Model Checking Quantitative Hyperproperties
 12 Citations
 8.1k Downloads
Abstract
Hyperproperties are properties of sets of computation traces. In this paper, we study quantitative hyperproperties, which we define as hyperproperties that express a bound on the number of traces that may appear in a certain relation. For example, quantitative noninterference limits the amount of information about certain secret inputs that is leaked through the observable outputs of a system. Quantitative noninterference thus bounds the number of traces that have the same observable input but different observable output. We study quantitative hyperproperties in the setting of HyperLTL, a temporal logic for hyperproperties. We show that, while quantitative hyperproperties can be expressed in HyperLTL, the running time of the HyperLTL model checking algorithm is, depending on the type of property, exponential or even doubly exponential in the quantitative bound. We improve this complexity with a new model checking algorithm based on modelcounting. The new algorithm needs only logarithmic space in the bound and therefore improves, depending on the property, exponentially or even doubly exponentially over the model checking algorithm of HyperLTL. In the worst case, the new algorithm needs polynomial space in the size of the system. Our Max#Satbased prototype implementation demonstrates, however, that the counting approach is viable on systems with nontrivial quantitative information flow requirements such as a passcode checker.
1 Introduction
Model checking algorithms [17] are the cornerstone of computeraided verification. As their input consists of both the system under verification and a logical formula that describes the property to be verified, they uniformly solve a wide range of verification problems, such as all verification problems expressible in lineartime temporal logic (LTL), computationtree logic (CTL), or the modal \(\mu \)calculus. Recently, there has been a lot of interest in extending model checking from standard trace and tree properties to information flow policies like observational determinism or quantitative information flow. Such policies are called hyperproperties [21] and can be expressed in HyperLTL [18], an extension of LTL with trace quantifiers and trace variables. For example, observational determinism [47], the requirement that any pair of traces that have the same observable input also have the same observable output, can be expressed as the following HyperLTL formula: Open image in new window For many information flow policies of interest, including observational determinism, there is no longer a need for propertyspecific algorithms: it has been shown that the standard HyperLTL model checking algorithm [26] performs just as well as a specialized algorithm for the respective property.
The class of hyperproperties studied in this paper is one where, by contrast, the standard model checking algorithm performes badly. We are interested in quantitative hyperproperties, i.e., hyperproperties that express a bound on the number of traces that may appear in a certain relation. A prominent example of this class of properties is quantitative noninterference [43, 45], where we allow some flow of information but, at the same time, limit the amount of information that may be leaked. Such properties are used, for example, to describe the correct behavior of a password check, where some information flow is unavoidable (“the password was incorrect”), and perhaps some extra information flow is acceptable (“the password must contain a special character”), but the information should not suffice to guess the actual password. In HyperLTL, quantitative noninterference can be expressed [18] as the formula Open image in new window The formula states that there do not exist \(2^c+1\) traces (corresponding to more than c bits of information) with the same observable input but different observable output. The bad performance of the standard model checking algorithm is a consequence of the fact that the \(2^{c}+1\) traces are tracked simultaneously. For this purpose, the model checking algorithm builds and analyzes a \((2^c+1)\)fold selfcomposition of the system.
The viability of our countingbased model checking algorithm is demonstrated on a SATbased prototype implementation. For quantitative hyperproperties of intrest, such as bounded leakage of a password checker, our algorithm shows promising results, as it significantly outperforms existing model checking approaches.
1.1 Related Work
Quantitative informationflow has been studied extensively in the literature. See, for example, the following selection of contributions on this topic: [1, 14, 19, 32, 34, 43]. Multiple verification methods for quantitative informationflow were proposed for sequential systems. For example, with static analysis techniques [15], approximation methods [35], equivalence relations [3, 22], and randomized methods [35]. Quantitative informationflow for multithreaded programs was considered in [11].
The study of quantitative informationflow in a reactive setting gained a lot of attention recently after the introduction of hyperproperties [21] and the idea of verifying the selfcomposition of a reactive system [6] in order to relate traces to each other. There are several possibilities to measure the amount of leakage, such as Shannon entropy [15, 24, 37], guessing entropy [3, 34], and minentropy [43]. A classification of quantitative informationflow policies as safety and liveness hyperproperties was given in [46]. While several verification techniques for hyperproperties exists [5, 31, 38, 42], the literature was missing general approaches to quantitative informationflow control. SecLTL [25] was introduced as first general approach to model check (quantitative) hyperproperties, before HyperLTL [18], and its corresponding model checker [26], was introduced as a temporal logic for hyperproperties, which subsumes the previous approaches.
Using counting to compute the number of solutions of a given formula is studied in the literature as well and includes many probabilistic inference problems, such as Bayesian net reasoning [36], and planning problems, such as computing robustness of plans in incomplete domains [40]. Stateoftheart tools for propositional model counting are Relsat [33] and c2d [23]. Algorithms for counting models of temporal logics and automata over infinite words have been introduced in [27, 28, 44]. The counting of projected models, i.e., when some parts of the models are irrelevant, was studied in [2], for which tools such as #CLASP [2] and DSharp_P [2, 41] exist. Our SATbased prototype implementation is based on a reduction to a Max#SAT [29] instance, for which a corresponding tool exists.
Among the already existing tools for computing the amount of information leakage, for example, QUAIL [8], which analyzes programs written in a specific whilelanguage and LeakWatch [12], which estimates the amount of leakage in Java programs, MopedQLeak [9] is closest to our approach. However, their approach of computing a symbolic summary as an Algebraic Decision Diagram is, in contrast to our approach, solely based on model counting, not maximum model counting.
2 Preliminaries
2.1 HyperLTL
HyperLTL [18] extends lineartime temporal logic (LTL) with trace variables and trace quantifiers. Let \( AP \) be a set of atomic propositions. A trace t is an infinite sequence over subsets of the atomic propositions. We define the set of traces Open image in new window . A subset \(T \subseteq TR \) is called a trace property and a subset \(H \subseteq 2^ TR \) is called a hyperproperty. We use the following notation to manipulate traces: let \(t \in TR \) be a trace and \(i \in \mathbb {N}\) be a natural number. t[i] denotes the ith element of t. Therefore, t[0] represents the starting element of the trace. Let \(j \in \mathbb {N}\) and \(j \ge i\). t[i, j] denotes the sequence \(t[i]~t[i+1]\ldots t[j1]~t[j]\). \(t[i, \infty ]\) denotes the infinite suffix of t starting at position i.
2.2 System Model
A Kripke structure is a tuple \(K=(S,s_0,\delta , AP ,L)\) consisting of a set of states S, an initial state \(s_0 \in S\), a transition function \(\delta : S \rightarrow 2^S\), a set of atomic propositions \( AP \), and a labeling function \(L : S \rightarrow 2^ AP \), which labels every state with a set of atomic propositions. We assume that each state has a successor, i.e., \(\delta (s) \not = \emptyset \). This ensures that every run on a Kripke structure can always be extended to an infinite run. We define a path of a Kripke structure as an infinite sequence of states \(s_0s_1\dots \in S^\omega \) such that \(s_0\) is the initial state of K and \(s_{i+1} \in \delta (s_i)\) for every \(i \in \mathbb {N}\). We denote the set of all paths of K that start in a state s with \( Paths (K,s)\). Furthermore, \( Paths ^*(K,s)\) denotes the set of all path prefixes and \( Paths ^\omega (K,s)\) the set of all path suffixes. A trace of a Kripke structure is an infinite sequence of sets of atomic propositions \(L(s_0),L(s_1),\dots \in (2^ AP )^\omega \), such that \(s_0\) is the initial state of K and \(s_{i+1} \in \delta (s_i)\) for every \(i \in \mathbb {N}\). We denote the set of all traces of K that start in a state s with \( TR (K,s)\). We say that a Kripke structure K satisfies a HyperLTL formula \(\varphi \) if its set of traces satisfies \(\varphi \), i.e., if \(\varPi \models _{ TR (K,s_0)} \varphi \), where \(\varPi \) is the empty trace assignment.
2.3 Automata over Infinite Words
In our construction we use automata over infinite words. A Büchi automaton is a tuple \(\mathcal B = (Q,Q_0,\delta ,\varSigma ,F)\), where Q is a set of states, \(Q_0\) is a set of initial states, \(\delta : Q \times \varSigma \rightarrow 2^Q\) is a transition relation, and \(F\subset Q\) are the accepting states. A run of \(\mathcal B\) on an infinite word \(w = \alpha _1 \alpha _2 \dots \in \varSigma ^\omega \) is an infinite sequence \(r = q_0 q_1 \dots \in Q^\omega \) of states, where \(q_0 \in Q_0\) and for each \(i \ge 0\), \(q_{i+1} = \delta (q_i,\alpha _{i+1})\). We define \(\mathbf{Inf }(r)=\{q \in Q \mid \forall i \exists j>i.~r_j = q\}\). A run r is called accepting if \(\mathbf{Inf }(r) \cap F \not = \emptyset \). A word w is accepted by \(\mathcal B\) and called a model of \(\mathcal B\) if there is an accepting run of \(\mathcal B\) on w.
Furthermore, an alternating automaton, whose runs generalize from sequences to trees, is a tuple \(\mathcal A = (Q,Q_0,\delta ,\varSigma ,F)\). \(Q,Q_0, \varSigma \), and F are defined as above and \(\delta : Q \times \varSigma \rightarrow \mathbb {B}^+{Q}\) being a transition function, which maps a state and a symbol into a Boolean combination of states. Thus, a run(tree) of an alternating Büchi automaton \(\mathcal A\) on an infinite word w is a Qlabeled tree. A word w is accepted by \(\mathcal {A}\) and called a model if there exists a runtree T such that all paths p trough T are accepting, i.e., \(\mathbf{Inf }(p) \cap F \not = \emptyset \).
A strongly connected component (SCC) in \(\mathcal A\) is a maximal strongly connected component of the graph induced by the automaton. An SCC is called accepting if one of its states is an accepting state in \(\mathcal A\).
3 Quantitative Hyperproperties
For a given set of traces T and a valuation of the trace variables \(\pi _1,\dots ,\pi _k\), the term \(\# \sigma : A.\, \psi \) computes the number of traces \(\sigma \) in T that differ in their valuation of the atomic propositions in A and satisfy \(\psi \). The expression \(\# \sigma : A.\, \psi \triangleleft n\) is \( true \) iff the resulting number satisfies the comparison with n. Finally, the complete expression \(\forall \pi _1,\dots ,\pi _k.\,\varphi \rightarrow (\# \sigma : A.\, \psi \triangleleft n)\) is \( true \) iff for all combinations \(\pi _1,\dots ,\pi _k\) of traces in T that satisfy \(\varphi \), the comparison \(\# \sigma : A.\, \psi \triangleleft n\) is satisfied.
Example 1
Example 2
4 Model Checking Quantitative Hyperproperties
We present a model checking algorithm for quantitative hyperproperties based on model counting. The advantage of the algorithm is that its runtime complexity is independent of the bound n and thus avoids the nfold selfcomposition necessary for any encoding of the quantitative hyperproperty in HyperLTL.
Before introducing our novel countingbased algorithm, we start by a translation of quantitative hyperproperties into formulas in HyperLTL and establishing an exponential lower bound for its representation.
4.1 Standard Model Checking Algorithm: Encoding Quantitative Hyperproperties in HyperLTL
The idea of the reduction is to check a lower bound of n traces by existentially quantifying over n traces, and to check an upper bound of n traces by universally quantifying over \(n+1\) traces. The resulting HyperLTL formula can be verified using the standard model checking algorithm for HyperLTL [18].
Theorem 1
Every quantitative hyperproperty \( \forall \pi _1,\dots ,\pi _k.\ \psi _\iota \rightarrow (\# \sigma : A.\ \psi \triangleleft n) \) can be expressed as a HyperLTL formula. For \(\triangleleft \in \{\le \} (\{<\})\), the HyperLTL formula has \(n+k+1 (\text {resp. } n+k)\) universal trace quantifiers in addition to the quantifiers in \(\psi _\iota \) and \(\psi \). For \(\triangleleft \in \{\ge \} (\{>\})\), the HyperLTL formula has k universal trace quantifiers and n \((\text {resp. } n+1)\) existential trace quantifiers in addition to the quantifiers in \(\psi _\iota \) and \(\psi \). For \(\triangleleft \in \{=\}\), the HyperLTL formula has \(k+n+1\) universal trace quantifiers and n existential trace quantifiers in addition to the quantifiers in \(\psi _\iota \) and \(\psi \).
Proof
Example 3
Model checking quantitative hyperproperties via the reduction to HyperLTL is very expensive. In the best case, when \(\triangleleft \in \{\le , < \}\), \(\psi _\iota \) does not contain existential quantifiers, and \(\psi \) does not contain universal quantifiers, we obtain an HyperLTL formula without quantifier alternations, where the number of quantifiers grows linearly with the bound n. For m quantifiers, the HyperLTL model checking algorithm [26] constructs and analyzes the mfold selfcomposition of the Kripke structure. The running time of the model checking algorithm is thus exponential in the bound. If \(\triangleleft \in \{\ge , >, = \}\), the encoding additionally introduces a quantifier alternation. The model checking algorithm checks quantifier alternations via a complementation of Büchi automata, which adds another exponent, resulting in an overall doubly exponential running time.
The model checking algorithm we introduce in the next section avoids the nfold selfcomposition needed in the model checking algorithm of HyperLTL and its complexity is independent of the bound n.
4.2 CountingBased Model Checking Algorithm
4.3 Büchi Automata for Quantitative Hyperproperties
4.4 Counting Models of \(\omega \)Automata
In the following, we define the maximum model counting problem over automata and give an algorithm for solving the problem. We show how to use the algorithm for model checking quantitative hyperproperties.
Definition 1
As a first step in our algorithm, we show how to check whether the maximum model count is equal to infinity.
Definition 2
(Doubly Pumped Lasso). For a graph G, a doubly pumped lasso in G is a subgraph that entails a cycles \(C_1\) and another different cycle \(C_2\) that is reachable from \(C_1\).
In general, we distinguish between two types of doubly pumped lassos as shown in Fig. 3. We call the lassos with periods \(C_1\) and \(C_2\) the lassos of the doubly pumped lasso. A doubly pumped lasso of a Büchi automaton B is one in the graph structure of B. The doubly pumped lasso is called accepting when \(C_2\) has an accepting state. A more generalized formalization of this idea is given in the following theorem.
Theorem 2
Let \(B=(Q,q_0,\delta , 2^\textit{AP}, F)\) be a Büchi automaton for some set of atomic propositions \(\textit{AP}= X \cup Y \cup Z\) and let \(\sigma ' \in ( 2^{Y})^\omega \). The automaton B has infinitely many \(X \cup Y\)projected models \(\sigma \) with \(\sigma =_{Y} \sigma '\) if and only if B has an accepting doubly pumped lasso with lassos \(\rho \) and \(\rho '\) such that: (1) \(\rho \) is an accepting lasso (2) \(\textit{tr}(\rho )=_{Y} \textit{tr}(\rho ')=_{Y}\sigma '\) (3) The period of \(\rho '\) shares at least one state with \(\rho \) and (4) \(\textit{tr}(\rho )\not =_X\textit{tr}(\rho ')\).
To check whether there is a sequence \(\sigma ' \in (2^Y)^\omega \) such that the number of \(X\cup Y\)projected models \(\sigma \) of B with \(\sigma =_Y \sigma '\) is infinite, we search for a doubly pumped lasso satisfying the constraints given in Theorem 2. This can be done by applying the following procedure:
Given a Büchi automaton \(B=(Q,q_0,2^\textit{AP},\delta ,F)\) and sets \(X,Y,Z \subseteq ~\textit{AP}\), we construct the following product automaton \(B_\times =(Q_\times ,q_{\times ,0},2^\textit{AP}\times 2^\textit{AP}, \delta _\times , F_\times )\) where: \(Q_\times = Q \times Q\), \(q_{\times ,0} = (q_0,q_0)\), \(\delta _\times = \{(s_1,s_2) \xrightarrow {(\alpha ,\alpha ')} (s'_1,s_2') \mid s_1 \xrightarrow {\alpha } s_2, s'_1 \xrightarrow {\alpha '} s'_2, \alpha =_{Y} \alpha '\}\) and \(F_\times = Q\times F\). The automaton B has infinitely many models \(\sigma '\) if there is an accepting lasso \(\rho = (q_0,q_0)(\alpha _1,\alpha '_1) \dots ((q_j,q_j')(\alpha _{j+1},\alpha '_{j+1})\) \(\dots (q_k,q'_k) (\alpha _{k+1},\alpha '_{k+1}))\) in \(B_\times \) such that: \(\exists h\le j.~ q'_h = q_j\), i.e., B has lassos \(\rho _1\) and \(\rho _2\) that share a state in the period of \(\rho _1\) and \(\exists h>j.~ \alpha _h \not =_X \alpha '_h\), i.e., the lassos differ in the evaluation of X in a position after the shared state and thus allows infinitely many different sequence over X for the a sequence over Y. The lasso \(\rho \) simulates a doubly pumped lasso in B satisfying the constraints of Theorem 2.
Theorem 3
Given an alternating Büchi automaton \(A=(Q,q_0,\delta , 2^\textit{AP}, F)\) for a set of atomic propositions \(\textit{AP}= X\cup Y\cup Z\), the problem of checking whether there is a sequence \(\sigma ' \in ( 2^{Y})^\omega \) such that A has infinitely many \(X\cup Y\)projected models \(\sigma \) with \(\sigma =_Y \sigma '\) is Pspacecomplete.
The lower and upper bound for the problem can be given by a reduction from and to the satisfiability problem of LTL [4]. Due to the finite structure of Büchi automata, if the number of models of the automaton exceed the exponential bound \(2^{Q}\), where Q is the set of states, then the automaton has infinitely many models.
Lemma 1
For any Büchi automaton B, the number of models of B is less or equal to \(2^{Q}\) otherwise it is \(\infty \).
Proof
Assume the number of models is larger than \(2^{Q}\) then there are more than \(2^{Q}\) accepting lassos in B. By the pigeonhole principle, two of them share the same \(2^{Q}\)prefix. Thus, either they are equal or we found doubly pumped lasso in B.
Corollary 1
Let a Büchi automaton B over a set of atomic propositions \(\textit{AP}\) and sets \(X,Y \subseteq \textit{AP}\). For each sequence \(\sigma _Y \in (2^{Y})^\omega \) the number of \(X\cup Y\)projected models \(\sigma \) with \(\sigma =_Y \sigma _Y \) is less or equal than \(2^{Q}\) otherwise it is \(\infty \).
Algorithm 2 describes the procedure. An algorithm for the minimum model counting problem is defined in similar way. The algorithm works in a backwards fashion starting with states of accepting strongly connected components. In each iteration i, the algorithm maps each state of the automaton with \(X \cup Y\)projected words of length i that reach an accepting strongly connected component. After Q iterations, the algorithm determines from the mapping of initial state \(q_0\) a Yprojected word of length Q with the maximum number of matching \(X\cup Y\)projected words (Fig. 4).
Theorem 4
The decisional version of the maximum model counting problem over automata (MMCA), i.e. the question whether the maximum is greater than a given natural number n, is in \( NP ^{\#P}\).
Proof
Let a Büchi automaton over an alphabet \(2^ AP \) for a set of atomic propositions \( AP \) and sets \(\textit{AP}_X,\textit{AP}_Y,\textit{AP}_Z \subseteq \textit{AP}\) and a natural number n be given. We construct a nondeterministic Turing Machine M with access to a \(\#P\)oracle as follows: M guesses a sequence \(\sigma _Y \in 2^ AP_Y \). It then queries the oracle, to compute a number c, such that \(c = \{\sigma _X \in (2^{\textit{AP}_X})^\omega \mid \exists \sigma _Z \in (2^{\textit{AP}_Z})^\omega .~ \sigma _X\cup \sigma _Y\cup \sigma _Z \in L(B)\}\), which is a \(\#P\) problem [27]. It remains to check whether \(n>c\). If so, M accepts.
The following theorem summarizes the main findings of this section, which establish, depending on the property, an exponentially or even doubly exponentially better algorithm (in the quantitative bound) over the existing model checking algorithm for HyperLTL.
Theorem 5
Given a Kripke structure K and a quantitative hyperproperty \(\varphi \) with bound n, the problem whether \(K \models \varphi \) can be decided in logarithmic space in the quantitative bound n and in polynomial space in the size of K.
5 A Max#SatBased Approach
For existential HyperLTL formulas \(\psi _\iota \) and \(\psi \), we give a more practical model checking approach by encoding the automatonbased construction presented in Sect. 4 into a propositional formula.
Given a Kripke structure \(K=(S,s_0, \tau , \textit{AP}_K, L)\) and a quantitative hyperproperty \(\varphi =\forall \pi _1, \dots , \pi _k.~ \psi _\iota \rightarrow (\#\sigma :A.~ \psi ) \triangleleft n \) over a set of atomic propositions \(\textit{AP}_\varphi \subseteq \textit{AP}_K\) and bound \(\mu \), our algorithm constructs a propositional formula \(\phi \) such that, every satisfying assignment of \(\phi \) uniquely encodes a tuple of lassos \((\pi _1, \dots , \pi _k,\sigma )\) of length \(\mu \) in K, where \((\pi _1, \dots , \pi _k)\) satisfies \(\psi _\iota \) and \((\pi _1, \dots , \pi _k,\sigma )\) satisfies \(\psi \). To compute the values \(\max \limits _{(\pi _1,\dots ,\pi _k)}\{\sigma _A \mid (\pi _1,\dots ,\pi _k,\sigma ) \models \psi _\iota \wedge \psi \}\) (in case \(\triangleleft \in \{\le , <\}\)) or \(\min \limits _{(\pi _1,\dots ,\pi _k)}\{\sigma _A \mid (\pi _1,\dots ,\pi _k,\sigma ) \models \psi _\iota \wedge \psi \}\) (in case \(\triangleleft \in \{\ge , >\}\)), we pass \(\phi \) to a maximum model counter, respectively, to a minimum model counter with the appropriate sets of counting and maximization, respectively, minimization propositions. From Lemma 1 we know that it is enough to consider lasso of length exponential in the size of \(\varphi \). The size of \(\phi \) is thus exponential in the size of \(\varphi \) and polynomial in the size of K.

\(\mu \) is length of considered lassos and is equal to \(\mu = 2^{\psi '_\iota \wedge \psi ''}*S^{k+k'+k''+1}+1\) which is one plus the size of the product automaton constructed from the \(k+k'+k''+1\) selfcomposition and the automaton for \(\psi _\iota \wedge \psi \). The “plus one” is to additionally check whether the number of models is infinite.

\(\llbracket K \rrbracket _\pi ^k\) is the encoding of the transition relation of the copy of K where atomic propositions are indexed with \(\pi \) and up to an unrolling of length k. Each state of K can be encoded as an evaluation of a vector of \(\log {S}\) unique propositional variables. The encoding is given by the propositional formula Open image in new window which encodes all paths of K of length k. The formula Open image in new window defines the assignment of the initial state. The formulas Open image in new window define valid transitions in K from the ith to the \((i+1)\)st state of a path.
 \( \llbracket \psi _\iota \rrbracket _{k}^0\) and \(\llbracket \psi \rrbracket _{k}^0\) are constructed using the following rules^{3}: in case of an existential quantifier over a trace variable \(\pi \), we add a copy of the encoding of K with new variables distinguished by \(\pi \):
We define sets \(X= \{a^i_\sigma \mid a \in A , i \le k\}\), \(Y= \{a^i \mid a \in \textit{AP}_\psi \setminus A, i\le k\}\) and \(Z = P\setminus X \cup Y\), where P is the set of all propositions in \(\phi \). The maximum model counting problem is then \(\textit{MMC}(\phi , X,Y,Z)\).
5.1 Experiments
Comparison between the expansionbased approach (MCHyper) and the Max#Satbased approach (MCQHyper). #max is the number of maximization variables (set Y). #count is the number of the counting variables (set X). TO indicates a timeout after 1 h.
Benchmark  Specification  MCHyper  MCQHyper  

#Latches  #Gates  Time(sec)  #var  #max  #count  Time(sec)  
Pwd_8bit  1bit_leak  9  55  0.3  97  16  2  1 
2bit_leak  0.4  176  32  4  1  
3bit_leak  1.3  336  64  8  2  
4bit_leak  97  656  128  16  4  
5bit_leak  TO  1296  256  32  8  
6bit_leak  TO  2576  512  64  335  
8bit_leak  TO  10256  2048  256  TO 
Table 1 shows the results on a parameterized benchmark obtained from the implementation of an 8bit passcode checker. The parameter of the benchmark is the bound on the number of bits that is leaked to an adversary, who might, for example, enter passcodes in a bruteforce manner. In all instances, a violation is found. The results show that the Max#Satbased approach scales significantly better than the expansionbased approach.
6 Conclusion
We have studied quantitative hyperproperties of the form \(\forall \pi _1,\dots ,\pi _k.\ \varphi \rightarrow (\# \sigma : A.\ \psi \triangleleft n)\), where \(\varphi \) and \(\psi \) are HyperLTL formulas, and \(\#\sigma :A. \varphi \triangleleft n\) compares the number of traces that differ in the atomic propositions A and satisfy \(\psi \) to a threshold n. Many quantitative information flow policies of practical interest, such as quantitative noninterference and deniability, belong to this class of properties. Our new countingbased model checking algorithm for quantitative hyperproperties performs at least exponentially better in both time and space in the bound n than a reduction to standard HyperLTL model checking. The new counting operator makes the specifications exponentially more concise in the bound, and our model checking algorithm solves the concise specifications efficiently.
We also showed that the model checking problem for quantitative hyperproperties can be solved with a practical Max#SATbased algorithm. The SATbased approach outperforms the expansionbased approach significantly for this class of properties. An additional advantage of the new approach is that it can handle properties like deniability, which cannot be checked by MCHyper because of the quantifier alternation.
Footnotes
 1.
We write \(\pi =_A \pi '\) short for \(\pi _A = \pi '_A\) where \(\pi _A\) is the Aprojection of \(\pi \).
 2.
The construction follows the one presented in [26] with a slight modification on the labeling of transitions. Labeling over atomic proposition instead of the states of the Kripke structure suffices, as any nondeterminism in the Kripke structure is inherently resolved, because we quantify over trace not paths.
 3.
We omitted the rules for boolean operators for the lack of space.
References
 1.Alvim, M.S., Andrés, M.E., Palamidessi, C.: Quantitative information flow in interactive systems. J. Comput. Secur. 20(1), 3–50 (2012)CrossRefGoogle Scholar
 2.Aziz, R.A., Chu, G., Muise, C.J., Stuckey, P.J.: #\(\exists \)sat: projected model counting. In: Proceedings of the 18th International Conference on Theory and Applications of Satisfiability Testing  SAT 2015, Austin, TX, USA, 24–27 September 2015, pp. 121–137 (2015)Google Scholar
 3.Backes, M., Köpf, B., Rybalchenko, A.: Automatic discovery and quantification of information leaks. In: 30th IEEE Symposium on Security and Privacy (S&P 2009), Oakland, California, USA, 17–20 May 2009, pp. 141–153 (2009)Google Scholar
 4.Baier, C., Katoen, J.P.: Principles of Model Checking (Representation and Mind Series). The MIT Press, Cambridge (2008)zbMATHGoogle Scholar
 5.Banerjee, A., Naumann, D.A.: Stackbased access control and secure information flow. J. Funct. Program. 15(2), 131–177 (2005)MathSciNetCrossRefGoogle Scholar
 6.Barthe, G., D’Argenio, P.R., Rezk, T.: Secure information flow by selfcomposition. Math. Struct. Comput. Sci. 21(6), 1207–1252 (2011)MathSciNetCrossRefGoogle Scholar
 7.Bindschaedler, V., Shokri, R., Gunter, C.A.: Plausible deniability for privacypreserving data synthesis. PVLDB 10(5), 481–492 (2017)Google Scholar
 8.Biondi, F., Legay, A., Traonouez, L.M., Wąsowski, A.: QUAIL: a quantitative security analyzer for imperative code. In: Sharygina, N., Veith, H. (eds.) CAV 2013. LNCS, vol. 8044, pp. 702–707. Springer, Heidelberg (2013). https://doi.org/10.1007/9783642397998_49CrossRefGoogle Scholar
 9.Chadha, R., Mathur, U., Schwoon, S.: Computing information flow using symbolic modelchecking. In: 34th International Conference on Foundation of Software Technology and Theoretical Computer Science, FSTTCS 2014, New Delhi, India, 15–17 December 2014, pp. 505–516 (2014)Google Scholar
 10.Chakraborti, A., Chen, C., Sion, R.: Datalair: efficient block storage with plausible deniability against multisnapshot adversaries. PoPETs 2017(3), 179 (2017)Google Scholar
 11.Chen, H., Malacaria, P.: Quantitative analysis of leakage for multithreaded programs. In: Proceedings of the 2007 Workshop on Programming Languages and Analysis for Security, PLAS 2007, San Diego, California, USA, 14 June 2007, pp. 31–40 (2007)Google Scholar
 12.Chothia, T., Kawamoto, Y., Novakovic, C.: LeakWatch: estimating information leakage from Java programs. In: Kutyłowski, M., Vaidya, J. (eds.) ESORICS 2014. LNCS, vol. 8713, pp. 219–236. Springer, Cham (2014). https://doi.org/10.1007/9783319112121_13CrossRefGoogle Scholar
 13.Clark, D., Hunt, S., Malacaria, P.: Quantified interference for a while language. Electr. Notes Theor. Comput. Sci. 112, 149–166 (2005)CrossRefGoogle Scholar
 14.Clark, D., Hunt, S., Malacaria, P.: Quantitative information flow, relations and polymorphic types. J. Log. Comput. 15(2), 181–199 (2005)MathSciNetCrossRefGoogle Scholar
 15.Clark, D., Hunt, S., Malacaria, P.: A static analysis for quantifying information flow in a simple imperative language. J. Comput. Secur. 15(3), 321–371 (2007)CrossRefGoogle Scholar
 16.Clarke, E., Biere, A., Raimi, R., Zhu, Y.: Bounded model checking using satisfiability solving. Form. Methods Syst. Des. 19(1), 7–34 (2001)CrossRefGoogle Scholar
 17.Clarke, E.M., Emerson, E.A.: Design and synthesis of synchronization skeletons using branching time temporal logic. In: Kozen, D. (ed.) Logic of Programs 1981. LNCS, vol. 131, pp. 52–71. Springer, Heidelberg (1982). https://doi.org/10.1007/BFb0025774CrossRefGoogle Scholar
 18.Clarkson, M.R., Finkbeiner, B., Koleini, M., Micinski, K.K., Rabe, M.N., Sánchez, C.: Temporal logics for hyperproperties. In: Abadi, M., Kremer, S. (eds.) POST 2014. LNCS, vol. 8414, pp. 265–284. Springer, Heidelberg (2014). https://doi.org/10.1007/9783642547928_15CrossRefGoogle Scholar
 19.Clarkson, M.R., Myers, A.C., Schneider, F.B.: Belief in information flow. In: 18th IEEE Computer Security Foundations Workshop, (CSFW18 2005), AixenProvence, France, 20–22 June 2005, pp. 31–45 (2005)Google Scholar
 20.Clarkson, M.R., Myers, A.C., Schneider, F.B.: Quantifying information flow with beliefs. J. Comput. Secur. 17(5), 655–701 (2009)CrossRefGoogle Scholar
 21.Clarkson, M.R., Schneider, F.B.: Hyperproperties. J. Comput. Secur. 18(6), 1157–1210 (2010)CrossRefGoogle Scholar
 22.Cohen, E.S.: Information transmission in sequential programs. In: Foundations of Secure Computation, pp. 297–335 (1978)Google Scholar
 23.Darwiche, A.: New advances in compiling CNF into decomposable negation normal form. In: Proceedings of the 16th European Conference on Artificial Intelligence, ECAI 2004, including Prestigious Applicants of Intelligent Systems, PAIS 2004, Valencia, Spain, 22–27 August 2004, pp. 328–332 (2004)Google Scholar
 24.Denning, D.E.: Cryptography and Data Security. AddisonWesley, Boston (1982)zbMATHGoogle Scholar
 25.Dimitrova, R., Finkbeiner, B., Kovács, M., Rabe, M.N., Seidl, H.: Model checking information flow in reactive systems. In: Kuncak, V., Rybalchenko, A. (eds.) VMCAI 2012. LNCS, vol. 7148, pp. 169–185. Springer, Heidelberg (2012). https://doi.org/10.1007/9783642279409_12CrossRefzbMATHGoogle Scholar
 26.Finkbeiner, B., Rabe, M.N., Sánchez, C.: Algorithms for model checking HyperLTL and HyperCTL\(^*\). In: Kroening, D., Păsăreanu, C.S. (eds.) CAV 2015. LNCS, vol. 9206, pp. 30–48. Springer, Cham (2015). https://doi.org/10.1007/9783319216904_3CrossRefGoogle Scholar
 27.Finkbeiner, B., Torfah, H.: Counting models of lineartime temporal logic. In: Dediu, A.H., MartínVide, C., SierraRodríguez, J.L., Truthe, B. (eds.) LATA 2014. LNCS, vol. 8370, pp. 360–371. Springer, Cham (2014). https://doi.org/10.1007/9783319049212_29CrossRefGoogle Scholar
 28.Finkbeiner, B., Torfah, H.: The density of lineartime properties. In: D’Souza, D., Narayan Kumar, K. (eds.) ATVA 2017. LNCS, vol. 10482, pp. 139–155. Springer, Cham (2017). https://doi.org/10.1007/9783319681672_10CrossRefGoogle Scholar
 29.Fremont, D.J., Rabe, M.N., Seshia, S.A.: Maximum model counting. In: Proceedings of the ThirtyFirst AAAI Conference on Artificial Intelligence, San Francisco, California, USA, 4–9 February 2017, pp. 3885–3892 (2017)Google Scholar
 30.Gray III, J.W.: Toward a mathematical foundation for information flow security. In: Proceedings of the IEEE Symposium on Security and Privacy, pp. 210–234, May 1991Google Scholar
 31.Hammer, C., Snelting, G.: Flowsensitive, contextsensitive, and objectsensitive information flow control based on program dependence graphs. Int. J. Inf. Secur. 8(6), 399–422 (2009)CrossRefGoogle Scholar
 32.Gray III, J.W.: Toward a mathematical foundation for information flow security. In: IEEE Symposium on Security and Privacy, pp. 21–35 (1991)Google Scholar
 33.Bayardo Jr., R.J., Schrag, R.: Using CSP lookback techniques to solve realworld SAT instances. In: Proceedings of the Fourteenth National Conference on Artificial Intelligence and Ninth Innovative Applications of Artificial Intelligence Conference, AAAI 1997, Providence, Rhode Island, 27–31 July 1997, pp. 203–208 (1997)Google Scholar
 34.Köpf, B., Basin, D.A.: An informationtheoretic model for adaptive sidechannel attacks. In: Proceedings of the 2007 ACM Conference on Computer and Communications Security, CCS 2007, Alexandria, Virginia, USA, 28–31 October 2007, pp. 286–296 (2007)Google Scholar
 35.Köpf, B., Rybalchenko, A.: Approximation and randomization for quantitative informationflow analysis. In: Proceedings of the 23rd IEEE Computer Security Foundations Symposium, CSF 2010, Edinburgh, United Kingdom, 17–19 July 2010, pp. 3–14 (2010)Google Scholar
 36.Littman, M.L., Majercik, S.M., Pitassi, T.: Stochastic boolean satisfiability. J. Autom. Reason. 27(3), 251–296 (2001)MathSciNetCrossRefGoogle Scholar
 37.Malacaria, P.: Assessing security threats of looping constructs. In: Proceedings of the 34th ACM SIGPLANSIGACT Symposium on Principles of Programming Languages, POPL 2007, Nice, France, 17–19 January 2007, pp. 225–235 (2007)Google Scholar
 38.Milushev, D., Clarke, D.: Incremental hyperproperty model checking via games. In: Riis Nielson, H., Gollmann, D. (eds.) NordSec 2013. LNCS, vol. 8208, pp. 247–262. Springer, Heidelberg (2013). https://doi.org/10.1007/9783642414886_17CrossRefGoogle Scholar
 39.Miyano, S., Hayashi, T.: Alternating finite automata on \(\omega \)words. Theoret. Comput. Sci. 32(3), 321–330 (1984)Google Scholar
 40.Morwood, D., Bryce, D.: Evaluating temporal plans in incomplete domains. In: Proceedings of the TwentySixth AAAI Conference on Artificial Intelligence, 22–26 July 2012, Toronto, Ontario, Canada (2012)Google Scholar
 41.Muise, C.J., McIlraith, S.A., Beck, J.C., Hsu, E.I.: Dsharp: fast dDNNF compilation with sharpSAT. In: Kosseim, L., Inkpen, D. (eds.) AI 2012. LNCS (LNAI), vol. 7310, pp. 356–361. Springer, Heidelberg (2012). https://doi.org/10.1007/9783642303531_36CrossRefGoogle Scholar
 42.Myers, A.C.: JFlow: practical mostlystatic information flow control. In: Proceedings of the 26th ACM SIGPLANSIGACT Symposium on Principles of Programming Languages, POPL 1999, San Antonio, TX, USA, 20–22 January 1999, pp. 228–241 (1999)Google Scholar
 43.Smith, G.: On the foundations of quantitative information flow. In: de Alfaro, L. (ed.) FoSSaCS 2009. LNCS, vol. 5504, pp. 288–302. Springer, Heidelberg (2009). https://doi.org/10.1007/9783642005961_21CrossRefGoogle Scholar
 44.Torfah, H., Zimmermann, M.: The complexity of counting models of lineartime temporal logic. Acta Informatica 55(3), 191–212 (2016)MathSciNetCrossRefGoogle Scholar
 45.Yasuoka, H., Terauchi, T.: On bounding problems of quantitative information flow. In: Gritzalis, D., Preneel, B., Theoharidou, M. (eds.) ESORICS 2010. LNCS, vol. 6345, pp. 357–372. Springer, Heidelberg (2010). https://doi.org/10.1007/9783642154973_22CrossRefGoogle Scholar
 46.Yasuoka, H., Terauchi, T.: Quantitative information flow as safety and liveness hyperproperties. Theor. Comput. Sci. 538, 167–182 (2014)MathSciNetCrossRefGoogle Scholar
 47.Zdancewic, S., Myers, A.C.: Observational determinism for concurrent program security. In: Proceedings of CSF, p. 29. IEEE Computer Society (2003)Google Scholar
Copyright information
<SimplePara><Emphasis Type="Bold">Open Access</Emphasis>This chapter is licensed under the terms of the Creative Commons Attribution 4.0 International License(http://creativecommons.org/licenses/by/4.0/), which permits use, sharing, adaptation, distribution and reproduction in any medium or format, as long as you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons license and indicate if changes were made.</SimplePara><SimplePara>The images or other third party material in this chapter are included in the chapter's Creative Commons license, unless indicated otherwise in a credit line to the material. If material is not included in the chapter's Creative Commons license and your intended use is not permitted by statutory regulation or exceeds the permitted use, you will need to obtain permission directly from the copyright holder.</SimplePara>