5.2 Invariants Verification
6.1.1 The Hyperproperties Verification Issue
Setting the execution denotations domain $\mathrm{Den}$, program representations (i.e. base semantics) and hyperproperties lie in different domains: the former are in $\wp(\mathrm{Den})$, whilst the latter are in $\wp(\wp(\mathrm{Den}))$. In fact, a hyperproperty is modeled as the set of all programs (representations) satisfying it. Suppose that $\mathcal{S}^P_{\mathrm{base}}$ is an element of the hierarchy of 4.1, corresponding to the execution denotations domain $\mathrm{Den}$. Then the collecting semantics is $\mathcal{S}^P_{\mathrm{coll}} \triangleq \{\mathcal{S}^P_{\mathrm{base}}\}$, which is indeed the strongest program hyperproperty of $P$. The set of all possible hyperproperties is $\mathrm{GEN}_H \triangleq \wp(\wp(\mathrm{Den}))$. Then $P$ satisfies a hyperproperty $Hp \in \mathrm{GEN}_H$, as usual written $P \models Hp$, if and only if $\mathcal{S}^P_{\mathrm{coll}} \subseteq Hp$ or, equivalently, if and only if $\mathcal{S}^P_{\mathrm{base}} \in Hp$.

Remark. This is exactly the definition of system interpretations, system specifications and strongest system specification, as introduced in Chapter 3. Indeed, hyperproperties are (mathematical) properties of programs, in the most general sense.
M. Pasqua 6.1. Hyper Static Analysis

Figure 6.1: Over-approximation of trace properties (A) and hyperproperties (B). (A) $O \supseteq \mathcal{S}^P_{\mathrm{base}}$ and $O \subseteq \mathcal{P}$ imply $\mathcal{S}^P_{\mathrm{base}} \subseteq \mathcal{P}$. (B, left) $O \supseteq \mathcal{S}^P_{\mathrm{base}}$ and $O \in Hp$ do not imply $\mathcal{S}^P_{\mathrm{base}} \in Hp$. (B, right) $O \supseteq \{\mathcal{S}^P_{\mathrm{base}}\}$ and $O \subseteq Hp$ imply $\{\mathcal{S}^P_{\mathrm{base}}\} \subseteq Hp$, i.e. $\mathcal{S}^P_{\mathrm{base}} \in Hp$.
An example of a (generic) hyperproperty for $\mathrm{Den} = \vec{\Sigma}^{\infty}$ is generalized non-interference, $\mathrm{GNI} \triangleq \{X \subseteq \mathrm{Den} \mid \forall \bar\sigma, \bar\sigma' \in X \,.\, \exists \bar\sigma_i \in X \,.\, (\bar\sigma_i^{\ell} =_H \bar\sigma^{\ell} \wedge \bar\sigma_i \approx_L \bar\sigma')\}$ [Clarkson and Schneider, 2010], stating that, for each pair $\bar\sigma, \bar\sigma'$ of executions, there exists an interleaving one $\bar\sigma_i$ which agrees with $\bar\sigma$ on private variables ($H$) in input ($\ell$) and with $\bar\sigma'$ on public variables ($L$)¹. The program in Example 7 (Chapter 5) does not satisfy GNI, since $\{\vec{\tau}^{\infty}\} \not\subseteq \mathrm{GNI}$.

In the classic static analysis framework, since the collecting semantics coincides with the base semantics, $\mathcal{S}^P_{\mathrm{coll}} = \mathcal{S}^P_{\mathrm{base}}$, we can compute a sound over-approximation $O \supseteq \mathcal{S}^P_{\mathrm{base}}$ of the base semantics allowing sound verification of trace properties (Figure 6.1, part A). This is obtained by means of an abstraction of the concrete domain $\mathrm{TRC}_P$, where the abstract (base) semantics plays the role of the over-approximation. Let $P$ be a program, $\mathrm{TRC}^{\sharp}_P$ an abstract domain of $\mathrm{TRC}_P$, $\mathcal{P} \in \mathrm{TRC}_P$ a trace property and $\mathcal{S}^P_{\sharp}$ an abstract interpretation of $\mathcal{S}^P_{\mathrm{base}}$ in $\mathrm{TRC}^{\sharp}_P$, i.e. $\mathcal{S}^P_{\mathrm{base}} \subseteq \gamma(\mathcal{S}^P_{\sharp})$; then:

$$\langle \mathrm{TRC}_P, \subseteq \rangle \underset{\alpha}{\overset{\gamma}{\leftrightarrows}} \langle \mathrm{TRC}^{\sharp}_P, \subseteq^{\sharp} \rangle \ \text{ and } \ \gamma(\mathcal{S}^P_{\sharp}) \subseteq \mathcal{P} \ \text{ implies } \ P \models \mathcal{P}$$
Recall that, by under-approximation, we can improve decidability of the confutation of a trace property, since if $U \subseteq \mathcal{S}^P_{\mathrm{base}}$ and $U \not\subseteq \mathcal{P}$ then $P \not\models \mathcal{P}$. At this point, we can note, as expected, that trace hyperproperties can be verified in the classic analysis framework based on abstract interpretation:

$$\langle \mathrm{TRC}_P, \subseteq \rangle \underset{\alpha}{\overset{\gamma}{\leftrightarrows}} \langle \mathrm{TRC}^{\sharp}_P, \subseteq^{\sharp} \rangle \ \text{ and } \ \gamma(\mathcal{S}^P_{\sharp}) \subseteq \bigcup tHp \ \text{ implies } \ P \models tHp$$

Hence, we can still use classic methods based on over-approximation for verifying trace hyperproperties. Moreover, when dealing with confutation of specifications, also in this case we can use under-approximations in the usual way, since if $U \subseteq \mathcal{S}^P_{\mathrm{base}}$ and $U \not\subseteq \bigcup tHp$ then we can still derive that $P \not\models tHp$.
Unfortunately, when we do not have restrictions on hyperproperties, the base semantics, in general, does not provide enough information for approximate verification, since $O \supseteq \mathcal{S}^P_{\mathrm{base}} \wedge O \in Hp \not\Rightarrow \mathcal{S}^P_{\mathrm{base}} \in Hp$ (Figure 6.1, part B on the left). Over-approximations do not work properly because we are approximating on the wrong domain or, better, we are approximating the wrong object. Indeed, if we move towards $\mathrm{GEN}_H$, then $O \supseteq \{\mathcal{S}^P_{\mathrm{base}}\} \wedge O \subseteq Hp \Rightarrow \{\mathcal{S}^P_{\mathrm{base}}\} \subseteq Hp$, i.e. $\mathcal{S}^P_{\mathrm{base}} \in Hp$ (Figure 6.1, part B on the right). The problem is due to the fact that the specification is defined on the domain $\mathrm{GEN}_H$, different from the domain $\mathrm{TRC}_P$, where the base semantics is computed. The solution is clearly to approximate the collecting semantics. In this way, we can exploit the abstract interpretation framework even for approximating hyperproperties verification. Hence, our goal is to define a program $P$ semantics on the hyperlevel, similar to what has been done in [Assaf et al., 2017], i.e. we define the hypersemantics $\mathcal{S}^P_{\mathrm{coll}}$ such that $\mathcal{S}^P_{\mathrm{coll}} = \{\mathcal{S}^P_{\mathrm{base}}\}$.

¹ Here $=_H$ is an equivalence on states while $\approx_L$ is on traces.

Chapter 6. Hyper Program Analysis M. Pasqua
An over-approximation of $\mathcal{S}^P_{\mathrm{coll}}$ clearly leads to a sound verification mechanism for hyperproperties. In fact, let $P$ be a program, $\mathrm{GEN}^{\sharp}_H$ be an abstract domain of $\mathrm{GEN}_H$, $Hp \in \mathrm{GEN}_H$ be a hyperproperty and $\mathcal{S}^P_{\sharp}$ be an abstract interpretation of $\mathcal{S}^P_{\mathrm{coll}}$ in $\mathrm{GEN}^{\sharp}_H$, i.e. $\mathcal{S}^P_{\mathrm{coll}} \subseteq \gamma_H(\mathcal{S}^P_{\sharp})$; then:

$$\langle \mathrm{GEN}_H, \subseteq \rangle \underset{\alpha_H}{\overset{\gamma_H}{\leftrightarrows}} \langle \mathrm{GEN}^{\sharp}_H, \sqsubseteq^{\sharp} \rangle \ \text{ and } \ \gamma_H(\mathcal{S}^P_{\sharp}) \subseteq Hp \ \text{ imply } \ P \models Hp$$

Hence, we build a hypersemantics of the program, and then we can over-approximate it in some abstraction of the domain $\mathrm{GEN}_H$. This is depicted in Figure 6.2, where in A we have the classic case and in B the hyper case.
Now we can use abstract interpretation in order to compute sound over-approximations of the collecting semantics. The problem here is that $\{\mathcal{S}^P_{\mathrm{base}}\}$ is hard to define in such a way that it fits in the abstract interpretation framework, namely in a constructive way (as defined in Chapter 2). Classic verification methods for trace properties rely on the fact that base and collecting semantics coincide. Hence, the fact that we are able, by definition, to compute the base semantics implies that we are able to compute the collecting semantics as well. This does not hold for hyperproperties verification. In this case, there is a further layer of complexity, beyond that of making the computation feasible (i.e. the verification check decidable). So the first problem is to define the concrete semantics, which will be abstracted in the approximation phase. Indeed, we can follow different approaches.

The first one, which is the more intuitive but also the more complicated to follow, is to try to apply abstract interpretation "as it is". This means finding a way to compute $\mathcal{S}^P_{\mathrm{coll}}$, defining the latter on a suitable computational domain. Then we can abstract it as shown in Chapter 2, in order to make the verification check feasible.
Another approach is to define a hypersemantics $\mathcal{H}^P$, computing at the level of sets of sets, which is not the collecting semantics. In this approach we can follow two paths. The first is general, and it requires that the hypersemantics is correct, namely that it is an approximation of the collecting semantics. Formally, $\mathcal{S}^P_{\mathrm{coll}} \subseteq \mathcal{H}^P$. Ideally, we should adapt the base semantics, lifting its semantic operator to sets of sets. The second is specification-centric, and it requires that the hypersemantics is equisatisfying to the collecting semantics, w.r.t. a given set of specifications. Given a set of hyperproperties $\{Hp_i\}_{i \in \Delta} \subseteq \mathrm{GEN}_H$, we say that $\mathcal{H}^P$ is $\{Hp_i\}_{i \in \Delta}$-equisatisfying to $\mathcal{S}^P_{\mathrm{coll}}$ when: $\forall i \in \Delta \,.\, \mathcal{S}^P_{\mathrm{coll}} \subseteq Hp_i \Leftrightarrow \mathcal{H}^P \subseteq Hp_i$. Then, again, we can abstract the hypersemantics as shown in Chapter 2, in order to make the verification check feasible.

Figure 6.2: (A) the classic case: abstraction $\langle \mathrm{TRC}_P, \subseteq \rangle \underset{\alpha}{\overset{\gamma}{\leftrightarrows}} \langle \mathrm{TRC}^{\sharp}_P, \subseteq^{\sharp} \rangle$ and verification of $\mathcal{P} \in \mathrm{TRC}_P$. (B) the hyper case: concretization $\langle \mathrm{TRC}_P, \subseteq \rangle \underset{\alpha_?}{\overset{\gamma_?}{\leftrightarrows}} \langle \mathrm{GEN}_H, \subseteq \rangle$, abstraction $\langle \mathrm{GEN}_H, \subseteq \rangle \underset{\alpha_H}{\overset{\gamma_H}{\leftrightarrows}} \langle \mathrm{GEN}^{\sharp}_H, \subseteq^{\sharp} \rangle$ and verification of $Hp \in \mathrm{GEN}_H$.
Finally, as a last resort, we can use the base semantics, setting again $\mathcal{S}^P_{\mathrm{coll}} = \mathcal{S}^P_{\mathrm{base}}$ as for trace properties, and verify a stronger trace property. Given a hyperproperty $Hp$, a stronger trace property is $\mathcal{P} \in \mathrm{TRC}_P$ such that $\wp(\mathcal{P}) \subseteq Hp$, namely the trace hyperproperty corresponding to $\mathcal{P}$ implies $Hp$. Clearly this method works only for the verification of subset-closed hyperproperties.
In this chapter we reason about these approaches, in order to distill the pros and cons of each one. In Subsection 6.1.2 we inspect the case of a stronger trace property and in Subsection 6.1.3 the case of an equisatisfying hypersemantics. Finally, in Subsection 6.1.4, we deal with correct hypersemantics. Note that $\mathcal{S}^P_{\mathrm{coll}}$ is a correct hypersemantics, so we present the case of computing exactly the collecting semantics as a particular case of correct hypersemantics.