Abstract
We present an automatabased algorithm for checking finite state systems for hyperproperties specified in HyperLTL and HyperCTL\(^*\). For the alternationfree fragments of HyperLTL and HyperCTL\(^*\) the automaton construction allows us to leverage existing model checking technology. Along several case studies, we demonstrate that the approach enables the verification of real hardware designs for properties that could not be checked before. We study information flow properties of an I2C bus master, the symmetric access to a shared resource in a mutual exclusion protocol, and the functional correctness of encoders and decoders for error resistant codes.
This work was partially supported by the Spanish Ministry of Economy under project “TIN201239391C0401 STRONGSOFT,” the Madrid Regional Government under the project “S2013/ICE2731 NGreens SoftwareCM,” the German Research Foundation (DFG) under the project SpAGAT in the Priority Program 1496 “Reliably Secure Software Systems  RS3,” and the Graduate School of Computer Science at Saarland University.
You have full access to this open access chapter, Download conference paper PDF
Similar content being viewed by others
Keywords
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.
1 Introduction
HyperLTL and HyperCTL\(^*\) are recent extensions to LTL and CTL\(^*\) with the ability to express a wide range of hyperproperties [14]. Hyperproperties generalize trace properties and include properties from informationflow security such as noninterference [15]. Even though the complexity of model checking HyperLTL and HyperCTL\(^*\) has been determined, no efficient algorithms are known so far. In this paper, we thus study the automatic verification of finite state systems for hyperproperties specified in HyperLTL and HyperCTL\(^*\).
HyperLTL and HyperCTL\(^*\) allow us to specify relations over executions of the same system [14]. They introduce path quantifiers so computation paths can be referred to in the atomic propositions. For example, the following HyperLTL formula expresses noninterference [22] between input h and output o by requiring that all computation paths \(\pi \) and \(\pi '\) that only differ in h, have the same output o at all times:
Quantifiers in CTL\(^*\), in contrast, are of the form \(\mathsf {A}\varphi \) and \(\mathsf {E}\varphi \) where the subformula \(\varphi \) can only (implicitly) refer to a single path—the path introduced by \(\mathsf {A}\) and \(\mathsf {E}\) respectively. Hence, CTL\(^*\) cannot express noninterference [1, 20].
Noninterference between i and o implies that o contains no information about i, and is therefore an important building block for properties in security [22]. By embedding noninterference in a temporal context, HyperLTL and HyperCTL\(^*\) allow us to express a wide range of properties from informationflow security, including variants of declassification and quantitative information flow [3, 5, 16, 41]. The use cases of HyperLTL and HyperCTL\(^*\), however, extend far beyond security, as we demonstrate in this paper.
The main result of this paper is an automatatheoretic algorithm for the model checking problem of HyperLTL and HyperCTL\(^*\). The automata approach to model checking LTL properties [46] reduces the verification problem to automata operations and decision problems, like automata product and check for emptiness. Typically, the LTL specification is translated into a Büchi word automaton that captures all violations of the specification. The product of the system with this automaton reveals the system’s traces that violate the specification. We extend the approach based on Büchi word automata with the ability to quantify over new executions along the run, and thereby obtain an algorithm for HyperCTL\(^*\) (Sect. 3). The construction for a quantifier \(\exists \pi .~\varphi \) corresponds to a product of the system and the automaton for the subformula \(\varphi \). As in the classical approach, a final check of emptiness of the language of the automaton provides the answer to the model checking problem. The construction of the automaton involves the expensive nondeterminization of alternating automata [36] to handle quantifier alternations. For the rich class of alternationfree formulas, however, the algorithm is shown to be in NLOGSPACE in the size of the system. In Sect. 4 we use the alternating automaton construction to derive an approach to leverage existing model checking technology for model checking circuits for the alternationfree fragment of HyperCTL\(^*\).
We demonstrate the flexibility and the effectiveness of the proposed approach for the alternationfree fragment of HyperCTL\(^*\) along three case studies (Sect. 5). The first case study concerns the information flow analysis of an I2C bus master. The second case study concerns the analysis of the symmetries in a mutual exclusion protocol. The typical fairaccess properties against which mutual exclusion protocols are usually analyzed, such as accessibility and bounded overtaking [30], can be seen as abstractions of what is really expected from mutual exclusion protocols: symmetric access to the shared resource. HyperLTL enables a fine grained analysis of the symmetry between the processes, for example by expressing the property that switching the actions and roles between two components in a trace results in another legal trace, in which the access to the shared resource is switched accordingly. The third case study concerns the functional correctness of encoders and decoders of error resistant codes. The error resistance of a code is a property of its space of code words: all pairs of code words must have a certain minimum Hamming distance. We show that Hamming distance can be expressed in HyperLTL and demonstrate that this leads to an effective approach to the verification of encoders and decoders.
To summarize, our contributions are as follows:

We develop the first direct automaton construction for model checking HyperLTL and HyperCTL\(^*\) based on alternating automata.

We present the first practical approach for model checking hardware systems for alternationfree HyperCTL\(^*\) formulas.
Our evaluation shows that the approach enables the verification of industrial size hardware modules for hyperproperties. That is, we extend the state of the art in model checking hyperproperties from systems using only few (binary) variables [14, 34] to systems with over 20.000 variables.
Related Work. In this paper, we present an automatatheoretic model checking algorithm for HyperLTL and HyperCTL\(^*\), together with a practical approach to the verification of hardware circuits against alternationfree formulas. Previous automata constructions for the problem [14] are based on nondeterministic Büchi automata, whereas we present an algorithm based on alternating Büchi automata, which allows us to leverage modern hardware verification techniques like IC3 [10]/PDR [18], interpolation [32], and SAT [8]. Our model checker can therefore be applied to significantly more complex systems than the proofofconcept model checker for the onealternation fragment of HyperLTL [14], which is limited to small explicitly given models.
HyperLTL and HyperCTL\(^*\) are related to other logics for hyperproperties, such as variations of the \(\mu \)calculus, like the polyadic \(\mu \)calculus by Andersen [2], the higherdimensional \(\mu \)calculus [38], and holistic hyperproperties [35]. The model checking problem for these logics can be reduced to the model checking problem of the modal \(\mu \)calculus [2, 27] (or directly to parity games [34]) and involves, similar to our construction, an analysis of the product of several copies of the system. We are not aware, however, of any practical approaches that would allow the verification of complex hardware designs against specifications given in these logics. Another related class of logics are the epistemic temporal logics [19], which reason about the knowledge of agents and how it changes over time. While it has been shown that epistemic temporal logic can express certain information flow policies [4], most practical work with epistemic logics has focussed on applications from the area of multiagent systems [21, 28, 29, 33, 39].
Lastly, in the area of information flow security, there are several verification techniques that focus on specific information flow properties—rather than on a general logic like HyperLTL and HyperCTL\(^*\)—but use techniques that relate to our model checking algorithm. A construction based on the product of copies of a system, selfcomposition [6, 7], has been tailored for various tracebased security definitions [17, 23, 44].
2 Temporal Logics for Hyperproperties
We now introduce the temporal logics for hyperproperties, their semantics, and their model checking problem.
A Kripke structure is a tuple \(K=(S,s_0,\delta ,\mathsf {AP} ,L)\) consisting of a set of states S, an initial state \(s_0\), a transition function \(\delta :S\rightarrow 2^{S}\), a set of atomic propositions \(\mathsf {AP} \), and a labeling function \(L:S\rightarrow 2^{\mathsf {AP} }\) decorating each state with a set of atomic propositions. We require that each state has a successor, that is \(\delta (s)\ne \emptyset \), to ensure that every execution of a Kripke structure can always be extended to an infinite execution. A path of a Kripke structure is an infinite sequence of states \(s_0s_1\ldots \in S^\omega \) such that \(s_0\) is the initial state of K and \(s_{i+1}\in \delta (s_i)\) for all \(i\in \mathbb {N}\). We denote by \( Paths (K,s)\) the set of all paths of K starting in state \(s\in S\) and by \( Paths ^*(K,s)\) the set of their suffixes. Given a path p and a number \(i\ge {}0\), \(p[i,\infty ]\) denotes the suffix path where the first i elements are removed.
HyperLTL and HyperCTL\(^*\) extend the standard temporal logics LTL and CTL\(^*\) by quantification over path variables. Their formulas are generated by the following grammar, where \(a\in \mathsf {AP} \) and \(\pi \) ranges over path variables:
Additionally, we define the derived operators
and \(\varphi _1\mathbin {\mathcal {W}}\varphi _2 =\varphi _1\mathbin {\mathcal {U}}\varphi _2 \vee \square \varphi _1\).
For HyperLTL and HyperCTL\(^*\) we require that temporal operators only occur inside the scope of path quantifiers. HyperLTL is the sublogic of formulas in prenex normal form. A formula is in prenex normal form, if it starts with a sequence of quantifiers, and is quantifierfree in the rest of the formula. The conceptual difference between HyperLTL and HyperCTL\(^*\), is that HyperLTL, like LTL, is a lineartime logic and that HyperCTL\(^*\), like CTL and CTL\(^*\), is a branchingtime logic [20]. A formula \(\varphi \) is in negation normal form if the only occurrences of \(\lnot \) occur in front of propositions \(a_\pi \).
Semantics. In the following we define the semantics for the operators \(a_\pi \), \(\lnot \varphi \), \(\varphi _1\vee \varphi _2\),
, \(\varphi _1\mathbin {\mathcal {U}}\varphi _2\), and \(\exists \pi .~\varphi \). The other operators are defined via the following equalities: \(\forall \pi .~\varphi = \lnot \exists \pi .~\lnot \varphi \), \(\varphi _1\wedge \varphi _2 = \lnot (\lnot \varphi _1\vee \lnot \varphi _2)\), and \(\varphi _1{\mathcal {R}}\varphi _2 = \lnot (\lnot \varphi _1{\mathcal {U}}\lnot \varphi _1)\). These derived operators are kept in the syntax to guarantee the existence of equivalent formulas in negation normal form.
Let K be a Kripke structure and let \(s_0\) be its initial state. The semantics of HyperLTL and HyperCTL\(^*\) is given in terms of assignments \(\varPi :N\rightarrow Paths ^*(K,s_0)\) of a set of path variables N to suffixes of paths. We use \(\varPi [i,\infty ]\) for the map that assigns to each path variable \(\pi \) the suffix \(\varPi (\pi )[i,\infty ]\). We use the reserved path variable \(\varepsilon \) to denote the most recently quantified path and define the validity of a formula as follows:
For the empty assignment \(\varPi =\{\}\), we define \(\varPi (\varepsilon )(0)\) to yield the initial state. Validity on states of a Kripke structure K, written \(s\models _K\varphi \), is defined as \(\{\}\models _K\varphi \). A Kripke structure \(K=(S,s_0,\delta ,\mathsf {AP} ,L)\) satisfies formula \(\varphi \), denoted with \(K\models \varphi \) whenever \(s_0\models _K \varphi \).
3 AutomataTheoretic Model Checking of HyperCTL\(^*\)
In this section, we present an automatatheoretic construction for the verification of HyperCTL\(^*\) formulas. In Sect. 4 we will then use this construction to build a practical algorithm for the verification of circuits. We start with a brief review of alternating automata. Given a finite set Q, \(\mathbb B(Q)\) denotes the set of Boolean formulas over Q and \(\mathbb B^+(Q)\) the set of positive Boolean formulas, that is, formulas that do not contain negation. The satisfaction of a formula \(\theta \in \mathbb B(Q)\) by a set \(Q'\subseteq Q\) is denoted by \(Q'\models \theta \).
Definition 1
(Alternating Büchi Automata). An alternating Büchi automaton (on words) is a tuple \(\mathcal A = (Q,q_0,\varSigma ,\rho ,F)\), where Q is a finite set of states, \(q_0 \in Q\) is the initial state, \(\varSigma \) is a finite alphabet, \(\rho : Q\times \varSigma \rightarrow \mathbb B^+(Q)\) is a transition function that maps a state and a letter to a positive Boolean combination of states, and \(F\subseteq Q\) are the accepting states.
A run of an alternating automaton is a Qlabeled tree. A tree T is a subset of \(\mathbb N_{> 0}^*\) such that for every node \(\tau \in \mathbb N^*_{> 0}\) and every positive integer \(n \in \mathbb N_{> 0}\), (i) if \(\tau \cdot n \in T\) then \(\tau \in T\) (i.e., T is prefixclosed), and (ii) for every \(0 < m < n\), \(\tau \cdot m \in T\). The root of T is the empty sequence \(\varepsilon \) and for a node \(\tau \in T\), \(\vert \tau \vert \) is the length of the sequence \(\tau \), in other words, its distance from the root. A run of \(\mathcal A\) on an infinite word \(\pi \in \varSigma ^\omega \) is a Qlabeled tree (T, r) such that \(r(\varepsilon ) = q_0\) and for every node \(\tau \) in T with children \(\tau _1,\ldots ,\tau _k\) the following holds: \(1\le k \le \vert Q \vert \) and \(\{r(\tau _1),\ldots ,r(\tau _k)\} \models \rho (q,\pi [i])\), where \(q = r(\tau )\) and \(i = \vert \tau \vert \). A run r of \(\mathcal A\) on \(\pi \in \varSigma ^\omega \) is accepting whenever for every infinite path \(\tau _0\tau _1\ldots \) in T, there are infinitely many i with \(r(\tau _i) \in F\). We say that \(\pi \) is accepted by \(\mathcal A\) whenever there is an accepting run of \(\mathcal A\) on \(\pi \), and denote with \(\mathcal L_\omega (\mathcal A)\) the set of infinite words accepted by \(\mathcal A\).
If the transition function of an alternating automaton does not contain any conjunctions, we call the automaton nondeterministic. The transition function \(\rho \) of a nondeterministic automaton thus identifies a disjunction over a set of successor states. Such a transition function can also be stated as a function \(\rho : Q \times \varSigma \rightarrow 2^Q\) identifying the successors. Our model checking algorithm relies on the standard translation for alternation removal due to Miyano and Hayashi:
Theorem 1
([36]). Let \(\mathcal A\) be an alternating Büchi automaton with n states. There is a nondeterministic Büchi automaton \(\mathsf {MH}(\mathcal A)\) with \(2^{\mathcal O(n)}\) states that accepts the same language.
3.1 The AlternationFree Fragment
We present a model checking algorithm for the alternationfree fragment of HyperCTL\(^*\). This fragment is expressive enough to capture a broad range of other informationflow properties, like declassification mechanisms, quantitative noninterference, and informationflow requirements that change over time [14, 16]. The case studies in Sect. 5 illustrate that this fragment also captures properties in application domains beyond informationflow security.
Definition 2
(AlternationFree HyperCTL \(^*\) ). A HyperCTL\(^*\) formula \(\varphi \) in negation normal form is alternationfree, if \(\varphi \) contains only quantifiers of one type. Additionally, we require that no existential quantifier occurs in the left subformula of an until operator or in the right subformula of a release operator, and, symmetrically, that no universal quantifier occurs in the right subformula of an until operator or in the left subformula of a release operator.
Similar to the automatatheoretic approach to LTL properties [37, 45], we construct an alternating automaton bottom up from the formula, but handling multiple path quantifiers. For alternationfree HyperCTL\(^*\), the quantifiers may occur inside temporal operators (with the restrictions in Definition 2) as long as there is no quantifier alternation.
Let K be a Kripke structure \(K=(S,s_0,\delta ,\mathsf {AP} ,L)\). To check the satisfaction of a HyperCTL\(^*\) formula \(\varphi \) by K, we translate \(\varphi \) into a Kequivalent alternating automaton \(\mathcal A_\varphi \). The construction of \(\mathcal A_\varphi \) proceeds inductively following the structure of \(\varphi \), as follows. Assume that \(\varphi \) is in negation normal form and starts with an existential quantifier, and consider a subformula \(\psi \) of \(\varphi \). Let n be the number of path quantifiers occurring on the path from the root of the syntax tree of \(\varphi \) to \(\psi \), and let these path quantifiers bind the variables \(\pi _1,\dots ,\pi _n\). The alphabet \(\varSigma \) of \(\mathcal A_{\psi }\) is \(S^n\), the set of ntuples of states of K. We say that a language \(L \subseteq (S^n)^\omega \) is Kequivalent to \(\psi \), if all sequences of state tuples \((s^0_0, \ldots , s^0_n)(s^1_0, \ldots , s^1_n) \ldots \) in L correspond to a path assignment \(\varPi \) satisfying \(\psi \). That is, for all \((s^0_0, \ldots , s^0_n)(s^1_0, \ldots , s^1_n) \ldots \in L\) it holds \(\varPi \models _{K}\psi \) for the path assignment \(\varPi (\pi _i) = s^0_i s^1_i\dots \) (for all \(i\le n\)). An automaton is Kequivalent to \(\psi \) if its language is Kequivalent to \(\psi \).
For atomic propositions, Boolean connectives, and temporal operators, our construction follows the standard translation from LTL to alternating automata [37, 45]. Let \(\mathcal A_{\psi _1}=(Q_1,q_{0,1},\varSigma _{1},\rho _1,F_1)\) and \(\mathcal A_{\psi _2}=(Q_2,q_{0,2},\varSigma _{2},\rho _2,F_2)\) be the alternating automata for the subformulas \(\psi _1\) and \(\psi _2\):
For a quantified subformula \(\psi = \exists \pi . \psi _1\), we have to reduce the alphabet \(\varSigma _{\psi _1}=S^{n+1}\) to \(\varSigma =S^n\). The language for formula \(\psi \) contains exactly those sequences \(\sigma \) of state tuples, such that there is a path p through the Kripke structure K for which \(\sigma \) extended by p is in \(\mathcal L(\mathcal A_{\psi _1})\). Let \(\mathcal N'_{\psi _1} = (Q',q_{0}',\varSigma ,\rho ',F')\) be the nondeterministic automaton \(\mathcal N'_{\psi _1}=\mathsf MH (\mathcal A_{\psi _1})\) constructed from \(\mathcal A_{\psi _1}\) by the construction in Theorem 1, and let \(\mathcal A_{\psi } = (Q'',q_{0}'',\varSigma _{\psi },\rho '',F'')\) be constructed from \(\mathcal {N}'_{\psi _1}\) and the Kripke structure \(K=(S,s_0,\delta ,\mathsf {AP} ,L)\) as follows:
For the case that \(n=0\) we define that \(\mathbf {s}_n\) is the initial state \(s_0\) of K.
Since we consider the alternationfree fragment, there are no negated quantified subformulas and the construction is finished.
The correctness of the construction can be shown by structural induction.
Proposition 1
Let \(\varphi \) be a HyperCTL\(^*\) formula and \(\mathcal A_{\varphi }\) the alternating automaton obtained by the previous construction. Then, \(\varphi \) and \(\mathcal A_{\varphi }\) are Kequivalent.
So far, we only considered alternationfree formulas that start with existential quantifiers. To decide \(K \models \varphi \) for an arbitrary \(\varphi \), we first transform \(\varphi \) in a Boolean combination over a set X of quantified subformulas. Each element \(\psi '\) of X is now in the form \(\exists \pi .\varphi \) for which we apply the construction above. Since \(\psi '\) is of the form \(\exists \pi . \psi _1\), \(\mathcal A_{\psi '}\) is a nondeterministic Büchi automaton, for which we apply a standard nonemptiness test [47].
Theorem 2
The model checking problem for the alternationfree fragment of HyperCTL\(^*\) is PSPACEcomplete in the size of the formula and NLOGSPACEcomplete in the size of the Kripke structure.
Proof
The alternating automaton \(\mathcal A_{\psi _1}\) is a tree with selfloops, when we consider automata created for quantified subformulas as leafs of the tree. By structural induction, we show that the size of \(\mathcal A_{\psi '}\) for an alternationfree formula \(\psi '\) is polynomial in \(\psi '\) and in K and that subautomata for quantified subformulas are not reachable via actions that are selfloops with conjunctions.
Base Case: for atomic propositions and negated atomic propositions, the induction hypothesis is fulfilled.
Induction Step: Let \(\psi = \exists \pi .~\psi _1\). Only Until operators and Release operators in the formula lead to nodes that have two transitions, one with a selfloop and one without selfloops. By the restrictions in the definition of the alternationfree fragment, we guarantee that automata of quantified subformulas are not reachable via transitions with selfloops that contain conjunctions.
Conjunctive transitions that are not part of loops or selfloops only lead to a polynomial increase in size during nondeterminization. Emptiness of nondeterministic Büchi automata is in NLOGSPACE [47], so the upper bound of the theorem follows.
Since HyperCTL\(^{*}\) subsumes LTL, the lower bound for LTL model checking [42] implies the lower bound for HyperCTL\(^{*}\). \(\square \)
3.2 The Full Logic
The construction from the previous subsection can be extended to full HyperCTL\(^*\) by adding a construction for negated quantified subformulas. We compute an automaton for the complement language, based on the following theorem:
Theorem 3
([25]). For every alternating Büchi automaton \(\mathcal A = (Q,q_{0},\varSigma ,\rho ,F)\), there is an alternating Büchi automaton \(\overline{\mathcal A}\) with \(O(Q)^2\) states that accepts the complemented language: \(\mathcal L_\omega (\overline{\mathcal A}) = \overline{\mathcal L_\omega (\mathcal A)}\).
We extend the previous construction with the following case:
We capture the complexity of the resulting model checking algorithm in terms of the alternation depth of the HyperCTL\(^*\) formula. The formulas with alternation depth 0 are exactly the alternationfree formulas.
Definition 3
(Alternation Depth). A HyperCTL\(^*\) formula \(\varphi \) in negation normal form has alternation depth 0 plus the highest number of alternations from existential to universal and universal to existential quantifiers along any of the paths of the formula’s syntax tree. Existential quantifiers in the left subformula of an until operator or in the right subformula of a release operator, and, symmetrically, universal quantifiers in the right subformula of an until operator or in the left subformula of a release operator count as additional alternation.
For example, let \(\psi \) be a formula without additional quantifiers, then \(\exists \pi .~\psi \) has alternation depth 0, \(\forall \pi _1.\exists \pi .~\psi \) has alternation depth 1,
has alternation depth 0, \(\exists \pi .~\square \exists \pi '.~\psi \) has alternation depth 1, and \((\forall \pi .~\psi ) \wedge (\exists \pi .~\psi )\) has alternation depth 0.
Let \(g_c(k,n)\) be a tower of exponentiations of height k, defined simply as \(g_c(0,n)=n\) and \(g_c(k,n)= c^{g_c(k1,n)}\). We define NSPACE(g(k, n)) to be the languages that are accepted by a nondeterministic Turing machine that runs in SPACE \(O(g_c(k,n))\) for some \(c>1\). For convenience, we define NSPACE\((g(1,n))\) to be NLOGSPACE.
Proposition 2
Let K be a Kripke structure and \(\varphi \) a HyperCTL\(^*\) formula with alternation depth k. The alternating automaton \(\mathcal A_\varphi \) resulting from the previous construction has \(O(g(k+1,\varphi ))\) and O(g(k, K)) states and can be constructed in NSPACE\((g(k,\varphi ))\) and NSPACE\((g(k1,K))\).
Theorem 4
Given a Kripke structure K and a HyperCTL\(^*\) formula \(\varphi \) with alternation depth k, we can decide whether \(K\models \varphi \) in NSPACE\((g(k,\varphi ))\) and NSPACE\((g(k1,K))\).
The proof of Proposition 2 is an induction over the alternation depth. The proof of Theorem 4 uses that the nonemptiness problem for nondeterministic Büchi automata is in NLOGSPACE [47]. Theorem 4 subsumes the result for the alternationfree fragment:
Corollary 1
For alternation depth 0, the modelchecking problem \(K\models \varphi \) is in PSPACE in \(\varphi \) and in NLOGSPACE in K.
4 Symbolic Model Checking of Circuits
In this section we translate the automatonbased construction from Sect. 3 for alternationfree formulas into a practical verification approach for circuits. Given a circuit C and an alternationfree formula \(\varphi \) the algorithm produces a new circuit \(C_{\varphi }\) that is linear in the size of C and also linear in the size of \(\varphi \). The compactness of the encoding builds on the ability of circuits to describe systems of exponential size with a linear number of binary variables. The circuit \(C_{\varphi }\) is then checked for fair reachability to determine the validity of \(C\models \varphi \). This check can be done with oftheshelf model checkers leveraging modern hardware verification technology [8, 11, 12].
A circuit ^{Footnote 1} \(C=(X, init ,I,O,T)\) consists of a set X of binary variables (latches with unit delay), a condition \( init \in \mathbb {B}(X)\) characterizing a nonempty set of initial states of X, a set of input variables I, a set of output variables O, and a transition relation \(T\in \mathbb {B}(X \times I \times O \times X)\). We require that T is inputenabled and inputdeterministic, that is, for all \(x\subseteq X\), \(i\subseteq I\), there is exactly one \(o\subseteq O\) and one \(x'\subseteq X\) such that \(T(x,i,o,x')\) holds. We denote a subset of X as a state of circuit C, indicating exactly those latches that are set to 1. The size of a circuit C, denoted C, is defined as the number of latches X.
A circuit C can be interpreted as a finite Kripke structure \(K_C\) of potentially exponential size. The state space of \(K_C\) is \(S = s_0 ~\cup ~ 2^{X} \times 2^I \times 2^O \times 2^X\), where \(s_0\) is a fresh initial state. The transition relation distinguishes the initial step of the computation: \(s'\in \delta (s_0)\) iff there is a circuit state \(x\subseteq X\) with \( init (x)\) and \(x=s'_{X}\) such that \(T(x, s'_I,s'_O, s'_X)\), where \(s'_I\), \(s'_O\), \(s'_X\), and \(s'_{X'}\) are the projections to variables I, O, the first copy of X, and the second copy of X respectively. For subsequent steps of computation we define \(s'\in \delta (s)\) whenever \(T(s_X, s'_I, s'_O, s'_{X'})\) and \(s_{X'} = s'_{X}\). That is, the first copy X denotes the previous state, whereas \(X'\) denotes the current state. The labelling function of \(K_C\) maps each state s to the set . That is, the alphabet . The semantics of HyperCTL\(^*\) on a circuit C is defined using the associated Kripke structure \(K_C\). We write \(C\models \varphi \) whenever \(K_C\models \varphi '\), where \(\varphi '\) is obtained by replacing all atomic propositions
. This leads to a natural semantics on circuits: the atomic propositions always refer to the current value of the latches, the next input, and the next output.
Given a circuit C and an alternationfree HyperCTL\(^*\) formula \(\varphi \), we reduce the model checking problem \(C\models \varphi \) to finding a computation path in a circuit \(C_\varphi \) that does not visit a bad state and satisfies a conjunction of strong fairness (or compassion) constraints \(F=\{f_1,\dots ,f_k\}\). A strong fairness constraint f of a circuit consists of a tuple \((a_1,a_2)\) of atomic propositions and a path p satisfies f, if \(a_1\) holds only finitely often or \(a_2\) holds infinitely often on p. We build \(C_\varphi \) bottom up following the formula structure. Without loss of generality, we assume that \(\varphi \) contains only existential quantifiers and is in negation normal form. Let \(\psi \) be a subformula of \(\varphi \) that occurs under n quantifiers. Let \(C_{\psi _1}=(X_{\psi _1}, init _{\psi _1},I_{\psi _1},O_{\psi _1},T_{\psi _1})\), \(C_{\psi _2}=(X_{\psi _2}, init _{\psi _2},I_{\psi _2},O_{\psi _2},T_{\psi _2})\) be the circuits, and let \(F_{\psi _1}\) and \(F_{\psi _2}\) be the fairness constraints for the subformulas \(\psi _1\) and \(\psi _2\). For LTL operators, the construction resembles the standard translation from LTL to circuits [13, 24]. We construct \(C_\psi \) and \(F_\psi \) as follows:
Here ; \( init (X_{n})\) is the initial condition applied to copy \(X_n\) of the latches; and likewise \(T(X_{n})\) is the transition relation of C applied to the copy \(X_n\). We use \(X_n=X_{n1}\) to denote the expression that all latches in \(X_n\) are equal to their counterparts in \(X_{n1}\). We omitted the construction for the conjunction and the Release operator due to the space limits. It is easy to verify that the transition relation is inputenabled and inputdeterministic.
Proposition 3
Given a circuit C and an alternationfree formula \(\varphi \) with k quantifiers, the size of the circuit \(C_\varphi \) is at most \(C\cdot k + \varphi \).
For each subformula \(\psi \) of \(\varphi \), the output \(o_\psi \) in the circuit \(C_\varphi \) indicates that \(\psi \) must hold for the current computation path, and the latch \(x_\psi \) represent the requirements on the future of the computation that arise from the output \(o_\psi \). The output \(b_\psi \) indicates that the requirements for subformula \(\psi \) are violated and a bad state is entered.
Proposition 4
Let C be a circuit and let \(\varphi \) be an alternationfree HyperCTL\(^*\) formula. \(C\models \varphi \) holds iff the circuit \(C_\varphi \) admits a computation that shows output \(o_\varphi \) in the first step, that never outputs \(b_\psi \) for any of the subformulas \(\psi \) of \(\varphi \), and that satisfies the fairness constraints.
The proof of correctness proceeds again by structural induction on the structure of the formula. The search for paths of the form above can be performed by standard hardware model checkers.
5 Case Studies and Experimental Results
We have implemented the symbolic model checking approach from Sect. 4 as a transformation on Aiger circuits.^{Footnote 2} We rely on standard hardware synthesis tools to compile VHDL and Verilog files into a circuit to which we apply our tool to obtain a new circuit. As the backend engine, we use the ABC model checker [11], which provides many of the modern verification algorithms, including IC3 [10]/PDR [18], interpolation (INT) [32], and SATbased bounded model checking (BMC) [8]. All experiments ran on an Intel Core i5 processor (4278U) with 2.6 GHz. Table 1 shows the verification times for the circuits and properties considered in our case studies. We used the default settings of ABC in all runs, except the entry marked with \(^*\). The symbol \(\checkmark \) indicates that an invariant was found, and \(\times \) that a (counter)example was found.
The experiments show that our approach enables the verification of hyperproperties for hardware modules with hundreds or even thousands of latches. For finding counterexamples, bounded model checking was most effective, and for cases where an invariant was needed, the relative performance of IC3/PDR vs. interpolation was inconclusive. In addition to benchmarking, our goal for these case studies has been to explore the versatility of alternationfree HyperCTL\(^*\) modelchecking and the potential of our prototype tool. In the following subsections, we report on the setup and results of the case studies, as well as on the verification workflow from a user perspective. Our case studies come from three different areas: information flow, symmetry, and error resistant codes.
5.1 Case Study 1: Information Flow Properties of I2C
Our first case study investigates the information flow properties of an I2C bus master. I2C is a widely used bus protocol that connects multiple components in a masterslave topology. Even though the I2C bus has no security features, it has been used in securitycritical applications, such as the smart cards of the German public health insurance, which led to exploits [43]. We analyzed a I2C bus master implementation from the open source repository http://opencores.org. A typical setup consists of one master, one controller, and several slaves. The master communicates to the slaves via two physical wires, the clock line (SCL) and the data line (SDA). The interface of the master towards the controller consists of 8 bit wide words for input and output of data, a 3bit wide address to encode slave numbers, a system clock input, and several reset and control signals. We checked the I2C bus master implementation against the information flow properties shown in Table 2.
From the Controller to the Bus. Property (NI1) states that there is no information flow with respect to the address to which the I2C master intends to send data, and (NI2) with respect to the data words themselves. Both information flows are intended, and our tool reports the violation. We tried to bound the information flow between the first valuation of the 3 bit wide address input and the bus data by encoding [14] the quantitative informationflow property. While the information flow of 3 bit could be determined (QNI1), checking the upper bound of \(\log 9\approx 3.17\) bit (QNI2) led to a timeout. Property (NI3) states that when the write enable bit is not set, no information should flow from the controller inputs to the bus. This property is satisfied by the implementation.
From the Bus to the Controller. Property (NI4) claims the absence of information flow from the slaves to the controller, which is again legitimately violated by the implementation. Property (NI5) refines (NI4) to determine whether the flow can still happen when we only consider information received on SDA while the master sends data too. The branching time operator \(\mathcal {H}\) in (NI5), called the Hide operator \(\mathcal H_{I,O}\varphi \), is borrowed from the logic SecLTL [16] and expresses that information from the inputs I do not interfere with the outputs O. The Hide operator is easily expressible in HyperCTL\(^*\) [14]. Property (NI5) is violated by the implementation, because the concurrent transmission of data on the bus by multiple masters can bring I2C into arbitration mode and changes the interpretation of information sent over the bus later.
Longterm Information Flow: Properties (NI7) and (NI8) claim that the information flows from (NI1) and (NI4) cannot happen for an arbitrary delay. These properties are violated, which indicates that information may not be eventually forgotten by the I2C master.
All properties on the I2C Master were easily analyzed by the model checker. In order to determine if our approach scales to even larger designs, we checked an adapted version of property (NI2) on an Ethernet IP core with 21093 latches. The counterexample was still found within seconds.
5.2 Case Study 2: Symmetry in Mutual Exclusion Protocols
In our second case study, we investigate symmetry properties of mutual exclusion protocols. Mutual exclusion is a classical problem in distributed systems, for which several solutions have been proposed and analyzed. Violation of symmetry indicates that some clients have an unfair advantage over the other clients.
Our case study is based on a Verilog implementation of the Bakery protocol [26] from the VIS verification benchmark. The Bakery protocol works as follows. When a process wants to access the critical section it draws a “ticket”, i.e., it obtains a number that is incremented every time a ticket is drawn. If there is more than one process who wishes to enter the critical section, the process with the smallest ticket number goes first. When two processes draw tickets concurrently, they may receive tickets with the same number, so ties among processes with the same ticket must be resolved by a different mechanism, for example by comparing process IDs. The Verilog implementation has an input \( select \) to indicate the process ID that runs in the next step, and an input \( pause \) to indicate whether the step is stuttering. Each process n has a program counter pc(n). When process n is selected, the statement corresponding the program counter pc(n) is executed. We are interested in the following HyperLTL property:
where \( sym ( select _{\pi }, select _{\pi '})\) means that process 0 is selected on path \(\pi \) when process 1 is selected on path \(\pi '\) and vice versa. Property (S1) states that, for every execution, there is another execution in which the \( select \) inputs corresponding to processes 0 and 1 are swapped and the outcome (i.e., the sequence of program counters of the processes) is also swapped. It is well known that it is impossible to accomplish mutual exclusion in an entirely symmetric fashion [31]. It is therefore not surprising that the implementation indeed violates Property (S1).
Inspecting the counterexample revealed, however, that the symmetry is broken even before the critical section is reached: if a nonexisting process ID is selected by the variable select, process 0 proceeds instead. Property (S2) excludes paths on which a nonexisting process ID is selected. The modelchecker produced a counterexample in which processes 0 and 1 tried to access the critical section, but were treated differently.
Next, we parameterized the necessary symmetry breaking in the system. We introduced additional inputs indicating which process may move, in case of a tie of the tickets and extended the property by the assumption that the symmetry is broken symmetrically.
Property (S3) is still violated by the implementation: the order in which the processes were checked depends on the process IDs and causes delays in how the program counters evolve. After contracting the comparison of process IDs into a single step, property (S3) became satisfied.
In further experiments, we changed the structure of property from the form (S3) \(\forall \pi .\forall \pi '.~\square \varphi \Rightarrow \square \psi \) to (S7) \(\forall \pi .\forall \pi '.~ \psi \mathbin {\mathcal {W}}\lnot \varphi \), which removes the liveness part of the property, while maintaining the semantics (for inputdeterministic and inputenabled systems). This change significantly reduced the verification times and enabled the verification of the protocol for up to 7 participants.
5.3 Case Study 3: Error Resistant Codes
Error resistant codes enable the transmission of data over noisy channels. While the correct operation of encoder and decoders is crucial for communication systems, the formal verification of their functional correctness has received little attention. A typical model of errors bounds the number of flipped bits that may happen for a given code word length. Then, error correction coding schemes must guarantee that all code words have a minimal Hamming distance. Alternationfree HyperCTL\(^*\) can specify that all code words produced by an encoder have a minimal Hamming distance of d:
where I are the inputs denoting the data, O denote the code words, and the predicate \(\text {Ham}_{O}(d,\pi ,\pi ')\) is defined as \(\text {Ham}_{O}(1,\pi ,\pi ')=\mathsf {false}\) and:
We started with two simple encoders that are not intended to provide error resistance: a Huffman encoder from the VIS benchmarks, and an 8bit10bit encoder from http://opencores.org that guarantees that the difference between the number of 1 s and the number of 0 s in the codeword is bounded by 2. As expected, encoders provide a Hamming distance of 1 (Huff1and 8b10b_2), but not more (Huff2and 8b10b_3). The experiments on these simple encoders were useful to determine the configuration of the command signals that enable the transmission of data. For example, checking the plain property as specified above for the 8bit10bit encoder reveals that the reset signal must be set to false before sending data (8b10b_1). Similarly, for the 8bit10bit decoder, we checked whether all codewords of Hamming distance 1 produce different outputs (8b10b_4).
Next, we considered an encoder for the 74Hamming code, which encodes blocks of 4 bits into codewords of length 7, and guarantees a Hamming distance of 3. We started with finding out in which configuration the encoder actually sends encoded data (Hamm1to Hamm4). With Hamm3we discovered that the implementation deviates from the specification because the reset signal for the circuit is active high, instead of active low as specified. In Hamm3, we fixed the usage of the reset bit. We then scaled the specification to Hamming distances 2 and 3 (Hamm5to Hamm7).
6 Conclusions
We presented a novel automatabased automatic technique to modelcheck HyperLTL and HyperCTL\(^*\) specifications, and an implementation integrated with a stateoftheart hardware model checker. Our case studies show that the implementation scales to realistic hardware designs; in one case we successfully checked a design with more than 20.000 latches. The logics HyperLTL and HyperCTL\(^*\) proved to be versatile tools for the analysis of various kinds of properties.
References
Alur, R., Černý, P., Zdancewic, S.: Preserving secrecy under refinement. In: Bugliesi, M., Preneel, B., Sassone, V., Wegener, I. (eds.) ICALP 2006. LNCS, vol. 4052, pp. 107–118. Springer, Heidelberg (2006)
Andersen, H.R.: A polyadic modal \(\mu \)calculus. Technical report (1994)
Askarov, A., Myers, A.: A semantic framework for declassification and endorsement. In: Gordon, A.D. (ed.) ESOP 2010. LNCS, vol. 6012, pp. 64–84. Springer, Heidelberg (2010)
Balliu, M., Dam, M., Le Guernic, G.: Epistemic temporal logic for information flow security. In: Proceedings of PLAS, ACM (2011)
Banerjee, A., Naumann, D.A., Rosenberg, S.: Expressive declassification policies and modular static enforcement. In: Proceedings of S & P, pp. 339–353, IEEE CS Press (2008)
Barthe, G., Crespo, J.M., Kunz, C.: Beyond 2safety: asymmetric product programs for relational program verification. In: Artemov, S., Nerode, A. (eds.) LFCS 2013. LNCS, vol. 7734, pp. 29–43. Springer, Heidelberg (2013)
Barthe, G., D’Argenio, P.R., Rezk, T.: Secure information flow by selfcomposition. In: Proceedings CSFW, pp. 100–114, June 2004
Biere, A., Clarke, E., Raimi, R., Zhu, Y.: Verifying safety properties of a PowerPC\(^{\rm TM}\) microprocessor using symbolic model checking without BDDs. In: Halbwachs, N., Peled, D.A. (eds.) CAV 1999. LNCS, vol. 1633, pp. 60–71. Springer, Heidelberg (1999)
Biere, A., Heljanko, K., Wieringa, S.: AIGER 1.9 and beyond. http://fmv.jku.at/hwmcc11/beyond1.pdf (2011). Accessed Feb 6 2015. Via website: http://fmv.jku.at/aiger/
Bradley, A.R.: SATbased model checking without unrolling. In: Jhala, R., Schmidt, D. (eds.) VMCAI 2011. LNCS, vol. 6538, pp. 70–87. Springer, Heidelberg (2011)
Brayton, R., Mishchenko, A.: ABC: an academic industrialstrength verification tool. In: Touili, T., Cook, B., Jackson, P. (eds.) CAV 2010. LNCS, vol. 6174, pp. 24–40. Springer, Heidelberg (2010)
Burch, J.R., Clarke, E.M., McMillan, K.L., Dill, D.L.: Sequential circuit verification using symbolic model checking. In: Proceedings of DAC 1990, pp. 46–51, IEEE CS Press (1990)
Claessen, K., Eén, N., Sterin, B.: A circuit approach to LTL model checking. In: Proceedings of FMCAD, pp. 53–60 (2013)
Clarkson, M.R., Finkbeiner, B., Koleini, M., Micinski, K.K., Rabe, M.N., Sánchez, C.: Temporal logics for hyperproperties. In: Abadi, M., Kremer, S. (eds.) POST 2014 (ETAPS 2014). LNCS, vol. 8414, pp. 265–284. Springer, Heidelberg (2014)
Clarkson, M.R., Schneider, F.B.: Hyperproperties.In: Proceedings IEEE Symposium on Computer Security Foundations, pp. 51–65, June 2008
Dimitrova, R., Finkbeiner, B., Kovács, M., Rabe, M.N., Seidl, H.: Model checking information flow in reactive systems. In: Kuncak, V., Rybalchenko, A. (eds.) VMCAI 2012. LNCS, vol. 7148, pp. 169–185. Springer, Heidelberg (2012)
D’Souza, D., Holla, R., Raghavendra, K.R., Sprick, B.: Modelchecking tracebased information flow properties. J. Comput. Secur. 19(1), 101–138 (2011)
Eén, N., Mishchenko, A., Brayton, R.K.: Efficient implementation of property directed reachability. In: Proceedings of FMCAD, pp. 125–134 (2011)
Fagin, R., Halpern, J.Y., Moses, Y., Vardi, M.Y.: Reasoning About Knowledge. MIT Press, Cambridge (1995)
Finkbeiner, B., Rabe, M.N.: The linearhyperbranching spectrum of temporal logics. IT Inf. Technol. 56, 273–279 (2014)
Gammie, P., van der Meyden, R.: MCK: model checking the logic of knowledge. In: Alur, R., Peled, D.A. (eds.) CAV 2004. LNCS, vol. 3114, pp. 479–483. Springer, Heidelberg (2004)
Goguen, J.A., Meseguer, J.: Security policies and security models. In: Proceedings IEEE Symposium on Security and Privacy, pp. 11–20, IEEE CS Press (1982)
Huisman, M., Worah, P., Sunesen, K.: A temporal logic characterisation of observational determinism. In: Proceedings of CSFW, IEEE CS Press (2006)
Kesten, Y., Pnueli, A., Raviv, L.: Algorithmic verification of linear temporal logic specifications. In: Larsen, K.G., Skyum, S., Winskel, G. (eds.) ICALP 1998. LNCS, vol. 1443, pp. 1–16. Springer, Heidelberg (1998)
Kupferman, O., Vardi, M.Y.: Weak alternating automata are not that weak. ACM TOCL 2(3), 408–429 (2001)
Lamport, L.: A new solution of Dijkstra’s concurrent programming problem. Commun. ACM 17(8), 453–455 (1974)
Lange, M., Lozes, É.: Modelchecking the higherdimensional modal mucalculus. In: Proceedings of FICS, EPTCS, vol. 77, pp. 39–46 (2012)
Lomuscio, A., Pecheur, C., Raimondi, F.: Automatic verification of knowledge and time with NuSMV. In: Proceedings of IJCAI, pp. 1384–1389 (2007)
Lomuscio, A., Qu, H., Raimondi, F.: MCMAS: a model checker for the verification of multiagent systems. In: Bouajjani, A., Maler, O. (eds.) CAV 2009. LNCS, vol. 5643, pp. 682–688. Springer, Heidelberg (2009)
Manna, Z., Pnueli, A.: The Temporal Logic of Reactive and Concurrent Systems. Springer, New York (1992)
Manna, Z., Pnueli, A.: Temporal Verification of Reactive Systems: Safety. Springer, New York (1995)
McMillan, K.L.: Craig interpolation and reachability analysis. In: Cousot, R. (ed.) SAS 2003. LNCS, vol. 2694, p. 336. Springer, Heidelberg (2003)
Meski, A., Penczek, W., Szreter, M., WoznaSzczesniak, B., Zbrzezny, A.: Bounded model checking for knowledge and linear time. In: Proceedings of AAMAS, pp. 1447–1448, IFAAMAS (2012)
Milushev, D.: Reasoning about hyperproperties. Ph.D thesis, Faculty of Engineering, Katholieke Universiteit Leuven, Celestijnenlaan 200A, box 2402, B3001 Heverlee, Belgium, 6 (2013)
Milushev, D., Clarke, D.: Towards incrementalization of holistic hyperproperties. In: Degano, P., Guttman, J.D. (eds.) Principles of Security and Trust. LNCS, vol. 7215, pp. 329–348. Springer, Heidelberg (2012)
Miyano, S., Hayashi, T.: Alternating finite automata on omegawords. Theor. Comput. Sci. 32, 321–330 (1984)
Muller, D.E., Saoudi, A., Schupp, P.E.: Weak alternating automata give a simple explanation of why most temporal and dynamic logics are decidable in exponential time. In: Proceedings of LICS, pp. 422–427, IEEE CS Press (1988)
Otto, M.: Bisimulationinvariant PTIME and higherdimensional \(\mu \)calculus. Theor. Comput. Sci. 224, 237–265 (1998)
Pencze, W., Lomuscio, A.: Verifying epistemic properties of multiagent systems via bounded model checking. In: Proceedings of AAMAS, pp. 209–216, IFAAMAS (2003)
Rabe, M.N.: MCHyper: a model checker for hyperproperties. http://www.react.unisaarland.de/tools/mchyper/ (2015). Accessed Feb 6 2015
Sabelfeld, A., Myers, A.C.: A model for delimited information release. In: Futatsugi, K., Mizoguchi, F., Yonezaki, N. (eds.) ISSS 2003. LNCS, vol. 3233, pp. 174–191. Springer, Heidelberg (2004)
Sistla, P.A., Clarke, E.M.: The complexity of propositional linear temporal logics. J. ACM 32(3), 733–749 (1985)
Thielke, W.: Code geknackt. Link to article in media archive: http://www.focus.de/finanzen/news/krankenkassencodegeknackt_aid_148829.html (1994). Accessed Feb 6 2015
van der Meyden, R., Zhang, C.: Algorithmic verification of noninterference properties. Electr. Notes Theor. Comput. Sci. 168, 61–75 (2007)
Vardi, M.Y.: Alternating automata and program verification. In: van Leeuwen, J. (ed.) Computer Science Today. LNCS, vol. 1000, pp. 471–485. Springer, Heidelberg (1995)
Vardi, M.Y., Wolper, P.: An automatatheoretic approach to automatic program verification. In: Proceedings of LICS 1986, pp. 332–344, IEEE CS Press (1986)
Vardi, M.Y., Wolper, P.: Reasoning about infinite computations. Inf. Comput. 115(1), 1–37 (1994)
Acknowledgements
We thank HansJörg Peter for valuable discussions and for synthesizing models for the case studies, Heinrich Ody for joint work on an early prototype of the tool, and Heidy Khlaaf for insightful comments on the paper.
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2015 Springer International Publishing Switzerland
About this paper
Cite this paper
Finkbeiner, B., Rabe, M.N., Sánchez, C. (2015). Algorithms for Model Checking HyperLTL and HyperCTL\(^*\) . In: Kroening, D., Păsăreanu, C. (eds) Computer Aided Verification. CAV 2015. Lecture Notes in Computer Science(), vol 9206. Springer, Cham. https://doi.org/10.1007/9783319216904_3
Download citation
DOI: https://doi.org/10.1007/9783319216904_3
Published:
Publisher Name: Springer, Cham
Print ISBN: 9783319216898
Online ISBN: 9783319216904
eBook Packages: Computer ScienceComputer Science (R0)