1 Introduction

Fig. 1.
figure 1

T1 and T2 leak the value of h.

Full size image

Motivation. Consider the concurrent program [10] shown in Fig. 1, where h is a secret variable, and await command is a conditional critical region. This program should satisfy the following information-flow policy: “Any sequences of observable outputs produced by an interleaving should be reproducible by some other interleaving for a different value of h”. If this is the case, then an attacker cannot successfully guess the value of h from the sequence of observable outputs of the print() statements. For example, Fig. 2 shows how one can align two interleavings of threads T1 and T2 with respect to the observable sequence of outputs ‘abcd’, given two different values of secret h. Let us call such an alignment a trajectory (illustrated by the sequence of dashed lines). However, if thread T1 holds the semaphore and executes the critical region as an atomic operation. Then, output ‘acdb’ arising due to concurrent execution of threads T1 and T2 reveals the value of h as 0, as the same output cannot be reproduced when h=1. Thus, the program in Fig. 1 violates the above policy.

Fig. 2.
figure 2

Two secure interleavings for the program in Fig. 1

Full size image
Fig. 3.
figure 3

T1 and T2 receive inputs from asynch. channels read by T3 and T4.

Full size image

The above policy is an example of a hyperproperty [5]; i.e., a set of sets of execution traces. In addition to information-flow requirements, hyperproperties can express other complex requirements such as linearizability [12] and control conditions in cyber-physical systems such as robustness and sensitivity. The temporal logic A-HLTL  [1] can express hyperproperties whose sets of traces advance at different speeds, allowing stuttering steps. For example, the above policy can be expressed in A-HLTL by the following formula: where \(\textsf{obs}\) denotes the output observations, meaning that for all executions (i.e., interleavings) \(\pi \), there should exist another execution \(\pi '\) and a trajectory \(\tau \), such that \(\pi \) and \(\pi '\) start from different values of h and \(\tau \) can align all the observations along \(\pi \) and \(\pi '\) (see Fig. 2). A-HLTL can reason about one source of nondeterminism by the scheduler in the system that may lead to information leak. Indeed, the model checking algorithms proposed in [1] can discover the bug in the program in Fig. 1.

Now, consider a more complex version of the same program shown in Fig. 3 inspired by modern programming languages such as Go and P that allow CSP-style concurrency. Here, new threads T3 and T4 read the values of secret input h and public input l from two asynchronous channels, rendering two different sources of nondeterminism: (1) the scheduler that results in different interleavings, and (2) data availability in the channels. This, in turn, means formula \(\varphi _ \textsf {NI}\) no longer captures the following specification of the program, which should be:

“Any sequence of observable outputs produced by an interleaving should be reproducible by some other interleaving such that for all alignments of public inputs, there exists an alignment of the public outputs”.

Satisfaction of this policy (not expressible in A-HLTL as proposed in [1]) prohibits an attacker from successfully determining the sequence of values of h.

Contributions. In this paper, we strive for a general logic-based approach that enables model checking of a rich set of asynchronous hyperproperties. To this end, we concentrate on A-HLTL model checking for programs subject to multiple sources of nondeterminism. Our first contribution is a generalization of A-HLTL that allows nested trajectory quantification. For example, the above policy requires reasoning about two different trajectories that cannot be composed into one since their sources of nondeterminism are different. This observation motivates the need for enriching A-HLTL with the tools to quantify over trajectories. This generalization enables expressing policies such as follows:

figure b

where \(\textsf{A}\) and \(\textsf{E}\) denote the universal (res., existential) trajectory quantifiers.

Our second contribution is a bounded model checking (BMC) algorithm for a fragment of the extended A-HLTL that allows an arbitrary number of trace quantifier alternations and up to one trajectory quantifier alternation. Following [15], we propose two bounded semantics (called optimistic and pessimistic) for A-HLTL based on the satisfaction of eventualities. We introduce a reduction to the satisfiability problem for quantified Boolean formulas (QBF) and prove that our translation provides decision procedures for A-HLTL BMC for terminating systems, i.e., those whose Kripke structure is acyclic. Our focus on terminating programs is due to the general undecidability of A-HLTL model checking [1]. As in the classic BMC for LTL, the power of our technique is in hunting bugs that are often in the shallow parts of reachable states.

Table 1. A-HLTL model checking complexity for acyclic models.
Full size table

Our third contribution is rigorous complexity analysis of A-HLTL model checking for terminating programs (see Table 1). We show that for formulas with only one trajectory quantifier the complexity is aligned with that of classic synchronous semantics of HyperLTL  [4]. However, the complexity of A-HLTL model checking with multiple trajectory quantifiers is one step higher than HyperLTL model checking in the polynomial hierarchy. An interesting observation here is that the complexity of model checking a formula with two existential trajectory quantifiers is one step higher than one with only one existential quantifier although the plurality of the quantifiers does not change. Generally speaking, A-HLTL model checking for terminating programs remains in PSPACE.

Finally, we have implemented our BMC technique. We evaluate our implementation on verification of four case studies: (1) information-flow security in concurrent programs, (2) information leak in speculative executions, (3) preservation of security in compiler optimization, and (4) cache-based timing attacks. These case studies exhibit a proof of concept for the highly intricate nature of information-flow requirements and how our foundational theoretical results handle them.

Related Work. The concept of hyperproperties is due to Clarkson and Schneider [5]. HyperLTL  [4] and A-HLTL are currently the only logics for which practical model checking algorithms are known [1, 7, 8, 15]. For HyperLTL, the algorithms have been implemented in the model checkers MCHyper and bounded model checker HyperQB  [14]. HyperLTL is limited to synchronous hyperproperties. The A-HLTL model checking problem is known to be undecidable in general [1]. However, decidable fragments that can express observational determinism, noninterference, and linearizability have been identified. This paper generalizes A-HLTL by allowing nested trajectory quantifiers and due to the general undecidability result focuses on terminating programs.

FOL[E] [6] can express a limited form of asynchronous hyperproperties. As shown in [6], FOL[E] is subsumed by HyperLTL with additional quantification over predicates. For S1S[E] and \(H_\mu \), the model checking problem is in general undecidable; for \(H_\mu \), two fragments, the k-synchronous, k-context bounded fragments, have been identified for which model checking remains decidable [11]. Other logical extensions of HyperLTL with asynchronous capabilities are studied in [3], including their decidable fragments, but their model checking problems have not been implemented and the relative expressive power with respect to other asynchronous formalisms has not been studied.

2 Extended Asynchronous HyperLTL

Preliminaries. Given a natural number \(k \in \mathbb {N}_0\), we use [k] for the set \(\{0,\ldots ,k\}\). Let \(\textsf{AP} \) be a set of atomic propositions and \(\mathrm {\Sigma }=2^\textsf{AP} \) be the alphabet, where we call each element of \(\mathrm {\Sigma }\) a letter. A trace is an infinite sequence \(\sigma =a_0a_1\cdots \) of letters from \(\mathrm {\Sigma }\). We denote the set of all infinite traces by \(\mathrm {\Sigma }^\omega \). We use \(\sigma (i)\) for \(a_i\) and \(\sigma ^i\) for the suffix \(a_ia_{i+1}\cdots \). A pointed trace is a pair \((\sigma ,p)\), where \(p \in \mathbb {N}_0\) is a natural number (called the pointer). Pointed traces allow to traverse a trace by moving the pointer. Given a pointed trace \((\sigma , p)\) and \(n > 0\), we use \((\sigma , p) + n\) to denote the resulting trace \((\sigma ,p+n)\). We denote the set of all pointed traces by \(\textsf{PTR} = \{(\sigma , p) \mid \sigma \in \mathrm {\Sigma }^\omega \, \text { and } \, p \in \mathbb {N}_0\}\).

A Kripke structure is a tuple \(\mathcal {K}= \langle S, s_ init , \delta , L \rangle \), where \(S\) is a set of states, \(s_{ init } \in S\) is the initial state, \(\delta \subseteq S\times S\) is a transition relation, and \(L: S \rightarrow \mathrm {\Sigma }\) is a labeling function on the states of \(\mathcal {K}\). We require that for each \(s\in S\), there exists \(s' \in S\), such that \((s, s') \in \delta \).   \(\square \)

A path of a Kripke structure \(\mathcal {K}\) is an infinite sequence of states \(s(0)s(1)\cdots \in S^\omega \), such that \(s(0) = s_ init \) and \((s(i), s({i+1})) \in \delta \), for all \(i \ge 0\). A trace of \(\mathcal {K}\) is a sequence \(\sigma (0)\sigma (1)\sigma (2) \cdots \in \mathrm {\Sigma }^\omega \), such that there exists a path \(s(0)s(1)\cdots \in S^\omega \) with \(\sigma (i) = L(s(i))\) for all \(i\ge 0\). We denote by \(\textsf{Traces}(\mathcal {K}, s)\) the set of all traces of \(\mathcal {K}\) with paths that start in state \(s\in S\).

The directed graph \(\mathcal {F}= \langle S, \delta \rangle \) is called the Kripke frame of the Kripke structure \(\mathcal {K}\). A loop in \(\mathcal {F}\) is a finite sequence \(s_0s_1\cdots s_n\), such that \((s_i, s_{i+1}) \in \delta \), for all \(0 \le i < n\), and \((s_n, s_0) \in \delta \). We call a Kripke frame acyclic, if the only loops are self-loops on terminal states, i.e., on states that have no other outgoing transition. Acyclic Kripke structures model terminating programs.

Extended A-HLTL. The syntax of extended A-HLTL is:

figure c

where \(a \in \textsf{AP} \), \(\pi \) is a trace variable from an infinite supply \(\mathcal {V}\) of trace variables, \(\tau \) is a trajectory variable from an infinite supply \(\mathcal {J}\) of trajectory variables (see formula \(\varphi _ {\textsf {NI}_\textsf {nd}} \) in Section 1 for an example). The intended meaning of \(a_{\pi , \tau }\) is that proposition \(a \in \textsf{AP} \) holds in the current time in trace \(\pi \) and trajectory \(\tau \) (explained later). Trace (respectively, trajectory) quantifiers \(\exists \pi \) and \(\forall \pi \) (respectively, \(\textsf{E}\tau \) and \(\textsf{A}\tau \)) allow reasoning simultaneously about different traces (respectively, trajectories). The intended meaning of \(\textsf{E}\) is that there is a trajectory that gives an interpretation of the relative passage of time between the traces for which the temporal formula that relates the traces is satisfied. Dually, \(\textsf{A}\) means that all trajectories satisfy the inner formula. Given an A-HLTL formula \(\varphi \), we use \(\textsf{Paths} (\varphi )\) (respectively, \(\textsf{Trajs} (\varphi )\)) for the set of trace (respectively, trajectory) variables quantified in \(\varphi \). A formula \(\varphi \) is well-formed if for all atoms \(a_{\pi , \tau }\) in \(\varphi \), \(\pi \) and \(\tau \) are quantified in \(\varphi \) (i.e., \(\tau \in \textsf{Trajs} (\varphi )\) and \(\pi \in \textsf{Paths} (\varphi )\)) and no trajectory/trace variable is quantified twice in \(\varphi \). We use the usual syntactic sugar \( false \triangleq \lnot true \), and , \(\varphi _1 \rightarrow \varphi _2 \triangleq \lnot \varphi _1 \vee \varphi _2\), and , etc. We choose to add \({\mathcal {R}}\) (release) and \({\wedge }\) to the logic to enable negation normal form (NNF). As our BMC algorithm cannot handle formulas that are not invariant under stuttering, the next operator is not included.

Semantics. A trajectory \(t: t(0)t(1)t(2)\cdots \) for a formula \(\varphi \) is an infinite sequence of subsets of \(\textsf{Paths} (\varphi )\), i.e., each \(t_i \subseteq \textsf{Paths} (\varphi )\), for all \(i \ge 0\). Essentially, in each step of the trajectory one or more of the traces make progress or all may stutter. A trajectory is fair for a trace variable \(\pi \in \textsf{Paths} (\varphi )\) if there are infinitely many positions j such that \(\pi \in t(j)\). A trajectory is fair if it is fair for all trace variables in \(\textsf{Paths} (\varphi )\). Given a trajectory \(t\), by \(t^i\), we mean the suffix \(t(i)t(i+1)\cdots \). Furthermore, for a set of trace variables \(\mathcal {V}\), we use \(\textsf{TRJ} _\mathcal {V}\) for the set of all fair trajectories for indices from \(\mathcal {V}\). We also use a trajectory assignment \(\varGamma : \textsf{Trajs} (\varphi ) \mathrel {\rightharpoonup }\textsf{TRJ} _{\textit{Dom}(\varGamma )}\), where \(\textit{Dom}(\varGamma )\) is the subset of \(\textsf{Trajs} (\varphi )\) for which \(\varGamma \) is defined. Given a trajectory assignment \(\varGamma \), a trajectory variable \(\tau \), and a trajectory t, we denote by \(\varGamma [\tau \mapsto t]\) the assignment that coincides with \(\varGamma \) for every trajectory variable except for \(\tau \), which is mapped to t.

For the semantics of extended A-HLTL, we need asynchronous trace assignments \(\varPi :\textsf{Paths} (\varphi )\times \textsf{Trajs} (\varphi )\mathrel {\rightarrow }T\times \mathbb {N}\) which map each pair \((\pi ,\tau )\) formed by a path variable and trajectory variable into a pointed trace. Given \((\varPi ,\varGamma )\) where \(\varPi \) is an asynchronous trace assignment and \(\varGamma \) a trajectory assignment, we use \((\varPi ,\varGamma )+1\) for the successor of \((\varPi ,\varGamma )\) defined as \((\varPi ',\varGamma ')\) where \(\varGamma '(\tau )=\varGamma (\tau )^1\), and \(\varPi '(\pi ,\tau )=\varPi (\pi ,\tau )+1\) if \(\pi \in \varGamma (\tau )(0)\) and \(\varPi '(\pi ,\tau )=\varPi (\pi ,\tau )\) otherwise. Note that \(\varPi \) can assign the same \(\pi \) to different pointed traces depending on the trajectory. We use \((\varPi ,\varGamma )+k\) as the k-th successor of \((\varPi ,\varGamma )\). Given an asynchronous trace assignment \(\varPi \), a trace variable \(\pi \), a trajectory variable \(\tau \) a trace \(\sigma \), and a pointer p, we denote by \(\varPi [(\pi , \tau ) \mapsto (\sigma ,p)]\) the assignment that coincides with \(\varPi \) for every pair except for \((\pi , \tau )\), which is mapped to \((\sigma ,p)\). The satisfaction of an A-HLTL formula \(\varphi \) over a trace assignment \(\varPi \), a trajectory assignment \(\varGamma \), and a set of traces T is defined as follows (we omit \(\lnot \), \({\wedge }\) and \(\mathrel {\vee }\) which are standard):

$$ \begin{array}{rllcl} (\varPi ,\varGamma ) &{}\models _T&{} \exists \pi . \varphi &{} \text {iff} &{} \text {for some } \sigma \in T: \\ &{}&{}&{}&{} (\varPi [(\pi ,\tau ) \mapsto (\sigma , 0)], \varGamma ) \models _T \varphi \text { for all }\tau \\ (\varPi ,\varGamma ) &{}\models _T&{} \forall \pi . \varphi &{} \text {iff} &{} \text {for all } \sigma \in T:\\ &{}&{}&{}&{} (\varPi [(\pi , \tau ) \mapsto (\sigma , 0)], \varGamma ) \models _T \varphi \text { for all }\tau \\ (\varPi ,\varGamma ) &{}\models _T&{} \textsf{E}\tau . \psi &{} \text {iff} &{} \text {for some }t\in \textsf{TRJ} _{\textit{Dom}(\varPi )}: (\varPi ,\varGamma [\tau \mapsto t]) \models \psi \\ (\varPi ,\varGamma ) &{}\models _T&{} \textsf{A}\tau .\psi &{} \text {iff} &{} \text {for all }t\in \textsf{TRJ} _{\textit{Dom}(\varPi )} (\varPi ,\varGamma [\tau \mapsto t]) \models \psi \\ (\varPi ,\varGamma ) &{}\models &{} a_{\pi ,\tau } &{} \text {iff} &{} a\in \sigma (n) \text { where } (\sigma ,n)=\varPi (\pi ,\tau )\\ (\varPi ,\varGamma ) &{}\models &{} \psi _1 \, \mathcal {U}\psi _2 &{} \text {iff} &{} \text {for some } i\ge 0: (\varPi ,\varGamma )+i\models \psi _2 \, \text { and } \, \\ &{}&{}&{}&{} \text {for all } j < i: (\varPi ,\varGamma )+j \models \psi _1\\ (\varPi ,\varGamma ) &{}\models &{} \psi _1 \, {\mathcal {R}}\psi _2 &{} \text {iff} &{} \text {for all } i\ge 0: (\varPi ,\varGamma )+i\models \psi _2 \text {, or } \, \\ &{}&{}&{}&{} \text {for some } i\ge 0: (\varPi ,\varGamma )+i \models \psi _1 \text { and } \\ &{}&{}&{}&{} \qquad \text {for all } j\le {}i: (\varPi ,\varGamma )+j \models \psi _2 \end{array} $$

We say that a set T of traces satisfies a sentence \(\varphi \), denoted by \(T \models \varphi \), if \((\varPi _\emptyset ,\varGamma _\emptyset ) \models _T \varphi \). We say that a Kripke structure \(\mathcal {K}\) satisfies an A-HLTL formula \(\varphi \) (and write \(\mathcal {K}\models \varphi \)) if and only if we have \(\textsf{Traces}(\mathcal {K}, S_ init )\models \varphi \). An example is illustrated in Fig. 4.

Fig. 4.
figure 4

Kripke structure \(\mathcal {K}\) and traces \(t_1\) and \(t_2\) of \(\mathcal {K}\), \(\mathcal {K}\models \varphi _ {\textsf {NI}_\textsf {nd}} \) but \(\mathcal {K}\not \models \varphi _ \textsf {NI}\).

Full size image

3 Bounded Model Checking for A-HLTL

We first introduce the bounded semantics of A-HLTL (for at most one trajectory quantifier alternation but arbitrary trace quantifiers) which will be used to generate queries to a QBF solver to aid solving the BMC problem. The main result of this section is Theorem 1 which provides decision procedures for model checking A-HLTL for terminating systems.

3.1 Bounded Semantics of A-HLTL

The bounded semantics corresponds to the exploration of the system up to a certain bound. In our case, we will consider two bounds k and m (with \(k\le m\)). The bound k corresponds to the maximum depth of the unrolling of the Kripke structures and m is the bound on trajectories length. We start by introducing some auxiliary functions and predicates, for a given trace assignment and \((\varPi ,\varGamma )\). First, the family of functions \(\textit{pos}_{\pi ,\tau }:\{0\ldots {}m\}\mathrel {\rightarrow }\mathbb {N}\). The meaning of \(\textit{pos}_{\pi ,\tau }(i)\) provides how many times \(\pi \) has been selected in \(\{\tau (0),\ldots ,\tau (i)\}\). We assume that Kripke structures are equipped with an atomic proposition \(\textit{halt} \) (one per trace variable \(\pi \)) which encodes whether the state is a halting state. Given \((\varPi ,\varGamma )\) we consider the predicate \(\textit{halted} \) that holds whenever for all \(\pi \) and \(\tau \), \(\textit{halt} \in \sigma (j)\) for \((\sigma ,j)=\varPi (\pi ,\tau )\). In this case we write \((\varPi ,\varGamma ,n)\models \textit{halted} \).

We define two bounded semantics which only differ in how they inspect beyond the (km) bounds: \(\models ^{ hpes }_{k,m}\), called the halting pessimistic semantics and \(\models ^{ hopt }_{k,m}\), called the halting optimistic semantics. We start by defining the bounded semantics of the quantifiers.

$$\begin{aligned} \begin{array}{lllclr} (\varPi ,\varGamma ,0) &{} \models _{k,m} &{} \exists \pi .\ \psi &{} \text { iff } &{} \text {there is a } \sigma \in T_\pi \text {, such that for all } \tau \\ &{}&{}&{}&{}(\varPi [(\pi ,\tau )\mathrel {\rightarrow }(\sigma ,0)],\varGamma ,0) \models _{k,m} \psi \end{array} \end{aligned}$$
(1)
$$\begin{aligned} \begin{array}{lllclr} (\varPi ,\varGamma ,0) &{}\models _{k,m} &{} \forall \pi .\ \psi &{} \text { iff } &{} \text {for all } \sigma \in T_\pi , \text { for all } \tau :\\ &{}&{}&{}&{} (\varPi [(\pi ,\tau )\mathrel {\rightarrow }(\sigma ,0)],\varGamma ,0) \models _{k,m} \psi \\ \end{array} \end{aligned}$$
(2)
$$\begin{aligned} \begin{array}{lllclr} (\varPi ,\varGamma ,0) &{} \models _{k,m} &{} \textsf{E}\tau .\ \psi &{} \text { iff } &{} \text {there is a } t \in \textsf{TRJ} _{\textit{Dom}(\varPi )}:\\ &{}&{}&{}&{} (\varPi ,\varGamma [\tau \mathrel {\rightarrow }{}t],0) \models _{k,m} \psi \\ \end{array} \end{aligned}$$
(3)
$$\begin{aligned} \begin{array}{lllclr} (\varPi ,\varGamma ,0) &{} \models _{k,m} &{} \textsf{A}\tau .\ \psi &{} \text { iff } &{} \text {for all } t \in \textsf{TRJ} _{\textit{Dom}(\varPi )}:&{}\\ &{}&{}&{}&{} (\varPi ,\varGamma [\tau \mathrel {\rightarrow }{}t],0) \models _{k,m} \psi \end{array} \end{aligned}$$
(4)

For the Boolean operators, for \(i\le {} m\):

$$\begin{aligned} \begin{array}{lcl} (\varPi , \varGamma ,i) \models _{k,m} \texttt{true}&{} \qquad &{} \qquad \\ \end{array} \end{aligned}$$
(5)
$$\begin{aligned} \begin{array}{lcl} (\varPi , \varGamma ,i) \models _{k,m} a_{\pi ,\tau } &{} \text {iff} &{} a \in (\sigma ,j) \text { where } \\ &{}&{} \ (\sigma ,j)=\varPi (\pi ,\tau )(i) \text { and } j\le {}k \end{array} \end{aligned}$$
(6)
$$\begin{aligned} \begin{array}{lcl} (\varPi , \varGamma ,i) \models _{k,m} \lnot a_{\pi ,\tau } &{} \text {iff} &{} a \not \in (\sigma ,j) \text { where } \\ &{}&{} \ (\sigma ,j)=\varPi (\pi ,\tau )(i) \text { and } j\le {}k \end{array} \end{aligned}$$
(7)
$$\begin{aligned} \begin{array}{lcl} (\varPi , \varGamma ,i) \models _{k,m} \psi _1 \vee \psi _2&\text {iff}&(\varPi ,\varGamma ,i) \models _{k,m} \psi _1 \text { or } (\varPi ,\varGamma ,i) \models _{k,m} \psi _2 \end{array} \end{aligned}$$
(8)
$$\begin{aligned} \begin{array}{lcl} (\varPi , \varGamma ,i) \models _{k,m} \psi _1 \wedge \psi _2&\text {iff}&(\varPi ,\varGamma ,i) \models _{k,m} \psi _1 \text { and } (\varPi ,\varGamma ,i) \models _{k,m} \psi _2 \end{array} \end{aligned}$$
(9)

For the temporal operators, we must consider the cases of falling of the paths (beyond k) and falling of the traces (beyond m). We define the predicate \(\textit{off}\,\) which holds for \((\varPi ,\varGamma ,i)\) if for some \((\pi ,\tau )\), \(\textit{pos}_{\pi ,\tau }(i)>k\) and \(\textit{halt} _\pi \notin \sigma (k)\) where \(\sigma \) is the trace assigned to \(\pi \). Note that \(\textit{halted} \) implies that \(\textit{off}\,\) does not hold because all paths (including those at k or beyond) satisfy \(\textit{halt} \).

We define two semantics that differ on how to interpret when the end of the unfolding of the traces and trajectories is reached. The halting pessimistic semantics, denoted by \(\models ^{ hpes }_{k,m}\) take (1)-(9) above and add (10)-(13) together with \((\varPi ,\varGamma ,i)\not \models _{k,m}\textit{off}\,\). Rules (10) and (11) define the semantics of the temporal operators for the case \(i<m\), that is, before the end of the unrolling of the trajectories (recall that we do not consider ):

$$\begin{aligned} \begin{array}{llcl} (\varPi ,\varGamma ,i) \models _{k,m} &{} \psi _1 \mathcal {U}\psi _2 &{} \quad \text {iff} &{} \ (\varPi ,\varGamma ,i) \models _{k,m}\psi _2\text {, or } (\varPi ,\varGamma ,i) \models _{k,m}\psi _1 \text {, and} \\ &{}&{}&{} (\varPi ,\varGamma ,i)+1 \models _{k,m}\psi _1 \mathcal {U}\psi _2 \end{array} \end{aligned}$$
(10)
$$\begin{aligned} \begin{array}{llcl} (\varPi ,\varGamma ,i) \models _{k,m} &{} \psi _1 {\mathcal {R}}\psi _2 &{} \quad \text {iff} &{} \ (\varPi ,\varGamma ,i) \models _{k,m}\psi _2 \text {, and } (\varPi ,\varGamma ,i) \models _{k,m}\psi _1 \text {, or} \\ &{}&{}&{} (\varPi ,\varGamma ,i)+1 \models _{k,m}\psi _1{\mathcal {R}}\psi _2 \\ \end{array} \end{aligned}$$
(11)

For the case of \(i=m\), that is, at the bound of the trajectory:

$$\begin{aligned} \begin{array}{llcl} (\varPi ,\varGamma ,m) \models ^{ hpes }_{k,m}&\psi _1 \mathcal {U}\psi _2&\quad \text {iff}&\ (\varPi ,\varGamma ,m)\models _{k,m} \psi _2 \end{array} \end{aligned}$$
(12)
$$\begin{aligned} \begin{array}{llcl} (\varPi ,\varGamma ,m) \models ^{ hpes }_{k,m} &{} \psi _1 {\mathcal {R}}\psi _2 &{} \text {iff} &{} (\varPi ,\varGamma ,m) \models _{k,m}\psi _1{\wedge }\psi _2 \text {, or} \\ &{}&{}&{} (\varPi ,\varGamma ,m) \models _{k,m}\textit{halted} {\wedge }\psi _2 \end{array} \end{aligned}$$
(13)

The halting optimistic semantics, denoted by \(\models ^{ hopt }_{k,m}\) take rules (1)-(11) and (12’)-(13’), but now if \((\varPi ,\varGamma ,i)\models ^{ hopt }_{k,m}\textit{off}\,\) then \((\varPi ,\varGamma ,i)\models ^{ hopt }_{k,m}\varphi \) holds for every formula. Again, rules (10) and (11) define the semantics of the temporal operators for the case \(i<m\). Then, for \(i=m\):

$$\begin{aligned} \begin{array}{llcl} (\varPi ,\varGamma ,m) \models ^{ hopt }_{k,m} &{} \psi _1 \mathcal {U}\psi _2 &{} \quad \text {iff} &{} \ (\varPi ,\varGamma ,m) \models _{k,m}\psi _2 \text {, or} \\ &{}&{}&{} (\varPi ,\varGamma ,m) \not \models _{k,m}\textit{halted} {\wedge }\psi _1 \\ \end{array} \end{aligned}$$
(12')
$$\begin{aligned} \begin{array}{llcl} (\varPi ,\varGamma ,m) \models ^{ hopt }_{k,m} &{} \psi _1 {\mathcal {R}}\psi _2 &{} \text {iff} &{} (\varPi ,\varGamma ,m) \models _{k,m}\psi _2 \\ \end{array} \end{aligned}$$
(13')

Similar to [15] for the case of HyperLTL, the pessimistic semantics capture the case where we assume that pending eventualities will not become true in the future after the end of the trace (this is also assumed in LTL BMC). Dually, the optimistic semantics assume that all pending eventualities at the end of the trace will be fulfilled. Therefore, the following hold (proofs in [13]).

Lemma 1

Let \(k\le k'\) and \(m\le m'\).

  1. 1.

    If \((\varPi ,\varGamma ,0)\models ^{ hpes }_{k,m}\varphi \), then \((\varPi ,\varGamma ,0)\models ^{ hpes }_{k',m'}\varphi \).

  2. 2.

    If \((\varPi ,\varGamma ,0)\not \models ^{ hopt }_{k,m}\varphi \), then \((\varPi ,\varGamma ,0)\not \models ^{ hopt }_{k',m'}\varphi \).

Lemma 2

The following hold for every k and m,

  1. 1.

    If \((\varPi ,\varGamma ,0)\models ^{ hpes }_{k,m}\varphi \), then \((\varPi ,\varGamma ,0)\models \varphi \).

  2. 2.

    If \((\varPi ,\varGamma ,0)\not \models ^{ hopt }_{k,m}\varphi \), then \((\varPi ,\varGamma ,0)\not \models \varphi \).

3.2 From Bounded Semantics to QBF Solving

Let \(\mathcal {K}\) be a Kripke structure and \(\varphi \) be an A-HLTL formula. Based on the bounded semantics introduced previously, our main approach is to generate a QBF query (with bounds k, m), which can use either the pessimistic or the optimistic semantics. We use \(\llbracket \mathcal {K},\varphi \rrbracket ^ hpes _{k,m}\) if the pessimistic semantics are used and \(\llbracket \mathcal {K},\varphi \rrbracket ^ hopt _{k,m}\) if the optimistic semantics are used. Our translations will satisfy that

  1. (1)

    if \(\llbracket \mathcal {K},\varphi \rrbracket ^ hpes _{k,m}\) is SAT, then \(\mathcal {K}\models \varphi \);

  2. (2)

    if \(\llbracket \mathcal {K},\varphi \rrbracket ^ hopt _{k,m}\) is UNSAT, then \(\mathcal {K}\not \models \varphi \);

  3. (3)

    if the Kripke structure is unrolled to the diameter and the trajectories up to a maximum length (see below), then \(\llbracket \mathcal {K},\varphi \rrbracket ^ hpes _{k,m}\) is SAT if and only if \(\llbracket \mathcal {K},\varphi \rrbracket ^ hopt _{k,m}\) is SAT.

The first step to define \(\llbracket \mathcal {K},\varphi \rrbracket ^ hopt _{k,m}\) and \(\llbracket \mathcal {K},\varphi \rrbracket ^ hpes _{k,m}\) is to encode the unrolling of the models up-to a given depth k. For a path variable \(\pi \) corresponding to Kripke structure \(\mathcal {K}\), we introduce \((k+1)\) copies (\(x^0,\ldots ,x^k\)) of the Boolean variables that define the state of \(\mathcal {K}\) and use the initial condition I and the transition relation R of \(\mathcal {K}\) to relate these variables. For example, for \(k=3\), we unroll the transition relation up-to 3 as follows:

$$ \llbracket \mathcal {K}\rrbracket _3 = I(x^0) \wedge R(x^0, x^1) \wedge R(x^1, x^2) \wedge R(x^2, x^3). $$
Fig. 5.
figure 5

Variables for encodings of the blue trajectory in Fig. 4, where green variables are \( true \) and gray variables are \( false \).

Full size image

Encoding positions. For each trajectory variable \(\tau \) and given the bound m on the unrolling of trajectories, we add \(\textsf{Paths} (\varphi )\times (m+1)\) variables \(t_{\pi }^0\ldots t_{\pi }^m\), for each \(\pi \). The intended meaning of \(t_{\pi }^j\) is that \(t_{\pi }^j\) is true whenever \(\pi \in {}t(j)\), that is, when t dictates that \(\pi \) moves at time instant j. In order to encode sanity conditions on trajectories, that are crucial for completeness, it is necessary to introduce a family of variables that captures how much \(\pi \) has moved according to \(\tau \) after j steps. There is a variable \(\textit{pos}\) for each trace variable \(\pi \), each trajectory \(\tau \) and each \(i\le {}k\) and \(j\le {}m\). We represent this variable by \(\textit{pos}^{i,j}_{\pi ,\tau }\). The intention is that \(\textit{pos}\) is true whenever after j steps trajectory \(\tau \) has dictated that trace \(\pi \) progresses precisely i times. Fig. 5 shows encodings \(t_{\pi }^j\) and \(\textit{pos}^{i,j}_{\pi ,\tau }\) for the traces w.r.t. the blue trajectory, \(\tau '\) in Fig. 4. We will use the auxiliary definitions (for \(i\in \{0\ldots {}k\}\) and \(j\in \{0\ldots {}m\}\)) to force that the path \(\pi \) has moved to position i after j moves from the trajectory and that \(\pi \) has not fallen off the trace (and does not change position when the paths fall off the trace):

$$\begin{aligned} \textit{setpos}\,_{\pi ,\tau }^{i,j}&\,{\mathop {=}\limits ^{\text {def }}}\,\textit{pos}_{\pi ,\tau }^{i,j} {\wedge }\bigwedge _{n \in \{0..k\} \setminus \{i\}}\lnot \textit{pos}_{\pi ,\tau }^{n,j}{\wedge }\lnot \textit{off}\,^j_{\pi ,\tau } \\ \textit{nopos}\,_{\pi ,\tau }^{j}&\,{\mathop {=}\limits ^{\text {def }}}\,\textit{off}\,^j_{\pi ,\tau }{\wedge }\bigwedge _{n\in \{0..k\}}\lnot \textit{pos}_{\pi ,\tau }^{n,j} \end{aligned}$$

Initially, \( I_\textit{pos}\,{\mathop {=}\limits ^{\text {def }}}\,\bigwedge _{\pi ,\tau }\textit{setpos}\,^{0,0}_{\pi ,\tau } \), where \(\pi \in \textsf{Traces} (\varphi )\) and \(\tau \in \textsf{TRJ} _{\textit{Dom}(\varPi )}\). \(I_\textit{pos}\) captures that all paths are initially at position 0. Then, for every step \(j\in \{0\ldots m\}\), the following formulas relate the values of \(\textit{pos}\) and \(\textit{off}\,\), depending on whether trajectory \(\tau \) moves path \(\pi \) or not (and on whether \(\pi \) has reached the end k or halted):

$$\begin{aligned} \textit{step}\,^j_{\pi ,\tau }&\,{\mathop {=}\limits ^{\text {def }}}\,\bigwedge _{i\in \{0..k-1\}}\big (\textit{pos}^{i,j}_{\pi ,\tau } {\wedge }t_\pi ^{j} \mathrel {\rightarrow }\textit{setpos}\,^{i+1,j+1}_{\pi ,\tau }\big )\\ \end{aligned}$$
$$\begin{aligned} \textit{stutters}\,^j_{\pi ,\tau }&\,{\mathop {=}\limits ^{\text {def }}}\,\bigwedge _{i\in \{0..k\}}\big ( \textit{pos}^{i,j}_{\pi ,\tau } {\wedge }\lnot t_\pi ^{j} \mathrel {\rightarrow }\textit{setpos}\,^{i,j+1}_{\pi ,\tau }\big ) \\ \textit{ends}\,^{j}_{\pi ,\tau }&\,{\mathop {=}\limits ^{\text {def }}}\,(\textit{pos}^{k,j}_{\pi ,\tau } {\wedge }t_\pi ^j) \mathrel {\rightarrow }\big ((\lnot {\textit{halt} \,}^k_{\pi } \mathrel {\rightarrow }\textit{nopos}\,^{j+1}_{\pi ,\tau }) {\wedge }({\textit{halt} \,}^k_{\pi } \mathrel {\rightarrow }\textit{setpos}\,^{k,j+1}_{\pi ,\tau })\big ) \end{aligned}$$

Then the following formula captures the correct assignment to the the \(\textit{pos}\) variables, including the initial assignment:

$$ \varphi _\textit{pos}\,{\mathop {=}\limits ^{\text {def }}}\,I_\textit{pos}{\wedge }\bigwedge _{j\in \{0..m\}}\bigwedge _{\pi ,\tau } (\textit{step}\,_{\pi ,\tau }^j {\wedge }\textit{stutters}\,_{\pi ,\tau }^j{\wedge }\textit{ends}\,_{\pi ,\tau }^j) $$

For example, Fig. 5 (w.r.t. Fig. 4) encodes the blue trajectory \((\tau ')\) of \(\pi \) (i.e., \(t_1\)) and \(\pi '\) (i.e., \(t_2\)) as follows. First, for \(j\in [0,3)\), it advances \(t_1\) and stutters \(t_2\). Therefore, \({t_\pi ^{0}} , {t_\pi ^{1}}, { t_\pi ^{2}}\) are \( true \) and \({t_{\pi '}^{0}}, {t_{\pi '}^{1}}, { t_{\pi '}^{2}}\) are \( false \). Notice that for \(\textit{pos}\) encodings, the \(\pi \) position advances according to \(\textit{step}\,^j_{\pi ,\tau '}\) (i.e., \({\textit{pos}_{\pi ,\tau '}^{0,0}}, {\textit{pos}_{\pi ,\tau '}^{1,1}}, {\textit{pos}_{\pi ,\tau '}^{2,2}}, {\textit{pos}_{\pi ,\tau '}^{3,3}}\)); while \(\pi '\) stutters according to \( \textit{stutters}\,^j_{\pi ',\tau '}\) (i.e., \( {\textit{pos}_{\pi ',\tau '}^{0,0}}, {\textit{pos}_{\pi ',\tau '}^{0,1}}, {\textit{pos}_{\pi ',\tau '}^{0,2}}, {\textit{pos}_{\pi ',\tau '}^{0,3}}\)). Then, for \(j \in [3,5]\), it alternatively advances \(t_2\) which makes \({ t_\pi ^{3}}, {t_\pi ^{4}}, {t_\pi ^{5}}\) \( false \) and \( { t_{\pi '}^{3}}, { t_{\pi '}^{4}}, { t_{\pi '}^{5}}\) \( true \). Similarly, the movements becomes \({\textit{pos}_{\pi ,\tau '}^{3,4}}, {\textit{pos}_{\pi ,\tau '}^{3,5}}, {\textit{pos}_{\pi ,\tau '}^{3,6}} \) and \({\textit{pos}_{\pi ',\tau '}^{1,4}}, {\textit{pos}_{\pi ',\tau '}^{2,5}}, {\textit{pos}_{\pi ',\tau '}^{3,6}}\). At the halting point (i.e., \(j = k\)), both trajectory trigger \(\textit{ends}\,^{j}\) and do not advance anymore.

Encoding the inner LTL formula. We will use the following auxiliary predicates:

$$ {\textit{halted} \,}^j \,{\mathop {=}\limits ^{\text {def }}}\,\bigwedge _{\tau } {\textit{halted} \,}^j_\tau \qquad \qquad \textit{off}\,^j\,{\mathop {=}\limits ^{\text {def }}}\,\bigvee _{\pi ,\tau }\textit{off}\,^j_{\pi ,\tau } $$

We now give the encoding for the inner temporal formulas for a fix unrolling k and m as follows. For the atomic and Boolean formulas, the following translations are performed for \(j\in \{0\ldots {}m\}\).

$$\begin{aligned} \begin{array}{lcl} \llbracket p_{\pi ,\tau } \rrbracket _{k,m}^j&\qquad :=&\bigvee \nolimits _{i\in \{0..k\}}(\textit{pos}^{i,j}_{\pi ,\tau } {\wedge }p^i_\pi ) \end{array} \end{aligned}$$
(14)
$$\begin{aligned} \begin{array}{lcl} \llbracket \lnot {}p_{\pi ,\tau } \rrbracket _{k,m}^j&\quad :=&\bigvee \nolimits _{i\in \{0..k\}}(\textit{pos}^{i,j}_{\pi ,\tau } {\wedge }\lnot {}p^i_\pi ) \end{array} \end{aligned}$$
(15)
$$\begin{aligned} \begin{array}{lcl} \llbracket \psi _1\mathrel {\vee }\psi _2 \rrbracket _{k,m}^j:= & {} \llbracket \psi _1 \rrbracket _{k,m}^j\mathrel {\vee }\llbracket \psi _2 \rrbracket _{k,m}^j \end{array} \end{aligned}$$
(16)
$$\begin{aligned} \begin{array}{lcl} \llbracket \psi _1{\wedge }\psi _2 \rrbracket _{k,m}^j:= & {} \llbracket \psi _1 \rrbracket _{k,m}^j{\wedge }\llbracket \psi _2 \rrbracket _{k,m}^j \end{array} \end{aligned}$$
(17)

The halting pessimistic semantics translation uses \(\llbracket \cdot \rrbracket _ hpes \), taking (14)-(17) and (18)-(21) below. For the temporal operators and \(j<m\):

$$\begin{aligned} \llbracket \psi _1\mathcal {U}\psi _2 \rrbracket _{k,m}^j:= & {} \lnot \textit{off}\,^j {\wedge }\big (\llbracket \psi _2 \rrbracket _{k,m}^j \mathrel {\vee }( \llbracket \psi _1 \rrbracket _{k,m}^j{\wedge }\llbracket \psi _1\mathcal {U}\psi _2 \rrbracket _{k,m}^{j+1})\big ) \end{aligned}$$
(18)
$$\begin{aligned} \llbracket \psi _1{\mathcal {R}}\psi _2 \rrbracket _{k,m}^j:= & {} \lnot \textit{off}\,^j {\wedge }\big ( \llbracket \psi _2 \rrbracket _{k,m}^j {\wedge }( \llbracket \psi _1 \rrbracket _{k,m}^j\mathrel {\vee }\llbracket \psi _1{\mathcal {R}}\psi _2 \rrbracket _{k,m}^{j+1})\big ) \end{aligned}$$
(19)

For \(j=m\):

$$\begin{aligned} \llbracket \psi _1\mathcal {U}\psi _2 \rrbracket _{k,m}^m:= & {} \llbracket \psi _2 \rrbracket _{k,m}^m \end{aligned}$$
(20)
$$\begin{aligned} \llbracket \psi _1{\mathcal {R}}\psi _2 \rrbracket _{k,m}^m:= & {} \big (\llbracket \psi _1 \rrbracket _{k,m}^m {\wedge }\llbracket \psi _2 \rrbracket _{k,m}^m\big )\mathrel {\vee }\big ({\textit{halted} \,}^m{\wedge }\llbracket \psi _2 \rrbracket _{k,m}^m\big ) \end{aligned}$$
(21)

The halting optimistic semantics translation uses \(\llbracket \cdot \rrbracket _ hopt \), taking (14)-(17) and (18’)-(21’) as follows, For the temporal operators and \(j<m\):

$$\begin{aligned} \llbracket \psi _1\mathcal {U}\psi _2 \rrbracket _{k,m}^j&:= \textit{off}\,^j \mathrel {\vee }\big (\llbracket \psi _2 \rrbracket _{k,m}^j \mathrel {\vee }( \llbracket \psi _1 \rrbracket _{k,m}^j{\wedge }\llbracket \psi _1\mathcal {U}\psi _2 \rrbracket _{k,m}^{j+1})\big ) \end{aligned}$$
(18')
$$\begin{aligned} \llbracket \psi _1{\mathcal {R}}\psi _2 \rrbracket _{k,m}^j&:= \textit{off}\,^j \mathrel {\vee }\big ( \llbracket \psi _2 \rrbracket _{k,m}^j {\wedge }( \llbracket \psi _1 \rrbracket _{k,m}^j\mathrel {\vee }\llbracket \psi _1{\mathcal {R}}\psi _2 \rrbracket _{k,m}^{j+1})\big ) \end{aligned}$$
(19')

For \(j=m\):

$$\begin{aligned} \llbracket \psi _1\mathcal {U}\psi _2 \rrbracket _{k,m}^m:= & {} \llbracket \psi _2 \rrbracket _{k,m}^m \mathrel {\vee }\big ({\textit{halted} \,}^m{\wedge }\llbracket \psi _1 \rrbracket _{k,m}^m\big ) \end{aligned}$$
(20')
$$\begin{aligned} \llbracket \psi _1{\mathcal {R}}\psi _2 \rrbracket _{k,m}^m:= & {} \llbracket \psi _2 \rrbracket _{k,m}^m \end{aligned}$$
(21')

Combining the encodings. Let \(\varphi \) be a A-HLTL formula of the form \(\varphi = \mathbb {Q}_A\pi _A.\dots .\mathbb {Q}_Z\pi _Z.\mathbb {Q}_a\tau _a.\dots .\mathbb {Q}_z\tau _z.\psi \). Combining all the components, the encoding of the A-HLTL BMC problem into QBF, for bounds k and m is:

$$\begin{aligned} \llbracket \mathcal {K}, \varphi \rrbracket _{k,m} = \mathbb {Q}_A\overline{x_A}.\cdots .\mathbb {Q}_Z\overline{x_Z}. \mathbb {Q}_a\overline{t_a}.\cdots .\mathbb {Q}_z\overline{t_z}.\ \exists \overline{\textit{pos}}.\ \exists \overline{\textit{off}\,}. \\ \Big ( \llbracket \mathcal {K} \rrbracket _k \circ _A \cdots \llbracket \mathcal {K} \rrbracket _k \circ _Z ( \varphi _\textit{pos}{\wedge }\textit{enc}(\psi ) ) \Big ) \end{aligned}$$

where \(\circ _A=\mathrel {\rightarrow }\) if \(\mathbb {Q}_A=\forall \) (and \(\circ _A={\wedge }\) if \(\mathbb {Q}_A=\exists \)), and \(\circ _B\), \(\ldots \) are defined similarly. The sets \(\overline{\textit{pos}}\) is the set of variables \(\textit{pos}^{i,j}_{\pi ,\tau }\) that encode the positions and \(\overline{\textit{off}\,}\) is the set of variables \(\textit{off}\,^j_{\pi ,\tau }\) that encode when a trace progress has fallen off its unrolling limit. We next define the encoding \(\textit{enc}(\psi )\) of the temporal formula \(\psi \).

Encoding formulas with up to 1 trajectory quantifier alternations We consider the encoding into QBF of formulas with zero and one quantifier alternation separately. In the following, we say that at position j a collection of trajectories U “moves” whenever either all trajectories have moved all their paths to the halting state, or at least one of the trajectories in U makes one of the non-halted path move at position j. Formally,

$$ \textit{moves}\,^j_U\,{\mathop {=}\limits ^{\text {def }}}\,{\textit{halted} \,}^j_U \mathrel {\vee }\bigvee _{\tau \in {}U,\pi } (t^j_\pi {\wedge }\lnot {\textit{halt} \,}_{\pi , \tau }^{j}) $$

  • \(\textsf{E}^+ U. \psi \): In this case, the formula generated for \( \textit{enc}(\psi )\) is

    $$\begin{aligned} (\bigwedge _{j\in \{0\ldots {}m\}}\textit{moves}\,^j_U) {\wedge }\llbracket \psi \rrbracket ^0_{k,m} \end{aligned}$$

    This is correct since the positions at which all trajectories stutter all paths can be removed (obtaining a satisfying path), we can restrict the search to non-stuttering trajectory steps.

  • \(\textsf{A}^+ U. \psi \): In this case, the formula generated for \( \textit{enc}(\psi )\) is

    $$\begin{aligned} (\bigwedge _{j\in \{0\ldots {}m\}}\textit{moves}\,^j_U) \mathrel {\rightarrow }\llbracket \psi \rrbracket ^0_{k,m} \end{aligned}$$

    The reasoning is similar as the previous case.

  • \(\textsf{A}^+ U_A\textsf{E}^+ U_E. \psi \): In this case, the formula generated for \( \textit{enc}(\psi )\) is

    $$ (\bigwedge _{j \in \{0\ldots {}m\}}\textit{moves}\,^j_{U_A}) \mathrel {\rightarrow }\big ( \bigwedge _{j \in \{0\ldots {}m\}}({\textit{halted} \,}^j_{U_A} \mathrel {\rightarrow }\textit{moves}\,^j_{U_E}){\wedge }\llbracket \psi \rrbracket ^0_{k,m}\big ) $$

    Universally quantified trajectories must explore all trajectories, which must be responded by the existential trajectories. Assume there is a strategy for \(U_E\) for the case that universal trajectories \(U_A\) never stutter at any position. This can be extended into a strategy for the case where \(U_A\) can possible stutter, by adding a stuttering step to the \(U_E\) trajectories at the same position. This guarantees the same evaluation. Therefore, we restrict our search for the outer \(U_A\) to non-stuttering trajectories. Finally, \(U_E\) is obliged to move after \(U_A\) has halted all paths to prevent global stuttering.

  • \(\textsf{E}^+ U_E\textsf{A}^+ U_A. \psi \): In this case, the formula generated for \( \textit{enc}(\psi )\) is similar,

    $$ \big (\bigwedge _{j \in \{0\ldots {}m\}}\textit{moves}\,^j_{U_E}\big ) \wedge \big (\bigwedge _{j\in \{0\ldots {}m\}}({\textit{halted} \,}^j_{U_E} \mathrel {\rightarrow }\textit{moves}\,^j_{U_A})\mathrel {\rightarrow }\llbracket \psi \rrbracket ^0_{k,m}\big ) $$

    The rationale for this encoding is the following. It is not necessary to explore a non-moving step j for the existentially quantified trajectories \(U_E\) because if this stuttering step is successful it must work for all possible moves of the \(U_A\) trajectories at the same time step j. This includes the case that all trajectories in \(U_A\) make all paths stutter (which, if we remove j one still has all the legal trajectories for \(U_A\)). Since the logic does not contain the next operator, the evaluation for the given \(U_E\) and one of the trajectories for \(U_A\) that stutter at j will be the same as for \(j+1\) for all logical formulas. Therefore, the trajectory that is obtained from removing step j from \(U_E\) is still a satisfying trajectory assignment. It follows that if there is a model for \(U_E\) there is a model that does not stutter. Finally, after all paths have halted according to the \(U_E\) trajectories, a step of \(U_A\) that stutters all paths that have not halted can be removed because, again the evaluation is the same in the previous and subsequent state. It follows that if the formula has a model, then it has a model satisfying the encoding.

Theorem 1

Let \(\varphi \) be an A-HLTL formula with at most one trajectory quantifier alternation, let K be the maximum depth of a Kripke structure and let \(M=K \times |\textsf{Paths} (\varphi )| \times |\textsf{Trajs} (\varphi )|\). Then, the following hold:

  • \(\llbracket \mathcal {K},\varphi \rrbracket _{K,M}^ hpes \) is satisfiable if and only if \(\mathcal {K}\models \varphi \).

  • \(\llbracket \mathcal {K},\varphi \rrbracket _{K,M}^ hopt \) is satisfiable if and only if \(\mathcal {K}\models \varphi \).

Theorem 1 (proof in [13]) provides a model checking decision procedure. An alternative decision procedure is to iteratively increase the bound of the unrollings and invoke both semantics in parallel until the outcome coincides.

4 Complexity of A-HLTL Model Checking for Acyclic Frames

Our goal in this section is to analyze the complexity of the A-HLTL model checking problem in the size of an acyclic Kripke structure (all proofs in [13]).

Problem Formulation. We use \(\textsf{MC}\big [\textsf{Fragment}\big ]\) to distinguish different variations of the problem, where MC is the model checking decision problem, i.e., whether or not \(\mathcal {K}\models \varphi \), and Fragment is one of the following for \(\varphi \):

  • \([\exists (\exists /\forall )^+\textsf{A}/\textsf{E}]^k\)’, for \(k\ge 0\), is the fragment with a lead existential trace quantifier, one outermost universal or existential trajectory quantifier, and k (counting all) quantifier alternations, where \(k=0\) means the existential alternation-free fragment ‘\(\exists ^+\textsf{E}^+\)’. Fragment ‘\([\forall (\forall /\exists )^+\textsf{A}/\textsf{E}]^k\)’ is defined similarly, where \(k=0\) is the universal alternation-free fragment ‘\(\forall ^+\textsf{A}^+\)’.

  • Fragments ‘\([\exists (\exists /\forall )^+(\textsf{E}^+\textsf{A}^+/\textsf{A}^+\textsf{E}^+/\textsf{E}\textsf{E}^+/\textsf{A}\textsf{A}^+)]^k\)’, for \(k \ge 1\) denotes the fragment with a lead existential trace quantifier, multiple outermost trajectory quantifiers with at most one alternation, and k quantifier alternations (counting all quantifiers), where \(k=1\) means fragment ‘\(\exists \textsf{E}\textsf{A}\)’. Fragment ‘\([\forall (\forall /\exists )^+(\textsf{E}^+\textsf{A}^+/\textsf{A}^+\textsf{E}^+/\textsf{E}\textsf{E}^+/\textsf{A}\textsf{A}^+)]^k\)’ is defined similarly, where \(k=1\) means fragment ‘\(\forall \textsf{A}\textsf{E}\)’.

The Complexity of A-HLTL Model Checking. We first show the A-HLTL model checking problem for the alternation-free fragment with only one trajectory quantifier is NL-complete. For example, verification of information leak in speculative execution in sequential programs renders a formula of the form \(\forall ^4\textsf{A}\), which belongs to the alternation-free fragment (more details in Section 5).

Theorem 2

\(\textsf{MC}{\big [\exists ^+\textsf{E}\big ]}\) and \(\textsf{MC}{\big [\forall ^+\textsf{A}\big ]}\) are NL-complete.

We now switch to formulas with alternating trace quantifiers. The significance of the next theorem is that a single trajectory quantifier does not change the complexity of model checking as compared to the classic HyperLTL verification [2]. It is noteworthy to mention that several important classes of formulas belong to this fragment. For example, according to Theorem 3 while model checking observational determinism [19] (\(\forall \forall \textsf{E}\)), generalized noninference [16] (\(\forall \forall \exists \textsf{E}\)), and non-inference [5] (\(\forall \exists \textsf{E}\)) with a single initial input are all coNP-complete.

Theorem 3

\(\textsf{MC}{\big [\exists (\exists /\forall )^{+}(\textsf{A}/\textsf{E})\big ]^{k}}\) is \({\varSigma ^p_{k}}\) -complete and \(\textsf{MC}{\big [\forall (\forall /\exists )^{+}(\textsf{E}/\textsf{A})\big ]^{k}}\) is \({\varPi ^p_{k}}\) -complete in the size of the Kripke structure.

We now focus on formulas with multiple trajectory quantifiers. We first show that alternation-free multiple trajectory quantifiers bumps the class of complexity by one step in the polynomial hierarchy.

Theorem 4

\(\textsf{MC}{\big [\exists (\exists /\forall )^{+}\textsf{E}\textsf{E}^+\big ]^{k}}\) is \({\varSigma ^p_{k+1}}\) -complete and \(\textsf{MC}{\big [\forall (\forall /\exists )^{+}\textsf{A}\textsf{A}^+\big ]^{k}}\) is \({\varPi ^p_{k+1}}\) -complete in the Kripke structure.

Theorem 5

For \(k \ge 1\), \(\textsf{MC}{\big [\exists (\exists /\forall )^{+}\textsf{A}^+\textsf{E}^+\big ]^{k}}\) is \({\varSigma ^p_{k+1}}\) -complete and \(\textsf{MC}{\big [\forall (\forall /\exists )^{+}\textsf{E}^+\textsf{A}^+\big ]^{k}}\) is \({\varPi ^p_{k+1}}\) -complete in the size of the Kripke structure.

Finally, Theorems 34, and 5 imply that the model checking problem for acyclic Kripke structures and A-HLTL formulas with an arbitrary number of trace quantifier alternation and only one trajectory quantifier is in PSPACE.

5 Case Studies and Evaluation

We now evaluate our technique. The encoding in Section 3 is implemented on top of the open-source bounded model checker HyperQB  [15]. All experiments are executed on a MacBook Pro with 2.2GHz processor and 16GB RAM (https://github.com/TART-MSU/async_hltl_tacas23).

Fig. 6.
figure 6

Program with nondeterministic sequence of inputs.

Full size image

Non-interference in Concurrent Programs. We first consider the programs presented earlier in Figs. 1 and 3 together with A-HLTL formulas \(\varphi _ \textsf {NI}\) and \(\varphi _ {\textsf {NI}_\textsf {nd}} \) from Section 1. We receive UNSAT (for the original formula and not its negation), which indicates that violations have been spotted. Indeed, our implementation successfully finds a counterexample with a specific trajectory that prints out ‘acdb’ when the high-security value h is equal to zero (entries of \(\texttt {ACDB}\) and \(\texttt {ACDB}_\texttt {ndet}\) in Table 3). Our other experiment is an extension of the example in [10] for multiple asynchronous channels (see Fig. 6) and the following formula: . The results for this case are entries of \(\texttt {ConcLeak}\) and \(\texttt {ConcLeak}_\texttt {ndet}\) in Table 3. Details of the counterexample can be found in [13].

Speculative Information Flow. Speculative execution is a standard optimization technique that allows branch prediction by the processor. Speculative non-interference (SNI) [9] requires that two executions with the same policy \(\textsf{p}\) (i.e., initial configuration) can be observed differently in speculative semantics (e.g., a possible branch), if and only if their non-speculative semantics with normal condition checks are also observed differently; i.e., the following A-HLTL formula:

figure h

where \(\textsf{obs}\) is the memory footprint, traces \(\pi _1\) and \(\pi _2\) range over the (nonspeculative) C code and traces \(\pi '_1\) and \(\pi '_2\) range over the corresponding (speculative) assembly code. We evaluate SNI on the translation from a C program (details in [13]), where y is the input policy \(\textsf{p}\) and multiple versions of x86 assembly code [9]. The results of model checking speculative execution are in Table 3 (see entries from \(\texttt {SpecExcu}_{V1}\) to \(\texttt {SpecExcu}_{V7}\)). Additional versions from \(\texttt {SpecExcu}_{V3}\) to \(\texttt {SpecExcu}_{V7}\) are under different compilation options. Our method correctly identify all the insecure and secure ones as stated in [9].

Compiler Optimization Security. Secure compiler optimization [17] aims at preserving input-output behaviors of a source program (original implementation) and a target program (after applying optimization), including security policies. We investigate the following optimization strategies: Dead Branch Elimination (DBE), Loop Peeling (LP), and Expression Flattening (EF). To verify a secure optimization, we consider two scenarios: (1) one single I/O event (one trajectory, similar to [1]), and (2) a sequences of I/O events (two trajectories):

figure i

where in  is the set of inputs and out  is the set of outputs. Table 3 (cases \(\texttt {DBE}\)\(\texttt {EFLP}_\texttt {ndet}\)) shows the verification results of each optimization strategy and different combination of the strategies (details in [13]).

Cache-Based Timing Attacks. Asynchrony also leads to attacks when system executions are confined to a single CPU and its cache [18]. A cache-based timing attack happens when an attacker is able to guess the values of high-security variables when cache operations (i.e., evict, fetch) influence the scheduling of different threads. Our case study is inspired by the cache-based timing attack example in [18] and we use the formula of observational determinism \(\varphi _{\textsf {OD}_\textsf {nd}} \) introduced earlier in this section to find the potential attacks (see cases of \(\texttt {CacheTA}\) and \(\texttt {CacheTA}_\texttt {ndet}\) in Table 3 with details in [13]).

5.1 Analysis of Experimental Results

Table 3 presents the diameter of the transition relation, length of trajectories m, state spaces, and the number of trajectory variables. We also present the total solving time of our algorithm as well as the break down: generating models (genQBF), building trajectory encodings (buildTr), and final QBF solving (solveQBF). Our two most complex cases are concurrent leak (\(\texttt {ConcLeak}_\texttt {ndet}\)) and loop peeling (\(\texttt {LP}_\texttt {ndet}\)). For concurrent leak, it is because there are three threads with many interleavings (i.e., asynchronous composition), takes longer time to build. For loop peeling, although there is no need to consider interleavings except for the nondeterministic inputs; however, the diameters of traces (\(D_{\mathcal {K}_1}\), \(D_{\mathcal {K}_2}\)) are longer than other cases, which makes the length and size of trajectory variables (i.e., m and |T|) grow and increases the total solving time. Our encoding is able to handle a variety of cases with one or more trajectories, depending on whether multiple sources of non-determinism is present. To see efficiency, we compare the solving time for cases of compiler optimization with one trajectory with the results in [1]. This method reduces A-HLTL model checking to HyperLTL model checking for limited fragments and utilizes the model checker MCHyper. On the other hand, we directly handle asynchrony by trajectory encoding. Table 2 shows our algorithm considerably outperforms the approach in [1] in larger cases.

Table 2. Comparison of model checking compiler optimization with [1].
Full size table
Table 3. Case studies break down for Kripke structures: \(\mathcal {K}_1, \mathcal {K}_2\) (all case studies have two, e.g.,one for high-level and one for assembly code), formula: \(\varphi \), diameter: D, state space: |S|, trajectory depth: m, and size of trajectory variables: |T|.
Full size table

6 Conclusion and Future Work

In this paper, we focused on the problem of A-HLTL model checking for terminating programs. We generalized A-HLTL to allow nested trajectory quantification, where a trajectory determines how different traces may advance and stutter. We rigorously analyzed the complexity of A-HLTL model checking for acyclic Kripke structures. The complexity grows in the polynomial hierarchy with the number of quantifier alternations, and, it is either aligned with that of HyperLTL or is one step higher in the polynomial hierarchy. We also proposed a BMC algorithm for A-HLTL based on QBF-solving and reported successful experimental results on verification of information flow security in concurrent programs, speculative execution, compiler optimization, and cache-based timing attacks.

Asynchronous hyperproperties enable logic-based verification for software programs. Thus, future work includes developing different abstraction techniques such as predicate abstraction, abstraction-refinement, etc, to develop software model checking techniques. We also believe developing synthesis techniques for A-HLTL creates opportunities to automatically generate secure programs and assist in areas such as secure compilation.