Abstract

We study the reactive synthesis problem for hyperproperties given as formulas of the temporal logic HyperLTL. Hyperproperties generalize trace properties, i.e., sets of traces, to sets of sets of traces. Typical examples are information-flow policies like noninterference, which stipulate that no sensitive data must leak into the public domain. Such properties cannot be expressed in standard linear or branching-time temporal logics like LTL, CTL, or CTL\(^*\). We show that, while the synthesis problem is undecidable for full HyperLTL, it remains decidable for the \(\exists ^*\), \(\exists ^*\forall ^1\), and the \( linear \;\forall ^*\) fragments. Beyond these fragments, the synthesis problem immediately becomes undecidable. For universal HyperLTL, we present a semi-decision procedure that constructs implementations and counterexamples up to a given bound. We report encouraging experimental results obtained with a prototype implementation on example specifications with hyperproperties like symmetric responses, secrecy, and information-flow.

Highlights

  • Hyperproperties [5] generalize trace properties in that they not only check the correctness of individual computation traces in isolation, but relate multiple computation traces to each other

  • The linear-time temporal logic (LTL) distributed realizability problem for collapse(φ) in the constructed architecture A is equivalent to the HyperLTL realizability of φ, since the architecture A captures exactly the input determinism expressed by the formula \(\bigwedge_{o_i \in O} D_{J_i \to \{o_i\}}\)

  • We have considered the reactive realizability problem for specifications given in the temporal logic HyperLTL


Summary

Introduction

Hyperproperties [5] generalize trace properties in that they not only check the correctness of individual computation traces in isolation, but relate multiple computation traces to each other. An example is the well-studied distributed version of the reactive synthesis problem, where the system is split into a set of processes that each only see a subset of the inputs. From a more practical point of view, the interesting question is whether semi-algorithms for distributed synthesis [7,14], which have been successful in constructing distributed systems from LTL specifications despite the undecidability of the general problem, can be extended to HyperLTL. In order to detect realizability, we ask whether, for a universal HyperLTL formula φ and a given bound n on the number of states, there exists a representation of the strategy tree as a finite-state machine with no more than n states that satisfies φ. Information flow in distributed systems is another example of a hyperproperty, and the HyperLTL realizability problem subsumes both the distributed synthesis problem [13,21] and the synthesis of fault-tolerant systems [16]. The semantic independence of circuit output signals from a certain set of inputs, which enables a range of potential optimizations, is a hyperproperty as well.
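The following is an added illustration, not code from the paper or its prototype, of the two ideas in the summary: that an input-determinism requirement such as \(D_{J_i \to \{o_i\}}\) relates pairs of traces and therefore has to be checked on a self-composition of the system, and that bounded realizability searches for an implementation with at most n states. The interface is a constructed toy (one public input bit, one secret input bit, one output bit); the specification is a constructed safety trace property (the output must repeat the previous public input) conjoined with the hyperproperty "the output is determined by the public inputs alone". The paper's procedure encodes the bounded search symbolically; this example enumerates candidate Mealy machines by brute force, which is only feasible for tiny bounds but makes the structure of the search explicit.

```python
"""Bounded search for a finite-state implementation satisfying a trace property
and an input-determinism hyperproperty (illustrative code added to this page,
not the paper's tool)."""
from collections import deque
from itertools import product

# Constructed toy interface (an assumption of this example, not from the paper):
# each input is a (public bit, secret bit) pair; the output is one bit.
INPUTS = [(p, s) for p in (0, 1) for s in (0, 1)]


def enumerate_mealy(n):
    """Yield every Mealy machine with states 0..n-1 (initial state 0) over INPUTS
    and a 1-bit output, as a dict (state, input) -> (next_state, output)."""
    cells = [(q, i) for q in range(n) for i in INPUTS]
    choices = [(q2, o) for q2 in range(n) for o in (0, 1)]
    for assignment in product(choices, repeat=len(cells)):
        yield dict(zip(cells, assignment))


def satisfies_delay(machine):
    """Constructed trace property (safety): at every step t >= 1 the output equals
    the public input of step t-1. A property of single traces, so it is checked by
    exploring the reachable (state, previous public input) pairs of one copy."""
    seen = {(0, None)}
    todo = deque(seen)
    while todo:
        q, prev_pub = todo.popleft()
        for inp in INPUTS:
            q2, out = machine[(q, inp)]
            if prev_pub is not None and out != prev_pub:
                return False
            nxt = (q2, inp[0])
            if nxt not in seen:
                seen.add(nxt)
                todo.append(nxt)
    return True


def input_deterministic(machine):
    """Hyperproperty D_{pub -> out}: any two executions that agree on the public
    inputs at every step produce identical outputs at every step. This relates
    two traces, so it is checked on the self-composition: pairs of states driven
    by pairs of inputs that share the public bit but may differ in the secret."""
    seen = {(0, 0)}
    todo = deque(seen)
    while todo:
        q1, q2 = todo.popleft()
        for p in (0, 1):
            for s1, s2 in product((0, 1), repeat=2):
                n1, o1 = machine[(q1, (p, s1))]
                n2, o2 = machine[(q2, (p, s2))]
                if o1 != o2:
                    return False  # a secret-dependent output is observable
                if (n1, n2) not in seen:
                    seen.add((n1, n2))
                    todo.append((n1, n2))
    return True


def bounded_synthesis(max_states):
    """Bounded realizability: look for an implementation with at most max_states
    states satisfying both the trace property and the hyperproperty. Returns
    (number of states, machine), or None if no such machine exists up to the bound."""
    for n in range(1, max_states + 1):
        for m in enumerate_mealy(n):
            if satisfies_delay(m) and input_deterministic(m):
                return n, m
    return None


# Constructed counterexample: a one-state machine that copies the secret to the output.
LEAKY = {(0, (p, s)): (0, s) for (p, s) in INPUTS}

if __name__ == "__main__":
    print("leaky machine is input-deterministic:", input_deterministic(LEAKY))
    n, m = bounded_synthesis(2)
    print(f"found an implementation with {n} states:")
    for (q, inp), (q2, out) in sorted(m.items()):
        print(f"  q{q} --{inp}/out={out}--> q{q2}")
```

No one-state machine can satisfy the delay property, because its output can only depend on the current input, so the search fails at n = 1 and succeeds at n = 2 with a machine whose state remembers the last public bit. The leaky machine fails the hyperproperty even though it is a perfectly well-formed finite-state system, which is the point of the self-composition check: nothing visible on a single trace distinguishes it from a secure one.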

Preliminaries
HyperLTL Synthesis
Bounded Realizability
Bounded Unrealizability
Evaluation
Results
Conclusion