Temporal Logics for Hyperproperties

  • Michael R. Clarkson
  • Bernd Finkbeiner
  • Masoud Koleini
  • Kristopher K. Micinski
  • Markus N. Rabe
  • César Sánchez
Part of the Lecture Notes in Computer Science book series (LNCS, volume 8414)


Two new logics for verification of hyperproperties are proposed. Hyperproperties characterize security policies, such as noninterference, as a property of sets of computation paths. Standard temporal logics such as LTL, CTL, and CTL* can refer only to a single path at a time, hence cannot express many hyperproperties of interest. The logics proposed here, HyperLTL and HyperCTL*, add explicit and simultaneous quantification over multiple paths to LTL and to CTL*. This kind of quantification enables expression of hyperproperties. A model checking algorithm for the proposed logics is given. For a fragment of HyperLTL, a prototype model checker has been implemented.


Model Check Temporal Logic Security Policy Atomic Proposition Label Transition System 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.


  1. 1.
    Alur, R., Černý, P., Chaudhuri, S.: Model checking on trees with path equivalences. In: Grumberg, O., Huth, M. (eds.) TACAS 2007. LNCS, vol. 4424, pp. 664–678. Springer, Heidelberg (2007)CrossRefGoogle Scholar
  2. 2.
    Alur, R., Černý, P., Zdancewic, S.: Preserving secrecy under refinement. In: Bugliesi, M., Preneel, B., Sassone, V., Wegener, I. (eds.) ICALP 2006. LNCS, vol. 4052, pp. 107–118. Springer, Heidelberg (2006)CrossRefGoogle Scholar
  3. 3.
    Andersen, H.R.: A polyadic modal mu-calculus. Technical Report 1994-145, Technical University of Denmark, DTU (1994)Google Scholar
  4. 4.
    Balliu, M., Dam, M., Guernic, G.L.: Epistemic temporal logic for information flow security. In: Proc. Workshop on Programming Languages and Analysis for Security (June 2011)Google Scholar
  5. 5.
    Banerjee, A., Naumann, D.A.: Stack-based access control and secure information flow. Journal of Functional Programming 15(2), 131–177 (2005)CrossRefzbMATHMathSciNetGoogle Scholar
  6. 6.
    Barthe, G., Crespo, J.M., Kunz, C.: Beyond 2-safety: Asymmetric product programs for relational program verification. In: Artemov, S., Nerode, A. (eds.) LFCS 2013. LNCS, vol. 7734, pp. 29–43. Springer, Heidelberg (2013)CrossRefGoogle Scholar
  7. 7.
    Barthe, G., D’Argenio, P.R., Rezk, T.: Secure information flow by self-composition. In: Proc. IEEE Computer Security Foundations Workshop, pp. 100–114 (June 2004)Google Scholar
  8. 8.
    Bradfield, J., Stirling, C.: Modal mu-calculi. In: Handbook of Modal Logic, pp. 721–756. Elsevier, Amsterdam (2007)CrossRefGoogle Scholar
  9. 9.
    Bryans, J.W., Koutny, M., Mazaré, L., Ryan, P.Y.A.: Opacity generalised to transition systems. In: Dimitrakos, T., Martinelli, F., Ryan, P.Y.A., Schneider, S. (eds.) FAST 2005. LNCS, vol. 3866, pp. 81–95. Springer, Heidelberg (2006)CrossRefGoogle Scholar
  10. 10.
    Chadha, R., Delaune, S., Kremer, S.: Epistemic logic for the applied pi calculus. In: Lee, D., Lopes, A., Poetzsch-Heffter, A. (eds.) FMOODS 2009. LNCS, vol. 5522, pp. 182–197. Springer, Heidelberg (2009)CrossRefGoogle Scholar
  11. 11.
    Cimatti, A., Clarke, E., Giunchiglia, F., Roveri, M.: NuSMV: A new symbolic model verifier. In: Halbwachs, N., Peled, D.A. (eds.) CAV 1999. LNCS, vol. 1633, pp. 495–499. Springer, Heidelberg (1999)CrossRefGoogle Scholar
  12. 12.
    Clark, D., Hunt, S., Malacaria, P.: Quantified interference for a while language. Electronic Notes in Theoretical Computer Science 112, 149–166 (2005)CrossRefGoogle Scholar
  13. 13.
    Clarkson, M.R., Finkbeiner, B., Koleini, M., Micinski, K.K., Rabe, M.N., Sánchez, C.: Temporal logics for hyperproperties (January 2014),
  14. 14.
    Clarkson, M.R., Myers, A.C., Schneider, F.B.: Quantifying information flow with beliefs. Journal of Computer Security 17(5), 655–701 (2009)Google Scholar
  15. 15.
    Clarkson, M.R., Schneider, F.B.: Hyperproperties. Journal of Computer Security 18(6), 1157–1210 (2010)Google Scholar
  16. 16.
    Cook, B., Koskinen, E., Vardi, M.: Temporal property verification as a program analysis task. In: Gopalakrishnan, G., Qadeer, S. (eds.) CAV 2011. LNCS, vol. 6806, pp. 333–348. Springer, Heidelberg (2011)CrossRefGoogle Scholar
  17. 17.
    Dimitrova, R., Finkbeiner, B., Kovács, M., Rabe, M.N., Seidl, H.: Model checking information flow in reactive systems. In: Kuncak, V., Rybalchenko, A. (eds.) VMCAI 2012. LNCS, vol. 7148, pp. 169–185. Springer, Heidelberg (2012)CrossRefGoogle Scholar
  18. 18.
    Emerson, E.A., Halpern, J.Y.: “Sometimes” and “not never” revisited: On branching versus linear time temporal logic. Journal of the ACM 33(1), 151–178 (1986)CrossRefzbMATHMathSciNetGoogle Scholar
  19. 19.
    Fagin, R., Halpern, J.Y., Moses, Y., Vardi, M.Y.: Reasoning About Knowledge. MIT Press, Cambridge (1995)zbMATHGoogle Scholar
  20. 20.
    Focardi, R., Gorrieri, R.: Classification of security properties (Part I: Information flow. In: Focardi, R., Gorrieri, R. (eds.) FOSAD 2000. LNCS, vol. 2171, pp. 331–396. Springer, Heidelberg (2001)CrossRefGoogle Scholar
  21. 21.
    Gastin, P., Oddoux, D.: Fast LTL to Büchi automata translation. In: Berry, G., Comon, H., Finkel, A. (eds.) CAV 2001. LNCS, vol. 2102, pp. 53–65. Springer, Heidelberg (2001)CrossRefGoogle Scholar
  22. 22.
    Gerth, R., Peled, D., Vardi, M.Y., Wolper, P.: Simple on-the-fly automatic verification of linear temporal logic. In: Proc. Protocol Specification, Testing and Verification, pp. 3–18 (June 1995)Google Scholar
  23. 23.
    Goguen, J.A., Meseguer, J.: Security policies and security models. In: Proc. IEEE Symposium on Security and Privacy, pp. 11–20 (April 1982)Google Scholar
  24. 24.
    Gray III, J.W.: Toward a mathematical foundation for information flow security. In: Proc. IEEE Symposium on Security and Privacy, pp. 210–234 (May 1991)Google Scholar
  25. 25.
    Gray III, J.W., Syverson, P.F.: A logical approach to multilevel security of probabilistic systems. Distributed Computing 11(2), 73–90 (1998)CrossRefGoogle Scholar
  26. 26.
    Halpern, J.Y., O’Neill, K.R.: Secrecy in multiagent systems. ACM Transactions on Information and System Security 12(1), 5:1–5:47 (2008)Google Scholar
  27. 27.
    Hammer, C., Snelting, G.: Flow-sensitive, context-sensitive, and object-sensitive information flow control based on program dependence graphs. International Journal of Information Security 8(6), 399–422 (2009)CrossRefGoogle Scholar
  28. 28.
    Holzmann, G.J.: The model checker SPIN. IEEE Transactions on Software Engineering 23, 279–295 (1997)CrossRefGoogle Scholar
  29. 29.
    Huisman, M., Blondeel, H.-C.: Model-checking secure information flow for multi-threaded programs. In: Mödersheim, S., Palamidessi, C. (eds.) TOSCA 2011. LNCS, vol. 6993, pp. 148–165. Springer, Heidelberg (2012)CrossRefGoogle Scholar
  30. 30.
    Huisman, M., Worah, P., Sunesen, K.: A temporal logic characterisation of observational determinism. In: Proc. IEEE Computer Security Foundations Workshop, pp. 3–15 (July 2006)Google Scholar
  31. 31.
    Köpf, B., Basin, D.: An information-theoretic model for adaptive side-channel attacks. In: Proc. ACM Conference on Computer and Communications Security, pp. 286–296 (October 2007)Google Scholar
  32. 32.
    Lamport, L.: Proving the correctness of multiprocess programs. IEEE Transactions on Software Engineering 3(2), 125–143 (1977)CrossRefzbMATHMathSciNetGoogle Scholar
  33. 33.
    Manna, Z., Pnueli, A.: The Temporal Logic of Reactive and Concurrent Systems: Specification. Springer, New York (1992)CrossRefGoogle Scholar
  34. 34.
    Mantel, H.: Possibilistic definitions of security—an assembly kit. In: Proc. IEEE Computer Security Foundations Workshop, pp. 185–199 (July 2000)Google Scholar
  35. 35.
    McCullough, D.: Noninterference and the composability of security properties. In: Proc. IEEE Symposium on Security and Privacy, pp. 177–186 (April 1988)Google Scholar
  36. 36.
    McCullough, D.: A hookup theorem for multilevel security. Proc. IEEE Transactions on Software Engineering 16(6), 563–568 (1990)CrossRefGoogle Scholar
  37. 37.
    McLean, J.: Proving noninterference and functional correctness using traces. Journal of Computer Security 1(1), 37–58 (1992)MathSciNetGoogle Scholar
  38. 38.
    McLean, J.: A general theory of composition for trace sets closed under selective interleaving functions. In: Proc. IEEE Symposium on Security and Privacy, pp. 79–93 (April 1994)Google Scholar
  39. 39.
    Millen, J.K.: Unwinding forward correctability. In: Proc. IEEE Computer Security Foundations Workshop, pp. 2–10 (June 1994)Google Scholar
  40. 40.
    Milushev, D., Clarke, D.: Towards incrementalization of holistic hyperproperties. In: Degano, P., Guttman, J.D. (eds.) POST 2012. LNCS, vol. 7215, pp. 329–348. Springer, Heidelberg (2012)CrossRefGoogle Scholar
  41. 41.
    Milushev, D., Clarke, D.: Incremental hyperproperty model checking via games. In: Riis Nielson, H., Gollmann, D. (eds.) NordSec 2013. LNCS, vol. 8208, pp. 247–262. Springer, Heidelberg (2013)CrossRefGoogle Scholar
  42. 42.
    Milushev, D.V.: Reasoning about Hyperproperties. PhD thesis, Katholieke Universiteit Leuven (June 2013)Google Scholar
  43. 43.
    Myers, A.C.: JFlow: Practical mostly-static information flow control. In: Proc. ACM Symposium on Principles of Programming Languages, pp. 228–241 (1999)Google Scholar
  44. 44.
    Pnueli, A.: The temporal logic of programs. In: Proc. Foundations of Computer Science, pp. 46–57 (September 1977)Google Scholar
  45. 45.
    Rogers, H.: Theory of Recursive Functions and Effective Computability. MIT Press, Cambridge (1987)Google Scholar
  46. 46.
    Roscoe, A.W.: CSP and determinism in security modelling. In: Proc. IEEE Symposium on Security and Privacy, pp. 114–127 (May 1995)Google Scholar
  47. 47.
    Ryan, P.Y.A., Peacock, T.: Opacity—further insights on an information flow property. Technical Report CS-TR-958, Newcastle University (April 2006)Google Scholar
  48. 48.
    Sabelfeld, A., Myers, A.C.: Language-based information-flow security. IEEE Journal on Selected Areas in Communications 21(1), 5–19 (2003)CrossRefGoogle Scholar
  49. 49.
    Sabelfeld, A., Sands, D.: Dimensions and principles of declassification. In: Proc. IEEE Computer Security Foundations Workshop, pp. 255–269 (2005)Google Scholar
  50. 50.
    Sistla, A.P., Vardi, M.Y., Wolper, P.: The complementation problem for Büchi automata with appplications to temporal logic. Theoretical Computer Science 49, 217–237 (1987)CrossRefzbMATHMathSciNetGoogle Scholar
  51. 51.
    Smith, G.: On the foundations of quantitative information flow. In: de Alfaro, L. (ed.) FOSSACS 2009. LNCS, vol. 5504, pp. 288–302. Springer, Heidelberg (2009)CrossRefGoogle Scholar
  52. 52.
    Terauchi, T., Aiken, A.: Secure information flow as a safety problem. In: Hankin, C., Siveroni, I. (eds.) SAS 2005. LNCS, vol. 3672, pp. 352–367. Springer, Heidelberg (2005)CrossRefGoogle Scholar
  53. 53.
    Tsay, Y.-K., Chen, Y.-F., Tsai, M.-H., Wu, K.-N., Chan, W.-C.: GOAL: A graphical tool for manipulating Büchi automata and temporal formulae. In: Grumberg, O., Huth, M. (eds.) TACAS 2007. LNCS, vol. 4424, pp. 466–471. Springer, Heidelberg (2007)CrossRefGoogle Scholar
  54. 54.
    van der Meyden, R.: Axioms for knowledge and time in distributed systems with perfect recall. In: Proc. IEEE Symposium on Logic in Computer Science, pp. 448–457 (1993)Google Scholar
  55. 55.
    van der Meyden, R., Wilke, T.: Preservation of epistemic properties in security protocol implementations. In: Proc. ACM Conference on Theoretical Aspects of Rationality and Knowledge, pp. 212–221 (2007)Google Scholar
  56. 56.
    van der Meyden, R., Zhang, C.: Algorithmic verification of noninterference properties. Electronic Notes in Theoretical Computer Science 168, 61–75 (2007)CrossRefGoogle Scholar
  57. 57.
    Vardi, M.Y.: An automata-theoretic approach to linear temporal logic. In: Moller, F., Birtwistle, G. (eds.) Logics for Concurrency. LNCS, vol. 1043, pp. 238–266. Springer, Heidelberg (1996)CrossRefGoogle Scholar
  58. 58.
    Vardi, M.Y., Wolper, P.: Reasoning about infinite computations. Information and Computation 115(1), 1–37 (1994)CrossRefzbMATHMathSciNetGoogle Scholar
  59. 59.
    Wolper, P.: Constructing automata from temporal logic formulas: A tutorial. In: Brinksma, E., Hermanns, H., Katoen, J.-P. (eds.) FMPA 2000. LNCS, vol. 2090, pp. 261–277. Springer, Heidelberg (2001)CrossRefGoogle Scholar
  60. 60.
    Yasuoka, H., Terauchi, T.: On bounding problems of quantitative information flow. In: Gritzalis, D., Preneel, B., Theoharidou, M. (eds.) ESORICS 2010. LNCS, vol. 6345, pp. 357–372. Springer, Heidelberg (2010)CrossRefGoogle Scholar
  61. 61.
    Zdancewic, S., Myers, A.C.: Observational determinism for concurrent program security. In: Proc. IEEE Computer Security Foundations Workshop, pp. 29–43 (June 2003)Google Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2014

Authors and Affiliations

  • Michael R. Clarkson
    • 1
  • Bernd Finkbeiner
    • 2
  • Masoud Koleini
    • 1
  • Kristopher K. Micinski
    • 3
  • Markus N. Rabe
    • 2
  • César Sánchez
    • 4
  1. 1.George Washington UniversityUSA
  2. 2.Universität des SaarlandesGermany
  3. 3.University of MarylandCollege ParkUSA
  4. 4.IMDEA Software InstituteSpain

Personalised recommendations