Bounded Model Checking for Hyperproperties

This paper introduces a bounded model checking (BMC) algorithm for hyperproperties expressed in HyperLTL, which — to the best of our knowledge — is the first such algorithm. Just as the classic BMC technique for LTL primarily aims at finding bugs, our approach also targets identifying counterexamples. BMC for LTL is reduced to SAT solving, because LTL describes a property via inspecting individual traces. Our BMC approach naturally reduces to QBF solving, as HyperLTL allows explicit and simultaneous quantification over multiple traces. We report on successful and efficient model checking, implemented in our tool called HyperQube, of a rich set of experiments on a variety of case studies, including security, concurrent data structures, path planning for robots, and mutation testing.


Introduction
Hyperproperties [10] have been shown to be a powerful framework for specifying and reasoning about important classes of requirements that were not possible with trace-based languages such as the classic temporal logics. Examples include information-flow security, consistency models in concurrent computing [6], and robustness models in cyber-physical systems [5,35]. The temporal logic HyperLTL [9] extends LTL by allowing explicit and simultaneous quantification over execution traces, describing properties of multiple traces. For example, the security policy observational determinism can be specified by the following HyperLTL formula: $\forall\pi_A.\forall\pi_B.\ (o_{\pi_A} \leftrightarrow o_{\pi_B})\ \mathcal{W}\ \neg(i_{\pi_A} \leftrightarrow i_{\pi_B})$, which stipulates that every pair of traces $\pi_A$ and $\pi_B$ has to agree on the value of the (public) output $o$ as long as they agree on the value of the (secret) input $i$, where $\mathcal{W}$ denotes the weak until operator.
There has been a recent surge of model checking techniques for HyperLTL specifications [9,12,22,24]. These approaches employ various techniques (e.g., alternating automata, model counting, strategy synthesis, etc.) to verify hyperproperties. However, they generally fall short in proposing a general push-button method for identifying bugs with respect to HyperLTL formulas involving quantifier alternation. Indeed, quantifier alternation has been shown to generally elevate the complexity class of model checking HyperLTL specifications in different shapes of models [2,9]. For example, consider the simple Kripke structure $K$ in Fig. 1 and the HyperLTL formulas $\varphi_1 = \forall\pi_A.\forall\pi_B.\ (p_{\pi_A} \leftrightarrow p_{\pi_B})$ and $\varphi_2 = \forall\pi_A.\exists\pi_B.\ (p_{\pi_A} \leftrightarrow p_{\pi_B})$. Proving that $K \models \varphi_1$ (where traces for $\pi_A$ and $\pi_B$ are taken from $K$) can be reduced to building the self-composition of $K$ and applying standard LTL model checking, resulting in worst-case complexity $|K|^2$ in the size of the system. On the contrary, proving that $K \models \varphi_2$ is not as straightforward. In the worst case, this requires a subset construction to encode the existential quantifier within the Kripke structure, resulting in a $|K| \cdot 2^{|K|}$ blow-up. In addition, the quantification is over traces rather than states, adding to the complexity of reasoning.

This work was funded in part by the United States NSF SaTC Award 2100989, the Madrid Regional Government under project "S2018/TCS-4339 (BLOQUES-CM)", and by Spanish National Project "BOSCO (PGC2018-102210-B-100)".

Following the great success of bounded model checking (BMC) for LTL specifications [8], in this paper we propose a BMC algorithm for HyperLTL. To the best of our knowledge this is the first such algorithm. Just as BMC for LTL is reduced to SAT solving to search for a counterexample trace whose length is bounded by some integer $k$, we reduce BMC for HyperLTL to QBF solving to be able to deal with quantified counterexample traces in the input model. More formally, given a HyperLTL formula, e.g., $\varphi = \forall\pi_A.\exists\pi_B.\psi$, and a family of Kripke structures $\mathcal{K} = (K_A, K_B)$ (one per trace variable), the reduction involves three main components. First, the transition relation of $K_\pi$ (for every $\pi$) is represented by a Boolean encoding $\llbracket K_\pi \rrbracket$. Secondly, the inner LTL subformula $\psi$ is translated to a Boolean representation $\llbracket \psi \rrbracket$ in a similar fashion to the BMC unrolling technique for LTL. This way, the QBF encoding for a bound $k \ge 0$ roughly appears as: where the vectors of Boolean variables $x_A$ (respectively, $x_B$) are used to represent the states and propositions of $K_A$ (resp. $K_B$) for steps from 0 to $k$. The formulas $\llbracket K_A \rrbracket_k$ and $\llbracket K_B \rrbracket_k$ are the unrollings of $K_A$ (using $x_A$) and $K_B$ (using $x_B$), and $\llbracket \neg\psi \rrbracket$ (which uses both $x_A$ and $x_B$) is the fixpoint Boolean encoding of $\neg\psi$. The proposed technique in this paper does not incorporate a loop condition, as implementing such a condition for multiple traces is not straightforward.
This, of course, comes at the cost of the lack of a completeness result. While our QBF encoding is a natural generalization of BMC to HyperLTL, the first contribution of this paper is a more refined view of how to interpret the behavior of the formula beyond the unrolling depth $k$. Consider the LTL formula $\forall\pi.\ p_\pi$. BMC for LTL attempts to find a counterexample by unrolling the model and checking the satisfiability of $\exists\pi.\ \neg p_\pi$ up to bound $k$. Now consider the LTL formula $\forall\pi.\ p_\pi$, whose negation is $\exists\pi.\ \neg p_\pi$. In classic BMC, due to its pessimistic handling of the temporal operator involved, the unsatisfiability of the formula cannot be established in the finite unrolling (handling these formulas requires either a looping condition or reaching the diameter of the system). This is because $\neg p_\pi$ is not sometimes finitely satisfiable (SFS), in the terminology introduced by Havelund and Peled [27], meaning that not all satisfying traces of $p_\pi$ have a finite prefix that witnesses the satisfiability.
We propose a method that allows us to interpret a wide range of outcomes of the QBF solver and relate these to the original model checking decision problem. To this end, we propose the following semantics for BMC for HyperLTL:
- Pessimistic semantics (as in LTL BMC), under which pending eventualities are considered to be unfulfilled. This semantics works for SFS temporal formulas and paves the way for bug hunting.
- Optimistic semantics considers the dual case, where pending eventualities are assumed to be fulfilled at the end of the trace. This semantics works for sometimes finitely refutable (SFR) formulas, and allows us to interpret unsatisfiability of the QBF as a proof of correctness even with bounded traces.
- Halting variants of the optimistic and pessimistic semantics, which allow a sound and complete decision on a verdict for terminating models.
We have fully implemented our technique in the tool HyperQube. Our experimental evaluation includes a rich set of case studies, such as information-flow security, linearizability in concurrent data structures, path planning in robotic applications, and mutation testing. Our evaluation shows that our technique is effective and efficient in identifying bugs in several prominent examples. We also show that our QBF-based approach is clearly more efficient than a brute-force SAT-based approach in which universal and existential quantifiers are eliminated by combinatorial expansion into conjunctions and disjunctions. We also show that in some cases our approach can be used as a tool for synthesis. Indeed, a witness to an existential quantifier in a HyperLTL formula is an execution path that satisfies the formula. For example, our experiments on path planning for robots showcase this feature of HyperQube.
In summary, the contributions of this paper are as follows. We (1) propose a QBF-based BMC approach for verification and falsification of HyperLTL specifications; (2) introduce complementary semantics that allow proving and disproving formulas, given a finite set of finite traces, and (3) rigorously analyze the performance of our technique by case studies from different areas of computing.

Kripke Structures
Let $AP$ be a finite set of atomic propositions and $\Sigma = 2^{AP}$ be the alphabet. A letter is an element of $\Sigma$. A trace $t \in \Sigma^\omega$ over alphabet $\Sigma$ is an infinite sequence of letters: $t = t(0)t(1)t(2)\cdots$

Definition 1. A Kripke structure is a tuple $K = \langle S, S_{init}, \delta, L \rangle$, where
- $S$ is a finite set of states;
- $S_{init} \subseteq S$ is the set of initial states;
- $\delta \subseteq S \times S$ is a transition relation, and
- $L : S \to \Sigma$ is a labeling function on the states of $K$.

We require that for each $s \in S$, there exists $s' \in S$ such that $(s, s') \in \delta$. The size of the Kripke structure is the number of its states. A loop in $K$ is a finite sequence $s(0)s(1)\cdots s(n)$ such that $(s(i), s(i+1)) \in \delta$ for all $0 \le i < n$, and $(s(n), s(0)) \in \delta$. We call a Kripke structure acyclic if the only loops are self-loops on otherwise terminal states, i.e., on states that have no other outgoing transition. Since Definition 1 does not allow terminal states, we only consider acyclic Kripke structures with such added self-loops. We also label such states by the atomic proposition $\mathit{halt}$.
A path of a Kripke structure is an infinite sequence of states $s(0)s(1)\cdots \in S^\omega$ such that $s(0) \in S_{init}$ and $(s(i), s(i+1)) \in \delta$ for all $i \ge 0$. A trace of a Kripke structure is a trace $t(0)t(1)t(2)\cdots \in \Sigma^\omega$ such that there exists a path $s(0)s(1)\cdots \in S^\omega$ with $t(i) = L(s(i))$ for all $i \ge 0$. We denote by $\mathit{Traces}(K, s)$ the set of all traces of $K$ with paths that start in state $s \in S$, and use $\mathit{Traces}(K)$ as a shorthand for $\bigcup_{s \in S_{init}} \mathit{Traces}(K, s)$.

The Temporal Logic HyperLTL
Syntax. HyperLTL [9] is an extension of linear-time temporal logic (LTL) to hyperproperties. The syntax of HyperLTL formulas is defined inductively by the following grammar: where $a \in AP$ is an atomic proposition and $\pi$ is a trace variable from an infinite supply of variables $\mathcal{V}$. The Boolean connectives $\neg$, $\vee$, and $\wedge$ have the usual meaning, $\mathcal{U}$ is the temporal until operator and $\mathcal{R}$ is the temporal release operator, together with the temporal next operator. We also consider other derived Boolean connectives, such as implication and $\leftrightarrow$, and the derived temporal operators eventually, defined as $\mathit{true}\ \mathcal{U}\ \varphi$, and globally, defined as the negation of eventually $\neg\varphi$. Even though the set of operators presented is not minimal, we have introduced this set to make the treatment uniform with the variants in Section 3. The quantified formulas $\exists\pi$ and $\forall\pi$ are read as "along some trace $\pi$" and "along all traces $\pi$", respectively. A formula is closed (i.e., a sentence) if all trace variables used in the formula are quantified. We assume, without loss of generality, that no variable is quantified twice. We use $\mathit{Vars}(\varphi)$ for the set of path variables used in formula $\varphi$.
Semantics. An interpretation $\mathcal{T} = \langle T_\pi \rangle_{\pi \in \mathit{Vars}(\varphi)}$ of a formula $\varphi$ consists of a tuple of sets of traces, with one set $T_\pi$ per trace variable $\pi$ in $\mathit{Vars}(\varphi)$, denoting the set of traces assigned to $\pi$. Note that we allow quantifiers to range over different models. We will use this feature in the verification of hyperproperties such as linearizability, where different quantifiers are associated with different sets of executions (in this case one for the concurrent implementation and one for the sequential implementation). That is, each set of traces comes from a Kripke structure and we use $\mathcal{K} = \langle K_\pi \rangle_{\pi \in \mathit{Vars}(\varphi)}$ to denote a family of Kripke structures, so $T_\pi = \mathit{Traces}(K_\pi)$ is the set of traces that $\pi$ can range over, which comes from $K_\pi$. Abusing notation, we write $\mathcal{T} = \mathit{Traces}(\mathcal{K})$. Note that picking a single $K$ and letting $K_\pi = K$ for all $\pi$ is a particular case, which leads to the original semantics of HyperLTL [9].
Our semantics of HyperLTL is defined with respect to a trace assignment, which is a partial map $\Pi : \mathit{Vars}(\varphi) \to \Sigma^\omega$. The assignment with the empty domain is denoted by $\Pi_\emptyset$. Given a trace assignment $\Pi$, a trace variable $\pi$, and a concrete trace $t \in \Sigma^\omega$, we denote by $\Pi[\pi \mapsto t]$ the assignment that coincides with $\Pi$ everywhere but at $\pi$, which is mapped to trace $t$. The satisfaction of a HyperLTL formula $\varphi$ is a binary relation $\models$ that associates a formula to the models $(\mathcal{T}, \Pi, i)$, where $i \in \mathbb{Z}_{\ge 0}$ is a pointer that indicates the current evaluating position. The semantics is defined as follows: This semantics is slightly different from the definition in [9], but equivalent (see [30]). We say that an interpretation $\mathcal{T}$ satisfies a sentence $\varphi$, denoted by $\mathcal{T} \models \varphi$, if $(\mathcal{T}, \Pi_\emptyset, 0) \models \varphi$. We say that a family of Kripke structures $\mathcal{K}$ satisfies a sentence $\varphi$, denoted by $\mathcal{K} \models \varphi$, if $\langle \mathit{Traces}(K_\pi) \rangle_{\pi \in \mathit{Vars}(\varphi)} \models \varphi$. When the same Kripke structure $K$ is used for all path variables we write $K \models \varphi$. For example, the Kripke structure in Fig. 1 satisfies HyperLTL for-

Bounded Semantics for HyperLTL
We introduce now the bounded semantics of HyperLTL, used in Section 4 to generate queries to a QBF solver to aid solving the model checking problem.

Bounded Semantics
We assume the HyperLTL formula is closed and has been converted into negation-normal form (NNF), so that the negation symbol only appears in front of atomic propositions, e.g., $\neg a_{\pi_A}$. Without loss of generality, and to keep trace indices apart from other numerical indices, we use the roman alphabet as indices of trace variables. Thus, we assume that $\mathit{Vars}(\varphi) \subseteq \{\pi_A, \pi_B, \ldots, \pi_Z\}$. The main idea of BMC is to perform an incremental exploration of the state space of the systems by unrolling the systems and the formula up to a bound. Let $k \ge 0$ be the unrolling bound and let $\mathcal{T} = \langle T_A, \ldots, T_Z \rangle$ be a tuple of sets of traces, one per trace variable. We start by defining a satisfaction relation between HyperLTL formulas for a bounded exploration $k$ and models $(\mathcal{T}, \Pi, i)$, where $\mathcal{T}$ is the tuple of sets of traces, $\Pi$ is a trace assignment mapping (as defined in Section 2), and $i \in \mathbb{Z}_{\ge 0}$ points to the position in the traces. We will define different finite satisfaction relations for general models (for $* = pes, opt, hpes, hopt$):
- $\models^*_k$, the common satisfaction relation among all semantics,
- $\models^{pes}_k$, called pessimistic semantics,
- $\models^{opt}_k$, called optimistic semantics, and
- $\models^{hpes}_k$ and $\models^{hopt}_k$, variants of $\models^{pes}_k$ and $\models^{opt}_k$ for Kripke structures that encode termination of traces (modeled as self-loops to provide infinite traces).

All these semantics coincide in the interpretation of quantifiers, Boolean connectives, and temporal operators up to instant $k - 1$, but differ in their assumptions about unseen future events after the bound of observation $k$.
Quantifiers. The satisfaction relation for the quantifiers is the following:

Boolean operators. For every $i \le k$, we have:

Temporal connectives. The case $i < k$ is common to the optimistic and pessimistic semantics:

For $i = k$, in the pessimistic semantics the eventualities (including the next operator) are assumed never to be fulfilled in the future, so the current instant $k$ is the last chance:

On the other hand, in the optimistic semantics the eventualities are assumed to be fulfilled in the future:

To capture the halting semantics, we use the predicate $\mathit{halt}$, which is true if the state corresponds to a halting state (self-loop), and define $\mathit{halted} \stackrel{\mathrm{def}}{=} \bigwedge_{\pi \in \mathit{Vars}(\varphi)} \mathit{halt}_\pi$, which holds whenever all traces have halted (and their final state will be repeated ad infinitum). Then, the halting pessimistic semantics of the temporal operators for $i = k$ considers the halting case to infer the actual value of the temporal operators on the (now fully known) trace:

Dually, in the halting optimistic case:

Complete semantics. We are now ready to define the four semantics:

The Logical Relation between Different Semantics
Observe that the pessimistic semantics is the semantics of traditional BMC for LTL. In the pessimistic semantics a formula is declared false unless it is witnessed to be true within the explored bound. In other words, formulas can only get "truer" with the information obtained by a longer unrolling. Dually, the optimistic semantics considers a formula true unless there is evidence to the contrary within the bounded exploration. Therefore, formulas only get "falser" with further unrolling. For example, formula $p$ always evaluates to false in the pessimistic semantics. In the optimistic semantics, it evaluates to true up to bound $k$ if $p$ holds in all states of the trace up to and including $k$. However, if the formula evaluates to false at some point before $k$, then it evaluates to false for all $j \ge k$. The following lemma formalizes this intuition in HyperLTL.
In turn, the verdict obtained from the exploration up to $k$ can (in some cases) be used to infer the verdict of the model checking problem. As in classical BMC, if the pessimistic semantics finds a model, then it is indeed a model. Dually, if our optimistic semantics fails to find a model, then there is no model. The next lemma formally captures this intuition.
Lemma 2 (Infinite inference). The following hold for every $k$,

Example 1. Consider the Kripke structure in Fig. 1, bound $k = 3$, and formula It is easy to see that instantiating $\pi_A$ with trace $s_0 s_1 s_2 s_4$ falsifies $\varphi_1$ in the pessimistic semantics. By Lemma 2, this counterexample shows that the Kripke structure is a model of $\neg\varphi_1$ in the infinite semantics as well. That is, $K \models^{pes}_3 \neg\varphi_1$ and, hence, $K \models \neg\varphi_1$, so $K \not\models \varphi_1$.

Consider again the same Kripke structure, bound $k = 3$, and formula $\varphi_2 = \forall\pi_A.\exists\pi_B.\ (p_{\pi_A} \leftrightarrow q_{\pi_B})$. To disprove $\varphi_2$, we need to find a trace $\pi_A$ such that for all other $\pi_B$, proposition $q$ in $\pi_B$ always disagrees with $p$ in $\pi_A$. It is straightforward to observe that such a trace $\pi_A$ does not exist. By Lemma 2, proving that the formula is not satisfiable up to bound 3 in the optimistic semantics implies that $K$ is not a model of $\neg\varphi_2$ in the infinite semantics. That is, $K \not\models^{opt}_3 \neg\varphi_2$ implies $K \not\models \neg\varphi_2$. Hence, we conclude $K \models \varphi_2$.

Consider again the same Kripke structure, which has two terminating states, $s_3$ and $s_4$, labeled by the atomic proposition $\mathit{halt}$ and having only a self-loop. Let $k = 3$ and $\varphi_3 = \forall\pi_A.\exists\pi_B.(\neg q_{\pi_B}\ \mathcal{U}\ \neg p_{\pi_A})$. Instantiating $\pi_A$ by trace $s_0 s_1 s_3$, which is of the form $\{p\}^\omega$, satisfies $\neg\varphi_3$. By Lemma 2, the fulfillment of the formula implies that in the infinite semantics it will be fulfilled as well. That is, $K \models^{hpes}$

Consider again the same Kripke structure with halting states and formula $\varphi_4 = \forall\pi_A.\exists\pi_B.\ (p_{\pi_A} \leftrightarrow p_{\pi_B})$. A counterexample is an instantiation of $\pi_A$ such that for all $\pi_B$, both traces will always eventually agree on $p$. Consider the trace $s_0 s_1 s_2 s_4$, which is of the form $\{p\}\{p\}\{p\}\{q, \mathit{halt}\}^\omega$, with $k = 3$. This trace never agrees with a trace that ends in state $s_3$ (which is of the form $\{p\}^\omega$) and vice versa. By Lemma 2, the absence of a counterexample up to bound 3 in the halting optimistic semantics implies that $K$ is not a model of $\neg\varphi_4$ in the infinite semantics. That is, $K \not\models^{hopt}_3 \neg\varphi_4$ implies $K \not\models \neg\varphi_4$. Hence, we conclude $K \models \varphi_4$.

Reducing BMC to QBF Solving
Given a family of Kripke structures $\mathcal{K}$, a HyperLTL formula $\varphi$, and bound $k \ge 0$, our goal is to construct a QBF formula $\llbracket \mathcal{K}, \varphi \rrbracket_k$ whose satisfiability can be used to infer whether or not $\mathcal{K} \models \varphi$.
In the following paragraphs, we first describe how to encode the model and the formula, and then how to combine the two to generate the QBF query. We will illustrate the constructions using formula $\varphi_1$ from Example 1 in Section 3, whose negation is

Encoding the models. The unrolling of the transition relation of a Kripke structure $K_A = \langle S, S_{init}, \delta, L \rangle$ up to bound $k$ is analogous to the BMC encoding for LTL [8]. First, note that the state space $S$ can be encoded with a number of bits logarithmic in $|S|$. We introduce additional variables $n_0, n_1, \ldots$ to encode the state of the Kripke structure and use $AP^* = AP \cup \{n_0, n_1, \ldots\}$ for the extended alphabet that includes the encoding of $S$. In this manner, the set of initial states of a Kripke structure is a Boolean formula over $AP^*$. For example, for the Kripke structure $K_A$ in Fig. 1 the set of initial states (in this case $S_{init} = \{s_0\}$) corresponds to the following Boolean formula: assuming that $(\neg n_0 \wedge \neg n_1 \wedge \neg n_2)$ represents state $s_0$ (we need three bits to encode five states). Similarly, $R_A$ is a binary relation that encodes the transition relation $\delta$ of $K_A$ (representing the relation between a state and its successor). The encoding into QBF works by introducing fresh Boolean variables (a new copy of $AP^*$ for each Kripke structure $K_A$ and position), and then producing a Boolean formula that encodes the unrolling up to $k$. We use $x^i_A$ for the set of fresh copies of the variables $AP^*$ of $K_A$ corresponding to position $i \in [0, k]$. Therefore, there are $k|x_A| = k|AP^*_A|$ Boolean variables to represent the unrolling of $K_A$. We use $I_A(x)$ for the Boolean formula (using variables from $x$) that encodes the initial states, and $R_A(x, x')$ (for two copies $x$ and $x'$ of the variables) for the Boolean formula expressing whether $x'$ encodes a successor state of $x$.
For example, for $k = 3$, we unroll the transition relation up to 3 as follows, which is the Boolean formula representing valid traces of length 4, using four copies of the variables $AP^*_A$ that represent the Kripke structure $K_A$.
Encoding the inner LTL formula. The idea of the construction for the inner LTL formula is analogous to standard BMC as well, except for the choice of the different semantics described in Section 3. In particular, we introduce the following inductive construction and define four different unrollings for a given $k$: $\llbracket\cdot\rrbracket^{pes}_{i,k}$, $\llbracket\cdot\rrbracket^{opt}_{i,k}$, $\llbracket\cdot\rrbracket^{hpes}_{i,k}$, and $\llbracket\cdot\rrbracket^{hopt}_{i,k}$.
- Inductive case: Since the semantics only differ on the temporal operators at the end of the unrolling, the inductive case is common to all unrollings and we use $\llbracket\cdot\rrbracket^*_{i,k}$ to mean any of the choices of semantics (for $* = pes, opt, hpes, hopt$). For all $i \le k$: Note that, for a given path variable $\pi_A$, the atom $p^i_{\pi_A}$ that results from $\llbracket p_{\pi_A} \rrbracket^*_{i,k}$ is one of the Boolean variables in $x^i_A$.
- Base case: the formula generated is different depending on the intended semantics: Note that the base case defines the value to be assumed for the formula after the end $k$ of the unrolling, which is spawned by the temporal operators in the inductive case at $k$. The pessimistic semantics assumes the formula to be false, and the optimistic semantics assumes it to be true. The halting cases consider the case in which the traces have halted (using in this case the evaluation at $k$) and use the unhalting choice otherwise.

Example 2.
Consider again the formula $\neg\psi = (p_{\pi_A} \leftrightarrow p_{\pi_B})\ \mathcal{U}\ q_{\pi_A}$. Using the pessimistic semantics, $\llbracket \neg\psi \rrbracket^{pes}_{0,3}$ with three steps is In this encoding, the collection $x^2_A$ contains all variables of $AP^*$ of $K_A$ (that is, $\{p^2_{\pi_A}, q^2_{\pi_A}, \ldots\}$), connecting to the corresponding valuation for $p_{\pi_A}$ in the trace of $K_A$ at step 2 in the unrolling of $K_A$. In other words, the formula $\llbracket \neg\psi \rrbracket^{pes}_{0,3}$ uses variables from $x^0$

Combining the encodings. Now, let $\varphi$ be a HyperLTL formula of the form Combining all the components, the encoding of the HyperLTL BMC problem in QBF is the following (for $* = pes, opt, hpes, hopt$):

Example 3. Consider again Example 2. To combine the model description with the encoding of the HyperLTL formula, we use two identical copies of the given Kripke structure to represent the different paths $\pi_A$ and $\pi_B$ on the model, denoted $K_A$ and $K_B$. The final resulting formula is: The sequence of assignments $(\neg n_2, \neg n_1, \neg n_0, p, \neg q, \neg \mathit{halt})^0$ $(\neg n_2, \neg n_1, n_0, p, \neg q, \neg \mathit{halt})^1$ $(\neg n_2, n_1, \neg n_0, p, \neg q, \neg \mathit{halt})^2$ $(n_2, \neg n_1, \neg n_0, \neg p, q, \mathit{halt})^3$ on $K_A$, corresponding to the path $s_0 s_1 s_2 s_4$, satisfies $\llbracket \neg\varphi \rrbracket^{pes}_{0,3}$ for all traces on $K_B$. The satisfaction result shows that $\llbracket \mathcal{K}, \neg\varphi \rrbracket^{pes}_3$ is true, indicating that a witness of the violation has been found. Theorem 1, by the successful detection of a counterexample witness and the use of the pessimistic semantics, allows us to conclude that $K \not\models \varphi$.
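The model encoding, the formula unrolling and their combination from this section, written out as an added worked example (not code from the paper or from HyperQube). The Kripke structure $K_A$ is the same constructed reconstruction of Fig. 1 used earlier on this page (an assumption), with the three-bit state code $n_2 n_1 n_0$ of Example 3; the halting base case is encoded as the $i = k$ rule of Section 3 (halted, then decided at $k$; otherwise the unhalting choice), and the shape assumed for the matrix of an $\exists\pi_A.\forall\pi_B$ query is $K_A \wedge (K_B \to \llbracket\cdot\rrbracket)$, with the quantifier prefix left to the solver. Instead of calling a QBF solver, the example evaluates the generated matrix under the variable assignment of Example 3 to show that the path $s_0 s_1 s_2 s_4$ is a witness and that an invalid path falsifies the model constraint.

```python
# Constructed K_A: labels L(s), initial state, transitions, and the state code of Example 3.
LABELS = {"s0": {"p"}, "s1": {"p"}, "s2": {"p"}, "s3": {"p", "halt"}, "s4": {"q", "halt"}}
INIT = ["s0"]
DELTA = [("s0", "s1"), ("s1", "s2"), ("s1", "s3"), ("s2", "s4"), ("s3", "s3"), ("s4", "s4")]
CODE = {"s0": 0, "s1": 1, "s2": 2, "s3": 3, "s4": 4}   # three bits n2 n1 n0, as in Example 3
BITS, APS = 3, ["p", "q", "halt"]                      # AP* = AP ∪ {n0, n1, n2}

def var(name, tv, i):
    """Fresh copy of variable `name` for trace variable tv at position i (an element of x^i_tv)."""
    return ("var", f"{name}_{tv}_{i}")

def conj(fs): return ("true",) if not fs else fs[0] if len(fs) == 1 else ("and", fs[0], conj(fs[1:]))
def disj(fs): return ("false",) if not fs else fs[0] if len(fs) == 1 else ("or", fs[0], disj(fs[1:]))

def state_at(s, tv, i):
    """Literals fixing copy i of trace tv to state s (its code) and to its labels L(s)."""
    lits = [var(f"n{b}", tv, i) if CODE[s] >> b & 1 else ("not", var(f"n{b}", tv, i)) for b in range(BITS)]
    lits += [var(a, tv, i) if a in LABELS[s] else ("not", var(a, tv, i)) for a in APS]
    return conj(lits)

def unroll_model(tv, k):
    """I(x^0) ∧ R(x^0, x^1) ∧ ... ∧ R(x^{k-1}, x^k): the paths of length k+1 of K on trace tv."""
    init = disj([state_at(s, tv, 0) for s in INIT])
    steps = [disj([("and", state_at(s, tv, i), state_at(t, tv, i + 1)) for s, t in DELTA]) for i in range(k)]
    return conj([init] + steps)

def unroll(f, i, k, sem, tvs):
    """[[f]]*_{i,k}: propositional unrolling of an NNF body f (atoms ("ap", p, tv) / ("nap", p, tv))."""
    op, u = f[0], (lambda g, j: unroll(g, j, k, sem, tvs))
    if op in ("true", "false"): return (op,)
    if op == "ap":  return var(f[1], f[2], i)
    if op == "nap": return ("not", var(f[1], f[2], i))
    if op in ("and", "or"): return (op, u(f[1], i), u(f[2], i))
    if i < k:                                      # inductive case, shared by all semantics
        if op == "X": return u(f[1], i + 1)
        if op == "U": return ("or", u(f[2], i), ("and", u(f[1], i), u(f, i + 1)))
        return ("and", u(f[2], i), ("or", u(f[1], i), u(f, i + 1)))   # R
    pes = sem in ("pes", "hpes")                   # base case at i == k: the unseen future
    if op == "X":   tail = ("false",) if pes else ("true",)
    elif op == "U": tail = u(f[2], k) if pes else ("or", u(f[1], k), u(f[2], k))
    else:           tail = ("and", u(f[1], k), u(f[2], k)) if pes else u(f[2], k)
    if sem in ("pes", "opt"): return tail
    halted = conj([var("halt", tv, k) for tv in tvs])          # all traces halted at k
    known = u(f[1] if op == "X" else f[2], k)                    # value on the constant suffix
    return ("or", ("and", halted, known), ("and", ("not", halted), tail))

def query_matrix(body, k, sem):
    """Quantifier-free matrix assumed for ∃π_A.∀π_B.body: K_A ∧ (K_B → [[body]]*_{0,k}).
    The QBF prefix quantifies the copies x_A existentially and x_B universally."""
    return ("and", unroll_model("A", k),
            ("or", ("not", unroll_model("B", k)), unroll(body, 0, k, sem, ["A", "B"])))

def evaluate(f, true_vars):
    """Truth value of a propositional formula under the set of variables that are true."""
    op = f[0]
    if op in ("true", "false"): return op == "true"
    if op == "var": return f[1] in true_vars
    if op == "not": return not evaluate(f[1], true_vars)
    l, r = evaluate(f[1], true_vars), evaluate(f[2], true_vars)
    return l and r if op == "and" else l or r

def assignment(paths):
    """Variables made true by finite paths {tv: (s_0, ..., s_k)}, like the sequence in Example 3."""
    true_vars = set()
    for tv, path in paths.items():
        for i, s in enumerate(path):
            true_vars |= {f"n{b}_{tv}_{i}" for b in range(BITS) if CODE[s] >> b & 1}
            true_vars |= {f"{a}_{tv}_{i}" for a in LABELS[s]}
    return true_vars

# Example 3: ¬ψ = (p_A ↔ p_B) U q_A, pessimistic semantics, k = 3.
IFF_P = ("or", ("and", ("ap", "p", "A"), ("ap", "p", "B")), ("and", ("nap", "p", "A"), ("nap", "p", "B")))
NOT_PSI = ("U", IFF_P, ("ap", "q", "A"))

if __name__ == "__main__":
    witness = {"A": ("s0", "s1", "s2", "s4"), "B": ("s0", "s1", "s3", "s3")}
    print(evaluate(query_matrix(NOT_PSI, 3, "pes"), assignment(witness)))   # True
```

The matrix is true for the witness path on $K_A$ against either valid path on $K_B$, and false when $\pi_A$ is instantiated with $s_0 s_1 s_3 s_3$ (where $q_{\pi_A}$ never becomes true, so the pessimistic base case of the until is false); a sequence that is not a path of $K_A$ falsifies the unrolled model constraint itself. A real query hands the same matrix to a QBF solver with the prefix $\exists x_A.\forall x_B$, which is what decides the universal quantifier over all $K_B$ paths at once.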
The main result of this section is Theorem 1 that connects the output of the solver to the original model checking problem. We first show an auxiliary lemma.

Lemma 3. Let ϕ be a closed HyperLTL formula and T = Traces(K) be an interpretation. For * = pes, opt, hpes, hopt, it holds that
Proof (sketch). The proof proceeds in two steps. First, let $\psi$ be the largest quantifier-free sub-formula of $\varphi$. Then, every tuple of traces of length $k$ (one for each $\pi$) is in one-to-one correspondence with the collection of variables $p^i_\pi$, such that the tuple is a model of $\psi$ (in the chosen semantics) if and only if the corresponding assignment satisfies $\llbracket \psi \rrbracket^*_0$. Then, the second part shows inductively on the stack of quantifiers that each subformula obtained by adding a quantifier is satisfiable if and only if the semantics holds.
Lemma 3, together with Lemma 2, allows us to infer the outcome of the model checking problem from satisfying (or unsatisfiable) instances of the QBF queries, as summarized in the following theorem. Table 1 illustrates what Theorem 1 allows us to soundly conclude from the output of the QBF solver about the model checking problem for the formulas of Example 1 in Section 3.

Evaluation and Case Studies
We now evaluate our approach by a rich set of case studies on information-flow security, concurrent data structures, path planning for robots, and mutation testing. In this section, we will refer to each property in HyperLTL as in Table 2.

Table 1: Formula, Bound, and the verdict under the pessimistic, optimistic and halting semantics.

We have implemented the technique described in Section 4 in our tool HyperQube. Given a transition relation, the tool automatically unfolds it up to $k \ge 0$ by a home-grown procedure written in OCaml, called genqbf. Given the choice of semantics (pessimistic, optimistic, and halting variants), the unfolded transition relation is combined with the QBF encoding of the input HyperLTL formula to form a complete QBF instance, which is then fed to the QBF solver QuAbS [28]. All experiments in this section are run on an iMac desktop with an Intel i7 CPU @3.4 GHz and 32 GB of RAM. A full description of the systems and formulas used can be accessed in the longer version of this paper [30].
Case Study 1: Symmetry in Lamport's Bakery algorithm [12]. Symmetry states that no specific process has special privileges in terms of faster access to the critical section (see the different symmetry formulas in Table 2). In these formulas, each process $P_n$ has a program counter denoted by $pc(P_n)$, $\mathit{select}$ indicates which process is selected to proceed next, $\mathit{pause}$ holds if neither process is selected, $\mathit{sym\_break}$ is the process selected after a tie, and $\mathit{sym}(\mathit{select}_{\pi_A}, \mathit{select}_{\pi_B})$ indicates whether two traces are selecting opposite processes. The Bakery algorithm does not satisfy symmetry (i.e., $\varphi_{sym1}$), because when two or more processes are trying to enter the critical section with the same ticket number, the algorithm always gives priority to the process with the smaller process ID. HyperQube returns SAT using the pessimistic semantics, indicating that there exists a counterexample in the form of a falsifying witness for $\pi_A$ in formula $\varphi_{sym1}$. Table 3 includes our results on the other symmetry formulas presented in Table 2.
Case Study 2: Linearizability in SNARK [14]. SNARK implements a concurrent double-ended queue using double-compare-and-swap (DCAS) and a doubly linked-list that stores values in each node. Linearizability [29] requires that any history of execution of a concurrent data structure (i.e., sequence of invocation and response by different threads) matches some sequential order of invocations and responses (see formula ϕ lin in Table 2). SNARK is known to have two linearizability bugs and HyperQube returns SAT using the pessimistic semantics, identifying both bugs as two counterexamples. The bugs we identified are precisely the same as the ones reported in [14].

Table 2: columns Property and Property in HyperLTL; the first row is Symmetry.

Case Study 3: Non-interference in multi-threaded programs. Non-interference [25] states that low-security variables are independent of the high-security variables, thus preserving secure information flow. We consider the concurrent program example in [32], where PIN is a high-security input and Result is a low-security output. HyperQube returns SAT in the halting pessimistic semantics, indicating that there is a trace in which a difference in a high variable can be detected by observing a low variable, that is, a violation of non-interference. We also verified the correctness of a fix to this algorithm, also proposed in [32]. HyperQube uses the UNSAT result from the solver (with the halting optimistic semantics) to infer the absence of a violation, that is, to verify non-interference.
Case Study 4: Fairness in non-repudiation protocols. A non-repudiation protocol ensures that a receiver obtains a receipt from the sender, called non-repudiation of origin (NRO), and that the sender ends up having evidence, named non-repudiation of receipt (NRR), through a trusted third party. A non-repudiation protocol is fair if both NRR and NRO are either received or not received by the parties (see formula $\varphi_{fair}$ in Table 2). We verified two different protocols from [31], namely $T_{incorrect}$, which chooses not to send out NRR after receiving NRO, and a correct implementation $T_{correct}$, which is fair. For $T_{correct}$ (respectively, $T_{incorrect}$), HyperQube returns UNSAT in the halting optimistic semantics (respectively, SAT in the halting pessimistic semantics), which indicates that the protocol satisfies (respectively, violates) fairness.

Case Study 5: Path planning for robots. We have used HyperQube beyond verification, to synthesize strategies for robotic planning [34]. Here, we focus on producing a strategy that satisfies two control requirements for a robot to reach a goal in a grid. First, the robot should take the shortest path (see formula $\varphi_{sp}$ in Table 2). Fig. 2 shows a $10 \times 10$ grid, where the red, green, and black cells are the initial, goal, and blocked cells, respectively. HyperQube returns SAT and the synthesized path is shown by the blue arrows. We also used HyperQube to solve the path robustness problem, meaning that starting from an arbitrary initial state, a robot reaches the goal by following a single strategy (see formula $\varphi_{rb}$ in Table 2). Again, HyperQube returns SAT for the grid shown in Fig. 3.
Case Study 6: Mutation testing. We adopted the model from [15] and applied the original formula that describes a good test mutant together with the model (see formula $\varphi_{mut}$ in Table 2). HyperQube returns SAT, indicating that a qualified mutant was found. We note that in [15] the authors were not able to generate test cases via $\varphi_{mut}$, as the model checker MCHyper cannot handle quantifier alternation in a push-button fashion.
Results and analysis. Table 3 summarizes our results, including running times, the bounded semantics applied, the output of the QBF solver, and the resulting infinite inference conclusion using Theorem 1. As can be seen, our case studies range over model checking of different fragments of HyperLTL. It is important to note that the HyperQube run time consists of generating a QBF formula by genqbf and then checking its satisfiability by QuAbS. It is remarkable that in some cases QBF formula generation takes longer than checking its satisfiability. The models in our experiments also have different sizes. The most complex case study is arguably the SNARK algorithm, where we identify both bugs in the algorithm in 472 and 1497 seconds. In cases 5.1 to 6.2, we also demonstrate the ability of HyperQube to solve synthesis problems by leveraging the existential quantifier in a HyperLTL formula. Finally, we elaborate more on the scalability of the path planning problem for robots. This problem was first studied in [34], where the authors reduce the problem to SMT solving using Z3 [13] and eliminate the trace quantifiers through a combinatorial enumeration of conjunctions and disjunctions. Table 4 compares our approach with the brute-force technique employed in [34] for different grid sizes. Our QBF-based approach clearly outperforms the solution in [34], in some cases by an order of magnitude.

Table 4: Path planning for robots and comparison to [34]. All cases use the halting pessimistic semantics and the QBF solver returns SAT, meaning successful path synthesis.

Related Work
There has been a lot of recent progress in automatically verifying [12,22,23,24] and monitoring [1,6,7,20,21,26,33] HyperLTL specifications. HyperLTL is also supported by a growing set of tools, including the model checker MCHyper [12,24], the satisfiability checkers EAHyper [19] and MGHyper [17], and the runtime monitoring tool RVHyper [20]. The complexity of model checking HyperLTL for tree-shaped, acyclic, and general graphs was rigorously investigated in [2]. The first algorithms for model checking HyperLTL and HyperCTL* using alternating automata were introduced in [24]. These techniques, however, were not able to deal in practice with alternating HyperLTL formulas in a fully automated fashion. We also note that previous approaches that reduce model checking of HyperLTL (typically of formulas without quantifier alternation) to model checking of LTL can use BMC in the LTL model checking phase. However, this is a different approach from the one presented here, as those approaches simply instruct the model checker to use BMC after the problem has been fully reduced to an LTL model checking problem, while we avoid this translation. These algorithms were then extended to deal with hyperliveness and alternating formulas in [12] by finding a winning strategy in $\forall\exists$ games. In this paper, we take an alternative approach by reducing the model checking problem to QBF solving, which is arguably more effective for finding bugs (in case a finite witness exists).
The satisfiability problem for HyperLTL is shown to be undecidable in general but decidable for the $\exists^*\forall^*$ fragment and for any fragment that includes a $\forall\exists$ quantifier alternation [16]. The hierarchy of hyperlogics beyond HyperLTL was studied in [11]. The synthesis problem for HyperLTL has been studied in [3] in the form of program repair, in [4] in the form of controller synthesis, and in [18] for the general case.

Conclusion and Future Work
We introduced the first bounded model checking (BMC) technique for verification of hyperproperties expressed in HyperLTL. To this end, we proposed four different semantics that ensure the soundness of inferring the outcome of the model checking problem. To handle trace quantification in HyperLTL, we reduced the BMC problem to checking satisfiability of quantified Boolean formulas (QBF). This is analogous to the reduction of BMC for LTL to the simple propositional satisfiability problem. We have introduced different classes of semantics beyond the pessimistic semantics common in LTL model checking, namely optimistic semantics that allow us to infer full verification by observing only a finite prefix, and halting variants of these semantics that additionally exploit the termination of the execution, when available. Through a rich set of case studies, we demonstrated the effectiveness and efficiency of our approach in the verification of information-flow properties, linearizability in concurrent data structures, path planning in robotics, and fairness in non-repudiation protocols.
As for future work, our first step is to solve the loop condition problem. This is necessary to establish completeness conditions for BMC and can help cover even more examples efficiently. The application of QBF-based techniques in the framework of abstraction/refinement is another unexplored area. Success of BMC for hyperproperties inherently depends on effectiveness of QBF solvers. Even though QBF solving is not as mature as SAT/SMT solving techniques, recent breakthroughs on QBF have enabled the construction of our tool HyperQube, and more progress in QBF solving will improve its efficiency.