Hyperproperty

Last updated January 26, 2024

In computer science, hyperproperties are a formalism for describing properties of computational systems. Hyperproperties generalize safety and liveness properties, and can express properties such as non-interference and observational determinism.^[1]

Elaborating on the example of non-interference: Non-interference can't be represented as a "property" in the formal sense because there's no inclusion-test that could be applied to a single program trace; non-interference is an assertion about how neighboring traces are similar to each other and it does no good to look at one trace at a time. "Hyperproperties" are the extension from properties as predicates on traces to properties as relations between traces.

Definitions

Traces and systems

Hyperproperties are defined in terms of traces of a computational system. A trace is a sequence of states; a system is a set of traces. Intuitively, a program corresponds to the set of all of its possible execution traces, given any inputs. Formally, the set of traces over a set of states $\Sigma$ is $\Phi \triangleq \Sigma ^{\omega }$ .

This representation is expressive enough to encompass several computational models, including labeled transition systems ^[2] and state machines.^[3]

Hyperproperties

A trace property is a set of traces. Safety and liveness properties are trace properties. Formally, a trace property is an element of $\mathbb {P} (\Phi )$ , where $\mathbb {P}$ is the powerset operator. A hyperproperty is a set of trace properties, that is, an element of $\mathbb {P} (\mathbb {P} (\Phi ))$ .

Trace properties may be divided into safety properties (intuitively, properties that ensure "bad things don't happen") and liveness properties ("good things do happen"), and every trace property is the intersection of a safety property and a liveness property.^[4] Analogously, hyperproperties may be divided into hypersafety and hyperliveness hyperproperties, and every hyperproperty is an intersection of a safety hyperproperty and a liveness hyperproperty.^[5]

$k$ -safety properties are safety hyperproperties such that every violation of the property can be witnessed by a set of at most $k$ traces.^[6]

Examples

Every safety property can be lifted to a 1-safety hyperproperty that expresses the same condition.^[7]
$k$ $Hyperproperty$ -safety hyperproperties:
- $k=1$ $Hyperproperty$ (lifts of safety properties):
  - false, defined to be the set containing the empty set. Formally, $\mathbf {false} \triangleq \{\emptyset \}$ . This hyperproperty is not satisfied by any system.^[8]
  - true, defined to be the set of all traces. Formally, $\mathbf {true} \triangleq \Phi$ . This hyperproperty is satisfied by all systems.^[9]
  - Access control ^[10]
- $k=2$ $Hyperproperty$ :
  - Monotonicity ^[11]
  - Injectivity ^[11]
  - Symmetry, anti-symmetry, and asymmetry ^[11]
  - Observational determinism^[12]
  - Noninterference
- $k=3$ $Hyperproperty$
  - Transitivity ^[11]
- $k=4$ $Hyperproperty$
  - Associativity ^[11]

Properties

Since hyperproperties are exactly the elements of the power set $\mathbb {P} (\mathbb {P} (\Phi ))$ , they are closed under intersection and union.

The lower Vietoris topology of a standard topology on trace properties yields a topology on the set of hyperproperties.^[13]

Applications

Several program logics^[14]^[11]^[15] have been developed for checking that a program conforms to a hyperproperty.

HyperLTL^[14] and some model checking algorithms ^[16]^[17] have been developed for checking that a finite state system conforms to a hyperproperty.

Related Research Articles

In computability theory, Rice's theorem states that all non-trivial semantic properties of programs are undecidable. A semantic property is one about the program's behavior, unlike a syntactic property. A property is non-trivial if it is neither true for every program, nor false for every program.

In the mathematical field of topology, a uniform space is a topological space with additional structure that is used to define uniform properties, such as completeness, uniform continuity and uniform convergence. Uniform spaces generalize metric spaces and topological groups, but the concept is designed to formulate the weakest axioms needed for most proofs in analysis.

In mathematics, weak topology is an alternative term for certain initial topologies, often on topological vector spaces or spaces of linear operators, for instance on a Hilbert space. The term is most commonly used for the initial topology of a topological vector space with respect to its continuous dual. The remainder of this article will deal with this case, which is one of the concepts of functional analysis.

Distributions, also known as Schwartz distributions or generalized functions, are objects that generalize the classical notion of functions in mathematical analysis. Distributions make it possible to differentiate functions whose derivatives do not exist in the classical sense. In particular, any locally integrable function has a distributional derivative.

In computability theory, Kleene's recursion theorems are a pair of fundamental results about the application of computable functions to their own descriptions. The theorems were first proved by Stephen Kleene in 1938 and appear in his 1952 book Introduction to Metamathematics. A related theorem, which constructs fixed points of a computable function, is known as Rogers's theorem and is due to Hartley Rogers, Jr.

In mathematics, a direct limit is a way to construct a object from many objects that are put together in a specific way. These objects may be groups, rings, vector spaces or in general objects from any category. The way they are put together is specified by a system of homomorphisms between those smaller objects. The direct limit of the objects $, where ranges over some directed set, is denoted by .$

In set theory and its applications to logic, mathematics, and computer science, set-builder notation is a mathematical notation for describing a set by enumerating its elements, or stating the properties that its members must satisfy.

In mathematics, group cohomology is a set of mathematical tools used to study groups using cohomology theory, a technique from algebraic topology. Analogous to group representations, group cohomology looks at the group actions of a group G in an associated G-moduleM to elucidate the properties of the group. By treating the G-module as a kind of topological space with elements of $representing n -simplices, topological properties of the space may be computed, such as the set of cohomology groups . The cohomology groups in turn provide insight into the structure of the group G and G -module M themselves. Group cohomology plays a role in the investigation of fixed points of a group action in a module or space and the quotient module or space with respect to a group action. Group cohomology is used in the fields of abstract algebra, homological algebra, algebraic topology and algebraic number theory, as well as in applications to group theory proper. As in algebraic topology, there is a dual theory called group homology . The techniques of group cohomology can also be extended to the case that instead of a G -module, G acts on a nonabelian G -group; in effect, a generalization of a module to non-Abelian coefficients.$

In logic, temporal logic is any system of rules and symbolism for representing, and reasoning about, propositions qualified in terms of time. It is sometimes also used to refer to tense logic, a modal logic-based system of temporal logic introduced by Arthur Prior in the late 1950s, with important contributions by Hans Kamp. It has been further developed by computer scientists, notably Amir Pnueli, and logicians.

In mathematics, the Gelfand representation in functional analysis is either of two things:

Computation tree logic (CTL) is a branching-time logic, meaning that its model of time is a tree-like structure in which the future is not determined; there are different paths in the future, any one of which might be an actual path that is realized. It is used in formal verification of software or hardware artifacts, typically by software applications known as model checkers, which determine if a given artifact possesses safety or liveness properties. For example, CTL can specify that when some initial condition is satisfied, then all possible executions of a program avoid some undesirable condition. In this example, the safety property could be verified by a model checker that explores all possible transitions out of program states satisfying the initial condition and ensures that all such executions satisfy the property. Computation tree logic belongs to a class of temporal logics that includes linear temporal logic (LTL). Although there are properties expressible only in CTL and properties expressible only in LTL, all properties expressible in either logic can also be expressed in CTL*.

In quantum field theory, the Wightman distributions can be analytically continued to analytic functions in Euclidean space with the domain restricted to the ordered set of points in Euclidean space with no coinciding points. These functions are called the Schwinger functions and they are real-analytic, symmetric under the permutation of arguments, Euclidean covariant and satisfy a property known as reflection positivity. Properties of Schwinger functions are known as Osterwalder–Schrader axioms. Schwinger functions are also referred to as Euclidean correlation functions.

<span class="mw-page-title-main">Wigner's theorem</span> Theorem in the mathematical formulation of quantum mechanics

Wigner's theorem, proved by Eugene Wigner in 1931, is a cornerstone of the mathematical formulation of quantum mechanics. The theorem specifies how physical symmetries such as rotations, translations, and CPT transformations are represented on the Hilbert space of states.

In theoretical computer science, the modal μ-calculus is an extension of propositional modal logic by adding the least fixed point operator μ and the greatest fixed point operator ν, thus a fixed-point logic.

In symbolic dynamics and related branches of mathematics, a shift space or subshift is a set of infinite words that represent the evolution of a discrete system. In fact, shift spaces and symbolic dynamical systems are often considered synonyms. The most widely studied shift spaces are the subshifts of finite type and the sofic shifts.

In mathematics, near sets are either spatially close or descriptively close. Spatially close sets have nonempty intersection. In other words, spatially close sets are not disjoint sets, since they always have at least one element in common. Descriptively close sets contain elements that have matching descriptions. Such sets can be either disjoint or non-disjoint sets. Spatially near sets are also descriptively near sets.

In functional analysis and related areas of mathematics, a complete topological vector space is a topological vector space (TVS) with the property that whenever points get progressively closer to each other, then there exists some point $towards which they all get closer. The notion of "points that get progressively closer" is made rigorous by Cauchy nets or Cauchy filters, which are generalizations of Cauchy sequences, while "point towards which they all get closer" means that this Cauchy net or filter converges to The notion of completeness for TVSs uses the theory of uniform spaces as a framework to generalize the notion of completeness for metric spaces. But unlike metric-completeness, TVS-completeness does not depend on any metric and is defined for all TVSs, including those that are not metrizable or Hausdorff.$

In model checking, a subfield of computer science, a clock is a mathematical object used to model time. More precisely, a clock measures how much time passed since a particular event occurs, in this sense, a clock is more precisely an abstraction of a stopwatch. In a model of some particular program, the value of the clock may either be the time since the program was started, or the time since a particular event occurred in the program. Those clocks are used in the definition of timed automaton, signal automaton, timed propositional temporal logic and clock temporal logic. They are also used in programs such as UPPAAL which implement timed automata.

In geometry, a valuation is a finitely additive function from a collection of subsets of a set $to an abelian semigroup. For example, Lebesgue measure is a valuation on finite unions of convex bodies of Other examples of valuations on finite unions of convex bodies of are surface area, mean width, and Euler characteristic.$

In model checking, a branch of computer science, linear time properties are used to describe requirements of a model of a computer system. Example properties include "the vending machine does not dispense a drink until money has been entered" or "the computer program eventually terminates". Fairness properties can be used to rule out unrealistic paths of a model. For instance, in a model of two traffic lights, the liveness property "both traffic lights are green infinitely often" may only be true under the unconditional fairness constraint "each traffic light changes colour infinitely often".

References

Notes

↑ Clarkson & Schneider 2010, p. 1.
↑ Clarkson & Schneider 2010, p. 23: "A labeled transition system [...] can be encoded as a set of traces.".
↑ Clarkson & Schneider 2010, p. 25: "A state machine M [...] can be encoded as a set of traces.".
↑ Alpern, Bowen; Schneider, Fred B. (1985-10-07). "Defining liveness". Information Processing Letters. 21 (4): 181–185. doi:10.1016/0020-0190(85)90056-0. ISSN 0020-0190.
↑ Clarkson & Schneider 2010, p. 21.
↑ Finkbeiner, Bernd; Haas, Lennart; Torfah, Hazem (June 2019). "Canonical Representations of k-Safety Hyperproperties". 2019 IEEE 32nd Computer Security Foundations Symposium (CSF). pp. 17–1714. doi:10.1109/CSF.2019.00009. ISBN 978-1-7281-1407-1. S2CID 201848133.
↑ Clarkson & Schneider 2010, p. 11: "Safety properties lift to safety hyperproperties".
↑ Clarkson & Schneider 2010, p. 15: "The hyperproperty false, defined as \{\emptyset\}, is hypersafety but not hyperliveness"..
↑ Clarkson & Schneider 2010, p. 44.
↑ Clarkson & Schneider 2010.
1 2 3 4 5 6 Sousa & Dillig 2016.
↑ Clarkson & Schneider 2010, p. 13: "observational determinism OD (2.6) cannot be expressed as a 2-safety property, but it is a 2-safety hyperproperty".
↑ Clarkson & Schneider 2010, p. 19.
1 2 D'Osualdo; Farzan; Dreyer (2022). "Proving hypersafety compositionally". Proceedings of the ACM on Programming Languages. 6 (OOPSLA2): 289–314. arXiv: 2209.07448 . doi:10.1145/3563298. S2CID 252284134.
↑ Dardinier, Thibault; Müller, Peter (2023-01-24). "Hyper Hoare Logic: (Dis-)Proving Program Hyperproperties (extended version)". arXiv: 2301.10037 [cs.LO].
↑ Finkbeiner, Bernd; Rabe, Markus N.; Sánchez, César (2015). "Algorithms for Model Checking HyperLTL and HyperCTL $$^*$$". In Kroening, Daniel; Păsăreanu, Corina S. (eds.). Computer Aided Verification. Lecture Notes in Computer Science. Vol. 9206. Cham: Springer International Publishing. pp. 30–48. doi: 10.1007/978-3-319-21690-4_3 . ISBN 978-3-319-21690-4.
↑ Hsu, Tzu-Han; Sánchez, César; Bonakdarpour, Borzoo (2021). "Bounded Model Checking for Hyperproperties". In Groote, Jan Friso; Larsen, Kim Guldstrand (eds.). Tools and Algorithms for the Construction and Analysis of Systems. Lecture Notes in Computer Science. Vol. 12651. Cham: Springer International Publishing. pp. 94–112. doi:10.1007/978-3-030-72016-2_6. ISBN 978-3-030-72016-2. PMC 7979203 .

Sources

Clarkson, Michael R.; Schneider, Fred B. (2010-09-20). Sabelfeld, Andrei (ed.). "Hyperproperties". Journal of Computer Security. 18 (6): 1157–1210. doi:10.3233/JCS-2009-0393. S2CID 218604768.
Sousa, Marcelo; Dillig, Isil (2016-06-02). "Cartesian hoare logic for verifying k-safety properties". Proceedings of the 37th ACM SIGPLAN Conference on Programming Language Design and Implementation. PLDI '16. New York, NY, USA: Association for Computing Machinery. pp. 57–69. doi:10.1145/2908080.2908092. ISBN 978-1-4503-4261-2. S2CID 17433405.

This page is based on this Wikipedia article
Text is available under the CC BY-SA 4.0 license; additional terms may apply.
Images, videos and audio are available under their respective licenses.

[FOOTNOTEClarksonSchneider20101-1] Clarkson & Schneider 2010, p. 1.

[FOOTNOTEClarksonSchneider2010p._23:_"A_labeled_transition_system_[...]_can_be_encoded_as_a_set_of_traces."-2] Clarkson & Schneider 2010, p. 23: "A labeled transition system [...] can be encoded as a set of traces.".

[FOOTNOTEClarksonSchneider2010p._25:_"A_state_machine_M_[...]_can_be_encoded_as_a_set_of_traces."-3] Clarkson & Schneider 2010, p. 25: "A state machine M [...] can be encoded as a set of traces.".

[4] Alpern, Bowen; Schneider, Fred B. (1985-10-07). "Defining liveness". Information Processing Letters. 21 (4): 181–185. doi:10.1016/0020-0190(85)90056-0. ISSN 0020-0190.

[FOOTNOTEClarksonSchneider201021-5] Clarkson & Schneider 2010, p. 21.

[6] Finkbeiner, Bernd; Haas, Lennart; Torfah, Hazem (June 2019). "Canonical Representations of k-Safety Hyperproperties". 2019 IEEE 32nd Computer Security Foundations Symposium (CSF). pp. 17–1714. doi:10.1109/CSF.2019.00009. ISBN 978-1-7281-1407-1. S2CID 201848133.

[FOOTNOTEClarksonSchneider2010p._11:_"Safety_properties_lift_to_safety_hyperproperties"-7] Clarkson & Schneider 2010, p. 11: "Safety properties lift to safety hyperproperties".

[FOOTNOTEClarksonSchneider2010p._15:_"The_hyperproperty_false,_defined_as_\{\emptyset\},_is_hypersafety_but_not_hyperliveness".-8] Clarkson & Schneider 2010, p. 15: "The hyperproperty false, defined as \{\emptyset\}, is hypersafety but not hyperliveness"..

[FOOTNOTEClarksonSchneider201044-9] Clarkson & Schneider 2010, p. 44.

[FOOTNOTEClarksonSchneider2010-10] Clarkson & Schneider 2010.

[FOOTNOTESousaDillig2016-11] 1 2 3 4 5 6 Sousa & Dillig 2016.

[FOOTNOTEClarksonSchneider2010p._13:_"observational_determinism_OD_(2.6)_cannot_be_expressed_as_a_2-safety_property,_but_it_is_a_2-safety_hyperproperty"-12] Clarkson & Schneider 2010, p. 13: "observational determinism OD (2.6) cannot be expressed as a 2-safety property, but it is a 2-safety hyperproperty".

[FOOTNOTEClarksonSchneider201019-13] Clarkson & Schneider 2010, p. 19.

[:0-14] 1 2 D'Osualdo; Farzan; Dreyer (2022). "Proving hypersafety compositionally". Proceedings of the ACM on Programming Languages. 6 (OOPSLA2): 289–314. arXiv: 2209.07448 . doi:10.1145/3563298. S2CID 252284134.

[15] Dardinier, Thibault; Müller, Peter (2023-01-24). "Hyper Hoare Logic: (Dis-)Proving Program Hyperproperties (extended version)". arXiv: 2301.10037 [cs.LO].

[16] Finkbeiner, Bernd; Rabe, Markus N.; Sánchez, César (2015). "Algorithms for Model Checking HyperLTL and HyperCTL $$^*$$". In Kroening, Daniel; Păsăreanu, Corina S. (eds.). Computer Aided Verification. Lecture Notes in Computer Science. Vol. 9206. Cham: Springer International Publishing. pp. 30–48. doi: 10.1007/978-3-319-21690-4_3 . ISBN 978-3-319-21690-4.

[17] Hsu, Tzu-Han; Sánchez, César; Bonakdarpour, Borzoo (2021). "Bounded Model Checking for Hyperproperties". In Groote, Jan Friso; Larsen, Kim Guldstrand (eds.). Tools and Algorithms for the Construction and Analysis of Systems. Lecture Notes in Computer Science. Vol. 12651. Cham: Springer International Publishing. pp. 94–112. doi:10.1007/978-3-030-72016-2_6. ISBN 978-3-030-72016-2. PMC 7979203 .

[1]

[2]

[3]

[4]

[5]

[6]

[7]

[8]

[9]

[10]

[11]

[12]

[13]

[14]

[15]

[16]

[17]