Abstract

We study the reactive synthesis problem for hyperproperties given as formulas of the temporal logic HyperLTL. Hyperproperties generalize trace properties, i.e., sets of traces, to sets of sets of traces. Typical examples are information-flow policies like noninterference, which stipulate that no sensitive data must leak into the public domain. Such properties cannot be expressed in standard linear or branching-time temporal logics like LTL, CTL, or hbox {CTL}^*. Furthermore, HyperLTL subsumes many classical extensions of the LTL realizability problem, including realizability under incomplete information, distributed synthesis, and fault-tolerant synthesis. We show that, while the synthesis problem is undecidable for full HyperLTL, it remains decidable for the exists ^*, exists ^*forall ^1, and the {{ linear }};forall ^* fragments. Beyond these fragments, the synthesis problem immediately becomes undecidable. For universal HyperLTL, we present a semi-decision procedure that constructs implementations and counterexamples up to a given bound. We report encouraging experimental results obtained with a prototype implementation on example specifications with hyperproperties like symmetric responses, secrecy, and information flow.

Highlights

  • Hyperproperties [9] generalize trace properties in that they check the correctness of individual computation traces in isolation, but relate multiple computation traces to each other

  • A is equivalent to the HyperLTL realizability of φ as the architecture A represents exactly the input-determinism represented by formula oi ∈O DπJi,→π {oi }

  • We have studied the reactive realizability problem for specifications given in the temporal logic HyperLTL

Read more

Summary

Introduction

Hyperproperties [9] generalize trace properties in that they check the correctness of individual computation traces in isolation, but relate multiple computation traces to each other. The reactive synthesis problem asks for a strategy, that is a tree which branches on environment inputs and whose nodes are labeled by the system output. From a more practical point of view, the interesting question is whether semi-algorithms for distributed synthesis [16,28], which have been successful in constructing distributed systems from LTL specifications despite the undecidability of the general problem, can be extended to HyperLTL?. In order to detect realizability, we ask whether, for a universal HyperLTL formula φ and a given bound n on the number of states, there exists a representation of the strategy tree as a finite-state machine with no more than n states that satisfies φ. We show that both checks can be effectively reduced to SMT solving

Related work
Structure of this article
HyperLTL
Strategies
HyperLTL synthesis
Incomplete information
Distributed synthesis
Asynchronous distributed synthesis
Symmetric synthesis
Fault-tolerant synthesis
Deciding HyperLTL synthesis
Transition systems
Overview
Automata
Run graph
Self-composition
Synthesis
Bounded unrealizability
Evaluation
Symmetric mutual exclusion
Distributed and fault-tolerant systems
CAP Theorem
Long-term information flow
Dining cryptographers
Results
Conclusion

Talk to us

Join us for a 30 min session where you can share your feedback and ask us any queries you have

Schedule a call

Disclaimer: All third-party content on this website/platform is and will remain the property of their respective owners and is provided on "as is" basis without any warranties, express or implied. Use of third-party content does not indicate any affiliation, sponsorship with or endorsement by them. Any references to third-party content is to identify the corresponding services and shall be considered fair use under The CopyrightLaw.