
6.1.3 Equisatisfying Hyperproperty

Since, as we will see in a moment, the collecting semantics is hard to define in a constructive way, we may use an equisatisfying hypersemantics, which is easier to define. This latter is specific to the hyperproperties we want to verify, hence we lose generality. Given a set of hyperproperties $\{\mathsf{Hp}_i\}_{i \in \Delta} \subseteq \mathsf{GEN}^{\mathsf{H}}$, we say that $\mathcal{H}^P$ is $\{\mathsf{Hp}_i\}_{i \in \Delta}$-equisatisfying to $\mathcal{S}^P_{\mathsf{coll}}$ when:

$$\forall i \in \Delta \,.\, \mathcal{S}^P_{\mathsf{coll}} \subseteq \mathsf{Hp}_i \Leftrightarrow \mathcal{H}^P \subseteq \mathsf{Hp}_i$$

The intuition here is that defining a hypersemantics which works for every hyperproperty is hard. Instead, defining a hypersemantics driven by the particular hyperproperties we want to verify is easier, at the price of losing the capability to verify other hyperproperties.

Remark. Note that an equisatisfying hypersemantics is a slightly different concept compared to a collecting semantics. Both are complete verification methods for a particular set of specifications, but the second implies that the set of specifications is an abstraction of $\mathsf{GEN}^{\mathsf{H}}$ while the first does not.

As the limit case, we have that the set of specifications is a singleton, meaning that the hypersemantics can be used only for verifying one hyperproperty. In this latter case, we fix the hyperproperty we want to verify to a given $\mathsf{Hp} \in \mathsf{GEN}^{\mathsf{H}}$. Suppose we have a hypersemantics $\mathcal{H}^P$ which is $\{\mathsf{Hp}\}$-equisatisfying, namely, such that:

$$\mathcal{H}^P \subseteq \mathsf{Hp} \Leftrightarrow \mathcal{S}^P_{\mathsf{coll}} \subseteq \mathsf{Hp} \qquad (6.1)$$

M. Pasqua 6.1. Hyper Static Analysis

The hypersemantics must be related to the base semantics in some way, so suppose we have an abstraction function $\alpha^{\mathsf{H}} \in \mathsf{TRC}^P \longrightarrow \mathsf{GEN}^{\mathsf{H}}$ such that $\mathcal{H}^P = \alpha^{\mathsf{H}}(\mathcal{S}^P_{\mathsf{base}})$. Suppose now that the base semantics is computed by means of the computational fixpoint definition $\langle F, \mathcal{O}, \bot \rangle$, where $\mathcal{O} = \langle \mathsf{TRC}^P, \sqsubseteq, \sqcup \rangle$, i.e. $\mathcal{S}^P_{\mathsf{base}} = \mathrm{lfp}^{\sqsubseteq}_{\bot} F$, and the hypersemantics by means of $\langle F^{\mathsf{H}}, \mathcal{O}^{\mathsf{H}}, \bot^{\mathsf{H}} \rangle$, where $\mathcal{O}^{\mathsf{H}} = \langle \mathsf{GEN}^{\mathsf{H}}, \sqsubseteq^{\mathsf{H}}, \sqcup^{\mathsf{H}} \rangle$, i.e. $\mathcal{H}^P = \mathrm{lfp}^{\sqsubseteq^{\mathsf{H}}}_{\bot^{\mathsf{H}}} F^{\mathsf{H}}$. Suppose that $\alpha^{\mathsf{H}}$, $F$ and $F^{\mathsf{H}}$ satisfy the conditions of the Kleenian Fixpoint Transfer theorem. Then we have

$$\mathcal{H}^P = \mathrm{lfp}^{\sqsubseteq^{\mathsf{H}}}_{\bot^{\mathsf{H}}} F^{\mathsf{H}} = \alpha^{\mathsf{H}}(\mathrm{lfp}^{\sqsubseteq}_{\bot} F) = \alpha^{\mathsf{H}}(\mathcal{S}^P_{\mathsf{base}})$$

The abstraction $\alpha^{\mathsf{H}}$ is justified by the fact that the definition of the hypersemantics is guided by $\alpha^{\mathsf{H}}$. All the information needed for the verification process is contained in $\mathcal{S}^P_{\mathsf{base}}$; the problem is how this information is represented in the base semantics.

The abstraction highlights the relations between traces needed for the verification of $\mathsf{Hp}$. This cannot be done by approximating a semantics at the level of sets, but it can be done by approximating a semantics at the level of sets of sets. An example of this approach can be found in [Urban and Müller, 2018], where $\alpha^{\mathsf{H}}$ is defined by partitioning the execution denotations domain $\mathsf{Den}$. Instead, in Chapter 7 we will define a hypersemantics equisatisfying w.r.t. particular kinds of subset-closed hyperproperties, simplifying the verification process.

Remark. Here, the abstraction function is on the computational domains, not on the approximation domain. Indeed, the only correctness criterion (on the approximation order) needed is the one of Equation 6.1.

Then, as usual, we can define an abstract hypersemantics $\mathcal{H}^{P\sharp}$, approximating $\mathcal{H}^P$, which is effectively computable. This is done by applying the abstract interpretation framework where the concrete semantics is $\mathcal{H}^P$. Indeed, a sound over-approximation of the latter can be safely used for verifying $\mathsf{Hp}$, namely:

$$\gamma(\mathcal{H}^{P\sharp}) \subseteq \mathsf{Hp} \Rightarrow \mathcal{S}^P_{\mathsf{coll}} \subseteq \mathsf{Hp}$$

since $\mathcal{H}^P \subseteq \gamma(\mathcal{H}^{P\sharp})$ by soundness and $\mathcal{H}^P \subseteq \mathsf{Hp}$ implies $\mathcal{S}^P_{\mathsf{coll}} \subseteq \mathsf{Hp}$ by Equation 6.1.

Example 8. In [Urban and Müller, 2018], the authors define the hyperproperty called input data usage, expressing the fact that the outcome of a program does not depend on part of its input data. For a program $P$ we can identify two sets of variables $\mathsf{I}^P$ and $\mathsf{O}^P$, identifying input and output data, respectively. Given a trace $\bar\sigma \in \vec\Sigma^{\infty}$ we denote, as usual, with $\bar\sigma_\ell$ its initial state and with $\bar\sigma_\dashv$ its final state. If $\bar\sigma$ is infinite, then $\bar\sigma_\dashv$ is a distinguished value that is not a program state. The input variables in the initial state store the values of the program input data, and the output variables in the final state store the values of the program outcome. Following [Urban and Müller, 2018], we denote with $\sigma(i)$ the value of the input data stored in the input variable $i$ in the state $\sigma$. Similarly, we denote with $\sigma(o)$ the value of the outcome stored in the output variable $o$ in the state $\sigma$. The relation $\not\approx_i \subseteq \Sigma \times \Sigma$ denotes the fact that two states disagree on the value of the input variable $i$ but agree on the values of all other variables. An input variable $i \in \mathsf{I}^P$ is unused w.r.t. a program with maximal trace semantics $\vec\tau^{\infty}$ when:

$$\mathsf{unused}_i(\vec\tau^{\infty}) \triangleq \forall \bar\sigma \in \vec\tau^{\infty}, n \in \mathbb{Z} \,.\, \bar\sigma_\ell(i) \neq n \Rightarrow \exists \bar\sigma' \in \vec\tau^{\infty} \,.\, \bar\sigma'_\ell \not\approx_i \bar\sigma_\ell \wedge \bar\sigma'_\ell(i) = n \wedge \bar\sigma_\dashv = \bar\sigma'_\dashv \qquad (6.2)$$

This basically means that the outcome of the program does not depend on the initial value of the input variable $i$: every trace has, for every other value $n$ of $i$, a companion trace that starts in a state differing only in $i$ and ends in the same final state. The input data usage hyperproperty $\mathsf{IDU}$ can be formally defined as:

$$\mathsf{IDU} \triangleq \{ \vec\tau^{\infty} \subseteq \vec\Sigma^{\infty} \mid \forall i \in \mathsf{I}^P \,.\, \mathsf{unused}_i(\vec\tau^{\infty}) \}$$

$\mathsf{IDU}$ expresses the fact that the outcome of a program does not depend on any input data.


Chapter 6. Hyper Program Analysis M. Pasqua

In practice, weaker forms of the input data usage hyperproperty can be useful, restricting the check to a subset $J \subseteq \mathsf{I}^P$ of the input variables: $\mathsf{IDU}_J \triangleq \{ \vec\tau^{\infty} \subseteq \vec\Sigma^{\infty} \mid \forall i \in J \,.\, \mathsf{unused}_i(\vec\tau^{\infty}) \}$.

In order to verify this hyperproperty with abstract interpretation, in [Urban and Müller, 2018] the authors define a hypersemantics, called outcome semantics, serving as concrete semantics. They derive this semantics by abstracting the maximal trace semantics by partitioning. Given a partition $Q \in \wp(\wp(\vec\Sigma^{\infty}))$ of program traces, the abstraction $\alpha_Q \in \wp(\vec\Sigma^{\infty}) \longrightarrow \wp(\wp(\vec\Sigma^{\infty}))$ is defined as $\alpha_Q(X) \triangleq \{ X \cap Y \mid Y \in Q \}$. In particular, they define the outcome partition $\mathsf{O}$, parametric in a set of output variables $o_1, o_2, \ldots, o_m$, as:

$$\mathsf{O} \triangleq \{ \{ \bar\sigma \in \vec\Sigma^{+} \mid \forall k \in [1, m] \,.\, \bar\sigma_\dashv(o_k) = v_k \} \mid v_1, v_2, \ldots, v_m \in \mathbb{Z} \} \cup \{ \vec\Sigma^{\omega} \}$$

The partition contains all the sets of finite traces that agree on the values of the output variables in their outcome, together with the set of all infinite traces. Then, the outcome abstraction is:

$$\alpha^{\bullet} \triangleq \lambda X \,.\, \{ \{ \bar\sigma \in \vec{X}^{+} \mid \forall k \in [1, m] \,.\, \bar\sigma_\dashv(o_k) = v_k \} \mid v_1, v_2, \ldots, v_m \in \mathbb{Z} \} \cup \{ \vec{X}^{\omega} \}$$

Finally, the outcome semantics is obtained as the abstraction of the maximal trace semantics: $\tau^{\bullet} = \alpha^{\bullet}(\vec\tau^{\infty}) \in \wp(\wp(\vec\Sigma^{\infty}))$. The authors also show how to compute this semantics in a constructive way, with a suitable computational fixpoint definition (see [Urban and Müller, 2018] for the details). This latter semantics computes at the level of sets of sets and it is proven to be complete w.r.t. the input data usage hyperproperty: $P \models \mathsf{IDU}_J \Leftrightarrow \tau^{\bullet} \subseteq \mathsf{IDU}_J$. Hence, the outcome semantics is an example of an equisatisfying hypersemantics w.r.t. $\{\mathsf{IDU}_J\}_{J \subseteq \mathsf{I}^P}$: it can be used to verify (precisely) $\mathsf{IDU}_J$, but it cannot be used for other hyperproperties.
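As an added illustration (not part of the thesis, and not the analysis implemented by [Urban and Müller, 2018]), the following Python computes a finite-domain version of both verification routes for $\mathsf{IDU}_J$: directly on the trace set ($P \models \mathsf{IDU}_J$, the collecting side) and class by class on the outcome abstraction ($\tau^{\bullet} \subseteq \mathsf{IDU}_J$), and checks that the two verdicts coincide as Equation 6.1 demands. Assumptions: programs are deterministic and terminating (so there is no infinite-trace class); a trace is represented only by its initial and final states, the only parts Equation 6.2 inspects; $n$ ranges over a small finite domain instead of $\mathbb{Z}$; and the final state is projected onto the output variables. The example programs, variable names and domain are constructed.

```python
from itertools import product
from typing import Callable, Dict, FrozenSet, Iterable, Sequence, Tuple

State = Dict[str, int]
Frozen = Tuple[Tuple[str, int], ...]
Trace = Tuple[Frozen, Frozen]  # (initial state, final state): all that (6.2) inspects


def _freeze(s: State) -> Frozen:
    return tuple(sorted(s.items()))


def maximal_traces(program: Callable[[State], State], inputs: Sequence[str],
                   outputs: Sequence[str], domain: Sequence[int]) -> FrozenSet[Trace]:
    """Finite-domain stand-in for the maximal trace semantics of a deterministic,
    terminating program: one trace per initial state over `domain`. The final state
    is projected onto the output variables (assumption: otherwise an input that is
    simply left untouched would make every pair of final states unequal)."""
    traces = set()
    for values in product(domain, repeat=len(inputs)):
        init = dict(zip(inputs, values))
        final = program(dict(init))
        traces.add((_freeze(init), _freeze({o: final[o] for o in outputs})))
    return frozenset(traces)


def differ_only_in(i: str, s1: Frozen, s2: Frozen) -> bool:
    """The relation (not approx)_i: s1 and s2 disagree on i and agree elsewhere."""
    d1, d2 = dict(s1), dict(s2)
    return d1[i] != d2[i] and all(d1[v] == d2[v] for v in d1 if v != i)


def unused(i: str, traces: Iterable[Trace], domain: Sequence[int]) -> bool:
    """Equation (6.2) with n ranging over the finite domain instead of Z."""
    traces = list(traces)
    for init, final in traces:
        for n in domain:
            if dict(init)[i] == n:
                continue
            if not any(differ_only_in(i, init2, init) and dict(init2)[i] == n
                       and final2 == final for init2, final2 in traces):
                return False
    return True


def in_idu(J: Sequence[str], traces: Iterable[Trace], domain: Sequence[int]) -> bool:
    """Membership of a trace set in IDU_J: every input variable in J is unused."""
    traces = list(traces)
    return all(unused(i, traces, domain) for i in J)


def outcome_abstraction(traces: Iterable[Trace]) -> FrozenSet[FrozenSet[Trace]]:
    """alpha_bullet: partition the (finite) traces by their outcome, i.e. by the
    values of the output variables in the final state."""
    classes: Dict[Frozen, set] = {}
    for init, final in traces:
        classes.setdefault(final, set()).add((init, final))
    return frozenset(frozenset(c) for c in classes.values())


def verify_collecting(program, inputs, outputs, J, domain) -> bool:
    """P |= IDU_J, decided directly on the whole trace set."""
    return in_idu(J, maximal_traces(program, inputs, outputs, domain), domain)


def verify_outcome(program, inputs, outputs, J, domain) -> bool:
    """tau_bullet ⊆ IDU_J, decided class by class on the outcome semantics."""
    tau_bullet = outcome_abstraction(maximal_traces(program, inputs, outputs, domain))
    return all(in_idu(J, cls, domain) for cls in tau_bullet)


def equisatisfying(program, inputs, outputs, J, domain) -> bool:
    """Equation (6.1) instantiated on IDU_J: the two verdicts must coincide."""
    return (verify_collecting(program, inputs, outputs, J, domain)
            == verify_outcome(program, inputs, outputs, J, domain))


# Constructed example programs (inputs x and z, output y); DOMAIN replaces Z.
INPUTS, OUTPUTS, DOMAIN = ("x", "z"), ("y",), (0, 1, 2)

def p_independent(s: State) -> State:  # y depends on z only: x is unused
    s["y"] = 1 if s["z"] > 0 else 0
    return s

def p_leak(s: State) -> State:  # y depends on x: x is used
    s["y"] = s["x"] + s["z"]
    return s

def p_edge(s: State) -> State:  # x matters only when x == 3, which DOMAIN never samples
    s["y"] = 1 if s["x"] == 3 else 0
    return s


if __name__ == "__main__":
    for name, prog in (("independent", p_independent), ("leak", p_leak), ("edge", p_edge)):
        print(name, "x unused:", verify_collecting(prog, INPUTS, OUTPUTS, ["x"], DOMAIN),
              "| outcome semantics agrees:", equisatisfying(prog, INPUTS, OUTPUTS, ["x"], DOMAIN))
    print("edge over 0..3, x unused:",
          verify_collecting(p_edge, INPUTS, OUTPUTS, ["x"], (0, 1, 2, 3)))
```

The third program carries the caveat a practitioner should keep in mind for any finite-domain or test-based version of this check: over the domain 0..2 the input `x` is reported unused, over 0..3 it is reported used, so a verdict obtained by enumeration is only as strong as the set of initial states enumerated. The analysis of [Urban and Müller, 2018] obtains its verdict for all integers by abstract interpretation of the outcome semantics rather than by enumeration, which is exactly why the outcome semantics, and not the trace set, is the concrete semantics of that analysis.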