Abstract

We study the reactive synthesis problem for hyperproperties given as formulas of the temporal logic HyperLTL. Hyperproperties generalize trace properties, i.e., sets of traces, to sets of sets of traces. Typical examples are information-flow policies like noninterference, which stipulate that no sensitive data must leak into the public domain. Such properties cannot be expressed in standard linear or branching-time temporal logics like LTL, CTL, or CTL*. Furthermore, HyperLTL subsumes many classical extensions of the LTL realizability problem, including realizability under incomplete information, distributed synthesis, and fault-tolerant synthesis. We show that, while the synthesis problem is undecidable for full HyperLTL, it remains decidable for the ∃*, ∃*∀¹, and the linear ∀* fragments. Beyond these fragments, the synthesis problem immediately becomes undecidable. For universal HyperLTL, we present a semi-decision procedure that constructs implementations and counterexamples up to a given bound. We report encouraging experimental results obtained with a prototype implementation on example specifications with hyperproperties like symmetric responses, secrecy, and information flow.

Highlights

  • Hyperproperties [9] generalize trace properties in that they not only check the correctness of individual computation traces in isolation, but relate multiple computation traces to each other

  • A is equivalent to the HyperLTL realizability of φ as the architecture A represents exactly the input-determinism represented by formula ⋀_{o_i ∈ O} D^{π,π'}_{J_i → {o_i}}

  • We have studied the reactive realizability problem for specifications given in the temporal logic HyperLTL


Summary

Introduction

Hyperproperties [9] generalize trace properties in that they not only check the correctness of individual computation traces in isolation, but relate multiple computation traces to each other. The reactive synthesis problem asks for a strategy, that is, a tree that branches on environment inputs and whose nodes are labeled by the system output. From a more practical point of view, the interesting question is whether semi-algorithms for distributed synthesis [16,28], which have been successful in constructing distributed systems from LTL specifications despite the undecidability of the general problem, can be extended to HyperLTL. In order to detect realizability, we ask whether, for a universal HyperLTL formula φ and a given bound n on the number of states, there exists a representation of the strategy tree as a finite-state machine with no more than n states that satisfies φ. We show that both checks (bounded realizability and bounded unrealizability) can be effectively reduced to SMT solving.
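As an added illustration of the bounded-realizability question (this is not the paper's code or its SMT encoding), the following Python script searches exhaustively for a Mealy machine with at most n states that satisfies a small universal HyperLTL specification, checking the hyperproperty part on the self-composition of each candidate machine. The specification, the input/output alphabet (high bit h, low bit l, output bit o) and the function names are all constructed for this example.

```python
# Constructed spec for a strategy with secret input h, public input l, output o:
#   trace part:  every output equals the low input of the previous step (0 at the start)
#   hyper part:  forall pi, pi'. G(l_pi <-> l_pi') -> G(o_pi <-> o_pi')   (noninterference)
# Exhaustive enumeration over machines with at most n states replaces the SMT search;
# the hyper part is decided on the self-composition (pairs of states) of a candidate.
from itertools import product

INPUTS = [(h, l) for h in (0, 1) for l in (0, 1)]

def machines(n):
    """Enumerate Mealy machines with states 0..n-1, initial state 0.
    A machine is a dict (state, (h, l)) -> (next_state, o)."""
    keys = [(s, i) for s in range(n) for i in INPUTS]
    cells = [(t, o) for t in range(n) for o in (0, 1)]
    for choice in product(cells, repeat=len(keys)):
        yield dict(zip(keys, choice))

def delayed_echo(m):
    """Trace property: explore (state, previous l) pairs reachable from (0, 0)
    and require the output at each step to equal the previous low input."""
    seen, todo = {(0, 0)}, [(0, 0)]
    while todo:
        s, prev_l = todo.pop()
        for h, l in INPUTS:
            t, o = m[(s, (h, l))]
            if o != prev_l:
                return False
            if (t, l) not in seen:
                seen.add((t, l)); todo.append((t, l))
    return True

def noninterference(m):
    """Hyperproperty on the self-composition: two runs fed identical low inputs
    (and arbitrary high inputs) must never diverge in their outputs."""
    seen, todo = {(0, 0)}, [(0, 0)]
    while todo:
        s1, s2 = todo.pop()
        for h1, h2, l in product((0, 1), repeat=3):
            t1, o1 = m[(s1, (h1, l))]
            t2, o2 = m[(s2, (h2, l))]
            if o1 != o2:
                return False          # counterexample pair of traces found
            if (t1, t2) not in seen:
                seen.add((t1, t2)); todo.append((t1, t2))
    return True

def bounded_synthesis(n):
    """Return the first machine with at most n states satisfying the whole spec, or None."""
    for k in range(1, n + 1):
        for m in machines(k):
            if delayed_echo(m) and noninterference(m):
                return m
    return None
```

With one state no machine can remember the previous low input, so the bound 1 is unrealizable, while bound 2 yields an implementation whose state records the last l and whose output never depends on h.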

Related work
Structure of this article
HyperLTL
Strategies
HyperLTL synthesis
Incomplete information
Distributed synthesis
Asynchronous distributed synthesis
Symmetric synthesis
Fault-tolerant synthesis
Deciding HyperLTL synthesis
Transition systems
Overview
Automata
Run graph
Self-composition
Synthesis
Bounded unrealizability
Evaluation
Symmetric mutual exclusion
Distributed and fault-tolerant systems
CAP Theorem
Long-term information flow
Dining cryptographers
Results
Conclusion