Abstract
Hyperproperties are properties of computational systems that require more than one trace to evaluate, e.g., many informationflow security and concurrency requirements. Where a trace property defines a set of traces, a hyperproperty defines a set of sets of traces. The temporal logics HyperLTL and HyperCTL* have been proposed to express hyperproperties. However, their semantics are synchronous in the sense that all traces proceed at the same speed and are evaluated at the same position. This precludes the use of these logics to analyze systems whose traces can proceed at different speeds and allow that different traces take stuttering steps independently. To solve this problem in this paper, we propose an asynchronous variant of HyperLTL. On the negative side, we show that the modelchecking problem for this variant is undecidable. On the positive side, we identify a decidable fragment which covers a rich set of formulas with practical applications. We also propose two modelchecking algorithms that reduce our problem to the HyperLTL modelchecking problem in the synchronous semantics.
This work was funded in part by Madrid Regional Government under project “S2018/TCS4339 (BLOQUESCM)”, by Spanish National Project “BOSCO (PGC2018102210B100)”, by the German Research Foundation (DFG) as part of the Collaborative Research Center “Foundations of Perspicuous Software Systems” (TRR 248, 389792660), by the European Research Council (ERC) Grant OSARES (No. 683300), and by the United Stated NSF SaTC Award 2100989.
Download conference paper PDF
1 Introduction
Hyperproperties [8] extend the conventional notion of trace properties [1] from a set of traces to a set of sets of traces. In other words, a hyperproperty stipulates a system property and not the property of just individual traces. Many interesting requirements in computing systems are hyperproperties and cannot be expressed by trace properties. Examples include (1) a wide range of informationflow security policies such as noninterference [14] and observational determinism [28], (2) sensitivity and robustness requirements in cyberphysical systems [27], and (3) consistency conditions such as linearizability in concurrent data structures [5].
HyperLTL [7] is a temporal logic for hyperproperties that enriches LTL with quantifiers allowing explicit and simultaneous quantification over multiple execution traces. For example, the observational determinism security policy [28] stipulates that any two executions that start in two lowequivalent states (i.e., states whose value of publicly observable variables are the same), should remain in lowequivalent states. This property can be expressed in HyperLTL as the following formula, called \(\varphi _{\mathsf {OD}} \), However, the semantics of HyperLTL (and other formal languages for hyperproperties) is synchronous, meaning that they completely abstract away the notion of time passage. In HyperLTL, all traces proceed at the same speed, as all temporal operators move the position on all traces simultaneously. Consider the program \(\textit{P}{}_1\) in Fig. 1, where input values \(\mathtt {0}\) and \(\mathtt {1}\) are possible for highsecret variable \(\mathtt {h}\). This renders two possible traces shown in Fig. 4a that satisfy \(\varphi _{\mathsf {OD}} \).
The synchronous semantics of HyperLTL has a shortcoming which has practical implications as well: formulas are not invariant under stuttering. Note that, contrary to LTL, disallowing the use of does not make the formula invariant under stuttering, as traces can still stutter independently. This limits the scope of application of HyperLTL to only those settings where different traces can be perfectly aligned. For example, consider program \(\textit{P}{}_2\) in Fig. 2, where line \(\ell _4\) in \(\textit{P}{}_1\) is refined to its intermediate code using a register that stores the value \(\mathtt {l+1}\) and then stores this value in memory location \(\mathtt {l}\) in lines \(\ell _4\) and \(\ell _5\), respectively. Applying the synchronous semantics of HyperLTL results in declaring a violation of \(\varphi _{\mathsf {OD}} \) in the second position. This, however, is not an accurate interpretation of \(\varphi _{\mathsf {OD}} \) (assuming that an attacker only has access to the memory footprint and not the CPU registers or a timing channel), as the two traces are stutter equivalent with respect to the state of variable \(\mathtt {l}\). In fact, the synchronous semantics of HyperLTL may incorrectly identify good programs as bad because it ignores the notion of relative time between traces. This problem is generally amplified in Kripke structures where selfloops correspond to nondeterministic choices that model that the system may remain in a state for some arbitrary time. For instance, consider \(\mathcal {K}\) in Fig. 3 and HyperLTL formula . Only pairs of traces that take the selfloop the same number of times satisfy this formula. However, since the goal of employing a selfloop is typically to make the duration of staying in a state irrelevant, this semantics is too restrictive.
Besides HyperLTL, other logics have been proposed that allow trace quantification, for example, \(H_\mu \) [15], which extends the linear time \(\mu \)calculus [3] with path quantifiers and indexed next operators. For \(H_\mu \), the modelchecking problem is in general undecidable, but two fragments, the ksynchronous, kcontext bounded fragments, have been identified for which model checking remains decidable [15].
In this paper, we propose an asynchronous temporal logic for hyperproperties. Our main motivation is to be able to reason about execution traces according to the relative order of the sequences of actions in each trace but not about the duration of each action. Software is inherently asynchronous, and so is hardware in many cases if one abstracts the execution platform or many features of the execution platform like pipelines, caches, memory contention, etc. We call our temporal logic Asynchronous HyperLTL or in short, AHLTL. The key addition is the notion of trajectory that controls the relative speed at which traces progress by chosing at each instant which traces move and which traces stutter. For example, the trajectory shown in Fig. 4c for the two traces of the program in Fig. 2 allows the lower trace to stutter in the first position while the upper trace advances. On the contrary, in the third position, the upper trace stutters while the lower trace moves from the second to the third position. This trajectory enables identification of stutter equivalence of the two traces with respect to state variable \(\mathtt {l}\) and, hence, successful verification of observational determinism. In order to reflect the notion of trajectories in our logic, we lift the syntax of HyperLTL by allowing a trajectory modality. This way, the corresponding formula for observational determinism in AHLTL is the following:
where \(\mathsf {E}\) denotes the existence of a trajectory for temporal operator . The AHLTL formula for the Kripke structure in Fig. 3 is . AHLTL allows us to reason about relational properties between two different systems that differ on timing, like for example, translation validation [22], which relates executions of the target code with the source code with respect to a (trace or hyper) property.
We show an encoding of the PCP problem into modelchecking a formula of the shape , which implies that modelchecking AHLTL is undecidable, even for the universal fragment. On the positive side, we show two decidable fragments of AHLTL. The first algorithm is based on a stuttering construction in which we modify the Kripke structure to accept all stuttering expansions of the original paths. This algorithm can handle fragment \(\forall \pi _1 \ldots \pi _n. \mathsf {E}.\psi \), where the \(\psi \) is a phase formula, a class of safety formulas that appear in many hyperproperties and are the building block of expressing trace equivalence. Our second algorithm uses an acceleration construction to convert a finite sequence of transitions that do not change phase, into a single transition. This algorithm is able to handle formulas with arbitrary quantification but a simpler kind of phase formulas. AHLTL is, thus, the first logic for hyperproperties that can express the major asynchronous hyperproperties of interest within decidable fragments. Moreover, AHLTL is the first logic for asynchronous hyperproperties with a practical model checking algorithm. Both algorithms use internally HyperLTL modelchecking as a building block. However, the reduction from AHLTL modelchecking into HyperLTL requires modifying both the formula and the model in a highly nontrivial way, to encode the exitence of trajectories. The choice of using HyperLTL modelchecking as a building block is based on the existence of tools, but it does not imply that asynchronous properties of interest can be expressed in HyperLTL directly.
We have evaluated the stuttering construction on two sets of cases studies: a range of compiler optimizations and an SPI bus protocol. In both case studies, we were able to prove system correctness using our reduction from AHLTL to synchronous HyperLTL.
Organization. The rest of the paper is structured as follows. Section 2 contains the preliminaries, and Sect. 3 introduces AHLTL and presents examples of properties expressible in AHLTL. Section 4 describes the decidable fragments and present procedures for the modelchecking problem. Section 5 shows that the modelchecking problem for general AHLTL formulas is undecidable and present the lowerbound complexity. Experimental results are presented in Sect. 6. Finally, Sect. 7 discusses the related work, while Sect. 8 concludes. Detailed proofs appear in the longer version of this paper in [4].
2 Preliminaries
Let \(\mathsf {AP} \) be a set of atomic propositions and \(\mathrm {\Sigma }=2^\mathsf {AP} \) be the alphabet, where we call each element of \(\mathrm {\Sigma }\) a letter. A trace is an infinite sequence \(\sigma =a_0a_1\cdots \) of letters from \(\mathrm {\Sigma }\). We denote the set of all infinite traces by \(\mathrm {\Sigma }^\omega \). We use \(\sigma (i)\) for \(a_i\) and \(\sigma ^i\) for the suffix \(a_ia_{i+1}\cdots \). A pointed trace is a pair \((\sigma ,p)\), where \(p \in \mathbb {N}_0\) is a natural number (called the pointer). Pointed traces allow to traverse a trace by moving the pointer. Given a pointed trace \((\sigma , p)\) and \(n > 0\), we use \((\sigma , p) + n\) as a short for \((\sigma ,p+n)\). We denote the set of all pointed traces by \(\mathsf {PTR} = \{(\sigma , p) \mid \sigma \in \mathrm {\Sigma }^\omega \, \text { and } \, p \in \mathbb {N}_0\}\).
Two pointed traces \((\sigma ,p)\) and \((\sigma ',p')\) are stuttering equivalent if there are two infinite sequences of indices \(p=i_0<i_1\ldots \) and \(p'=j_0<j_1\ldots \) such that for all \(k\ge 0\) and for all \(l\in [i_k,i_{k+1})\) and \(l'\in [j_k,j_{k+1})\), \(\sigma (l)=\sigma '(l')\). A pointed trace \((\sigma ',p')\) is a stuttering expansion of \((\sigma ,p)\) if there is a sequence \(p'=j_0<j_1<\ldots \) such that for all \(k\ge 0\) and for all \(l\in [j_k,j_{k+1})\), \(\sigma (p+k)=\sigma '(l)\). We say that \(\sigma \) is stuttering equivalent to \(\sigma '\) if \((\sigma ,0)\) is stuttering equivalent to \((\sigma ',0)\), and that \(\sigma '\) is a stuttering expansion of \(\sigma \) if \((\sigma ',0)\) is a stuttering expansion of \((\sigma ,0)\).
A Kripke structure is a tuple \(\mathcal {K}= \langle S, S_ init , \delta , L \rangle \), where \(S\) is a set of states, \(S_{ init } \subseteq S\) is the set of initial states, \(\delta \subseteq S\times S\) is a transition relation, and \(L: S \rightarrow \mathrm {\Sigma }\) is a labeling function on the states of \(\mathcal {K}\). We require that for each \(s\in S\), there exists \(s' \in S\), such that \((s, s') \in \delta \).
A path of a Kripke structure is an infinite sequence of states \(s(0)s(1)\cdots \in S^\omega \), such that \(s(0) \in S_ init \) and \((s(i), s({i+1})) \in \delta \), for all \(i \ge 0\). A trace of a Kripke structure is a trace \(\sigma (0)\sigma (1)\sigma (2) \cdots \in \mathrm {\Sigma }^\omega \), such that there exists a path \(s(0)s(1)\cdots \in S^\omega \) with \(\sigma (i) = L(s(i))\) for all \(i\ge 0\). Abusing notation we use \(\sigma =L(\rho )\) to denote that \(\sigma \) is the trace corresponding to path \(\rho \). We denote by \(\mathsf {Traces}(\mathcal {K}, s)\) the set of all traces of \(\mathcal {K}\) with paths that start in state \(s\in S\), We denote by \(\mathsf {Traces}(\mathcal {K},A)\) the set of all traces that start from some state in \(A\subseteq S\) and \(\mathsf {Traces}(\mathcal {K})\) as a short for \(\mathsf {Traces}(\mathcal {K},S_{ init })\).
HyperLTL. HyperLTL [7] is a temporal logic that extends LTL [19, 21] for hyperproperties, which allows reasoning about multiple execution traces simultaneously. The syntax of HyperLTL is:
where \(\pi \) is a trace variable from an infinite supply of trace variables. The intended meaning of \(a_\pi \) is that proposition \(a\in \mathrm {\Sigma }\) holds in the current time in trace \(\pi \). Trace quantifiers \(\exists \pi \) and \(\forall \pi \) allow reasoning simultaneously about different traces of the computation. Atomic predicates \(a_\pi \) refer to a single trace \(\pi \). Given a HyperLTL formula \(\varphi \), we use \(\mathsf {Vars} (\varphi )\) for the set of trace variables quantified in \(\varphi \). A formula \(\varphi \) is wellformed if for all atoms \(a_\pi \) in \(\varphi \), \(\pi \) is quantified in \(\varphi \) (i.e., \(\pi \in \mathsf {Vars} (\varphi )\)) and if no trace variable is quantified twice in \(\varphi \). Given a set of traces T, the semantics of a HyperLTL formula \(\varphi \) is defined in terms of trace assignments, which is a (partial) map from trace variables to indexed traces \(\varPi :\mathsf {Vars} (\varphi )\mathrel {\rightharpoonup }\mathsf {PTR} \). The trace assignment with empty domain is denoted by \(\varPi _\emptyset \). We use \(\textit{Dom}(\varPi )\) for the subset of \(\mathsf {Vars} (\varphi )\) for which \(\varPi \) is defined. Given a trace assignment \(\varPi \), a trace variable \(\pi \), a trace \(\sigma \) and a pointer p, we denote by \(\varPi [\pi \mapsto (\sigma ,p)]\) the assignment that coincides with \(\varPi \) for every trace variable except for \(\pi \), which is mapped to \((\sigma ,p)\). Also, we use \(\varPi +n\) to denote the trace assignment \(\varPi '\) such that \(\varPi '(\pi )=\varPi (\pi )+n\) for all \(\pi \in \textit{Dom}(\varPi ) = \textit{Dom}(\varPi ')\). The semantics of HyperLTL is:
Note that quantifiers assign traces to trace variables and set the pointer to the initial position 0. We say that a set of traces T is a model of a HyperLTL formula \(\varphi \), denoted \(T\models \varphi \) whenever \(\varPi _\emptyset \models _T\varphi \). A Kripke structure \(\mathcal {K}\) is a model of a HyperLTL formula \(\varphi \), denoted by \(\mathcal {K}\models \varphi \), whenever \(\mathsf {Traces}(\mathcal {K})\models \varphi \).
3 Asynchronous HyperLTL
We introduce a temporal logic AHLTL as an extension of HyperLTL to express asynchronous hyperproperties.
Trajectories. To model the asynchronous passage of time, we now introduce the notion of a trajectory, which chooses when traces move and when they stutter. Let \(\mathcal {V}\) be a set of trace variables and let \(I \subseteq \mathcal {V}\). The Isuccessor of a trace assignment \(\varPi \), denoted by \(\varPi +I\), is the trace assignment \(\varPi '\) such that \(\varPi '(\pi )=\varPi (\pi )+1\) if \(\pi \in I\) and \(\varPi '(\pi )=\varPi (\pi )\) otherwise. That is, the pointers of indices in I advance by one step, while the others remain the same. A trajectory \(t: t(0)t(1)t(2)\cdots \) for a formula \(\varphi \) is an infinite sequence of nonempty subsets of \(\mathsf {Vars} (\varphi )\). Essentially, in each step of the trajectory one or more of the traces make progress. A trajectory is fair for a trace variable \(\pi \in \mathsf {Vars} (\varphi )\) if there are infinitely many positions j such that \(\pi \in t(j)\). A trajectory is fair if it is fair for all trace variables in \(\mathsf {Vars} (\varphi )\). Given a trajectory \(t\), by \(t^i\), we mean the suffix \(t(i)t(i+1)\cdots \). Furthermore, for a set of trace variables \(\mathcal {V}\), we use \(\mathsf {TRJ} _\mathcal {V}\) for set of all trajectories for indices from \(\mathcal {V}\).
3.1 Syntax and Semantics of Asynchronous HyperLTL
The syntax of Asynchornous HyperLTL is:
where \(a \in \mathsf {AP} \), \(\pi \) is a trace variable from an infinite supply \(\mathcal {V}\) of trace variables, \(\mathsf {E}\) is the existential trajectory modality and \(\mathsf {A}\) is the universal trajectory modality. The intended meaning of \(\mathsf {E}\) is that there is a trajectory that gives an interpretation of the relative passage of time between the traces for which the temporal formula that relates the traces is satisfied. Dualy, \(\mathsf {A}\) means that for all trajectories, the resulting alignment makes the inner formula true. It is important to note that there is no nesting of trajectory modalities and that all temporal operators in a formula are interpreted with respect to a single modality.
We use the usual syntactic sugar for Boolean operators \( true {\mathop {=}\limits ^{\text {def }}}a_\pi \vee \lnot a_\pi \), \( false {\mathop {=}\limits ^{\text {def }}}\lnot true \), \(\varphi _1 \wedge \varphi _2 {\mathop {=}\limits ^{\text {def }}}\lnot (\lnot \varphi _1 \vee \lnot \varphi _2)\), and the syntactic sugar for temporal operators , \(\varphi _1 \rightarrow \varphi _2 {\mathop {=}\limits ^{\text {def }}}\lnot \varphi _1 \vee \varphi _2\), and , etc.
As before, we use trace assignments for the semantics of AHLTL. Given \((\varPi ,t)\) where \(\varPi \) is a trace assignment and t a trajectory, we use \((\varPi ,t)+1\) for the successor of \((\varPi ,t)\) defined as \((\varPi ',t')\) where \(t'=t^1\), and \(\varPi '(\pi )=\varPi (\pi )+1\) if \(\pi \in t(0)\) and \(\varPi '(\pi )=\varPi (\pi )\) otherwise. We use \((\varPi ,t)+k\) as the kth successor of \((\varPi ,t)\).
The satisfaction of an asynchronous HyperLTL formula \(\varphi \) over a trace assignment \(\varPi \) and a set of traces T, denoted by \(\varPi \models _T \varphi \) is defined as follows:
We say that a set T of traces satisfies a closed sentence \(\varphi \), denoted by \(T \models \varphi \), if \(\varPi _\emptyset \models _T \varphi \). We say that a Kripke structure \(\mathcal {K}\) satisfies an AHLTL formula \(\varphi \) (and write \(\mathcal {K}\models \varphi \)) if and only if we have \(\mathsf {Traces}(\mathcal {K}, S_ init )\models \varphi \).
3.2 Examples of AHLTL
We illustrate the expressive power of AHLTL by introducing the asynchronous version of wellknown properties.
Linearizability. [16] requires that any history of execution of a concurrent data structure (i.e., sequence of invocation and response by different threads) matches some sequential order of invocations and responses:
where \(\mathsf {history}\) denotes method invocations (and not the actual execution of the internal instructions of the concurrent library) by the different threads and the response observed, trace \(\pi \) ranges over the concurrent data structure and \(\pi '\) ranges over its sequential counterpart.
Goguen and Meseguer’s Noninterference (GMNI). [14] stipulates that, for all traces, the lowobservable output must not change when all high inputs are removed:
where \(\lambda _{\pi '}\) expresses that all of the high inputs in the current state of \(\pi '\) have dummy value \(\lambda \), and denotes lowobservable output proposition.
Not never Terminates. [18] requires that for every initial state, there is a terminating trace and a nonterminating trace:
TerminationInsensitive Noninterference. [25] requires that for two executions that start from a lowobservable states, information leaks are permitted if they are transmitted purely by the program’s termination behavior. That is, the program may diverge on some high inputs and terminate on others:
TerminationSensitive Noninterference. [2] Terminationsensitive noninterference is the same as termination insensitive, except that it forbids one trace to diverge and the other to terminate:
4 ModelChecking AHLTL
In this section, we show the decidability of the modelchecking problem for two classes of AHLTL formulas using two different algorithms:

(1)
a stuttering construction in which we modify the Kripke structure \(\mathcal {K}\) to accept all stuttering expansions of paths in \(\mathcal {K}\); and

(2)
an acceleration construction in which the modified Kripke structure accelerates jumping directly to the synchronization points.
In both cases the problem is reduced to modelchecking HyperLTL formulas, which is known to be decidable [7, 12]. We describe each construction separately.
4.1 The Stuttering Construction
We consider first AHLTL formulas of the form \( \forall \pi _1\ldots \pi _n.\mathsf {E}.\psi . \) We will then extend our results to the \(\exists ^*\) fragment, to handle the \(\mathsf {A}\) trajectory modality and to a larger collection of predicates. The class of temporal formulas \(\psi \) that we handle are called admissible formulas, and are defined as the Boolean combination of:

1.
any number of state formulas, which may relate propositions \(p_{\pi _i}\) of different traces arbitrarily;

2.
any number temporal formulas (called monadic temporal formulas), each of which only uses one trace variable and is invariant under stuttering (guaranteed for example by forbidding the use of ), and

3.
one phase formula, which is an invariant that can relate different traces in a restricted way (see below).
Given an admissible formula \(\psi \), we use \(\psi _{\textit{ph}}\) for its phase formula, and we use \(\psi [\psi _{\textit{ph}}\triangleleft \xi ]\) for the formula that results from \(\psi \) by replacing \(\psi _{\textit{ph}}\) with \(\xi \). Since \(\psi _{\textit{ph}}\) occurs only once in \(\psi \), we use the fact that \(\psi _{\textit{ph}}\) appears with a single polarity. We present here the construction for positive polarity which is the case in all practical formulas (the case for negative polarity is analogous).
The algorithm has two parts. First, we generate the stuttering Kripke structure \(\mathcal {K}^{\textit{st}}\) whose paths are the stuttering expansions of paths in the original Kripke structure \(\mathcal {K}\). Then, we modify the admissible formula \(\psi \) into \(\psi _{ sync }\) such that \(\mathcal {K}\models \forall \pi _1\ldots \pi _n.\mathsf {E}.\psi \) if and only if \(\mathcal {K}^{\textit{st}}\models \forall \pi _1\ldots \pi _n.\psi _{ sync }\). We describe each of the concepts separately.
Phase Formulas. We first define atomic phase formulas \( (\bigwedge _{p\in P} p_{\pi _i}\mathrel {\leftrightarrow }p_{\pi _j}) \) which are characterized by \((\pi _i,\pi _j,P)\), where \(P\subseteq \mathsf {AP} \) and \(\pi _i\) and \(\pi _j\) are two different trace variables. We use color to refer to a valuation of the variables in P. Essentially, an atomic phase formula asserts that all propositions in P coincide in both traces at all points in time, that is, both traces exhibit the same sequence of colors. Since the passage of time proceeds at different speeds in the different traces—according to the trajectory—atomic phase formulas state the traces for \(\pi _i\) and \(\pi _j\) are sequences of phases of the same color, where corresponding phases may have different lengths. A phase formula is formed from atomic formulas as follows:
We use \(\mathcal {P}:\{(\pi _i^1,\pi _j^1,P^1),\ldots ,(\pi _i^k,\pi _j^k,P^k)\}\) for the collection of predicates and trace variables that characterize a phase formula.
Stuttering Kripke Structure. We start from \(\mathcal {K}\) and create \(\mathcal {K}^{\textit{st}}\) that accepts the stuttering expansions of traces in \(\mathcal {K}\). First, the alphabet of atomic propositions is enriched with a fresh proposition \( st \), that is \(\mathsf {AP} ^{ st }=\mathsf {AP} \cup \{ st \}\), to encode whether the state represents a real move or a stuttering move. Given \(\mathcal {K}=\langle S, S_ init , \delta , L\rangle \), the stuttering Kripke structure is \(\mathcal {K}^{\textit{st}}=\langle S^ st , S_ init , \delta ^ st ,L^ st \rangle \) where:

\(S^ st =S\cup \{s^ st \mid s\in S\}\) contains two copies of each state in S, where we use \(s^ st \) to denote the stuttering state that corresponds to s;

\(\delta ^ st =\delta \cup \{(s,s^ st )\}\cup \{(s^ st ,s^ st )\} \cup \{(s^ st ,s') \mid \text { for every } (s,s')\in \delta \}\).

\(L^ st (s)=L(s)\) for \(s\in S\), and \(L^ st (s^ st )=L(s)\cup \{ st \}\).
The construction generates a Kripke structure \(\mathcal {K}^{\textit{st}}\) which is linear in the size of the original Kripke structure \(\mathcal {K}\). It is easy to see that every stuttering expansion of a path of \(\mathcal {K}\) has a corresponding path in \(\mathcal {K}^{\textit{st}}\), where the repeated version of state s is captured by state \(s^ st \). Conversely every path \(\rho '\) in \(\mathcal {K}^{\textit{st}}\) whose trace satisfies can be turned into its “stuttering compression” by removing all stuttering states, which is a path of \(\mathcal {K}\). Note that the constraint guarantees that there are infinitely many nonstuttering positions in \(\rho '\), so \(\rho \) is welldefined. Hence, this constructions provides a onetoone correspondence between a trajectory toguether with a tuple of traces of \(\mathcal {K}\), and the corresponding tuple of traces of \(\mathcal {K}^{\textit{st}}\).
State and Monadic Formulas are not Affected by Trajectories. State formulas are relational formulas that are evaluated at the beginning of the computation. Temporal monadic formulas only refer to one trace variable and are stuttering invariant by definition. Therefore, none of these formulas are affected by the stuttering induced by a trajectory, as the relative stuttering among traces does not affect their truth valuation. We first note that given a trace assigned for each of the trace variables in \(\mathsf {Vars} (\varphi )\) the truth value of state formulas and monadic formulas does not depend on the trajectory chosen.
Phase Alignment of Asynchronous Sequences. We use the stuttering in \(\mathcal {K}^{\textit{st}}\) to encode the relative progress of traces as dictated by a trajectory. We will now introduce synchronous HyperLTL formulas to reason in \(\mathcal {K}^{\textit{st}}\) about the corresponding states during the asynchronous evaluation in \(\mathcal {K}\). The important concept is that of “phase changes”, which are the points in a trace \(\sigma \) at which the valuation of the predicates P in an atomic phase formula \((\pi _i,\pi _j,P)\) change. Let \(\varPi \) be a trace assignment for traces in \(\mathcal {K}\) that maps \(\pi _i\) to a pointed trace \((\sigma ,l)\). We say that in assignment \(\varPi \), trace variable \(\pi _i\) is about to change phase with respect to \((\pi _i,\pi _j,P)\) if for some \(p\in P\) either \(p\in \sigma (l)\) but \(p\notin \sigma (l+1)\) or \(p\notin \sigma (l)\) but \(p\in \sigma (l+1)\). Note that in \(\mathcal {K}^{\textit{st}}\) the next relevant letter (the one corresponding to \(\sigma (l+1)\) is the first letter that is not a stuttering letter). Formula \(\textit{change} _P(\pi _i)\) captures that the next nonstuttering step of \(\pi _i\) is a phase change (with respect to predicates in P and therefore with respect to atomic phase formula \(\alpha \)):
A phase change for \(\pi _i\) in atomic phase formula \((\pi _i,\pi _j,P)\) implies that \(\pi _j\) must also proceed to change phase. The second observation is that when \(\pi _i\) and \(\pi _j\) are not changing phases, any choice that the trajectory makes will preserve the valuation of the atomic phase formula.
We now capture formally this intuition as formulas. Predicate indicates whether trace variable \(\pi _i\) will move (and not stutter) at a given instant of the computation. The following temporal formula captures the consistency criteria of phase changes as a synchronized decision for moving traces \(\pi _i\) and \(\pi _j\) related by an atomic phase formula \((\pi _i,\pi _j,P)\):
We will reduce the modelchecking problem in AHLTL to checking in \(\mathcal {K}^{\textit{st}}\) that tuples of traces that align phase changes—for all atomic phase formulas— satisfy all subformulas of the specification \(\psi \). The following two formulas express that all atomic phase formulas align, and that all traces are fair (all traces eventually move):
We will then check in \(\mathcal {K}^{\textit{st}}\) that all stuttering traces that align phases and are fair satisfy the desired formula \(\psi \), that is . Note that all those tuples of traces that do not align phases are ruled out in the antecedent.
A final technical detail in the construction is that we must guarantee that for all tuples of paths of \(\mathcal {K}\) there are stuttering expansions that are fair and align phases, and that they have the same number of phases. Otherwise, there are paths of \(\mathcal {K}\) that cannot be aligned, which inevitably leads to a violation of \(\psi _{\textit{ph}}\). It could be the case that some tuple of traces of \(\mathcal {K}\) cannot possibly align the phase changes corresponding to all atomic phase formulas. This can happen in two cases: (1) when two traces have different number of phases, and (2) when there is a circular dependency between the atomic formulas that force the trajectory to synchronize the traces in incompatible orders. The first case is captured by:
The second case is captured by the following formula, where \(\textit{cycles} (\psi _{\textit{ph}})\) are the sequences of atomic formulas that form a simple cycle, that is \([(\pi ^0,\pi ^1,P^0),(\pi ^1,\pi ^2,P^1)\ldots (\pi ^k,\pi ^0,P^k)]\) such that the second trace variable is the first trace variable of the next atomic phase formula, circularly (see Ex. 1 below):
Essentially, \(\textit{block} \) encodes whether the set of traces involved cannot proceed without violating \(\textit{phase} \), because \(\textit{align} \) forbids all traces involved to move. Hence, the formula captures to those traces of \(\mathcal {K}^{\textit{st}}\) that contain an aligned prefix of computation that lead to a missalignment or a block. The proof of correctness shows that given a tuple of traces of \(\mathcal {K}\), if there is a trajectory that aligns the phase changes (which must exist if there is a trajectory that makes \(\psi _{\textit{ph}}\) true), then all trajectories that respect will also align the phase changes (and also satisfy \(\psi _{\textit{ph}}\)).
We are finally ready to describe the synchronous phase formula \(\psi _{ sync }\). First, this formula is only evaluated against tuples of fair traces, which correspond to the stuttering extensions of paths of \(\mathcal {K}\). Then, the phase formula \(\psi _{\textit{ph}}\) is translated into a formula that captures (1) that following a phase alignment cannot lead to a block or to two traces changing phases a different number of times, and (2) that if phases are aligned then \(\psi _{\textit{ph}}\) holds. Formally,
Example 1
We illustrate the previous definitions with the Kripke structures \(\mathcal {K}_1\), \(\mathcal {K}_2\) and \(\mathcal {K}_3\) in Fig. 5 and their stuttering variants \(\mathcal {K}_1^ st \), \(\mathcal {K}_2^ st \) and \(\mathcal {K}_3^ st \) Consider formula . Consider the following trace assignments:
Consider the trace assignment \(\varPi ^1\) on the left, where \(\pi _1\) is a trace of \(\mathcal {K}_1^ st \) corresponding to the path of \(\mathcal {K}_1\) that visits \(s_1\), and \(\pi _2\) corresponds to the path that visits \(s_2\). This trace assignment aligns the atomic phase formula \((\pi _1,\pi _2,\{a\})\) at all positions. In particular, at position 0, we have \(\textit{change} _{\{a\}}(\pi _1)\), but \(\lnot \textit{change} _{\{a\}}(\pi _2)\), and \(\lnot \textit{move} (\pi _1)\) and \(\textit{move} (\pi _2)\), as \(\textit{align} _{\{a\}}\) requires.
Consider now the trace assignment \(\varPi ^2\) in the middle, where again \(\pi _1\) corresponds to the path in \(\mathcal {K}_1^ st \) that visits \(s_1\) and \(\pi _2\) the path that visits \(s_2\). In this case, we have \(\lnot \textit{align} _{\{a\}}\) at position 0 because \(\textit{change} _{\{a\}}(\pi _1)\) and \(\lnot \textit{change} _{\{a\}}(\pi _2)\) hold, and both \(\textit{move} (\pi _1)\) and \(\textit{move} (\pi _2)\). Consider now \(\varPi ^3\) on the right, where \(\pi _1\) corresponds to the path of \(\mathcal {K}_2^ st \) that visits \(s_3\) and \(\pi _2\) to the path of \(\mathcal {K}_2^ st \) that visits \(s_4\). In this case \(\textit{align} _{\{a\}}\) holds at 0 and \(\textit{missalign} \) holds at 1 because at 1, holds, but not . Therefore, holds for \(\varPi ^3\). Finally, consider and the trace assignment \(\varPi \) of \(\mathcal {K}_3^ st \) shown below on the left. In this case \(\textit{phase} \) holds at position 0 and \(\textit{block} \) holds at position 1. This is because \(\textit{change} _{\{a\}}(\pi _1)\) and \(\lnot \textit{change} _{\{a\}}(\pi _2)\), \(\textit{change} _{\{b\}}(\pi _2)\) and \(\lnot \textit{change} _{\{b\}}(\pi _3)\), and \(\textit{change} _{\{c\}}(\pi _3)\) and also \(\lnot \textit{change} _{\{c\}}(\pi _1)\). This illustrates that it will not be possible to align all three atomic phase formulas.
We are now ready to state the main result of this section.
Theorem 1
Let \(\mathcal {K}\) be a Kripke structure and \(\psi \) an admissible formula. Then, \(\mathcal {K}\models \forall \pi _1\ldots \pi _n.\mathsf {E}.\psi \) if and only if \(\mathcal {K}^{\textit{st}}\models \forall \pi _1\ldots \pi _n.\psi _{ sync }\).
Dually, to show that the \(\exists ^*\) fragment is decidable, we consider replacing \(\psi _{\textit{ph}}\) by the formula
Theorem 2
Let \(\mathcal {K}\) be a Kripke structure and \(\psi \) an admissible formula. Then \(\mathcal {K}\models \exists \pi _1\ldots \pi _n.\mathsf {E}.\psi \) if and only if \(\mathcal {K}^{\textit{st}}\models \exists \pi _1\ldots \pi _n.\psi _{\textit{esync}}\).
The proof of Theorem 2 takes a witness tuple and trajectory in \(\mathcal {K}\) and shows that the induced tuple in \(\mathcal {K}^{\textit{st}}\) is \(\textit{fair} \), satisfies and that the valuation of \(\psi _{\textit{ph}}\) is preserved. Similarly, as before, tuples of traces of \(\mathcal {K}^{\textit{st}}\) that are fair and follow phase alignments induce a trajectory on their stuttering compression that also preserve \(\psi _{\textit{ph}}\).
Corollary 1
The problems of modelchecking \(\forall ^*\) admissible AHLTL formulas and \(\exists ^*\) admissible AHLTL formulas is decidable.
We finally consider the negation of phase formulas, called cophase formulas, which are formulas of the form where R a conjunction of atomic phase formulas. Interestingly, deciding coadmissible formulas (consisting of Boolean combinations of stateformulas, monadic temporal formulas and one cophase formula in positive polarity) is easier than before, as one can turn the cophase formula into a monadic formula enumerating all the violations of the atomic phase formulas (\(p\in P\) such that ) turns the atomic phase formula into . It follows that modelchecking coadmissible formulas is also decidable (for both \(\forall ^*\) and \(\exists ^*\)). Note that an admissible formula in negative polarity is a coadmissible formula in positive polarity (and vice versa). Finally, since \(\mathcal {K}\models \forall \pi _1\ldots \forall \pi _n.\mathsf {A}.\psi \) if and only if \(\mathcal {K}\not \models \exists \pi _1\ldots \exists \pi _n.\mathsf {E}.\lnot \psi \), it follows that modelchecking is also decidable for the \(\mathsf {A}\) modality for both admissible and coadmissible formulas (in both polarities), and for both the \(\forall ^*\) and \(\exists ^*\) fragments.
Theorem 3
Modelchecking \(\forall ^*\) or \(\exists ^*\) admissible and coadmissible formulas is decidable both for formulas with \(\mathsf {E}\) and formulas with \(\mathsf {A}\).
4.2 The Accelerating Construction
The admissible formula in the stuttering construction can express many formulas of interest, but the quantifier structure admits no quantifier alternation. We now consider a second decidable fragment for AHLTL formulas consisting of formulas with arbitrary quantification \( \mathbb {Q}_1 \pi _1. \mathbb {Q}_2\pi _2.\ldots . \mathbb {Q}_n\pi _n \mathsf {E}. \psi \) such that \(\mathbb {Q}_i \in \{\forall , \exists \}\), but where \(\psi \) is an admissible formula where all atomic phase formulas use the same atomic predicates \(P\subseteq \mathsf {AP} \). We call these admissible formulas simple admissible formulas. The proof of decidability proceeds this time by creating the accelerated Kripke structure \(\mathcal {K}^{\textit{acc}}\), where paths jump in one step to the next phase change, and reducing to a HyperLTL modelchecking problem on \(\mathcal {K}^{\textit{acc}}\).
Accelerated Kripke Structure. The main idea of the acceleration construction is to convert a finite sequence of transitions in \(\mathcal {K}\) that only change phase in the last transition into a single transition in \(\mathcal {K}^{\textit{acc}}\). Also, an infinite sequence of transitions with no phase change is transformed into a selfloop around a sink state. The alphabet remains the same, \(\mathsf {AP} \). Given \(\mathcal {K}=\langle S, S_ init , \delta , L\rangle \), the accelerated Kripke structure is \(\mathcal {K}^{\textit{acc}}=\langle S^ acc , S_ init , \delta ^ acc ,L^ acc \rangle \) where:

\(S^ acc =S\cup \{s_\bot \mid s\in S\}\) contains two copies of each state in S, where we use \(s_\bot \) to denote the sink state associated with s. We use \(\textit{color}(s)\) for the phase of s, that is, the concrete valuation in s of the Boolean predicates in P of the atomic phase formula.

For every states \(s, s' \in S\) such that \(\textit{color}(s)\ne \textit{color}(s')\), if there is a finite path \(ss_2s_3\ldots s_ns'\) in \(\mathcal {K}\) such that \(\textit{color}(s)=\textit{color}(s_2)=\cdots =\textit{color}(s_n),\) then we add a transition \((s,s')\) to \(\delta ^ acc \). These transitions model the jump at the frontier of phase changes. Additionally, if s can be a sink we add a transition \((s,s_\bot )\) and a selfloop from \(s_\bot \) to itself.

\(L^ acc (s)=L(s)\) for \(s\in S\), and \(L^ acc (s_\bot )=L(s)\).
This construction can, with standard techniques, be enriched to encode the satisfaction of the temporal monadic formulas along paths of \(\mathcal {K}\), and then also accelerate the fairness conditions (annotating the accepting states reached along the accelerated paths) into \(\mathcal {K}^{\textit{acc}}\).
Relating Paths to Accelerated Paths. We now define two auxiliary functions to aid in the proof.

The first function, \(\textit{acc}\), maps paths in \(\mathcal {K}\) into paths in \(\mathcal {K}^{\textit{acc}}\). Let s be an arbitrary state of \(\mathcal {K}\) and \(\rho :ss_1s_2s_3\ldots \) an outgoing path from s. Either there are infinitely many phase changes in \(\rho \) or only finitely many changes. We create the path \(\rho '=\textit{acc}(\rho )\) as follows. The initial state of \(\rho \), that is, s, is preserved. The states \(s_{i_j}\) in \(\sigma \) that are color changes (that is \(\textit{color}(s_{i_j1} )\ne \textit{color}(s_{i_j}\)) are also preserved, while the states \(s_k\) with \(\textit{color}(s_{k1})=\textit{color}(s_k)\) are removed from \(\rho \). If there are only finitely many color changes in \(\rho \), with r being the last state preserved, then we pad the path with \(r_\bot ^\omega \), so \(\rho '\) is also an infinite path. It is easy to see that \(\rho '\) is a path of \(\mathcal {K}^{\textit{acc}}\) outgoing s. It is also easy to see that the phase changes in \(\rho \) and \(\rho '\) are the same.

The second map, \(\textit{dec}\), takes a path \(\rho ':ss_1's_2'\ldots \) of \(\mathcal {K}^{\textit{acc}}\) and maps it to a path of \(\mathcal {K}\) as follows. For every transition \((s_i',s_{i+1}')\) in \(\rho \) such that \(s_{i+1}'\) is not of the form \(r_\bot \), there is a finite path \(r_1r_2\ldots r_m\) in \(\mathcal {K}\) from \(s_i'\) into \(s_{i+1}'\) that visits only states with the same color as \(s_i'\), except \(s_{i+1}\) that is a color change. In \(\rho \), we insert \(r_1r_2\ldots r_m\) between \(s_i'\) and \(s_{i+1}'\). Now, if for some j, \(s'_j\) is of the form \(r_\bot \) then \(s'_k=r_\bot \) for all \(k>j\). In \(\mathcal {K}\) there must an infinite path from \(s'_j\) that only visits the same color as \(s'_j\). We remove all successor states after the first such \(r_\bot \) state and replace it with one such infinite path.
Given a trace assignment \(\varPi \) for formula \(\mathbb {Q}_1\pi _1.\ldots \mathbb {Q}_n\pi _n.\mathsf {E}.\psi \) that assigns \(\varPi (\pi _i)=(\sigma _i,0)\) for every i and a path assignment \(\varPi '\) for formula \(\mathbb {Q}_1\pi _1.\ldots .\mathbb {Q}_n\pi _n.\psi \) that assigns \(\varPi '(\pi _)i=(\sigma _i',0)\), we write \(\textit{acc}(\varPi )=\varPi '\) if the paths that generate the corresponding traces are related by \(\textit{acc}\). Similarly we defined \(\textit{dec}(\varPi ')=\varPi \). It is easy to show from the construction above that if \(\varPi \models \mathsf {E}\psi \) then \(\textit{acc}(\varPi )\models \psi \), and if \(\varPi '\models \psi \) then \(\textit{dec}(\varPi ')\models \mathsf {E}\psi \).
The main result for the accelerating construction follows immediately from this observation and allows to reduce the modelchecking problem to HyperLTL.
Theorem 4
Let \(\mathcal {K}\) be an arbitrary Kripke structure, \(\mathbb {Q}_1\pi _1.\ldots .\mathbb {Q}_n\pi _n.\mathsf {E}.\psi \) such that \(\psi \) is a simple admissible formula. Then \(\mathcal {K}\models {}\mathbb {Q}_1\pi _1.\ldots {}\mathbb {Q}_n\pi _n\mathsf {E}.\psi \) if and only if \(\mathcal {K}^{\textit{acc}}\models {}\mathbb {Q}_1\pi _1.\ldots {}\mathbb {Q}_n\pi _n.\psi \).
4.3 Decidable Practical AHLTL Formulas
We revisit the properties expressed in Sect. 3.2.

Linearizability. The property \(\varphi _{\mathsf {LNZ}}\) is of the form where the temporal formula is a simple admissible formula. Therefore \(\varphi _{\mathsf {LNZ}}\) is decidable by the accelerating construction.

Goguen and Meseguer’s noninterference. The property \(\varphi _{\mathsf {GMNI}}\) is expressed by , that is, a Boolean combination of a monadic temporal formula and a simple admissible formula. Therefore, \(\varphi _{\mathsf {GMNI}}\) is decidable by the acceleration algorithm.

Not never terminates. Formula \(\varphi _{\mathsf {NNT}}\) is simply a Boolean combination of state formulas and monadic temporal formulas: , so it is again decidable by the acceleration construction.

Terminationinsensitive noninterference. To handle \(\varphi _{\mathsf {TIN}}\) we rewrite the formula as follows
Note that can be turned into a state predicate of \(\pi \). This formula is equivalent because the last case is evaluates precisely to \(l_\pi \mathrel {\leftrightarrow }l_{\pi '}\) when both traces terminate. This formula can be handled by the stuttering construction.

Terminationsensitive noninterference. Similarly, to handle \(\varphi _{\mathsf {TSN}}\) we rewrite the formula as
This is again equivalent because the last case again is the only relevant case when both paths terminate. Again, this case is covered by the stuttering construction.
5 Undecidability and LowerBound Complexity
In this section, we show that the general problem of modelchecking AHLTL is undecidable. Then, we show a polynomial reduction from the synchronous HyperLTL modelchecking into AHLTL modelchecking, which shows that even for those AHLTL formulas for which the modelchecking is decidable, this problem is no easier than the corresponding problem for HyperLTL, which is known to be PSPACEhard in the size of the Kripke structure.
Theorem 5
Let \(\mathcal {K}\) be a Kripke structure and \(\varphi \) be an asynchronous HyperLTL formula. The problem of determining whether or not \(\mathcal {K}\models \varphi \) is undecidable.
Proof (sketch)
We reduce the complement of the post correspondence problem (PCP) [23, 26] to the AHLTL model checking problem. PCP consists of a set of dominos, for example, of the form \([\frac{w}{v}] =\{[\frac{b}{ca}],[\frac{a}{ab}],[\frac{ca}{a}],[\frac{abc}{c}]\}\) and the problem is to decide whether there is a sequence of dominos (with possible repetitions), such that the upper and lower finite strings of the dominos are equal. A solution to the above set of dominos is the sequence \([\frac{a}{ab}][\frac{b}{ca}][\frac{ca}{a}] [\frac{a}{ab}][\frac{abc}{c}]\). We map a given set of dominos to a Kripke structure that allows arranging the dominos in a sequence (see Fig. 6 for an example), where v and w indicate lower and upper words, respectively, \( dom ^i\) is for each domino \([\frac{w_i}{v_i}]\), and proposition \( lc \) marks whether or not a new letter is processed. The AHLTL formula in our reduction is the following such that \( dom _{\pi _w} \,{\mathop {=}\limits ^{\text {def }}}\,\bigvee _{i\in [1..k]} dom _{\pi _w}^i\):
The intention of formula \(\varphi _{\overline{ pcp }}\) is that the Kripke structure is a model of the formula if and only if the original PCP problem has no solution. Intuitively, formula \(\varphi _{\textit{type}}\) forces trace \(\pi _w\) (respectively, \(\pi _v\)) to traverse only the traces labeled by w (respectively, v) to build a wword (respectively, vword). Formula \(\varphi _{ domino }\) establishes that the trajectory aligns the positions at which the domino indices are checked and at last once the index is different. Finally, formula \(\varphi _{ word }\) captures if \(\pi _w\) and \(\pi _v\) are aligned to compare the letters, at least one pair of the letters prescribed by the existential trajectory are different. In the detailed proof in [4], we show that the constructed Kripke structure satisfies formula \(\varphi _{\overline{ pcp }}\) if and only if the answer to deciding PCP is negative. \(\square \)
Theorem 5 above implies that there is no algorithm to decide the modelchecking problem correctly for every formula and every system. However, as we saw in Sect. 4 for some formulas the modelchecking problem is decidable. We now show that in these cases the problem is at least as hard as modelchecking HyperLTL, which is known to be PSPACEhard [7, 24].
Theorem 6
Given a HyperLTL formula \(\varphi \) and a Kripke structure \(\mathcal {K}\) there is a AHLTL formula \(\varphi '\) and a Kripke structure \(\mathcal {K}'\) such that \(\mathcal {K}'\) is linear in the size of \(\mathcal {K}\), \(\varphi '\) is polynomial on the size of \(\varphi \) and \( \mathcal {K}\models \varphi \text { if and only if } \mathcal {K}'\models \varphi '\).
The proof proceeds as follow. Giving \(\mathcal {K}\) we build a Kripke structure \(\mathcal {K}'\) that alternates between real states in \(\mathcal {K}\) and synchronization states. Then the formula is transformed to force alternations at every other step, therefore forcing the trajectory to synchronize (see [4] for details). Since the modelchecking problem for HyperLTL is PSPACEhard on the size of the Kripke structure, the same follows for AHLTL.
Corollary 2
For asynchronous HyperLTL formulas, the model checking problem is PSPACEhard in the size of the system.
6 Case Studies and Evaluation
We applied our algorithm for the \(\forall ^*_\pi \mathsf {E}\) AHLTL fragment to several examples. After manually reducing the asynchronous model checking problem to a synchronous one, we use MCHyper [10, 11] to check our property. MCHyper is a model checker for synchronous HyperLTL that can handle formulas with up to one quantifier alternation. It computes the self composition of the system and composes it with the formula automaton. ABC [6] is then used as the backend tool checking the reachability of a violation.
Our reduction from the asynchronous to the synchronous semantics follows the stuttering construction described in Sect. 4.1. To model check a system against an AHLTL formula, we first add a stuttering input to the system that forces the system to stutter in the current state. The transformed formula ensures that the stuttering guarantees synchronous phase changes. In future work, we will fully automate our reduction resulting in a verification tool for asynchronous hyperproperties from the decidable fragment. We now describe the various case studies^{Footnote 1}. All our experiments were performed on a MacBook Pro with a 3.3 GHz processor and 16 GB of RAM running MacOS 11.1.
6.1 Compiler Optimizations
We modeled the source and target programs of different compiler optimization techniques (from [20]) as finite state machines encoded as circuits, and used asynchronous hyperproperties to prove the correspondence between both programs. We analyzed the following optimizations:

Common Branch Factorization (CBF), where expressions occurring in both branches of a conditional are factored out;

Loop Peeling (LP), which consists in unrolling of a loop that is executed at least once;

Dead Branch Elimination (DBE), that is, removing conditional checks and their branches that are unreachable; and

Expression Flatting (EF), which splits complex computations into several explicit steps.
Besides evaluating each optimization individually, we also examined several combinations of these optimizations. Each optimization affects the alignment between source and target program, so synchronous hyperproperties fail to recognize the correspondence between both programs. Using asynchronous hyperproperties instead allows us to compensate for this misalignment by stuttering the programs accordingly. Essentially, each optimization is checked against the following AHLTL formula in which \(\pi \) represents traces from the source program and \(\pi '\) traces from the target program:
This formula states that for all pairs of traces that initially agree on the inputs from the set I there exists a trajectory that aligns the phase changes of the outputs in set O. We use the stuttering construction and MCHyper to verify that in all cases the source and target programs go through the same phases of possibly different length. The results of this case study are summarized in Table 1(a). We note that AHLTL modelchecking subsumes the approach in [20] based on construction of a buffer automaton to reason about the alignment of executions.
6.2 SPI Bus Protocol
The Serial Peripheral Interface (SPI) is a bus protocol that supports a single main component’s communication with multiple secondary components. Each secondary can be selected individually by the main via the secondary’s own \( ss \) (“secondary select”) input signal. If a secondary is enabled (that is, if \(\lnot ss \) holds as the secondary select is “active low”), it reads the \( mosi \) (main out, secondary in) signal and writes to the \( miso \) (main in, secondary out) wire.
We verify the behavior of a single SPI secondary component that receives an input which it sends to the main component upon request. This behavior should always be the same, independent of when the secondary is enabled or how fast the bus protocol’s “serial clock” (\( sclk \)) set by the main component ticks compared to the secondary’s internal clock. The AHLTL formula we check is the following (see observational determinism in Sect. 1):
This formula (called SPIcorrect in Table 1(b)) ensures that for all pairs of traces \(\pi \) and \(\pi '\) that agree on the initial configuration, on the input, and additional SPI input assumptions, there is a trajectory that aligns their relevant behavior. We consider it relevant that both secondaries agree on their \( miso \) output whenever they are enabled and the \( sclk \) is low. Checking \( miso \) only when the \( sclk \) is low is sufficient as changes on \( miso \) only occur at falling edges of the \( sclk \). The SPI input assumptions are required to guarantee the implicit assumptions of the protocol, for example, that the \( sclk \) behaves as an infinitely ticking clock. By introducing additional variables and applying logical transformations, we obtain an equivalent formula that syntactically lies in the fragment of the stuttering construction. Again, we reduce this model checking problem to the synchronous semantics and use MCHyper to perform the verification.
In a second experiment, we modified the system to send the value only once and checked it for termination insensitive noninterference SPIterm (see Sects. 3.2 and 4.3). In our setup, we use the variable \( term \) to flag that the secondary has sent the full value. In the premise of the formula, we require that the input value is equal on both traces and again assume that the inputs conform to the SPI protocol. The conclusion checks if both secondaries have sent the same values by using additional variables that are set together with \( term \). The results of this case study are summarized in Table 1(b).
7 Related Work
The study of specific hyperproperties, such as noninterference, dates back to the seminal work by Goguen and Meseguer [14] in the 1980s. The first systematic study of hyperproperties is due to Clarkson and Schneider [8].
It is wellknown that classic specification languages like LTL cannot express hyperproperties. There are two principal methods with which the standard logics have been extended to express hyperproperties:

The first method is the quantification over variables that identify specific paths or traces. The temporal logics LTL, CTL\(^*\) have been extended with quantification over traces and paths, resulting in the temporal logics HyperLTL and HyperCTL\(^*\) [7]. There are also extensions of the \(\mu \)calculus, most recently, the temporal fixpoint calculus \(H_\mu \) [15], which extends the linear time \(\mu \)calculus [3] with path quantifiers and indexed next operators.

The second method is the addition of the equallevel predicate E to firstorder and secondorder logics, like MPL, MSO, FOL, and S1S, which results in the logics FOL[E], S1S[E], MPL[E], MSO[E] [9, 13].
HyperCTL\(^*\), MPL[E], and MSO[E] are branchingtime logics, we therefore focus in the following on the lineartime logics HyperLTL, \(H_\mu \), FOL[E], and S1S[E]. Among these logics, HyperLTL is the only logic for which practical modelchecking algorithms are known [10, 11, 17]. For HyperLTL, the algorithms have been implemented in the model checkers MCHyper and bounded model checker HyperQube. As discussed in this paper, HyperLTL is limited to synchronous hyperproperties.
FOL[E] can express a limited form of asynchronous hyperproperties. As shown in [9], FOL[E] is subsumed by HyperLTL with additional quantification over predicates. Using such predicates as “markers,” one can relate different positions in different traces. However, only a finite number of such predicates is available in each formula. S1S[E] is known to be strictly more expressive than FOL[E] [9], and conjectured to subsume \(H_\mu \) [15]. For S1S[E] and \(H_\mu \), the model checking problem is in general undecidable; for \(H_\mu \), two fragments, the ksynchronous, kcontext bounded fragments, have been identified for which model checking remains decidable [15]. Even though some asynchronous properties can be expressed in these decidable fragments of \(H_\mu \), there is no systematic study to characterize practical properties that can be encoded. Like S1S[E] and \(H_\mu \), asynchronous HyperLTL has an (in general) undecidable model checking problem. However, in this paper we have identified decidable fragments of asynchronous HyperLTL that can express observational determinism, noninterference, and linearizability. AHLTL is thus the first logic for hyperproperties that can express the major asynchronous hyperproperties of interest within decidable fragments. Furthermore, asynchronous HyperLTL is the first logic for asynchronous hyperproperties with a practical model checking algorithm.
8 Conclusion
We have introduced AHLTL, a temporal logic to describe asynchronous hyperproperties. This logic extends HyperLTL with trajectory modalities, which control when a trace proceeds and when it stutters. Synchronous HyperLTL corresponds to a trajectory that always moves all paths in a lockstep manner. This notion of trajectory allows to define formulas that are invariant under stuttering, paving the way for relevant modelchecking optimizations such a partial order reduction and abstractionrefinement techniques in the context of hyperproperties. We show that modelchecking AHLTL formulas is in general undecidable, and identify two fragments of AHLTL formulas, which cover a rich set of security requirements and can be decided by a reduction to HyperLTL modelchecking. This in turn has allowed us to the reuse the existing modelchecker MCHyper.
Future work includes the study of larger decidable fragments (that encompass both fragments studied here), extending the logic allowing several trajectory modalities, as well as their implementation in practical tools. Extending bounded modelchecking [17] to AHLTL is another interesting research problem. Asynchronous hyperproperties are important for applying a logicbased verification approach to verify hyperproperties for software programs, because the relative speed of the execution of programs depends on many factors like the compiler, hardware, execution platform and concurrent running programs, that the analysis must tolerate. Therefore, future work includes adapting techniques for infinitestate software modelchecking, like deductive methods, abstraction, etc. to verify AHLTL properties of software systems.
Notes
 1.
The experimental data is publicly available at https://github.com/reactivesystems/MCHyper in .
References
Alpern, B., Schneider, F.B.: Defining liveness. Inf. Process. Lett. 21, 181–185 (1985)
Askarov, A., Hunt, S., Sabelfeld, A., Sands, D.: Terminationinsensitive noninterference leaks more than just a bit. In: Jajodia, S., Lopez, J. (eds.) ESORICS 2008. LNCS, vol. 5283, pp. 333–348. Springer, Heidelberg (2008). https://doi.org/10.1007/9783540883135_22
Barringer, H., Kuiper, R., Pnueli, A.: A really abstract concurrent model and its temporal logic. In: Proceedings of the 13th Annual ACM Symposium on Principles of Programming Languages (POPL 1986), pp. 173–183. ACM (1986)
Baumeister, J., Coenen, N., Bonakdarpour, B., Finkbeiner, B., Sánchez, C.: A temporal logic for asynchronous hyperproperties. CoRR, abs/2104.14025 (2021)
Bonakdarpour, B., Sanchez, C., Schneider, G.: Monitoring hyperproperties by combining static analysis and runtime verification. In: Margaria, T., Steffen, B. (eds.) ISoLA 2018, Part II. LNCS, vol. 11245, pp. 8–27. Springer, Cham (2018). https://doi.org/10.1007/9783030034214_2
Brayton, R., Mishchenko, A.: ABC: an academic industrialstrength verification tool. In: Touili, T., Cook, B., Jackson, P. (eds.) CAV 2010. LNCS, vol. 6174, pp. 24–40. Springer, Heidelberg (2010). https://doi.org/10.1007/9783642142956_5
Clarkson, M.R., Finkbeiner, B., Koleini, M., Micinski, K.K., Rabe, M.N., Sánchez, C.: Temporal logics for hyperproperties. In: Abadi, M., Kremer, S. (eds.) POST 2014. LNCS, vol. 8414, pp. 265–284. Springer, Heidelberg (2014). https://doi.org/10.1007/9783642547928_15
Clarkson, M.R., Schneider, F.B.: Hyperproperties. J. Comput. Secur. 18(6), 1157–1210 (2010)
Coenen, N., Finkbeiner, B., Hahn, C., Hofmann, J.: The hierarchy of hyperlogics. In: Proceedings of the 34th Annual ACM/IEEE Symposium on Logic in Computer Science (LICS 2019), pp. 1–13. IEEE (2019)
Coenen, N., Finkbeiner, B., Sánchez, C., Tentrup, L.: Verifying hyperliveness. In: Dillig, I., Tasiran, S. (eds.) CAV 2019, Part I. LNCS, vol. 11561, pp. 121–139. Springer, Cham (2019). https://doi.org/10.1007/9783030255404_7
Finkbeiner, B., Rabe, M.N., Sánchez, C.: Algorithms for model checking HyperLTL and HyperCTL\(^*\). In: Kroening, D., Păsăreanu, C.S. (eds.) CAV 2015, Part I. LNCS, vol. 9206, pp. 30–48. Springer, Cham (2015). https://doi.org/10.1007/9783319216904_3
Finkbeiner, B., Rabe, M.N., Sánchez, C.: A temporal logic for hyperproperties. CoRR, abs/1306.6657 (2013)
Finkbeiner, B., Zimmermann, M.: The firstorder logic of hyperproperties. In: 34th Symposium on Theoretical Aspects of Computer Science, STACS 2017, 8–11 Mar 2017, Hannover, Germany, pp. 30:1–30:14 (2017)
Goguen, J.A., Meseguer, J.: Security policies and security models. In: Proceedings of the IEEE Symposium on Security and Privacy, pp. 11–20 (1982)
Gutsfeld, J.O., MüllerOlm, M., Ohrem, C.: Automata and fixpoints for asynchronous hyperproperties. Proc. ACM Program. Lang. 5(POPL), 1–29 (2021)
Herlihy, M., Wing, J.M.: Linearizability: a correctness condition for concurrent objects. ACM Trans. Program. Lang. Syst. 12(3), 463–492 (1990)
Hsu, T.H., Sánchez, C., Bonakdarpour, B.: Bounded model checking for hyperproperties. In: TACAS 2021, Part I. LNCS, vol. 12651, pp. 94–112. Springer, Cham (2021). https://doi.org/10.1007/9783030720162_6
Lamport, L.: “Sometime” is sometimes “not never”  on the temporal logic of programs. In: Proceedings of the Seventh Annual ACM Symposium on Principles of Programming Languages (POPL 1980), pp. 174–185. ACM Press (1980)
Manna, Z., Pnueli, A.: Temporal Verification of Reactive Systems. SpringerVerlag, New York (1995). https://doi.org/10.1007/9781461242222
Namjoshi, K.S., Tabajara, L.M.: Witnessing secure compilation. In: Beyer, D., Zufferey, D. (eds.) VMCAI 2020. LNCS, vol. 11990, pp. 1–22. Springer, Cham (2020). https://doi.org/10.1007/9783030393229_1
Pnueli, A.: The temporal logic of programs. In: Symposium on Foundations of Computer Science (FOCS), pp. 46–57 (1977)
Pnueli, A., Siegel, M., Singerman, E.: Translation validation. In: Steffen, B. (ed.) TACAS 1998. LNCS, vol. 1384, pp. 151–166. Springer, Heidelberg (1998). https://doi.org/10.1007/BFb0054170
Post, E.L.: A variant of a recursively unsolvable problem. Bull. Am. Math. Soc. 52, 264–268 (1946)
Rabe, M.N.: A Temporal Logic Approach to Informationflow Control. PhD thesis, Saarland University (2016)
Sabelfeld, A., Sands, D.: A per model of secure information flow in sequential programs. High. Order Symb. Comput. 14(1), 59–91 (2001)
Sipser, M.: Introduction to the Theory of Computation. MIT Press, Boston (2012)
Wang, Y., Zarei, M., Bonakdarpour, B., Pajic, M.: Statistical verification of hyperproperties for cyberphysical systems. ACM Trans. Embed. Comput. Syst. (TECS) 18(5s), 92:1–92:23 (2019)
Zdancewic, S., Myers, A.C.: Observational determinism for concurrent program security. In: Proceedings of the 16th IEEE Computer Security Foundations Workshop (CSFW), p. 29 (2003)
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Rights and permissions
Open Access This chapter is licensed under the terms of the Creative Commons Attribution 4.0 International License (http://creativecommons.org/licenses/by/4.0/), which permits use, sharing, adaptation, distribution and reproduction in any medium or format, as long as you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons license and indicate if changes were made.
The images or other third party material in this chapter are included in the chapter's Creative Commons license, unless indicated otherwise in a credit line to the material. If material is not included in the chapter's Creative Commons license and your intended use is not permitted by statutory regulation or exceeds the permitted use, you will need to obtain permission directly from the copyright holder.
Copyright information
© 2021 The Author(s)
About this paper
Cite this paper
Baumeister, J., Coenen, N., Bonakdarpour, B., Finkbeiner, B., Sánchez, C. (2021). A Temporal Logic for Asynchronous Hyperproperties. In: Silva, A., Leino, K.R.M. (eds) Computer Aided Verification. CAV 2021. Lecture Notes in Computer Science(), vol 12759. Springer, Cham. https://doi.org/10.1007/9783030816858_33
Download citation
DOI: https://doi.org/10.1007/9783030816858_33
Published:
Publisher Name: Springer, Cham
Print ISBN: 9783030816841
Online ISBN: 9783030816858
eBook Packages: Computer ScienceComputer Science (R0)