}{}. (X_1, \curlyvee , \pi _1 \triangleright X_1 \wedge \varphi _1) \cdots (X_n, \curlyvee , \pi _n \triangleright X_n \wedge \varphi _n) \\&\quad \quad \exists \pi _1' \in X_1, \ldots , \exists \pi _n' \in X_n. \psi [\pi _1'/\pi _1, \ldots , \pi _n'/\pi _n] \end{aligned}$$

We first mimic the quantification in \(\varphi \) and, for each trace \(\pi _i\), construct a least set \(X_i\) that contains \(\pi _i\) and is closed under stuttering (thus describing exactly the set of all stuttering of \(\pi _i\)). Finally, we assert that there are traces \(\pi _1', \ldots , \pi _n'\) with \(\pi _i' \in X_i\) (so \(\pi _i'\) is a stuttering of \(\pi _i\)) such that \(\pi _1', \ldots , \pi _n'\) satisfy \(\psi \). It is easy to see that \(\mathcal {T}\vDash _{ AHLTL } \varphi \) iff \(\mathcal {T}\vDash \varphi '\) holds for all systems.    \(\square \)

Hyper²LTL_fp captures all properties expressible in AHLTL. In particular, our approximate model-checking algorithm for Hyper²LTL_fp (cf. Sect. 5) is applicable to AHLTL; even for instances where no approximate solutions were previously known. In Sect. 6, we show that our prototype model checker for Hyper²LTL_fp can verify asynchronous properties in practice.

5 Model-Checking \(\text {Hyper}^2\text {LTL}_{fp}\)

In general, finite-state model checking of Hyper²LTL_fp is highly undecidable (cf. Proposition 2). In this section, we outline a partial algorithm that computes approximations on the concrete values of second-order variables for a fragment of Hyper²LTL_fp. At a very high-level, our algorithm (Algorithm 1) iteratively computes under- and overapproximations for second-order variables. It then turns to resolve first-order quantification, using techniques from HyperLTL model checking [8, 32], and resolves existential and universal trace quantification on the under- and overapproximation of the second-order variables, respectively. If the verification fails, it goes back to refine second-order approximations.

In this section, we focus on the setting where we are interested in the least sets (using \(\curlyvee \)), and use techniques to approximate the least fixpoint. A similar (dual) treatment is possible for Hyper²LTL_fp formulas that use the largest set. Every Hyper²LTL_fp which uses only minimal sets has the following form:

$$\begin{aligned} \varphi = \gamma _1. (Y_1, \curlyvee , \varphi ^ con _1). \gamma _2 \ldots . (Y_k, \curlyvee {}, \varphi ^ con _k)\mathpunct {.}\gamma _{k+1}\mathpunct {.}\psi \end{aligned}$$

(1)

We quantify second-order variables \(Y_1, \ldots , Y_k\), where, for each \(j \in [k]\), \(Y_j\) is the least set that satisfies \(\varphi ^ con _j\). Finally, for each \(j \in [k+1]\),

$$\begin{aligned} \gamma _j = \mathbb {Q}_{l_j+1} \pi _{l_j+1} \in X_{l_j+1} \ldots \mathbb {Q}_{l_{j+1}} \pi _{l_{j+1}} \in X_{l_{j+1}} \end{aligned}$$

is the block of first-order quantifiers that sits between the quantification of \(Y_{j-1}\) and \(Y_j\). Here \(X_{l_j+1}, \ldots , X_{l_{j+1}} \in \{\mathfrak {S}, \mathfrak {A}, Y_1, \ldots , Y_{j-1}\}\) are second-order variables that are quantified before \(\gamma _j\). In particular, \(\pi _1, \ldots , \pi _{l_j}\) are the first-order variables quantified before \(Y_j\).

5.1 Fixpoints in \(\text {Hyper}^2\text {LTL}_{fp}\)

We consider a fragment of Hyper²LTL_fp which we call the least fixpoint fragment. Within this fragment, we restrict the formulas \(\varphi ^ con _1, \ldots , \varphi ^ con _k\) such that \(Y_1, \ldots , Y_k\) can be approximated as (least) fixpoints. Concretely, we say that \(\varphi \) is in the least fixpoint fragment of Hyper²LTL_fp if for all \(j \in [k]\), \(\varphi ^ con _j\) is a conjunction of formulas of the form

$$\begin{aligned} \forall \dot{\pi }_1 \in X_1. \ldots \forall \dot{\pi }_n \in X_n\mathpunct {.}\psi _{ step } \rightarrow \dot{\pi }_M \triangleright Y_j \end{aligned}$$

(2)

where each \(X_i \in \{\mathfrak {S}, \mathfrak {A}, Y_1, \ldots , Y_j\}\), \(\psi _{ step }\) is quantifier-free formula over trace variables \(\dot{\pi }_1, \ldots , \dot{\pi }_n, \pi _1, \ldots , \pi _{l_j}\), and \(M \in [n]\). Intuitively, Eq. (2) states a requirement on traces that should be included in \(Y_j\). If we find traces \(\dot{t}_1 \in X_1, \ldots , \dot{t}_n \in X_n\) that, together with the traces \(t_1, \ldots , t_{l_j}\) quantified before \(Y_j\), satisfy \(\psi _{ step }\), then \(\dot{t}_M\) should be included in \(Y_j\).

Together with the minimality constraint on \(Y_j\) (stemming from the semantics of Hyper²LTL_fp), this effectively defines a (monotone) least fixpoint computation, as \(\psi _{ step }\) defines exactly the traces to be added to the set. This will allow us to use results from fixpoint theory to compute approximations for the sets \(Y_j\).

Our least fixpoint fragment captures most properties of interest, in particular, common knowledge (Sect. 3.3) and asynchronous hyperproperties (Sect. 4.2). We observe that formulas of the above form ensure that the solution \(Y_j\) is unique, i.e., for any trace assignment \(\varPi \) to \(\pi _1, \ldots , \pi _{l_j}\) and second-order assignment \(\varDelta \) to \(\mathfrak {S}, \mathfrak {A}, Y_1, \ldots , Y_{j-1}\), there is only one element in \( sol (\varPi , \varDelta , (Y_j, \curlyvee , \varphi _j^ con ))\).

5.2 Functions as Automata

In our (approximate) model-checking algorithm, we represent a concrete assignment to the second-order variables \(Y_1, \ldots , Y_k\) using automata \(\mathcal {B}_{Y_1}, \ldots , \mathcal {B}_{Y_k}\). The concrete assignment of \(Y_j\) can depend on traces assigned to \(\pi _1, \ldots , \pi _{l_j}\), i.e., the first-order variables quantified before \(Y_j\). To capture these dependencies, we view each \(Y_j\) not as a set of traces but as a function mapping traces of all preceding first-order variables to a set of traces. We represent such a function \(f : (\varSigma ^\omega )^{l_j} \rightarrow 2^{(\varSigma ^\omega )}\) mapping the \(l_j\) traces to a set of traces as an automaton \(\mathcal {A}\) over \(\varSigma ^{l_j+1}\). For traces \(t_1, \ldots , t_{l_j}\), the set \(f(t_1, \ldots , t_{l_j})\) is represented in the automaton by the set \(\{ t \in \varSigma ^\omega \mid zip (t_1, \ldots , t_{l_j}, t) \in \mathcal {L}(\mathcal {A}) \}\). For example, the function \(f(t_1) := \{t_1\}\) can be defined by the automaton that accepts the zipping of a pair of traces exactly if both traces agree on all propositions. This representation of functions as automata allows us to maintain an assignment to \(Y_j\) that is parametric in \(\pi _1, \ldots , \pi _{l_j}\) and still allows first-order model checking on \(Y_1, \ldots , Y_k\).

5.3 Model Checking for First-Order Quantification

First, we focus on first-order quantification, and assume that we are given a concrete assignment for each second-order variable as fixed automata \(\mathcal {B}_{Y_1}, \ldots , \mathcal {B}_{Y_k}\) (where \(\mathcal {B}_{Y_j}\) is an automaton over \(\varSigma ^{l_j+1}\)). Our construction for resolving first-order quantification is based on HyperLTL model checking [32], but needs to work on sets of traces that, themselves, are based on traces quantified before (cf. Sect. 5.2). Recall that the first-order quantifier prefix is \(\gamma _1 \cdots \gamma _{k+1} = \mathbb {Q}_{1} \pi _{1} \in X_{1} \cdots \mathbb {Q}_{l_{k+1}} \pi _{l_{k+1}} \in X_{l_{k+1}}\). For each \(1 \le i \le l_{k+1}\) we inductively construct an automaton \(\mathcal {A}_i\) over \(\varSigma ^{i-1}\) that summarizes all trace assignments to \(\pi _1, \ldots , \pi _{i-1}\) that satisfy the subformula starting with the quantification of \(\pi _i\). That is, for all traces \(t_1, \ldots , t_{i-1}\) we have

$$\begin{aligned}{}[\pi _1 \mapsto t_1, \ldots , \pi _{i-1} \mapsto t_{i-1}] \vDash \mathbb {Q}_{i} \pi _{i} \in X_{i} \cdots \mathbb {Q}_{l_{k+1}} \pi _{l_{k+1}} \in X_{l_{k+1}}\mathpunct {.}\psi \end{aligned}$$

(under the fixed second-order assignment for \(Y_1, \ldots , Y_k\) given by \(\mathcal {B}_{Y_1}, \ldots , \mathcal {B}_{Y_k}\)) if and only if \( zip (t_1, \ldots , t_{i-1}) \in \mathcal {L}(\mathcal {A}_i)\). In the context of HyperLTL model checking we say \(\mathcal {A}_i\) is equivalent to \(\mathbb {Q}_{i} \pi _{i} \in X_{i} \cdots \mathbb {Q}_{l_{k+1}} \pi _{l_{k+1}} \in X_{l_{k+1}}\mathpunct {.}\psi \) [8, 32]. In particular, \(\mathcal {A}_1\) is an automaton over singleton alphabet \(\varSigma ^0\).

We construct \(\mathcal {A}_1, \ldots , \mathcal {A}_{l_{k+1}+1}\) inductively, starting with \(\mathcal {A}_{l_{k+1}+1}\). Initially, we construct \(\mathcal {A}_{l_{k+1}+1}\) (over \(\varSigma ^{l_{k+1}}\)) using a standard LTL-to-NBA construction on the (quantifier-free) body \(\psi \) (see [32] for details). Now assume that we are given an (inductively constructed) automaton \(\mathcal {A}_{i+1}\) over \(\varSigma ^i\) and want to construct \(\mathcal {A}_i\). We first consider the case where \(\mathbb {Q}_i = \exists \), i.e., the ith trace quantification is existential. Now \(X_i\) (the set where \(\pi _i\) is resolved on) either equals \(\mathfrak {S}\), \(\mathfrak {A}\) or \(Y_j\) for some \(j \in [k]\). In either case, we represent the current assignment to \(X_i\) as an automaton \(\mathcal {C}\) over \(\varSigma ^{T + 1}\) for some \(T < i\) that defines the model of \(X_i\) based on traces \(\pi _1, \ldots , \pi _T\): In case \(X_i = \mathfrak {S}\), we set \(\mathcal {C}\) to be the automaton over \(\varSigma ^{0 + 1}\) that accepts exactly the traces in the given system \(\mathcal {T}\); in case \(X_i = \mathfrak {A}\), we set \(\mathcal {C}\) to be the automaton over \(\varSigma ^{0 + 1}\) that accepts all traces; If \(X_i = Y_j\) for some \(j \in [k]\) we set \(\mathcal {C}\) to be \(\mathcal {B}_{Y_j}\) (which is an automaton over \(\varSigma ^{l_j + 1}\)).¹ Given \(\mathcal {C}\), we can now modify the construction from [32], to resolve first-order quantification: The desired automaton \(\mathcal {A}_i\) should accept the zipping of traces \(t_1, \ldots , t_{i-1}\) if there exists a trace t such that (1) \( zip (t_1, \ldots , t_{i-1}, t) \in \mathcal {L}(\mathcal {A}_{i+1})\), and (2) the trace t is contained in the set of traces assigned to \(X_i\) as given by \(\mathcal {C}\), i.e., \( zip (t_1, \ldots , t_T, t) \in \mathcal {L}(\mathcal {C})\). The construction of this automaton is straightforward by taking a product of \(\mathcal {A}_{i+1}\) and \(\mathcal {C}\). We denote this automaton with . In case \(\mathbb {Q}_i = \forall \) we exploit the duality that \(\forall \pi . \psi \) = \(\lnot \exists \pi . \lnot \psi \), combining the above construction with automata complementation. We denote this universal product of \(\mathcal {A}_{i+1}\) and \(\mathcal {C}\) with .

The final automaton \(\mathcal {A}_1\) is an automaton over singleton alphabet \(\varSigma ^0\) that is equivalent to \(\gamma _1 \cdots \gamma _{k+1}. \psi \), i.e., the entire first-order quantifier prefix. Automaton \(\mathcal {A}_1\) thus satisfies \(\mathcal {L}(\mathcal {A}_1) \ne \emptyset \) (which we can decide) iff the empty trace assignment satisfies the first-order formula \(\gamma _1 \cdots \gamma _{k+1}\mathpunct {.}\psi \), iff \(\varphi \) (of Eq. (1)) holds within the fixed model for \(Y_1, \ldots , Y_k\). For a given fixed second-order assignment (given as automata \(\mathcal {B}_{Y_1}, \ldots , \mathcal {B}_{Y_k}\)), we can thus decide if the system satisfies the first-order part.

During the first-order model-checking phase, each quantifier alternations in the formula require complex automata complementation. For the first-order phase, we could also use cheaper approximate methods by, e.g., instantiating the existential trace using a strategy [6, 7, 25].

5.4 Bidirectional Model Checking

So far, we have discussed the verification of the first-order quantifiers assuming we have a fixed model for all second-order variables \(Y_1, \ldots , Y_k\). In our actual model-checking algorithm, we instead maintain under- and overapproximations on each of the \(Y_1, \ldots , Y_k\).

In each iteration, we first traverse the second-order quantifiers in an outside-in direction and compute lower- and upper-bounds on each \(Y_j\). Given the bounds, we then traverse the first-order prefix in an inside-out direction using the current approximations to \(Y_1, \ldots , Y_k\). If the current approximations are not precise enough to witness the satisfaction (or violation) of a property, we repeat and try to compute better bounds on \(Y_1, \ldots , Y_k\). Due to the different directions of traversal, we refer to our model-checking approach as bidirectional. Algorithm 1 provides an overview. Initially, we convert the system \(\mathcal {T}\) to an NBA \(\mathcal {A}_\mathcal {T}\) accepting exactly the traces of the system. In each round, we compute under- and overapproximations for each \(Y_j\) in a mapping \(\flat \). We initialize \(\flat \) by mapping \(\mathfrak {S}\) to \((\mathcal {A}_\mathcal {T}, \mathcal {A}_\mathcal {T})\) (i.e., the value assigned to the system variable is precisely \(\mathcal {A}_\mathcal {T}\) for both under- and overapproximation), and \(\mathfrak {A}\) to \((\mathcal {A}_\top , \mathcal {A}_\top )\) where \(\mathcal {A}_\top \) is an automaton over \(\varSigma ^1\) accepting all traces. We then traverse the second-order quantifiers outside-in (from \(Y_1\) to \(Y_k\)) and for each \(Y_j\) compute a pair \((\mathcal {B}_j^l, \mathcal {B}_j^u)\) of automata over \(\varSigma ^{l_j + 1}\) that under- and overapproximate the actual (unique) model of \(Y_j\). We compute these approximations using functions and , which can be instantiated with any procedure that computes sound lower and upper bounds (see Sect. 5.5). During verification, we further maintain a precision bound N (initially set to 0) that tracks the current precision of the second-order approximations.

When \(\flat \) contains an under- and overapproximation for each second-order variable, we traverse the first-order variables in an inside-out direction (from \(\pi _{l_{k+1}}\) to \(\pi _1\)) and, following the construction outlined in Sect. 5.3, construct automata \(\mathcal {A}_{l_k+1}, \ldots , \mathcal {A}_1\). Different from the simplified setting in Sect. 5.3 (where we assume a fixed automaton \(\mathcal {B}_{Y_j}\) providing a model for each \(Y_j\)), the mapping \(\flat \) contains only approximations of the concrete solution. We choose which approximation to use according to the corresponding set quantification: In case we construct \(\mathcal {A}_i\) and \(\mathbb {Q}_i = \exists \), we use the underapproximation (thus making sure that any witness trace we pick is indeed contained in the actual model of the second-order variable); and if \(\mathbb {Q}_i = \forall \), we use the overapproximation (making sure that we consider at least those traces that are in the actual solution). If \(\mathcal {L}(\mathcal {A}_1)\) is non-empty, i.e., accepts the empty trace assignment, the formula holds (assuming the approximations returned by and are sound). If not, we increase the precision bound N and repeat.

In Algorithm 1, we only check for the satisfaction of a formula (to keep the notation succinct). Using the second-order approximations in \(\flat \) we can also check the negation of a formula (by considering the negated body and dualizing all trace quantifiers). Our tool (Sect. 6) makes use of this and thus simultaneously tries to show satisfaction and violation of a formula.

5.5 Computing Under- and Overapproximations

In this section we provide concrete instantiations for and .

Computing Underapproximations. As we consider the fixpoint fragment, each formula \(\varphi _j^ con \) (defining \(Y_j\)) is a conjunction of formulas of the form in Eq. (2), thus defining \(Y_j\) via a least fixpoint computation. For simplicity, we assume that \(Y_j\) is defined by the single conjunct, given by Eq. (2) (our construction generalizes easily to a conjunction of such formulas). Assuming fixed models for \(\mathfrak {S}\), \(\mathfrak {A}\) and \(Y_1, \ldots , Y_{j-1}\), the fixpoint operation defining \(Y_j\) is monotone, i.e., the larger the current model for \(Y_j\) is, the more traces we need to add according to Eq. (2). Monotonicity allows us to apply the Knaster-Tarski theorem [47] and compute underapproximations to the fixpoint by iteration.

In our construction of an approximation for \(Y_j\), we are given a mapping \(\flat \) that fixes a pair of automata for \(\mathfrak {S}\), \(\mathfrak {A}\), and \(Y_1, \ldots , Y_{j-1}\) (due to the outside-in traversal in Algorithm 1). As we are computing an underapproximation, we use the underapproximation for each of the second-order variables in \(\flat \). So \(\flat (\mathfrak {S})\) and \(\flat (\mathfrak {A})\) are automata over \(\varSigma ^1\) and for each \(j' \in [j-1]\), \(\flat (Y_{j'})\) is an automaton over \(\varSigma ^{l_{j'} + 1}\). Given this fixed mapping \(\flat \), we iteratively construct automata \(\hat{\mathcal {C}}_0, \hat{\mathcal {C}}_1, \ldots \) over \(\varSigma ^{l_j + 1}\) that capture (increasingly precise) underapproximations on the solution for \(Y_j\). We set \(\hat{\mathcal {C}}_0\) to be the automaton with the empty language. We then recursively define \(\hat{\mathcal {C}}_{N+1}\) based on \(\hat{\mathcal {C}}_{N}\) as follows: For each second-order variable \(X_i\) for \(i \in [n]\) used in Eq. (2) we can assume a concrete assignment in the form of an automaton \(\mathcal {D}_i\) over \(\varSigma ^{T_i + 1}\) for some \(T_i \le l_j\): In case \(X_i \ne Y_j\) (so \(X_i \in \{\mathfrak {S}, \mathfrak {A}, Y_1, \ldots , Y_{j-1}\}\)), we set \(\mathcal {D}_i := \flat (X_i)\). In case \(X_i = Y_j\), we set \(\mathcal {D}_i := \hat{\mathcal {C}}_N\), i.e., we use the current approximation of \(Y_j\) in iteration N. After we have set \(\mathcal {D}_1, \ldots , \mathcal {D}_n\), we compute an automaton \(\dot{\mathcal {C}}\) over \(\varSigma ^{l_j+1}\) that accepts \( zip (t_1, \ldots , t_{l_j}, t)\) iff there exists traces \(\dot{t}_1, \ldots , \dot{t}_n\) such that (1) \( zip (t_1, \ldots , t_{T_i}, \dot{t}_i) \in \mathcal {L}(\mathcal {D}_i)\) for all \(i \in [n]\), (2) \([\pi _1 \mapsto t_1, \ldots , \pi _{l_j} \mapsto t_{l_j}, \dot{\pi }_1 \mapsto \dot{t}_{1},\ldots , \dot{\pi }_n \mapsto \dot{t}_n] \vDash \psi _ step \), and (3) trace t equals \(\dot{t}_M\) (of Eq. (2)). The intuition is that \(\dot{\mathcal {C}}\) captures all traces that should be added to \(Y_j\): Given \(t_1, \ldots , t_{l_j}\) we check if there are traces \(\dot{t}_1, \ldots , \dot{t}_n\) for trace variables \(\dot{\pi }_1, \ldots , \dot{\pi }_n\) in Eq. (2) where (1) each \(\dot{t}_i\) is in the assignment for \(X_i\), which is captured by the automaton \(\mathcal {D}_i\) over \(\varSigma ^{T_i + 1}\), and (2) the traces \(\dot{t}_1, \ldots , \dot{t}_n\) satisfy \(\varphi _ step \). If this is the case, we want to add \(\dot{t}_M\) (as stated in Eq. (2)). We then define \(\hat{\mathcal {C}}_{N+1}\) as the union of \(\hat{\mathcal {C}}_{N}\) and \(\dot{\mathcal {C}}\), i.e. extend the previous model with all (potentially new) traces that need to be added.

Computing Overapproximations. As we noted above, conditions of the form of Eq. (2) always define fixpoint constraints. To compute upper bounds on such fixpoint constructions we make use of Park’s theorem, [48] stating that if we find some set (or automaton) \(\mathcal {B}\) that is inductive (i.e., when computing all traces that we would need to add assuming the current model of \(Y_j\) is \(\mathcal {B}\), we end up with traces that are already in \(\mathcal {B}\)), then \(\mathcal {B}\) overapproximates the unique solution (aka. least fixpoint) of \(Y_j\). To derive such an inductive invariant, we employ techniques developed in the context of regular model checking [15] (see Sect. 7). Concretely, we employ the approach from [19] that uses automata learning [2] to find suitable invariants. While the approach from [19] is limited to finite words, we extend it to an \(\omega \)-setting by interpreting an automaton accepting finite words as one that accepts an \(\omega \)-word u iff every prefix of u is accepted.² As soon as the learner provides a candidate for an equivalence check, we check that it is inductive and, if not, provide some finite counterexample (see [19] for details). If the automaton is inductive, we return it as a potential overapproximation. Should this approximation not be precise enough, the first-order model checking (Sect. 5.3) returns some concrete counterexample, i.e., some trace contained in the invariant but violating the property, which we use to provide more counterexamples to the learner.

6 Implementation and Experiments

We have implemented our model-checking algorithm in a prototype tool we call HySO (Hyperproperties with Second Order).³ Our tool uses spot [29] for basic automata operations (such as LTL-to-NBA translations and complementations). To compute under- and overapproximations, we use the techniques described in Sect. 5.5. We evaluate the algorithm on the following benchmarks.

Muddy Children. The muddy children puzzle [30] is one of the classic examples in common knowledge literature. The puzzle consists of n children standing such that each child can see all other children’s faces. From the n children, an unknown number \(k \ge 1\) have a muddy forehead, and in incremental rounds, the children should step forward if they know if their face is muddy or not. Consider the scenario of \(n=2\) and \(k = 1\), so child a sees that child b has a muddy forehead and child b sees that a is clean. In this case, b immediately steps forward, as it knows that its forehead is muddy since \(k\ge 1\). In the next step, a knows that its face is clean since b stepped forward in round 1. In general, one can prove that all children step forward in round k, deriving common knowledge.

For each n we construct a transition system \(\mathcal {T}_n\) that encodes the muddy children scenario with n children. For every m we design a Hyper²LTL_fp formula \(\varphi _m\) that adds to the common knowledge set X all traces that appear indistinguishable in the first m steps for some child. We then specify that all traces in X should agree on all inputs, asserting that all inputs are common knowledge.⁴ We used HySO to fully automatically check \(\mathcal {T}_n\) against \(\varphi _m\) for varying values of n and m, i.e., we checked if, after the first m steps, the inputs of all children are common knowledge. As expected, the above property holds only if \(m \ge n\) (in the worst case, where all children are dirty \((k = n)\), the inputs of all children only become common knowledge after n steps). We depict the results in Table 1a.

Table 1. In Table 1a, we check common knowledge in the muddy children puzzle for n children and m rounds. We give the result (✓ if common knowledge holds and ✗ if it does not), and the running time. In Table 1a, we check synchronous and asynchronous versions of observational determinism. We depict the number of iterations needed and running time. Times are given in seconds.

Asynchronous Hyperproperties. As we have shown in Sect. 4.2, we can encode arbitrary AHLTL properties into Hyper²LTL_fp. We verified synchronous and asynchronous version of observational determinism (cf. Sect. 4.2) on programs taken from [3, 5, 9]. We depict the verification results in Table 1b. Recall that Hyper²LTL_fp properties without any second-order variables correspond to HyperQPTL formulas. HySO can check such properties precisely, i.e., it constitutes a sound-and-complete model checker for HyperQPTL properties with an arbitrary quantifier prefix. The synchronous version of observational determinism is a HyperLTL property and thus needs no second-order approximation (we set the method column to “-” in these cases).

Common Knowledge in Multi-agent Systems. We used HySO for an automatic analysis of the system in Fig. 1. Here, we verify that on initial trace \(\{a\}^n\{d\}^\omega \) it is CK that a holds in the first step. We use a similar formula as the one of Sect. 3.3, with the change that we are interested in whether a is CK (whereas we used in Sect. 3.3). As expected, HySO requires \(2n-1\) iterations to converge. We depict the results in Table 2a.

Table 2. In Table 1a, we check common knowledge in the example from Fig. 1 when starting with \(a^nd^\omega \) for varying values of n. We depict the number of refinement iterations, the result, and the running time. In Table 2b, we verify various properties on Mazurkiewicz traces. We depict whether the property could be verified or refuted by iteration or automata learning, the result, and the time. Times are given in seconds.

Mazurkiewicz Traces. Mazurkiewicz traces are an important concept in the theory of distributed computing [27]. Let \(I \subseteq \varSigma \times \varSigma \) be an independence relation that determines when two consecutive letters can be switched (think of two actions in disjoint processes in a distributed system). Any \(t \in \varSigma ^\omega \) then defines the set of all traces that are equivalent to t by flipping consecutive independent actions an arbitrary number of times (the equivalence class of all these traces is called the Mazurkiewicz Trace). See [27] for details. The verification problem for Mazurkiewicz traces now asks if, given some \(t \in \varSigma ^\omega \), all traces in the Mazurkiewicz trace of t satisfy some property \(\psi \). Using Hyper²LTL_fp we can directly reason about the Mazurkiewicz Trace of any given trace, by requiring that all traces that are equal up to one swap of independent letters are also in a given set (which is easily expressed in Hyper²LTL_fp).

Using HySO we verify a selection of such trace properties that often require non-trivial reasoning by coming up with a suitable invariant. We depict the results in Table 2b. In our preliminary experiments, we model a situation where we start with \(\{a\}^1\{\}^\omega \) and can swap letters \(\{a\}\) and \(\{\}\). We then, e.g., ask if on any trace in the resulting Mazurkiewicz trace, a holds at most once, which requires inductive invariants and cannot be established by iteration.

7 Related Work

In recent years, many logics for the formal specification of hyperproperties have been developed, extending temporal logics with explicit path quantification (examples include HyperLTL, HyperCTL\(^*\) [20], HyperQPTL [10, 45], HyperPDL [38], and HyperATL\(^*\) [5, 9]); or extending first and second-order logics with an equal level predicate [25, 33]. Others study (\(\omega \))-regular [14, 37] and context-free hyperproperties [35]; or discuss hyperproperties over data and modulo theories [24, 31]. Hyper²LTL is the first temporal logic that reasons about second-order hyperproperties which allows is to capture many existing (epistemic, asynchronous, etc.) hyperlogics while at the same time taking advantage of model-checking solutions that have been proven successful in first-order settings.

Asynchronous Hyperproperties. For asynchronous hyperproperties, Gutfeld et al. [39] present an asynchronous extension of the polyadic \(\mu \)-calculus. Bozelli et al. [17] extend HyperLTL with temporal operators that are only evaluated if the truth value of some temporal formula changes. Baumeister et al. present AHLTL [3], that extends HyperLTL with a explicit quantification over trajectories and can be directly encoded within Hyper²LTL_fp.

Regular Model Checking. Regular model checking [15] is a general verification method for (possibly infinite state) systems, in which each state of the system is interpreted as a finite word. The transitions of the system are given as a finite-state (regular) transducer, and the model checking problem asks if, from some initial set of states (given as a regular language), some bad state is eventually reachable. Many methods for automated regular model checking have been developed [12, 13, 19, 26]. Hyper²LTL can be seen as a logical foundation for \(\omega \)-regular model checking: Assume the set of initial states is given as a QPTL formula \(\varphi _ init \), the set of bad states is given as a QPTL formula \(\varphi _ bad \), and the transition relation is given as a QPTL formula \(\varphi _ step \) over trace variables \(\pi \) and \(\pi '\). The set of bad states is reachable from a trace (state) in \(\varphi _ init \) iff the following Hyper²LTL_fp formula holds on the system that generates all traces:

$$\begin{aligned}&\big (X, \curlyvee , \forall \pi \in \mathfrak {S}\mathpunct {.}\varphi _ init (\pi ) \rightarrow \pi \triangleright X \wedge \\&\quad \quad \quad \forall \pi \in X. \forall \pi ' \in \mathfrak {S}\mathpunct {.}\varphi _ step (\pi , \pi ') \rightarrow \pi ' \triangleright X\big )\mathpunct {.}\forall \pi \in X. \lnot \varphi _ bad (\pi ) \end{aligned}$$

Conversely, Hyper²LTL_fp can express more complex properties, beyond the reachability checks possible in the framework of (\(\omega \)-)regular model checking.

Model Checking Knowledge. Model checking of knowledge properties in multi-agent systems was developed in the tools MCK [36] and MCMAS [42], which can exactly express LTL\(_{\textsf{K}}\). Bozzelli et al. [16] have shown that HyperCTL\(^*\) and LTL\(_\textsf{K}\) have incomparable expressiveness, and present HyperCTL\(^*_{lp}\)  – an extension of HyperCTL\(^*\) that can reason about past – to unify HyperCTL\(^*\) and LTL\(_\textsf{K}\). While HyperCTL\(^*_{lp}\) can express the knowledge operator, it cannot capture common knowledge. LTL\(_{\textsf{K},\textsf{C}}\) [41] captures both knowledge and common knowledge, but the suggested model-checking algorithm only handles a decidable fragment that is reducible to LTL model checking.

8 Conclusion

Hyperproperties play an increasingly important role in many areas of computer science. There is a strong need for specification languages and verification methods that reason about hyperproperties in a uniform and general manner, similar to what is standard for more traditional notions of safety and reliability. In this paper, we have ventured forward from the first-order reasoning of logics like HyperLTL into the realm of second-order hyperproperties, i.e., properties that not only compare individual traces but reason comprehensively about sets of such traces. With Hyper²LTL, we have introduced a natural specification language and a general model-checking approach for second-order hyperproperties. Hyper²LTL provides a general framework for a wide range of relevant hyperproperties, including common knowledge and asynchronous hyperproperties, which could previously only be studied with specialized logics and algorithms. Hyper²LTL also provides a starting point for future work on second-order hyperproperties in areas such as cyber-physical [44] and probabilistic systems [28].