research-article
Open access

Hypra: A Deductive Program Verifier for Hyper Hoare Logic

Published: 08 October 2024

Abstract

Hyperproperties relate multiple executions of a program and are useful to express common correctness properties (such as determinism) and security properties (such as non-interference). While there are a number of powerful program logics for the deductive verification of hyperproperties, their automation falls behind. Most existing deductive verification tools are limited to safety properties, but cannot reason about the existence of executions, for instance, to prove the violation of a safety property. Others support more flexible hyperproperties such as generalized non-interference, but have limitations in terms of the programs and proof structures they support. In this paper, we present the first deductive verification technique for arbitrary hyperproperties over multiple executions of the same program. Our technique automates the generation of verification conditions for Hyper Hoare Logic. Our key insight is that arbitrary hyperproperties and the corresponding proof rules can be encoded into a standard intermediate verification language by representing sets of states of the input program explicitly in the states of the intermediate program. Verification is then automated using an existing SMT-based verifier for the intermediate language. We implement our technique in a tool called Hypra and demonstrate that it can reliably verify complex hyperproperties.
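The abstract's key idea, running a program on an explicit set of states and stating hyperproperties as assertions over that set, as an added Python illustration; it is not Hypra's code and does not model its intermediate-language encoding. The toy instruction format, the variable names h (secret), l (public input) and out (public output), and the initial set of states are constructed here.

```python
# Added illustration, not code from the Hypra paper or tool. It models the view Hyper Hoare
# Logic takes: a program is run on an explicit SET of initial states and hyper-assertions
# are evaluated over the resulting set. Programs, variable names and inputs are constructed.
from itertools import product

def run_one(prog, state):
    """Run a (possibly nondeterministic) program on one state and return the SET of final
    states. prog is a list of ("assign", var, fn) or ("havoc", var, choices) instructions."""
    outcomes = [dict(state)]
    for op, var, arg in prog:
        if op == "assign":
            outcomes = [{**o, var: arg(o)} for o in outcomes]
        elif op == "havoc":          # nondeterministic choice among the given values
            outcomes = [{**o, var: v} for o in outcomes for v in arg]
        else:
            raise ValueError(f"unknown instruction {op}")
    return {frozenset(o.items()) for o in outcomes}

def run_set(prog, states):
    """Set-lifted semantics: the union of run_one over every state in the input set."""
    final = set()
    for s in states:
        final |= run_one(prog, dict(s))
    return final

def noninterference(states):
    """Hypersafety (forall/forall): equal low input l implies equal low output out."""
    return all(a["out"] == b["out"]
               for a, b in product(map(dict, states), repeat=2) if a["l"] == b["l"])

def leak_witness(states):
    """Existential (exists/exists) hyper-assertion: two final states with the same low
    input but different low outputs. Returns the witness pair, or None if there is none."""
    for a, b in product(map(dict, states), repeat=2):
        if a["l"] == b["l"] and a["out"] != b["out"]:
            return a, b
    return None

def generalized_noninterference(states):
    """forall s1, s2 exists s3: s3 has the high input of s1 and the low input/output of s2."""
    ss = list(map(dict, states))
    return all(any(c["h"] == a["h"] and c["l"] == b["l"] and c["out"] == b["out"] for c in ss)
               for a, b in product(ss, repeat=2))

# Constructed inputs: every combination of high h and low l forms the initial set of states.
INIT = {frozenset({"h": h, "l": l, "out": 0}.items()) for h in (0, 1) for l in (0, 1)}
SECURE = [("assign", "out", lambda s: s["l"] + 1)]          # out depends on l only
LEAKY = [("assign", "out", lambda s: s["l"] + s["h"])]      # out depends on the secret h
RANDOMIZED = [("havoc", "out", [0, 1])]                     # out chosen nondeterministically

if __name__ == "__main__":
    for name, prog in [("secure", SECURE), ("leaky", LEAKY), ("randomized", RANDOMIZED)]:
        final = run_set(prog, INIT)
        print(name, "NI:", noninterference(final), "GNI:", generalized_noninterference(final),
              "witness:", leak_witness(final))
```

The randomized program shows why generalized non-interference needs an existential quantifier: it fails plain non-interference yet satisfies GNI, and the leaky program is refuted by an explicit witness pair rather than by a failed safety proof.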

Published In

Proceedings of the ACM on Programming Languages, Volume 8, Issue OOPSLA2
October 2024
2691 pages
EISSN: 2475-1421
DOI: 10.1145/3554319
This work is licensed under a Creative Commons Attribution International 4.0 License.

Publisher

Association for Computing Machinery
New York, NY, United States

Publication History

Published: 08 October 2024
Published in PACMPL Volume 8, Issue OOPSLA2

Author Tags

1. Deductive Verification
2. Hyperproperties
3. Incorrectness Logic

Qualifiers

• Research-article

Funding Sources

• Swiss National Science Foundation
