Abstract
Many types of attacks on confidentiality stem from the nondeterministic nature of the environment that computer programs operate in. We focus on verification of confidentiality in nondeterministic environments by reasoning about asynchronous hyperproperties. We generalize the temporal logic AHLTL to allow nested trajectory quantification, where a trajectory determines how different execution traces may advance and stutter. We propose a bounded model checking algorithm for AHLTL based on QBFsolving for a fragment of AHLTL and evaluate it by various case studies on concurrent programs, scheduling attacks, compiler optimization, speculative execution, and cache timing attacks. We also rigorously analyze the complexity of model checking AHLTL.
This research has been partially supported by the United States NSF SaTC Award 2100989, by the Madrid Regional Gov. Project BLOQUESCM (S2018/TCS4339), by Project PRODIGY (TED2021132464BI00) funded by MCIN/AEI/10.13039/501100011033/ and the EU NextGenerationEU/PRTR, by the German Research Foundation (DFG) as part of TRR 248 (389792660), and by the European Research Council (ERC) Grant HYPER (101055412)
You have full access to this open access chapter, Download conference paper PDF
Similar content being viewed by others
1 Introduction
Motivation. Consider the concurrent program [10] shown in Fig. 1, where h is a secret variable, and await command is a conditional critical region. This program should satisfy the following informationflow policy: “Any sequences of observable outputs produced by an interleaving should be reproducible by some other interleaving for a different value of h”. If this is the case, then an attacker cannot successfully guess the value of h from the sequence of observable outputs of the print() statements. For example, Fig. 2 shows how one can align two interleavings of threads T1 and T2 with respect to the observable sequence of outputs ‘abcd’, given two different values of secret h. Let us call such an alignment a trajectory (illustrated by the sequence of dashed lines). However, if thread T1 holds the semaphore and executes the critical region as an atomic operation. Then, output ‘acdb’ arising due to concurrent execution of threads T1 and T2 reveals the value of h as 0, as the same output cannot be reproduced when h=1. Thus, the program in Fig. 1 violates the above policy.
The above policy is an example of a hyperproperty [5]; i.e., a set of sets of execution traces. In addition to informationflow requirements, hyperproperties can express other complex requirements such as linearizability [12] and control conditions in cyberphysical systems such as robustness and sensitivity. The temporal logic AHLTL [1] can express hyperproperties whose sets of traces advance at different speeds, allowing stuttering steps. For example, the above policy can be expressed in AHLTL by the following formula: where \(\textsf{obs}\) denotes the output observations, meaning that for all executions (i.e., interleavings) \(\pi \), there should exist another execution \(\pi '\) and a trajectory \(\tau \), such that \(\pi \) and \(\pi '\) start from different values of h and \(\tau \) can align all the observations along \(\pi \) and \(\pi '\) (see Fig. 2). AHLTL can reason about one source of nondeterminism by the scheduler in the system that may lead to information leak. Indeed, the model checking algorithms proposed in [1] can discover the bug in the program in Fig. 1.
Now, consider a more complex version of the same program shown in Fig. 3 inspired by modern programming languages such as Go and P that allow CSPstyle concurrency. Here, new threads T3 and T4 read the values of secret input h and public input l from two asynchronous channels, rendering two different sources of nondeterminism: (1) the scheduler that results in different interleavings, and (2) data availability in the channels. This, in turn, means formula \(\varphi _ \textsf {NI}\) no longer captures the following specification of the program, which should be:
“Any sequence of observable outputs produced by an interleaving should be reproducible by some other interleaving such that for all alignments of public inputs, there exists an alignment of the public outputs”.
Satisfaction of this policy (not expressible in AHLTL as proposed in [1]) prohibits an attacker from successfully determining the sequence of values of h.
Contributions. In this paper, we strive for a general logicbased approach that enables model checking of a rich set of asynchronous hyperproperties. To this end, we concentrate on AHLTL model checking for programs subject to multiple sources of nondeterminism. Our first contribution is a generalization of AHLTL that allows nested trajectory quantification. For example, the above policy requires reasoning about two different trajectories that cannot be composed into one since their sources of nondeterminism are different. This observation motivates the need for enriching AHLTL with the tools to quantify over trajectories. This generalization enables expressing policies such as follows:
where \(\textsf{A}\) and \(\textsf{E}\) denote the universal (res., existential) trajectory quantifiers.
Our second contribution is a bounded model checking (BMC) algorithm for a fragment of the extended AHLTL that allows an arbitrary number of trace quantifier alternations and up to one trajectory quantifier alternation. Following [15], we propose two bounded semantics (called optimistic and pessimistic) for AHLTL based on the satisfaction of eventualities. We introduce a reduction to the satisfiability problem for quantified Boolean formulas (QBF) and prove that our translation provides decision procedures for AHLTL BMC for terminating systems, i.e., those whose Kripke structure is acyclic. Our focus on terminating programs is due to the general undecidability of AHLTL model checking [1]. As in the classic BMC for LTL, the power of our technique is in hunting bugs that are often in the shallow parts of reachable states.
Our third contribution is rigorous complexity analysis of AHLTL model checking for terminating programs (see Table 1). We show that for formulas with only one trajectory quantifier the complexity is aligned with that of classic synchronous semantics of HyperLTL [4]. However, the complexity of AHLTL model checking with multiple trajectory quantifiers is one step higher than HyperLTL model checking in the polynomial hierarchy. An interesting observation here is that the complexity of model checking a formula with two existential trajectory quantifiers is one step higher than one with only one existential quantifier although the plurality of the quantifiers does not change. Generally speaking, AHLTL model checking for terminating programs remains in PSPACE.
Finally, we have implemented our BMC technique. We evaluate our implementation on verification of four case studies: (1) informationflow security in concurrent programs, (2) information leak in speculative executions, (3) preservation of security in compiler optimization, and (4) cachebased timing attacks. These case studies exhibit a proof of concept for the highly intricate nature of informationflow requirements and how our foundational theoretical results handle them.
Related Work. The concept of hyperproperties is due to Clarkson and Schneider [5]. HyperLTL [4] and AHLTL are currently the only logics for which practical model checking algorithms are known [1, 7, 8, 15]. For HyperLTL, the algorithms have been implemented in the model checkers MCHyper and bounded model checker HyperQB [14]. HyperLTL is limited to synchronous hyperproperties. The AHLTL model checking problem is known to be undecidable in general [1]. However, decidable fragments that can express observational determinism, noninterference, and linearizability have been identified. This paper generalizes AHLTL by allowing nested trajectory quantifiers and due to the general undecidability result focuses on terminating programs.
FOL[E] [6] can express a limited form of asynchronous hyperproperties. As shown in [6], FOL[E] is subsumed by HyperLTL with additional quantification over predicates. For S1S[E] and \(H_\mu \), the model checking problem is in general undecidable; for \(H_\mu \), two fragments, the ksynchronous, kcontext bounded fragments, have been identified for which model checking remains decidable [11]. Other logical extensions of HyperLTL with asynchronous capabilities are studied in [3], including their decidable fragments, but their model checking problems have not been implemented and the relative expressive power with respect to other asynchronous formalisms has not been studied.
2 Extended Asynchronous HyperLTL
Preliminaries. Given a natural number \(k \in \mathbb {N}_0\), we use [k] for the set \(\{0,\ldots ,k\}\). Let \(\textsf{AP} \) be a set of atomic propositions and \(\mathrm {\Sigma }=2^\textsf{AP} \) be the alphabet, where we call each element of \(\mathrm {\Sigma }\) a letter. A trace is an infinite sequence \(\sigma =a_0a_1\cdots \) of letters from \(\mathrm {\Sigma }\). We denote the set of all infinite traces by \(\mathrm {\Sigma }^\omega \). We use \(\sigma (i)\) for \(a_i\) and \(\sigma ^i\) for the suffix \(a_ia_{i+1}\cdots \). A pointed trace is a pair \((\sigma ,p)\), where \(p \in \mathbb {N}_0\) is a natural number (called the pointer). Pointed traces allow to traverse a trace by moving the pointer. Given a pointed trace \((\sigma , p)\) and \(n > 0\), we use \((\sigma , p) + n\) to denote the resulting trace \((\sigma ,p+n)\). We denote the set of all pointed traces by \(\textsf{PTR} = \{(\sigma , p) \mid \sigma \in \mathrm {\Sigma }^\omega \, \text { and } \, p \in \mathbb {N}_0\}\).
A Kripke structure is a tuple \(\mathcal {K}= \langle S, s_ init , \delta , L \rangle \), where \(S\) is a set of states, \(s_{ init } \in S\) is the initial state, \(\delta \subseteq S\times S\) is a transition relation, and \(L: S \rightarrow \mathrm {\Sigma }\) is a labeling function on the states of \(\mathcal {K}\). We require that for each \(s\in S\), there exists \(s' \in S\), such that \((s, s') \in \delta \). \(\square \)
A path of a Kripke structure \(\mathcal {K}\) is an infinite sequence of states \(s(0)s(1)\cdots \in S^\omega \), such that \(s(0) = s_ init \) and \((s(i), s({i+1})) \in \delta \), for all \(i \ge 0\). A trace of \(\mathcal {K}\) is a sequence \(\sigma (0)\sigma (1)\sigma (2) \cdots \in \mathrm {\Sigma }^\omega \), such that there exists a path \(s(0)s(1)\cdots \in S^\omega \) with \(\sigma (i) = L(s(i))\) for all \(i\ge 0\). We denote by \(\textsf{Traces}(\mathcal {K}, s)\) the set of all traces of \(\mathcal {K}\) with paths that start in state \(s\in S\).
The directed graph \(\mathcal {F}= \langle S, \delta \rangle \) is called the Kripke frame of the Kripke structure \(\mathcal {K}\). A loop in \(\mathcal {F}\) is a finite sequence \(s_0s_1\cdots s_n\), such that \((s_i, s_{i+1}) \in \delta \), for all \(0 \le i < n\), and \((s_n, s_0) \in \delta \). We call a Kripke frame acyclic, if the only loops are selfloops on terminal states, i.e., on states that have no other outgoing transition. Acyclic Kripke structures model terminating programs.
Extended AHLTL. The syntax of extended AHLTL is:
where \(a \in \textsf{AP} \), \(\pi \) is a trace variable from an infinite supply \(\mathcal {V}\) of trace variables, \(\tau \) is a trajectory variable from an infinite supply \(\mathcal {J}\) of trajectory variables (see formula \(\varphi _ {\textsf {NI}_\textsf {nd}} \) in Section 1 for an example). The intended meaning of \(a_{\pi , \tau }\) is that proposition \(a \in \textsf{AP} \) holds in the current time in trace \(\pi \) and trajectory \(\tau \) (explained later). Trace (respectively, trajectory) quantifiers \(\exists \pi \) and \(\forall \pi \) (respectively, \(\textsf{E}\tau \) and \(\textsf{A}\tau \)) allow reasoning simultaneously about different traces (respectively, trajectories). The intended meaning of \(\textsf{E}\) is that there is a trajectory that gives an interpretation of the relative passage of time between the traces for which the temporal formula that relates the traces is satisfied. Dually, \(\textsf{A}\) means that all trajectories satisfy the inner formula. Given an AHLTL formula \(\varphi \), we use \(\textsf{Paths} (\varphi )\) (respectively, \(\textsf{Trajs} (\varphi )\)) for the set of trace (respectively, trajectory) variables quantified in \(\varphi \). A formula \(\varphi \) is wellformed if for all atoms \(a_{\pi , \tau }\) in \(\varphi \), \(\pi \) and \(\tau \) are quantified in \(\varphi \) (i.e., \(\tau \in \textsf{Trajs} (\varphi )\) and \(\pi \in \textsf{Paths} (\varphi )\)) and no trajectory/trace variable is quantified twice in \(\varphi \). We use the usual syntactic sugar \( false \triangleq \lnot true \), and , \(\varphi _1 \rightarrow \varphi _2 \triangleq \lnot \varphi _1 \vee \varphi _2\), and , etc. We choose to add \({\mathcal {R}}\) (release) and \({\wedge }\) to the logic to enable negation normal form (NNF). As our BMC algorithm cannot handle formulas that are not invariant under stuttering, the next operator is not included.
Semantics. A trajectory \(t: t(0)t(1)t(2)\cdots \) for a formula \(\varphi \) is an infinite sequence of subsets of \(\textsf{Paths} (\varphi )\), i.e., each \(t_i \subseteq \textsf{Paths} (\varphi )\), for all \(i \ge 0\). Essentially, in each step of the trajectory one or more of the traces make progress or all may stutter. A trajectory is fair for a trace variable \(\pi \in \textsf{Paths} (\varphi )\) if there are infinitely many positions j such that \(\pi \in t(j)\). A trajectory is fair if it is fair for all trace variables in \(\textsf{Paths} (\varphi )\). Given a trajectory \(t\), by \(t^i\), we mean the suffix \(t(i)t(i+1)\cdots \). Furthermore, for a set of trace variables \(\mathcal {V}\), we use \(\textsf{TRJ} _\mathcal {V}\) for the set of all fair trajectories for indices from \(\mathcal {V}\). We also use a trajectory assignment \(\varGamma : \textsf{Trajs} (\varphi ) \mathrel {\rightharpoonup }\textsf{TRJ} _{\textit{Dom}(\varGamma )}\), where \(\textit{Dom}(\varGamma )\) is the subset of \(\textsf{Trajs} (\varphi )\) for which \(\varGamma \) is defined. Given a trajectory assignment \(\varGamma \), a trajectory variable \(\tau \), and a trajectory t, we denote by \(\varGamma [\tau \mapsto t]\) the assignment that coincides with \(\varGamma \) for every trajectory variable except for \(\tau \), which is mapped to t.
For the semantics of extended AHLTL, we need asynchronous trace assignments \(\varPi :\textsf{Paths} (\varphi )\times \textsf{Trajs} (\varphi )\mathrel {\rightarrow }T\times \mathbb {N}\) which map each pair \((\pi ,\tau )\) formed by a path variable and trajectory variable into a pointed trace. Given \((\varPi ,\varGamma )\) where \(\varPi \) is an asynchronous trace assignment and \(\varGamma \) a trajectory assignment, we use \((\varPi ,\varGamma )+1\) for the successor of \((\varPi ,\varGamma )\) defined as \((\varPi ',\varGamma ')\) where \(\varGamma '(\tau )=\varGamma (\tau )^1\), and \(\varPi '(\pi ,\tau )=\varPi (\pi ,\tau )+1\) if \(\pi \in \varGamma (\tau )(0)\) and \(\varPi '(\pi ,\tau )=\varPi (\pi ,\tau )\) otherwise. Note that \(\varPi \) can assign the same \(\pi \) to different pointed traces depending on the trajectory. We use \((\varPi ,\varGamma )+k\) as the kth successor of \((\varPi ,\varGamma )\). Given an asynchronous trace assignment \(\varPi \), a trace variable \(\pi \), a trajectory variable \(\tau \) a trace \(\sigma \), and a pointer p, we denote by \(\varPi [(\pi , \tau ) \mapsto (\sigma ,p)]\) the assignment that coincides with \(\varPi \) for every pair except for \((\pi , \tau )\), which is mapped to \((\sigma ,p)\). The satisfaction of an AHLTL formula \(\varphi \) over a trace assignment \(\varPi \), a trajectory assignment \(\varGamma \), and a set of traces T is defined as follows (we omit \(\lnot \), \({\wedge }\) and \(\mathrel {\vee }\) which are standard):
We say that a set T of traces satisfies a sentence \(\varphi \), denoted by \(T \models \varphi \), if \((\varPi _\emptyset ,\varGamma _\emptyset ) \models _T \varphi \). We say that a Kripke structure \(\mathcal {K}\) satisfies an AHLTL formula \(\varphi \) (and write \(\mathcal {K}\models \varphi \)) if and only if we have \(\textsf{Traces}(\mathcal {K}, S_ init )\models \varphi \). An example is illustrated in Fig. 4.
3 Bounded Model Checking for AHLTL
We first introduce the bounded semantics of AHLTL (for at most one trajectory quantifier alternation but arbitrary trace quantifiers) which will be used to generate queries to a QBF solver to aid solving the BMC problem. The main result of this section is Theorem 1 which provides decision procedures for model checking AHLTL for terminating systems.
3.1 Bounded Semantics of AHLTL
The bounded semantics corresponds to the exploration of the system up to a certain bound. In our case, we will consider two bounds k and m (with \(k\le m\)). The bound k corresponds to the maximum depth of the unrolling of the Kripke structures and m is the bound on trajectories length. We start by introducing some auxiliary functions and predicates, for a given trace assignment and \((\varPi ,\varGamma )\). First, the family of functions \(\textit{pos}_{\pi ,\tau }:\{0\ldots {}m\}\mathrel {\rightarrow }\mathbb {N}\). The meaning of \(\textit{pos}_{\pi ,\tau }(i)\) provides how many times \(\pi \) has been selected in \(\{\tau (0),\ldots ,\tau (i)\}\). We assume that Kripke structures are equipped with an atomic proposition \(\textit{halt} \) (one per trace variable \(\pi \)) which encodes whether the state is a halting state. Given \((\varPi ,\varGamma )\) we consider the predicate \(\textit{halted} \) that holds whenever for all \(\pi \) and \(\tau \), \(\textit{halt} \in \sigma (j)\) for \((\sigma ,j)=\varPi (\pi ,\tau )\). In this case we write \((\varPi ,\varGamma ,n)\models \textit{halted} \).
We define two bounded semantics which only differ in how they inspect beyond the (k, m) bounds: \(\models ^{ hpes }_{k,m}\), called the halting pessimistic semantics and \(\models ^{ hopt }_{k,m}\), called the halting optimistic semantics. We start by defining the bounded semantics of the quantifiers.
For the Boolean operators, for \(i\le {} m\):
For the temporal operators, we must consider the cases of falling of the paths (beyond k) and falling of the traces (beyond m). We define the predicate \(\textit{off}\,\) which holds for \((\varPi ,\varGamma ,i)\) if for some \((\pi ,\tau )\), \(\textit{pos}_{\pi ,\tau }(i)>k\) and \(\textit{halt} _\pi \notin \sigma (k)\) where \(\sigma \) is the trace assigned to \(\pi \). Note that \(\textit{halted} \) implies that \(\textit{off}\,\) does not hold because all paths (including those at k or beyond) satisfy \(\textit{halt} \).
We define two semantics that differ on how to interpret when the end of the unfolding of the traces and trajectories is reached. The halting pessimistic semantics, denoted by \(\models ^{ hpes }_{k,m}\) take (1)(9) above and add (10)(13) together with \((\varPi ,\varGamma ,i)\not \models _{k,m}\textit{off}\,\). Rules (10) and (11) define the semantics of the temporal operators for the case \(i<m\), that is, before the end of the unrolling of the trajectories (recall that we do not consider ):
For the case of \(i=m\), that is, at the bound of the trajectory:
The halting optimistic semantics, denoted by \(\models ^{ hopt }_{k,m}\) take rules (1)(11) and (12’)(13’), but now if \((\varPi ,\varGamma ,i)\models ^{ hopt }_{k,m}\textit{off}\,\) then \((\varPi ,\varGamma ,i)\models ^{ hopt }_{k,m}\varphi \) holds for every formula. Again, rules (10) and (11) define the semantics of the temporal operators for the case \(i<m\). Then, for \(i=m\):
Similar to [15] for the case of HyperLTL, the pessimistic semantics capture the case where we assume that pending eventualities will not become true in the future after the end of the trace (this is also assumed in LTL BMC). Dually, the optimistic semantics assume that all pending eventualities at the end of the trace will be fulfilled. Therefore, the following hold (proofs in [13]).
Lemma 1
Let \(k\le k'\) and \(m\le m'\).

1.
If \((\varPi ,\varGamma ,0)\models ^{ hpes }_{k,m}\varphi \), then \((\varPi ,\varGamma ,0)\models ^{ hpes }_{k',m'}\varphi \).

2.
If \((\varPi ,\varGamma ,0)\not \models ^{ hopt }_{k,m}\varphi \), then \((\varPi ,\varGamma ,0)\not \models ^{ hopt }_{k',m'}\varphi \).
Lemma 2
The following hold for every k and m,

1.
If \((\varPi ,\varGamma ,0)\models ^{ hpes }_{k,m}\varphi \), then \((\varPi ,\varGamma ,0)\models \varphi \).

2.
If \((\varPi ,\varGamma ,0)\not \models ^{ hopt }_{k,m}\varphi \), then \((\varPi ,\varGamma ,0)\not \models \varphi \).
3.2 From Bounded Semantics to QBF Solving
Let \(\mathcal {K}\) be a Kripke structure and \(\varphi \) be an AHLTL formula. Based on the bounded semantics introduced previously, our main approach is to generate a QBF query (with bounds k, m), which can use either the pessimistic or the optimistic semantics. We use \(\llbracket \mathcal {K},\varphi \rrbracket ^ hpes _{k,m}\) if the pessimistic semantics are used and \(\llbracket \mathcal {K},\varphi \rrbracket ^ hopt _{k,m}\) if the optimistic semantics are used. Our translations will satisfy that

(1)
if \(\llbracket \mathcal {K},\varphi \rrbracket ^ hpes _{k,m}\) is SAT, then \(\mathcal {K}\models \varphi \);

(2)
if \(\llbracket \mathcal {K},\varphi \rrbracket ^ hopt _{k,m}\) is UNSAT, then \(\mathcal {K}\not \models \varphi \);

(3)
if the Kripke structure is unrolled to the diameter and the trajectories up to a maximum length (see below), then \(\llbracket \mathcal {K},\varphi \rrbracket ^ hpes _{k,m}\) is SAT if and only if \(\llbracket \mathcal {K},\varphi \rrbracket ^ hopt _{k,m}\) is SAT.
The first step to define \(\llbracket \mathcal {K},\varphi \rrbracket ^ hopt _{k,m}\) and \(\llbracket \mathcal {K},\varphi \rrbracket ^ hpes _{k,m}\) is to encode the unrolling of the models upto a given depth k. For a path variable \(\pi \) corresponding to Kripke structure \(\mathcal {K}\), we introduce \((k+1)\) copies (\(x^0,\ldots ,x^k\)) of the Boolean variables that define the state of \(\mathcal {K}\) and use the initial condition I and the transition relation R of \(\mathcal {K}\) to relate these variables. For example, for \(k=3\), we unroll the transition relation upto 3 as follows:
Encoding positions. For each trajectory variable \(\tau \) and given the bound m on the unrolling of trajectories, we add \(\textsf{Paths} (\varphi )\times (m+1)\) variables \(t_{\pi }^0\ldots t_{\pi }^m\), for each \(\pi \). The intended meaning of \(t_{\pi }^j\) is that \(t_{\pi }^j\) is true whenever \(\pi \in {}t(j)\), that is, when t dictates that \(\pi \) moves at time instant j. In order to encode sanity conditions on trajectories, that are crucial for completeness, it is necessary to introduce a family of variables that captures how much \(\pi \) has moved according to \(\tau \) after j steps. There is a variable \(\textit{pos}\) for each trace variable \(\pi \), each trajectory \(\tau \) and each \(i\le {}k\) and \(j\le {}m\). We represent this variable by \(\textit{pos}^{i,j}_{\pi ,\tau }\). The intention is that \(\textit{pos}\) is true whenever after j steps trajectory \(\tau \) has dictated that trace \(\pi \) progresses precisely i times. Fig. 5 shows encodings \(t_{\pi }^j\) and \(\textit{pos}^{i,j}_{\pi ,\tau }\) for the traces w.r.t. the blue trajectory, \(\tau '\) in Fig. 4. We will use the auxiliary definitions (for \(i\in \{0\ldots {}k\}\) and \(j\in \{0\ldots {}m\}\)) to force that the path \(\pi \) has moved to position i after j moves from the trajectory and that \(\pi \) has not fallen off the trace (and does not change position when the paths fall off the trace):
Initially, \( I_\textit{pos}\,{\mathop {=}\limits ^{\text {def }}}\,\bigwedge _{\pi ,\tau }\textit{setpos}\,^{0,0}_{\pi ,\tau } \), where \(\pi \in \textsf{Traces} (\varphi )\) and \(\tau \in \textsf{TRJ} _{\textit{Dom}(\varPi )}\). \(I_\textit{pos}\) captures that all paths are initially at position 0. Then, for every step \(j\in \{0\ldots m\}\), the following formulas relate the values of \(\textit{pos}\) and \(\textit{off}\,\), depending on whether trajectory \(\tau \) moves path \(\pi \) or not (and on whether \(\pi \) has reached the end k or halted):
Then the following formula captures the correct assignment to the the \(\textit{pos}\) variables, including the initial assignment:
For example, Fig. 5 (w.r.t. Fig. 4) encodes the blue trajectory \((\tau ')\) of \(\pi \) (i.e., \(t_1\)) and \(\pi '\) (i.e., \(t_2\)) as follows. First, for \(j\in [0,3)\), it advances \(t_1\) and stutters \(t_2\). Therefore, \({t_\pi ^{0}} , {t_\pi ^{1}}, { t_\pi ^{2}}\) are \( true \) and \({t_{\pi '}^{0}}, {t_{\pi '}^{1}}, { t_{\pi '}^{2}}\) are \( false \). Notice that for \(\textit{pos}\) encodings, the \(\pi \) position advances according to \(\textit{step}\,^j_{\pi ,\tau '}\) (i.e., \({\textit{pos}_{\pi ,\tau '}^{0,0}}, {\textit{pos}_{\pi ,\tau '}^{1,1}}, {\textit{pos}_{\pi ,\tau '}^{2,2}}, {\textit{pos}_{\pi ,\tau '}^{3,3}}\)); while \(\pi '\) stutters according to \( \textit{stutters}\,^j_{\pi ',\tau '}\) (i.e., \( {\textit{pos}_{\pi ',\tau '}^{0,0}}, {\textit{pos}_{\pi ',\tau '}^{0,1}}, {\textit{pos}_{\pi ',\tau '}^{0,2}}, {\textit{pos}_{\pi ',\tau '}^{0,3}}\)). Then, for \(j \in [3,5]\), it alternatively advances \(t_2\) which makes \({ t_\pi ^{3}}, {t_\pi ^{4}}, {t_\pi ^{5}}\) \( false \) and \( { t_{\pi '}^{3}}, { t_{\pi '}^{4}}, { t_{\pi '}^{5}}\) \( true \). Similarly, the movements becomes \({\textit{pos}_{\pi ,\tau '}^{3,4}}, {\textit{pos}_{\pi ,\tau '}^{3,5}}, {\textit{pos}_{\pi ,\tau '}^{3,6}} \) and \({\textit{pos}_{\pi ',\tau '}^{1,4}}, {\textit{pos}_{\pi ',\tau '}^{2,5}}, {\textit{pos}_{\pi ',\tau '}^{3,6}}\). At the halting point (i.e., \(j = k\)), both trajectory trigger \(\textit{ends}\,^{j}\) and do not advance anymore.
Encoding the inner LTL formula. We will use the following auxiliary predicates:
We now give the encoding for the inner temporal formulas for a fix unrolling k and m as follows. For the atomic and Boolean formulas, the following translations are performed for \(j\in \{0\ldots {}m\}\).
The halting pessimistic semantics translation uses \(\llbracket \cdot \rrbracket _ hpes \), taking (14)(17) and (18)(21) below. For the temporal operators and \(j<m\):
For \(j=m\):
The halting optimistic semantics translation uses \(\llbracket \cdot \rrbracket _ hopt \), taking (14)(17) and (18’)(21’) as follows, For the temporal operators and \(j<m\):
For \(j=m\):
Combining the encodings. Let \(\varphi \) be a AHLTL formula of the form \(\varphi = \mathbb {Q}_A\pi _A.\dots .\mathbb {Q}_Z\pi _Z.\mathbb {Q}_a\tau _a.\dots .\mathbb {Q}_z\tau _z.\psi \). Combining all the components, the encoding of the AHLTL BMC problem into QBF, for bounds k and m is:
where \(\circ _A=\mathrel {\rightarrow }\) if \(\mathbb {Q}_A=\forall \) (and \(\circ _A={\wedge }\) if \(\mathbb {Q}_A=\exists \)), and \(\circ _B\), \(\ldots \) are defined similarly. The sets \(\overline{\textit{pos}}\) is the set of variables \(\textit{pos}^{i,j}_{\pi ,\tau }\) that encode the positions and \(\overline{\textit{off}\,}\) is the set of variables \(\textit{off}\,^j_{\pi ,\tau }\) that encode when a trace progress has fallen off its unrolling limit. We next define the encoding \(\textit{enc}(\psi )\) of the temporal formula \(\psi \).
Encoding formulas with up to 1 trajectory quantifier alternations We consider the encoding into QBF of formulas with zero and one quantifier alternation separately. In the following, we say that at position j a collection of trajectories U “moves” whenever either all trajectories have moved all their paths to the halting state, or at least one of the trajectories in U makes one of the nonhalted path move at position j. Formally,

\(\textsf{E}^+ U. \psi \): In this case, the formula generated for \( \textit{enc}(\psi )\) is
$$\begin{aligned} (\bigwedge _{j\in \{0\ldots {}m\}}\textit{moves}\,^j_U) {\wedge }\llbracket \psi \rrbracket ^0_{k,m} \end{aligned}$$This is correct since the positions at which all trajectories stutter all paths can be removed (obtaining a satisfying path), we can restrict the search to nonstuttering trajectory steps.

\(\textsf{A}^+ U. \psi \): In this case, the formula generated for \( \textit{enc}(\psi )\) is
$$\begin{aligned} (\bigwedge _{j\in \{0\ldots {}m\}}\textit{moves}\,^j_U) \mathrel {\rightarrow }\llbracket \psi \rrbracket ^0_{k,m} \end{aligned}$$The reasoning is similar as the previous case.

\(\textsf{A}^+ U_A\textsf{E}^+ U_E. \psi \): In this case, the formula generated for \( \textit{enc}(\psi )\) is
$$ (\bigwedge _{j \in \{0\ldots {}m\}}\textit{moves}\,^j_{U_A}) \mathrel {\rightarrow }\big ( \bigwedge _{j \in \{0\ldots {}m\}}({\textit{halted} \,}^j_{U_A} \mathrel {\rightarrow }\textit{moves}\,^j_{U_E}){\wedge }\llbracket \psi \rrbracket ^0_{k,m}\big ) $$Universally quantified trajectories must explore all trajectories, which must be responded by the existential trajectories. Assume there is a strategy for \(U_E\) for the case that universal trajectories \(U_A\) never stutter at any position. This can be extended into a strategy for the case where \(U_A\) can possible stutter, by adding a stuttering step to the \(U_E\) trajectories at the same position. This guarantees the same evaluation. Therefore, we restrict our search for the outer \(U_A\) to nonstuttering trajectories. Finally, \(U_E\) is obliged to move after \(U_A\) has halted all paths to prevent global stuttering.

\(\textsf{E}^+ U_E\textsf{A}^+ U_A. \psi \): In this case, the formula generated for \( \textit{enc}(\psi )\) is similar,
$$ \big (\bigwedge _{j \in \{0\ldots {}m\}}\textit{moves}\,^j_{U_E}\big ) \wedge \big (\bigwedge _{j\in \{0\ldots {}m\}}({\textit{halted} \,}^j_{U_E} \mathrel {\rightarrow }\textit{moves}\,^j_{U_A})\mathrel {\rightarrow }\llbracket \psi \rrbracket ^0_{k,m}\big ) $$The rationale for this encoding is the following. It is not necessary to explore a nonmoving step j for the existentially quantified trajectories \(U_E\) because if this stuttering step is successful it must work for all possible moves of the \(U_A\) trajectories at the same time step j. This includes the case that all trajectories in \(U_A\) make all paths stutter (which, if we remove j one still has all the legal trajectories for \(U_A\)). Since the logic does not contain the next operator, the evaluation for the given \(U_E\) and one of the trajectories for \(U_A\) that stutter at j will be the same as for \(j+1\) for all logical formulas. Therefore, the trajectory that is obtained from removing step j from \(U_E\) is still a satisfying trajectory assignment. It follows that if there is a model for \(U_E\) there is a model that does not stutter. Finally, after all paths have halted according to the \(U_E\) trajectories, a step of \(U_A\) that stutters all paths that have not halted can be removed because, again the evaluation is the same in the previous and subsequent state. It follows that if the formula has a model, then it has a model satisfying the encoding.
Theorem 1
Let \(\varphi \) be an AHLTL formula with at most one trajectory quantifier alternation, let K be the maximum depth of a Kripke structure and let \(M=K \times \textsf{Paths} (\varphi ) \times \textsf{Trajs} (\varphi )\). Then, the following hold:

\(\llbracket \mathcal {K},\varphi \rrbracket _{K,M}^ hpes \) is satisfiable if and only if \(\mathcal {K}\models \varphi \).

\(\llbracket \mathcal {K},\varphi \rrbracket _{K,M}^ hopt \) is satisfiable if and only if \(\mathcal {K}\models \varphi \).
Theorem 1 (proof in [13]) provides a model checking decision procedure. An alternative decision procedure is to iteratively increase the bound of the unrollings and invoke both semantics in parallel until the outcome coincides.
4 Complexity of AHLTL Model Checking for Acyclic Frames
Our goal in this section is to analyze the complexity of the AHLTL model checking problem in the size of an acyclic Kripke structure (all proofs in [13]).
Problem Formulation. We use \(\textsf{MC}\big [\textsf{Fragment}\big ]\) to distinguish different variations of the problem, where MC is the model checking decision problem, i.e., whether or not \(\mathcal {K}\models \varphi \), and Fragment is one of the following for \(\varphi \):

‘\([\exists (\exists /\forall )^+\textsf{A}/\textsf{E}]^k\)’, for \(k\ge 0\), is the fragment with a lead existential trace quantifier, one outermost universal or existential trajectory quantifier, and k (counting all) quantifier alternations, where \(k=0\) means the existential alternationfree fragment ‘\(\exists ^+\textsf{E}^+\)’. Fragment ‘\([\forall (\forall /\exists )^+\textsf{A}/\textsf{E}]^k\)’ is defined similarly, where \(k=0\) is the universal alternationfree fragment ‘\(\forall ^+\textsf{A}^+\)’.

Fragments ‘\([\exists (\exists /\forall )^+(\textsf{E}^+\textsf{A}^+/\textsf{A}^+\textsf{E}^+/\textsf{E}\textsf{E}^+/\textsf{A}\textsf{A}^+)]^k\)’, for \(k \ge 1\) denotes the fragment with a lead existential trace quantifier, multiple outermost trajectory quantifiers with at most one alternation, and k quantifier alternations (counting all quantifiers), where \(k=1\) means fragment ‘\(\exists \textsf{E}\textsf{A}\)’. Fragment ‘\([\forall (\forall /\exists )^+(\textsf{E}^+\textsf{A}^+/\textsf{A}^+\textsf{E}^+/\textsf{E}\textsf{E}^+/\textsf{A}\textsf{A}^+)]^k\)’ is defined similarly, where \(k=1\) means fragment ‘\(\forall \textsf{A}\textsf{E}\)’.
The Complexity of AHLTL Model Checking. We first show the AHLTL model checking problem for the alternationfree fragment with only one trajectory quantifier is NLcomplete. For example, verification of information leak in speculative execution in sequential programs renders a formula of the form \(\forall ^4\textsf{A}\), which belongs to the alternationfree fragment (more details in Section 5).
Theorem 2
\(\textsf{MC}{\big [\exists ^+\textsf{E}\big ]}\) and \(\textsf{MC}{\big [\forall ^+\textsf{A}\big ]}\) are NLcomplete.
We now switch to formulas with alternating trace quantifiers. The significance of the next theorem is that a single trajectory quantifier does not change the complexity of model checking as compared to the classic HyperLTL verification [2]. It is noteworthy to mention that several important classes of formulas belong to this fragment. For example, according to Theorem 3 while model checking observational determinism [19] (\(\forall \forall \textsf{E}\)), generalized noninference [16] (\(\forall \forall \exists \textsf{E}\)), and noninference [5] (\(\forall \exists \textsf{E}\)) with a single initial input are all coNPcomplete.
Theorem 3
\(\textsf{MC}{\big [\exists (\exists /\forall )^{+}(\textsf{A}/\textsf{E})\big ]^{k}}\) is \({\varSigma ^p_{k}}\) complete and \(\textsf{MC}{\big [\forall (\forall /\exists )^{+}(\textsf{E}/\textsf{A})\big ]^{k}}\) is \({\varPi ^p_{k}}\) complete in the size of the Kripke structure.
We now focus on formulas with multiple trajectory quantifiers. We first show that alternationfree multiple trajectory quantifiers bumps the class of complexity by one step in the polynomial hierarchy.
Theorem 4
\(\textsf{MC}{\big [\exists (\exists /\forall )^{+}\textsf{E}\textsf{E}^+\big ]^{k}}\) is \({\varSigma ^p_{k+1}}\) complete and \(\textsf{MC}{\big [\forall (\forall /\exists )^{+}\textsf{A}\textsf{A}^+\big ]^{k}}\) is \({\varPi ^p_{k+1}}\) complete in the Kripke structure.
Theorem 5
For \(k \ge 1\), \(\textsf{MC}{\big [\exists (\exists /\forall )^{+}\textsf{A}^+\textsf{E}^+\big ]^{k}}\) is \({\varSigma ^p_{k+1}}\) complete and \(\textsf{MC}{\big [\forall (\forall /\exists )^{+}\textsf{E}^+\textsf{A}^+\big ]^{k}}\) is \({\varPi ^p_{k+1}}\) complete in the size of the Kripke structure.
Finally, Theorems 3, 4, and 5 imply that the model checking problem for acyclic Kripke structures and AHLTL formulas with an arbitrary number of trace quantifier alternation and only one trajectory quantifier is in PSPACE.
5 Case Studies and Evaluation
We now evaluate our technique. The encoding in Section 3 is implemented on top of the opensource bounded model checker HyperQB [15]. All experiments are executed on a MacBook Pro with 2.2GHz processor and 16GB RAM (https://github.com/TARTMSU/async_hltl_tacas23).
Noninterference in Concurrent Programs. We first consider the programs presented earlier in Figs. 1 and 3 together with AHLTL formulas \(\varphi _ \textsf {NI}\) and \(\varphi _ {\textsf {NI}_\textsf {nd}} \) from Section 1. We receive UNSAT (for the original formula and not its negation), which indicates that violations have been spotted. Indeed, our implementation successfully finds a counterexample with a specific trajectory that prints out ‘acdb’ when the highsecurity value h is equal to zero (entries of \(\texttt {ACDB}\) and \(\texttt {ACDB}_\texttt {ndet}\) in Table 3). Our other experiment is an extension of the example in [10] for multiple asynchronous channels (see Fig. 6) and the following formula: . The results for this case are entries of \(\texttt {ConcLeak}\) and \(\texttt {ConcLeak}_\texttt {ndet}\) in Table 3. Details of the counterexample can be found in [13].
Speculative Information Flow. Speculative execution is a standard optimization technique that allows branch prediction by the processor. Speculative noninterference (SNI) [9] requires that two executions with the same policy \(\textsf{p}\) (i.e., initial configuration) can be observed differently in speculative semantics (e.g., a possible branch), if and only if their nonspeculative semantics with normal condition checks are also observed differently; i.e., the following AHLTL formula:
where \(\textsf{obs}\) is the memory footprint, traces \(\pi _1\) and \(\pi _2\) range over the (nonspeculative) C code and traces \(\pi '_1\) and \(\pi '_2\) range over the corresponding (speculative) assembly code. We evaluate SNI on the translation from a C program (details in [13]), where y is the input policy \(\textsf{p}\) and multiple versions of x86 assembly code [9]. The results of model checking speculative execution are in Table 3 (see entries from \(\texttt {SpecExcu}_{V1}\) to \(\texttt {SpecExcu}_{V7}\)). Additional versions from \(\texttt {SpecExcu}_{V3}\) to \(\texttt {SpecExcu}_{V7}\) are under different compilation options. Our method correctly identify all the insecure and secure ones as stated in [9].
Compiler Optimization Security. Secure compiler optimization [17] aims at preserving inputoutput behaviors of a source program (original implementation) and a target program (after applying optimization), including security policies. We investigate the following optimization strategies: Dead Branch Elimination (DBE), Loop Peeling (LP), and Expression Flattening (EF). To verify a secure optimization, we consider two scenarios: (1) one single I/O event (one trajectory, similar to [1]), and (2) a sequences of I/O events (two trajectories):
where in is the set of inputs and out is the set of outputs. Table 3 (cases \(\texttt {DBE}\) – \(\texttt {EFLP}_\texttt {ndet}\)) shows the verification results of each optimization strategy and different combination of the strategies (details in [13]).
CacheBased Timing Attacks. Asynchrony also leads to attacks when system executions are confined to a single CPU and its cache [18]. A cachebased timing attack happens when an attacker is able to guess the values of highsecurity variables when cache operations (i.e., evict, fetch) influence the scheduling of different threads. Our case study is inspired by the cachebased timing attack example in [18] and we use the formula of observational determinism \(\varphi _{\textsf {OD}_\textsf {nd}} \) introduced earlier in this section to find the potential attacks (see cases of \(\texttt {CacheTA}\) and \(\texttt {CacheTA}_\texttt {ndet}\) in Table 3 with details in [13]).
5.1 Analysis of Experimental Results
Table 3 presents the diameter of the transition relation, length of trajectories m, state spaces, and the number of trajectory variables. We also present the total solving time of our algorithm as well as the break down: generating models (genQBF), building trajectory encodings (buildTr), and final QBF solving (solveQBF). Our two most complex cases are concurrent leak (\(\texttt {ConcLeak}_\texttt {ndet}\)) and loop peeling (\(\texttt {LP}_\texttt {ndet}\)). For concurrent leak, it is because there are three threads with many interleavings (i.e., asynchronous composition), takes longer time to build. For loop peeling, although there is no need to consider interleavings except for the nondeterministic inputs; however, the diameters of traces (\(D_{\mathcal {K}_1}\), \(D_{\mathcal {K}_2}\)) are longer than other cases, which makes the length and size of trajectory variables (i.e., m and T) grow and increases the total solving time. Our encoding is able to handle a variety of cases with one or more trajectories, depending on whether multiple sources of nondeterminism is present. To see efficiency, we compare the solving time for cases of compiler optimization with one trajectory with the results in [1]. This method reduces AHLTL model checking to HyperLTL model checking for limited fragments and utilizes the model checker MCHyper. On the other hand, we directly handle asynchrony by trajectory encoding. Table 2 shows our algorithm considerably outperforms the approach in [1] in larger cases.
6 Conclusion and Future Work
In this paper, we focused on the problem of AHLTL model checking for terminating programs. We generalized AHLTL to allow nested trajectory quantification, where a trajectory determines how different traces may advance and stutter. We rigorously analyzed the complexity of AHLTL model checking for acyclic Kripke structures. The complexity grows in the polynomial hierarchy with the number of quantifier alternations, and, it is either aligned with that of HyperLTL or is one step higher in the polynomial hierarchy. We also proposed a BMC algorithm for AHLTL based on QBFsolving and reported successful experimental results on verification of information flow security in concurrent programs, speculative execution, compiler optimization, and cachebased timing attacks.
Asynchronous hyperproperties enable logicbased verification for software programs. Thus, future work includes developing different abstraction techniques such as predicate abstraction, abstractionrefinement, etc, to develop software model checking techniques. We also believe developing synthesis techniques for AHLTL creates opportunities to automatically generate secure programs and assist in areas such as secure compilation.
References
J. Baumeister, N. Coenen, B. Bonakdarpour, B. Finkbeiner, and C. Sánchez. A temporal logic for asynchronous hyperproperties. In Proc. of the 33rd Int’l Conf. on Computer Aided Verification (CAV’21), Part I, volume 12759 of LNCS, pages 694–717. Springer, 2021.
B. Bonakdarpour and B. Finkbeiner. The complexity of monitoring hyperproperties. In Proceedings of the 31st IEEE Computer Security Foundations Symposium CSF, pages 162–174, 2018.
L. Bozzelli, A. Peron, and C. Sánchez. Asynchronous extensions of HyperLTL. In Proc. of the 36th Annual ACM/IEEE Symposium on Logic in Computer Science (LICS’21), pages 1–13. IEEE, 2021.
M. R. Clarkson, F. Finkbeiner, K. Koleini, K. K. Micinski, M. N. Rabe, and C. Sánchez. Temporal logics for hyperproperties. In Proceedings of the 3rd International Conference on Principles of Security and Trust (POST), pages 265–284, 2014.
M. R. Clarkson and F. B. Schneider. Hyperproperties. Journal of Computer Security, 18(6):1157–1210, 2010.
N. Coenen, B. Finkbeiner, C. Hahn, and J. Hofmann. The hierarchy of hyperlogics. In 2019 34th Annual ACM/IEEE Symposium on Logic in Computer Science (LICS), pages 1–13, 2019.
N. Coenen, B. Finkbeiner, C. Sánchez, and L. Tentrup. Verifying hyperliveness. In I. Dillig and S. Tasiran, editors, Computer Aided Verification, pages 121–139, Cham, 2019. Springer International Publishing.
B. Finkbeiner, M. Rabe, and C. Sánchez. Algorithms for model checking HyperLTL and HyperCTL\(^*\). In In Proc. of the 27th Int’l Conf. on Computer Aided Verification (CAV’15), volume 9206 of LNCS, pages 30–48. Springer, 2015.
M. Guarnieri, B. Köpf, J. F. Morales, J. Reineke, and A. Sánchez. Spectector: Principled detection of speculative information flows. In Proceedings of the 41st IEEE Symposium on Security and Privacy, S &P 2020. IEEE, 2020.
G. L. Guernic. Automatonbased confidentiality monitoring of concurrent programs. In Proceedings of the 20th IEEE Computer Security Foundations Symposium (CSF), pages 218–232, 2007.
J. O. Gutsfeld, M. MüllerOlm, and C. Ohrem. Automata and fixpoints for asynchronous hyperproperties. Proc. ACM Program. Lang., 5(POPL):1–29, 2021.
M. Herlihy and J. M. Wing. Linearizability: A correctness condition for concurrent objects. ACM Transactions on Programming Languages and Systems, 12(3):463–492, 1990.
T. Hsu, B. Bonakdarpour, B. Finkbeiner, and C. Sánchez. Bounded model checking for asynchronous hyperproperties. CoRR, abs/2301.07208, 2023.
T. Hsu and C. Sánchez. Hyperqube: A qbfbased bounded model checker for hyperproperties. CoRR, abs/2109.12989, 2021.
T.H. Hsu, C. Sánchez, and B. Bonakdarpour. Bounded model checking for hyperproperties. In Proceedings of the 27th International Conference on Tools and Algorithms for Construction and Analysis of Systems (TACAS), pages 94–112, 2021.
J. McLean. A general theory of composition for trace sets closed under selective interleaving functions. In Proceedings of the IEEE Symposium on Security and Privacy, pages 79–93, Apr. 1994.
K. S. Namjoshi and L. M. Tabajara. Witnessing secure compilation. In International Conference on Verification, Model Checking, and Abstract Interpretation, pages 1–22. Springer, 2020.
D. Stefan, P. Buiras, E. Z. Yang, A. Levy, D. Terei, A. Russo, and D. Mazières. Eliminating cachebased timing attacks with instructionbased scheduling. In European Symposium on Research in Computer Security, pages 718–735. Springer, 2013.
S. Zdancewic and A. C. Myers. Observational determinism for concurrent program security. In Proceedings of the 16th IEEE Computer Security Foundations Workshop (CSFW), page 29, 2003.
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Rights and permissions
Open Access This chapter is licensed under the terms of the Creative Commons Attribution 4.0 International License (http://creativecommons.org/licenses/by/4.0/), which permits use, sharing, adaptation, distribution and reproduction in any medium or format, as long as you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons license and indicate if changes were made.
The images or other third party material in this chapter are included in the chapter's Creative Commons license, unless indicated otherwise in a credit line to the material. If material is not included in the chapter's Creative Commons license and your intended use is not permitted by statutory regulation or exceeds the permitted use, you will need to obtain permission directly from the copyright holder.
Copyright information
© 2023 The Author(s)
About this paper
Cite this paper
Hsu, TH., Bonakdarpour, B., Finkbeiner, B., Sánchez, C. (2023). Bounded Model Checking for Asynchronous Hyperproperties. In: Sankaranarayanan, S., Sharygina, N. (eds) Tools and Algorithms for the Construction and Analysis of Systems. TACAS 2023. Lecture Notes in Computer Science, vol 13993. Springer, Cham. https://doi.org/10.1007/9783031308239_2
Download citation
DOI: https://doi.org/10.1007/9783031308239_2
Published:
Publisher Name: Springer, Cham
Print ISBN: 9783031308222
Online ISBN: 9783031308239
eBook Packages: Computer ScienceComputer Science (R0)