canonical representations of k-safety hyperproperties · bernd finkbeiner, lennart haas, hazem...
TRANSCRIPT
Canonical Representations of k-Safety Hyperproperties
Bernd Finkbeiner, Lennart Haas, Hazem TorfahSaarland University
This paper
Representinghyperproperties such as noninterference, observational determinism etc.
canonically as automata
Foundation for automata-based analysis techniques such as monitoring,
and for constructive techniques such as learning.
{T ✓ Traces | 8t, t0 2 T. t =i t0 ) t =o t0}
<latexit sha1_base64="4rMrCXKxpoJ8iw75GEaLEYNQI6w=">AAADJXichVHLahRBFD3p+EjG1xiXbooEUVCGnmzUhRDiAzdClBkTmA5DdU9NTzH9sqomIQ7zLy79DX/AlQi6celW9y48XekIGiTVVN97z7331H3EVaatC8MvS8HyufMXLq6sti5dvnL1Wvv62mtbzkyi+kmZlWYvllZlulB9p12m9iqjZB5najeePq79uwfKWF0WPXdUqf1cpoUe60Q6QsP2IJqLnojsLLbKqTciyqWbaDfvGZkou6CtRyIal0ZmmXD3hLstIl2IXicSTjwaag+80unESWPKQw+WHly0hu2NsBP6I04r3UbZ2FqP7r4DsFO2vyLCCCUSzJBDoYCjnkHC8hugixAVsX3MiRlq2vsVFmgxd8YoxQhJdMp/SmvQoAXtmtP67ISvZLyGmQK3eJ95xpjR9auKuqX8xfvWY+l/X5h75rrCI8qYjKue8QVxhwkjzsrMm8iTWs7OrLtyGOOB70azvsojdZ/JH54n9BhiU+8ReOojU3LE3j7gBArKPiuop3zCIHzHI0rppfIsRcMoyWco6+mzHq65++9STyv9zc7DTvcl172N47OCm1jHHS71PrbwHDssI8EHfMcP/AzeBx+DT8Hn49Bgqcm5gb9O8O03zleyQw==</latexit><latexit sha1_base64="zpg5vPX5V+b/dw5pJSZy5mhIbnQ=">AAADJXichVFLixNBEK4dX7vxFfXopdlFFJQw8aIehOALL8IqibuQWULPpDNp0jM9dndWYsi/8Ef4N/wDnkRYLx696t2D39TOCrrI9tBTVV9VfV2PtDLahzg+WItOnT5z9tz6Ruv8hYuXLrevXH3t7dxlapBZY91uKr0yulSDoINRu5VTskiN2klnj2v/zr5yXtuyHxaV2itkXuqJzmQANGoPk6Xoi8TPU6+CeiOSQoapDsu+k5nyK9h6LJKJddIYEe6IcFMkuhT9TiKCeDjSDLzS+TRI5+xbBi2Dq9aovRV3Yj7iuNJtlK3eZnL7/UFvsW3bXymhMVnKaE4FKSopQDckyeMbUpdiqoDt0RKYg6bZr2hFLeTOEaUQIYHO8M9hDRu0hF1zes7O8IrBdcgUdAP3GTOmiK5fVdA95C/cd4zl/31hycx1hQvIFIwbzPgCeKApIk7KLJrIo1pOzqy7CjSh+9yNRn0VI3Wf2R+eJ/A4YDP2CHrKkTk4Urb3MYEScoAK6ikfMQjueAwpWSpmKRtGCT4HWU8f9WDN3X+XelwZ3O086HRfYt2P6PCs03XapFtY6j3q0XPaRhkZfaTv9IN+Rh+iT9Hn6MthaLTW5Fyjv0707TcupbPJ</latexit><latexit sha1_base64="zpg5vPX5V+b/dw5pJSZy5mhIbnQ=">AAADJXichVFLixNBEK4dX7vxFfXopdlFFJQw8aIehOALL8IqibuQWULPpDNp0jM9dndWYsi/8Ef4N/wDnkRYLx696t2D39TOCrrI9tBTVV9VfV2PtDLahzg+WItOnT5z9tz6Ruv8hYuXLrevXH3t7dxlapBZY91uKr0yulSDoINRu5VTskiN2klnj2v/zr5yXtuyHxaV2itkXuqJzmQANGoPk6Xoi8TPU6+CeiOSQoapDsu+k5nyK9h6LJKJddIYEe6IcFMkuhT9TiKCeDjSDLzS+TRI5+xbBi2Dq9aovRV3Yj7iuNJtlK3eZnL7/UFvsW3bXymhMVnKaE4FKSopQDckyeMbUpdiqoDt0RKYg6bZr2hFLeTOEaUQIYHO8M9hDRu0hF1zes7O8IrBdcgUdAP3GTOmiK5fVdA95C/cd4zl/31hycx1hQvIFIwbzPgCeKApIk7KLJrIo1pOzqy7CjSh+9yNRn0VI3Wf2R+eJ/A4YDP2CHrKkTk4Urb3MYEScoAK6ikfMQjueAwpWSpmKRtGCT4HWU8f9WDN3X+XelwZ3O086HRfYt2P6PCs03XapFtY6j3q0XPaRhkZfaTv9IN+Rh+iT9Hn6MthaLTW5Fyjv0707TcupbPJ</latexit><latexit sha1_base64="rNtFzNWJeSHVc8OvY3qyNf4Qs4Y=">AAACunichVJLS8NAEJ7GV1ur1rOXYBE8lcSLehN8IIJQwdhCLbJJt3FpXmy2xVr8A179dfpbPPjtmgpapBs2M/vNzDePXT+LRK4c571kLS2vrK6VK9X1WnVjc6teu8vTkQy4F6RRKjs+y3kkEu4poSLeySRnsR/xtj881fb2mMtcpMmtmmS8F7MwEQMRMAWo9VBvOE3HLHtecQulQcVK6x90T31KKaARxcQpIQU9IkY5vi655FAGrEdTYBKaMHZOL1RF7AheHB4M6BD/EKdugSY4a87cRAfIEmFLRNq0h31hGH1466wceg75if1ssPDfDFPDrCucQPpgrBjGa+CKHuGxKDIuPGe1LI7UXSka0JHpRqC+zCC6z+CH5wwWCWxoLDadG88QHL45jzGBBNJDBXrKMwbbdNyHZEZyw5IUjAx8ElJPH/Xglt2/dzqveAfN46Z741CZdmiX9nGXh3RCl9RC9gA5XunNurIya/z9GKxS8Sq26deynr4A86+MNw==</latexit><latexit sha1_base64="ABmmjfuEQ2uY3Gvje/X+/CJUtV4=">AAADGnichVLNbhMxEJ5u+WlDgdArF6sVKgcUbbgAByQkCuKCVKqEVspWkXfjbKx414vttCpR3ofX6Av0hJDgBbjSew98O2yRoKrqlXdmvpn5ZsZ2WhntQxx/X4qWb9y8dXtltXVn7e69++0Hax+9nblM9TNrrNtPpVdGl6ofdDBqv3JKFqlRe+n0de3fO1TOa1v2wnGlDgqZl3qsMxkADduDZC56IvGz1KugPomkkGGiw7znZKb8ArYeiWRsnTRGhCcibIlEl6LXSUQQL4eagV2dT4J0zh4xaBlctIbtzbgT8xKXlW6jbFKzdmz7ByU0IksZzaggRSUF6IYkeXwD6lJMFbADmgNz0DT7FS2ohdwZohQiJNAp/jmsQYOWsGtOz9kZqhhsh0xBj7DfMmOK6Lqqgu4hz7E/M5ZfWWHOzHWHx5ApGFeZ8T3wQBNEXJdZNJEXvVyfWU8VaEzPeRqN/ipG6jmzvzzb8DhgU/YIesOROThStg9xAiVkHx3Up3zBIHjiEaRkqZilbBgl+BxkffroB9fc/f9SLyv9p50Xne6HmFboIW3QY9zlM3pF72gH1TM6oZ/0i86iL9Fp9PXPe4iWmoexTv+s6NtvzvmvLQ==</latexit><latexit sha1_base64="ABmmjfuEQ2uY3Gvje/X+/CJUtV4=">AAADGnichVLNbhMxEJ5u+WlDgdArF6sVKgcUbbgAByQkCuKCVKqEVspWkXfjbKx414vttCpR3ofX6Av0hJDgBbjSew98O2yRoKrqlXdmvpn5ZsZ2WhntQxx/X4qWb9y8dXtltXVn7e69++0Hax+9nblM9TNrrNtPpVdGl6ofdDBqv3JKFqlRe+n0de3fO1TOa1v2wnGlDgqZl3qsMxkADduDZC56IvGz1KugPomkkGGiw7znZKb8ArYeiWRsnTRGhCcibIlEl6LXSUQQL4eagV2dT4J0zh4xaBlctIbtzbgT8xKXlW6jbFKzdmz7ByU0IksZzaggRSUF6IYkeXwD6lJMFbADmgNz0DT7FS2ohdwZohQiJNAp/jmsQYOWsGtOz9kZqhhsh0xBj7DfMmOK6Lqqgu4hz7E/M5ZfWWHOzHWHx5ApGFeZ8T3wQBNEXJdZNJEXvVyfWU8VaEzPeRqN/ipG6jmzvzzb8DhgU/YIesOROThStg9xAiVkHx3Up3zBIHjiEaRkqZilbBgl+BxkffroB9fc/f9SLyv9p50Xne6HmFboIW3QY9zlM3pF72gH1TM6oZ/0i86iL9Fp9PXPe4iWmoexTv+s6NtvzvmvLQ==</latexit><latexit sha1_base64="44QmUDT8Z0e0NZs1wUsGPUmMIBE=">AAADJXichVFLb9NAEJ6aR9vwCuXIZUWE4IAipxfggFRRQFyQCkraSnEVrZ2Ns8ra6+5uikqU/8Pf4A9wQkhw4cgV7hz4PHWRoEJdaz0z38x8O4+0MtqHOP6yEl24eOny6tp668rVa9dvtG9u7Ho7d5kaZNZYt59Kr4wu1SDoYNR+5ZQsUqP20tl27d87Us5rW/bDcaUOCpmXeqIzGQCN2sNkIfoi8fPUq6AORVLIMNVh0XcyU34JW49FMrFOGiPCAxHuiUSXot9NRBBPRpqBNzqfBumcfcugZXDZGrU7cTfmI84qvUbpUHN2bPsrJTQmSxnNqSBFJQXohiR5fEPqUUwVsANaAHPQNPsVLamF3DmiFCIk0Bn+Oaxhg5awa07P2RleMbgOmYLu4r5gxhTR9asKuof8hfuOsfy/LyyYua7wGDIF4zozvgIeaIqI8zKLJvK0lvMz664CTegRd6NRX8VI3Wf2h+cZPA7YjD2CnnNkDo6U7SNMoIQcoIJ6yqcMgjseQ0qWilnKhlGCz0HW00c9WHPv36WeVQab3cfd3uu4s/W02fca3aY7dB9LfUhb9JJ2UEZGH+g7/aCf0fvoY/Qp+nwSGq00ObforxN9+w1iYLC6</latexit><latexit sha1_base64="44QmUDT8Z0e0NZs1wUsGPUmMIBE=">AAADJXichVFLb9NAEJ6aR9vwCuXIZUWE4IAipxfggFRRQFyQCkraSnEVrZ2Ns8ra6+5uikqU/8Pf4A9wQkhw4cgV7hz4PHWRoEJdaz0z38x8O4+0MtqHOP6yEl24eOny6tp668rVa9dvtG9u7Ho7d5kaZNZYt59Kr4wu1SDoYNR+5ZQsUqP20tl27d87Us5rW/bDcaUOCpmXeqIzGQCN2sNkIfoi8fPUq6AORVLIMNVh0XcyU34JW49FMrFOGiPCAxHuiUSXot9NRBBPRpqBNzqfBumcfcugZXDZGrU7cTfmI84qvUbpUHN2bPsrJTQmSxnNqSBFJQXohiR5fEPqUUwVsANaAHPQNPsVLamF3DmiFCIk0Bn+Oaxhg5awa07P2RleMbgOmYLu4r5gxhTR9asKuof8hfuOsfy/LyyYua7wGDIF4zozvgIeaIqI8zKLJvK0lvMz664CTegRd6NRX8VI3Wf2h+cZPA7YjD2CnnNkDo6U7SNMoIQcoIJ6yqcMgjseQ0qWilnKhlGCz0HW00c9WHPv36WeVQab3cfd3uu4s/W02fca3aY7dB9LfUhb9JJ2UEZGH+g7/aCf0fvoY/Qp+nwSGq00ObforxN9+w1iYLC6</latexit><latexit sha1_base64="zpg5vPX5V+b/dw5pJSZy5mhIbnQ=">AAADJXichVFLixNBEK4dX7vxFfXopdlFFJQw8aIehOALL8IqibuQWULPpDNp0jM9dndWYsi/8Ef4N/wDnkRYLx696t2D39TOCrrI9tBTVV9VfV2PtDLahzg+WItOnT5z9tz6Ruv8hYuXLrevXH3t7dxlapBZY91uKr0yulSDoINRu5VTskiN2klnj2v/zr5yXtuyHxaV2itkXuqJzmQANGoPk6Xoi8TPU6+CeiOSQoapDsu+k5nyK9h6LJKJddIYEe6IcFMkuhT9TiKCeDjSDLzS+TRI5+xbBi2Dq9aovRV3Yj7iuNJtlK3eZnL7/UFvsW3bXymhMVnKaE4FKSopQDckyeMbUpdiqoDt0RKYg6bZr2hFLeTOEaUQIYHO8M9hDRu0hF1zes7O8IrBdcgUdAP3GTOmiK5fVdA95C/cd4zl/31hycx1hQvIFIwbzPgCeKApIk7KLJrIo1pOzqy7CjSh+9yNRn0VI3Wf2R+eJ/A4YDP2CHrKkTk4Urb3MYEScoAK6ikfMQjueAwpWSpmKRtGCT4HWU8f9WDN3X+XelwZ3O086HRfYt2P6PCs03XapFtY6j3q0XPaRhkZfaTv9IN+Rh+iT9Hn6MthaLTW5Fyjv0707TcupbPJ</latexit><latexit sha1_base64="zpg5vPX5V+b/dw5pJSZy5mhIbnQ=">AAADJXichVFLixNBEK4dX7vxFfXopdlFFJQw8aIehOALL8IqibuQWULPpDNp0jM9dndWYsi/8Ef4N/wDnkRYLx696t2D39TOCrrI9tBTVV9VfV2PtDLahzg+WItOnT5z9tz6Ruv8hYuXLrevXH3t7dxlapBZY91uKr0yulSDoINRu5VTskiN2klnj2v/zr5yXtuyHxaV2itkXuqJzmQANGoPk6Xoi8TPU6+CeiOSQoapDsu+k5nyK9h6LJKJddIYEe6IcFMkuhT9TiKCeDjSDLzS+TRI5+xbBi2Dq9aovRV3Yj7iuNJtlK3eZnL7/UFvsW3bXymhMVnKaE4FKSopQDckyeMbUpdiqoDt0RKYg6bZr2hFLeTOEaUQIYHO8M9hDRu0hF1zes7O8IrBdcgUdAP3GTOmiK5fVdA95C/cd4zl/31hycx1hQvIFIwbzPgCeKApIk7KLJrIo1pOzqy7CjSh+9yNRn0VI3Wf2R+eJ/A4YDP2CHrKkTk4Urb3MYEScoAK6ikfMQjueAwpWSpmKRtGCT4HWU8f9WDN3X+XelwZ3O086HRfYt2P6PCs03XapFtY6j3q0XPaRhkZfaTv9IN+Rh+iT9Hn6MthaLTW5Fyjv0707TcupbPJ</latexit><latexit sha1_base64="zpg5vPX5V+b/dw5pJSZy5mhIbnQ=">AAADJXichVFLixNBEK4dX7vxFfXopdlFFJQw8aIehOALL8IqibuQWULPpDNp0jM9dndWYsi/8Ef4N/wDnkRYLx696t2D39TOCrrI9tBTVV9VfV2PtDLahzg+WItOnT5z9tz6Ruv8hYuXLrevXH3t7dxlapBZY91uKr0yulSDoINRu5VTskiN2klnj2v/zr5yXtuyHxaV2itkXuqJzmQANGoPk6Xoi8TPU6+CeiOSQoapDsu+k5nyK9h6LJKJddIYEe6IcFMkuhT9TiKCeDjSDLzS+TRI5+xbBi2Dq9aovRV3Yj7iuNJtlK3eZnL7/UFvsW3bXymhMVnKaE4FKSopQDckyeMbUpdiqoDt0RKYg6bZr2hFLeTOEaUQIYHO8M9hDRu0hF1zes7O8IrBdcgUdAP3GTOmiK5fVdA95C/cd4zl/31hycx1hQvIFIwbzPgCeKApIk7KLJrIo1pOzqy7CjSh+9yNRn0VI3Wf2R+eJ/A4YDP2CHrKkTk4Urb3MYEScoAK6ikfMQjueAwpWSpmKRtGCT4HWU8f9WDN3X+XelwZ3O086HRfYt2P6PCs03XapFtY6j3q0XPaRhkZfaTv9IN+Rh+iT9Hn6MthaLTW5Fyjv0707TcupbPJ</latexit><latexit sha1_base64="zpg5vPX5V+b/dw5pJSZy5mhIbnQ=">AAADJXichVFLixNBEK4dX7vxFfXopdlFFJQw8aIehOALL8IqibuQWULPpDNp0jM9dndWYsi/8Ef4N/wDnkRYLx696t2D39TOCrrI9tBTVV9VfV2PtDLahzg+WItOnT5z9tz6Ruv8hYuXLrevXH3t7dxlapBZY91uKr0yulSDoINRu5VTskiN2klnj2v/zr5yXtuyHxaV2itkXuqJzmQANGoPk6Xoi8TPU6+CeiOSQoapDsu+k5nyK9h6LJKJddIYEe6IcFMkuhT9TiKCeDjSDLzS+TRI5+xbBi2Dq9aovRV3Yj7iuNJtlK3eZnL7/UFvsW3bXymhMVnKaE4FKSopQDckyeMbUpdiqoDt0RKYg6bZr2hFLeTOEaUQIYHO8M9hDRu0hF1zes7O8IrBdcgUdAP3GTOmiK5fVdA95C/cd4zl/31hycx1hQvIFIwbzPgCeKApIk7KLJrIo1pOzqy7CjSh+9yNRn0VI3Wf2R+eJ/A4YDP2CHrKkTk4Urb3MYEScoAK6ikfMQjueAwpWSpmKRtGCT4HWU8f9WDN3X+XelwZ3O086HRfYt2P6PCs03XapFtY6j3q0XPaRhkZfaTv9IN+Rh+iT9Hn6MthaLTW5Fyjv0707TcupbPJ</latexit><latexit sha1_base64="44QmUDT8Z0e0NZs1wUsGPUmMIBE=">AAADJXichVFLb9NAEJ6aR9vwCuXIZUWE4IAipxfggFRRQFyQCkraSnEVrZ2Ns8ra6+5uikqU/8Pf4A9wQkhw4cgV7hz4PHWRoEJdaz0z38x8O4+0MtqHOP6yEl24eOny6tp668rVa9dvtG9u7Ho7d5kaZNZYt59Kr4wu1SDoYNR+5ZQsUqP20tl27d87Us5rW/bDcaUOCpmXeqIzGQCN2sNkIfoi8fPUq6AORVLIMNVh0XcyU34JW49FMrFOGiPCAxHuiUSXot9NRBBPRpqBNzqfBumcfcugZXDZGrU7cTfmI84qvUbpUHN2bPsrJTQmSxnNqSBFJQXohiR5fEPqUUwVsANaAHPQNPsVLamF3DmiFCIk0Bn+Oaxhg5awa07P2RleMbgOmYLu4r5gxhTR9asKuof8hfuOsfy/LyyYua7wGDIF4zozvgIeaIqI8zKLJvK0lvMz664CTegRd6NRX8VI3Wf2h+cZPA7YjD2CnnNkDo6U7SNMoIQcoIJ6yqcMgjseQ0qWilnKhlGCz0HW00c9WHPv36WeVQab3cfd3uu4s/W02fca3aY7dB9LfUhb9JJ2UEZGH+g7/aCf0fvoY/Qp+nwSGq00ObforxN9+w1iYLC6</latexit>
Logic
HyperLTL= LTL + trace quantifiers
8⇡,⇡0. (o⇡ $ o⇡0) W-Until (i⇡ 6$ i⇡0)
8⇡,⇡0. (o⇡ $ o⇡0) W-Until (i⇡ 6$ i⇡0)
Hyperproperties
Automata
q1 q2i1↔i2⋀ o1↔o2
*i1↔i2 ⋀ o1↔o2
Sets
Hyperproperty= a set of sets of traces
[Clarkson & Schneider ’10]
{T ✓ ⌃! | 8t, t0 2 T. t =i t0 ) t =o t0}
<latexit sha1_base64="pDyQgIHg1oCAlHlgNaQKnph58Uo=">AAADI3ichVHLbtQwFD0Nr3Z4DbBkY7VCIIFGGTbAAqniJTZIBWZoUV1GTsaTWpPEwfEUlVH/hRW/wQ+wQmxAYskWfoAFJ26KBBWqI+den3vu8b2+SZWb2sfxl4Xo2PETJ08tLnVOnzl77nz3wsUXtZ25VA9Tm1u3kaha56bUQ298rjcqp1WR5Ho9md5v4us72tXGlgO/W+mtQmWlmZhUeUKj7ks5FwMh61lSa69fC/ncZIV6JW2hMyVkYcZCTqxTeS78DeGvCmlKMehJ4cXdkQnAM5Nte+WcfRNAG8C9zqi7EvfisMRhp986K6vL8vo7AGu2+xUSY1ikmKGARglPP4dCzW8TfcSoiG1hTszRMyGusYcOc2dkaTIU0Sn/GU+bLVry3GjWITvlLTm3Y6bAFe5HQTEhu7lV069pf3G/DVj23xvmQbmpcJc2oeJSUHxC3GObjKMyi5Z5UMvRmU1XHhPcDt0Y1lcFpOkz/aPzgBFHbBoiAg8DM6NGEs47fIGSdsgKmlc+UBCh4zGtClYHlbJVVNRztM3rsx6Ouf/vUA87w5u9O73+U477HvbXIi5jGdc41FtYxWOssYwUH/AdP/Azeh99jD5Fn/ep0UKbcwl/rejbb1DKsQI=</latexit><latexit sha1_base64="tr/DE/kdBeDskPKLNWUamvZDp5Q=">AAADI3ichVHNbhMxEJ4uf234C3DkYrVCIIGiTS/QQ6WIP3FBKpDQorpE3o2zteJdL16nKER9C56B1+AFOCEuReLIFV6AA99Ot0hQoXrlnfE333ye8SSlNVWI44OF6NTpM2fPLS61zl+4eOly+8rVl5Wb+lQPUmed30pUpa0p9CCYYPVW6bXKE6s3k8mDOr65p31lXNEPs1Lv5CorzNikKgAatl/JuegLWU2TSgf9RsgXJsvVa+lynSkhczMScuy8slaEOyLcFNIUot+RIoj1oWHgucl2g/LevWXQMbjfGrZX4k7MSxx3uo2z0luWt98f9GYbrv2VJI3IUUpTyklTQQG+JUUVvm3qUkwlsB2aA/PwDMc17VMLuVOwNBgK6AT/DKftBi1wrjUrzk5xi8X2yBR0A/sxKyZg17dq+BXsL+x3jGX/vWHOynWFM9gEikus+BR4oF0wTsrMG+ZRLSdn1l0FGtM97sagvpKRus/0j85DRDywCUcEPWJmBo2Ez3t4gQJ2gArqVz5SENzxCFax1axSNIoKeh62fn3UgzF3/x3qcWew2lnrdJ9h3PfpcC3SdVqmWxjqXerRE9pAGSl9pO/0g35GH6JP0efoyyE1WmhyrtFfK/r2G7EJsog=</latexit><latexit sha1_base64="tr/DE/kdBeDskPKLNWUamvZDp5Q=">AAADI3ichVHNbhMxEJ4uf234C3DkYrVCIIGiTS/QQ6WIP3FBKpDQorpE3o2zteJdL16nKER9C56B1+AFOCEuReLIFV6AA99Ot0hQoXrlnfE333ye8SSlNVWI44OF6NTpM2fPLS61zl+4eOly+8rVl5Wb+lQPUmed30pUpa0p9CCYYPVW6bXKE6s3k8mDOr65p31lXNEPs1Lv5CorzNikKgAatl/JuegLWU2TSgf9RsgXJsvVa+lynSkhczMScuy8slaEOyLcFNIUot+RIoj1oWHgucl2g/LevWXQMbjfGrZX4k7MSxx3uo2z0luWt98f9GYbrv2VJI3IUUpTyklTQQG+JUUVvm3qUkwlsB2aA/PwDMc17VMLuVOwNBgK6AT/DKftBi1wrjUrzk5xi8X2yBR0A/sxKyZg17dq+BXsL+x3jGX/vWHOynWFM9gEikus+BR4oF0wTsrMG+ZRLSdn1l0FGtM97sagvpKRus/0j85DRDywCUcEPWJmBo2Ez3t4gQJ2gArqVz5SENzxCFax1axSNIoKeh62fn3UgzF3/x3qcWew2lnrdJ9h3PfpcC3SdVqmWxjqXerRE9pAGSl9pO/0g35GH6JP0efoyyE1WmhyrtFfK/r2G7EJsog=</latexit><latexit sha1_base64="AbUJav80SWoLsP6T1IopHfJTk3U=">AAADI3ichVFNbxMxEJ0uX234CnDkYhEhOKBowwU4VKr4EhekAgktqkvk3ThbK9711naKStS/w9/gD3BCXEDiyBX+AAfeDlskqFC98s74zZvnGU9WWxNimn5eSk6cPHX6zPJK5+y58xcudi9dfhnc3Od6lDvr/Gamgram0qNootWbtdeqzKzeyGYPmvjGnvbBuGoY92u9XaqiMlOTqwho3H0lF2IoZJhnQUe9K+QLU5TqtXSlLpSQpZkIOXVeWSviLRFvCGkqMexLEcXq2DDw3BQ7UXnv3jDoGDzojLu9tJ/yEkedQev0qF3rrvuFJE3IUU5zKklTRRG+JUUB3xYNKKUa2DYtgHl4huOaDqiD3DlYGgwFdIZ/gdNWi1Y4N5qBs3PcYrE9MgVdx37MihnYza0afoD9if2WseK/NyxYualwHzaD4gorPgUeaQeM4zLLlnlYy/GZTVeRpnSXuzGor2ak6TP/o/MQEQ9sxhFBj5hZQCPj8x5eoIIdoYLmlQ8VBHc8gVVsNatUraKCnodtXh/1YMyDf4d61Bnd7t/rD56lvbX77byX6Spdo5sY6h1aoye0jjJyek/f6Dv9SN4lH5KPyaff1GSpzblCf63k6y/kxK95</latexit>
Monitoring
...
...
i T T T T F T T
o T T T T T F T
i T T T T F T F
o T T F F T T T
Automata provide an operational semantics for monitoring
MonitorAutomata
q1 q2i1↔i2⋀ o1↔o2
*i1↔i2 ⋀ o1↔o2
Learning
StudentDoes not know hyperproperty
Asks queries to teacherLearns automaton from answers
Automata provide a canonical representation for learning
TeacherKnows hyperproperty
Answers queriesCan be human or automated
(e.g., HyperLTL tool)
Does the trace set T satisfythe hyperproperty?
No!
Bad prefixes
...
...
...
...
i F F T F T F T
o T F F T T T T
i T F T T F T T
o T F F T T F T
i T T T T F T T
o T T T T T F T
i T T T T F T F
o T T F F T T T
Bad prefixes
A hyperproperty H is safety if every trace set that violates H has a bad prefix.
A hyperproperty H is k-safety if every trace set that violates H has a bad prefix of size k.
i T T T T F T T
o T T T T T F T
i T T T T F T F
o T T F F T T T
A bad prefix of a hyperproperty H is a finite set of finite traces
such that every extension to a set of infinite traces violates H.
Representing sets of traces
i T T T T F T T
o T T T T T F T
i T T T T F T F
o T T F F T T T{ }
τ1
τ2
i T T T T F T T
o T T T T T F T
i T T T T F T F
o T T F F T T Ti1 T T T
o1 T T T
i2 T T T
o2 T T F
Representing hyperproperties
i1 T T T
o1 T T T
i2 T T T
o2 T T F
unzip
i T T T T F T T
o T T T T T F T
i T T T T F T F
o T T F F T T T
A bad-prefix automaton of a k-safety hyperproperty His an automaton A over finite words of k‘-tuplessuch that, for every set of traces T,
T violates H iff L(A) contains a word 𝛔 s.t. unzip(𝛔) is a prefix of T
q1 q2i1↔i2 ⋀ o1 ⋀ ¬o2
*i1↔i2 ⋀ o1↔o2
zip
Horizontal tightness
i T T T T F T T
o T T T T T F T
i T T T T F T F
o T T F F T T T
i1 T T T
o1 T T T
i2 T T T
o2 T T F
i1 T T T T
o1 T T T T
i2 T T T T
o2 T T F F
...
...
Vertical tightness
i F F T F T F T
o T F F T T T T
i T F T T F T T
o T F F T T F T
i T T T T F T T
o T T T T T F T
i T T T T F T F
o T T F F T T T
i1 T T T
o1 T T T
i2 T T T
o2 T T F
i1 T T T
o1 T T T
i2 T T T
o2 T T F
i3 F F T
o3 T F F
...
...
...
...
Tight automata
i F F T F T F T
o T F F T T T T
i T F T T F T T
o T F F T T F T
i T T T T F T T
o T T T T T F T
i T T T T F T F
o T T F F T T T
A k-bad-prefix automaton is tightiff it acceptssome representationof each bad prefix of size ≦ k
...
...
...
...
Permutation completeness
i T T T T F T T
o T T T T T F T
i T T T T F T F
o T T F F T T T
...
...
i1 T T T
o1 T T T
i2 T T T
o2 T T F
τ1
τ2
i T T T T F T T
o T T T T T F T
i T T T T F T F
o T T F F T T T
i1 T T T
o1 T T F
i2 T T T
o2 T T T
τ2
τ1
Permutation completeness
i T T T T F T T
o T T T T T F T
i T T T T F T F
o T T F F T T T
...
...
τ1
τ2
i T T T T F T T
o T T T T T F T
i T T T T F T F
o T T F F T T T
...
...
τ2
τ1
A k-bad-prefix automaton is permutation-completeiff it accepts every representationfor each bad prefix it accepts.
A k-bad-prefix automaton is tightiff it accepts some representationfor each bad prefix of size ≦ k
Theorem: A minimal deterministic tight permutation-completek-bad-prefix automaton is a canonical representationfor (regular) k-safety hyperproperties.
Direct automata constructions
ConstrucDon: For a k-safety hyperproperty S, we can constructa determinisDc, Dght, and permutaDon-complete bad-prefix automaton of size
§ polynomial in |A| and doubly exponenDal in k ⋅ log(k) if S is given as a determinisDc bad-prefix automaton A
§ exponenDal in |A| and doubly exponenDal in k ⋅ log(k) if S is given as a nondeterminisDc bad-prefix automaton A
Learning regular languages: L*
Teacher answers two types of queries:
§ Membership queriesIs the word 𝛔 in the language?
Yes/No§ Equivalence queries:
Does the automaton A recognize the language? Yes/No: counterexample
Queries
Answers
[Angluin 1987]
Learning hyperproperties: L* Hyper
Teacher answers two types of queries:
§ Membership queriesDoes the trace set T satisfy the hyperproperty?
Yes/No§ Equivalence queries:
Is the automaton A a bad-prefix automaton for the hyperproperty?Yes/No: counterexample
Queries
Answers
Separating sequences E ⊆ 𝚺*
Observation tables
𝟄 ¬a𝟄 0 1
¬a 1 1a 0 0
a ⋅ ¬a 0 0
¬a ⋅ a 1 1¬a ⋅ ¬a 1 1
a ⋅ a 0 0a ⋅ ¬a ⋅ a 0 0
a ⋅ ¬a ⋅ ¬a 0 0
Accessingsequences
S ⊆ 𝚺*
S⋅𝚺
[Angluin 1987]
Observation table stores results ofmembership queries
accessing seq ⋅ separating seq
E.g. ¬a ⋅ ¬a is in the language
States
Observation tables
𝟄 ¬a𝟄 0 1
¬a 1 1a 0 0
a ⋅ ¬a 0 0
¬a ⋅ a 1 1¬a ⋅ ¬a 1 1
a ⋅ a 0 0a ⋅ ¬a ⋅ a 0 0
a ⋅ ¬a ⋅ ¬a 0 0
Accessingsequences
S ⊆ 𝚺*
S⋅𝚺01
00
11¬a
a
*
*
[Angluin 1987]
Separabng sequences E ⊆ 𝚺*
States
Observation tables
𝟄 ¬a𝟄 0 1
¬a 1 1a 0 0
a ⋅ ¬a 0 0
¬a ⋅ a 1 1¬a ⋅ ¬a 1 1
a ⋅ a 0 0a ⋅ ¬a ⋅ a 0 0
a ⋅ ¬a ⋅ ¬a 0 0
Accessingsequences
S ⊆ 𝚺*
S⋅𝚺
States
Consistency check:For all t,t‘ ∊ S, e ∊ 𝚺 .
state(t)=state(t‘) ⇒state(t⋅e)=state(t‘⋅e) ?
Closedness check:For all t ∊ S, e ∊ 𝚺 ,there is a t‘ ∊ S .
state(t⋅e)=state(t‘) ?
A closed and consistentobservation table defines a deterministic automaton.
[Angluin 1987]
Separabng sequences E ⊆ 𝚺*
Learning regular languages: L*
Is table closedand consistent?
Build conjectureautomaton
Equivalencequery
Initialtable
yes
No: membership queries
done
yes
no: add counterexample to table
[Angluin 1987]
add counterexampleto table
Learning hyperproperties: L* Hyper
Is table closedand consistent?
Build conjectureautomaton
Equivalencequery
Initialtable
yes
No: membership queries
done
yes
Permutation-complete?
yes
No: add counterexampleto table
Arity ofcounterexample
≦ k ?
Extend table toarity of
counterexample
no
no
Yes: add counterexampleto table
Example
01
00
11¬a
a
*
*
8⇡,⇡0. a⇡ ^ Globally (a⇡ $ a⇡0)
Equivalence query: Counterexample of arity 2, {a ⋅ ¬a, a ⋅ a}
𝟄 ¬a𝟄 0 1
¬a 1 1a 0 0
a ⋅ ¬a 0 0
¬a ⋅ a 1 1¬a ⋅ ¬a 1 1
a ⋅ a 0 0a ⋅ ¬a ⋅ a 0 0
a ⋅ ¬a ⋅ ¬a 0 0
Table for arity 1:
Extending the arity
𝟄 ¬a𝟄 0 1
¬a 1 1a 0 0
a ⋅ ¬a 0 0
¬a ⋅ a 1 1¬a ⋅ ¬a 1 1
a ⋅ a 0 0a ⋅ ¬a ⋅ a 0 0
a ⋅ ¬a ⋅ ¬a 0 0
Repeat last tuple elementto turn 1-tuple into 2-tuple
Table for arity 1: Table for arity 2:
S ⊆ (𝚺1)*
E ⊆ (𝚺1)*
E ⊆ (𝚺2)*
S⋅𝚺1
cv
Extending the arity
𝟄 ¬a𝟄 0 1
¬a 1 1a 0 0
a ⋅ ¬a 0 0
¬a ⋅ a 1 1¬a ⋅ ¬a 1 1
a ⋅ a 0 0a ⋅ ¬a ⋅ a 0 0
a ⋅ ¬a ⋅ ¬a 0 0
cv𝟄
(¬a,¬a)𝟄 ⋅ (a,a)
(a,a) ⋅ (¬a,¬a)
(¬a,¬a) ⋅ (a,a)(¬a,¬a) ⋅ (¬a,¬a)
(a,a) ⋅ (a,a)(a,a) ⋅ (¬a,¬a) ⋅ (a,a)
(a,a) ⋅ (¬a,¬a) ⋅ (¬a,¬a)
S ⊆ (𝚺1)*
S⋅𝚺1
Table for arity 1:
S‘ ⊆ (𝚺2)*
S‘⋅𝚺2
𝟄 (¬a, ¬a)
E ⊆ (𝚺1)*
E ⊆ (𝚺2)*
Table for arity 2:
Repeat last tuple elementto turn 1-tuple into 2-tuple
Extending the arity
𝟄 ¬a𝟄 0 1
¬a 1 1a 0 0
a ⋅ ¬a 0 0
¬a ⋅ a 1 1¬a ⋅ ¬a 1 1
a ⋅ a 0 0a ⋅ ¬a ⋅ a 0 0
a ⋅ ¬a ⋅ ¬a 0 0
Table for arity 1:
𝟄(¬a,¬a)𝟄 ⋅ (a,a)
(a,a) ⋅ (¬a,¬a)
(¬a,¬a) ⋅ (a,a)(¬a,¬a) ⋅ (¬a,¬a)
(a,a) ⋅ (a,a)(a,a) ⋅ (¬a,¬a) ⋅ (a,a)
(a,a) ⋅ (¬a,¬a) ⋅ (¬a,¬a)
𝟄 (¬a, ¬a)
Table for arity 2:
Closed and consistent observation table with added counterexample
𝟄 (¬a,¬a)
𝟄 0 1
(¬a,¬a) 1 1
(a,a) 0 0
(a,a) ⋅ (¬a,¬a) 0 0
(a,¬a) 1 1
(¬a,a) 1 1
(¬a,¬a) ⋅ (*) 1 1
(a,a) ⋅ (a,a) 0 0
(a,a) ⋅ (¬a,¬a) ⋅ (a,a) 0 0
(a,a) ⋅ (¬a,¬a) ⋅ (¬a,a) 1 1
(a,a) ⋅ (¬a,¬a) ⋅ (a,¬a) 1 1
(a,a) ⋅ (¬a,¬a) ⋅ (¬a,¬a) 0 0
(a,a) ⋅ (¬a,a) ⋅ (*) 1 1
01
00
11¬(a,a)
(a,a)*
(a,a) ∨ (¬a,¬a)
(¬a,a) ∨ (a,¬a)
8⇡,⇡0. a⇡ ^ Globally (a⇡ $ a⇡0)
Complexity
Theorem: L* Hyper learns a minimal, deterministic, and permutation-complete automaton Afor a k-safety hyperproperty in
§ polynomial time in |A|
§ polynomial time in the length of the longest counterexample, and
§ exponential time in k
Application: Learning Automata for HyperLTL
Membership queries for a set T of traces of length n anda hyperproperty given as a universal safety HyperLTL formula 𝞅 with k quantifierscan be answered in
§ polynomial time in n and
§ polynomial space in |𝞅| and k ⋅ log(|T|)
Equivalence queries for a deterministic automaton A anda hyperproperty given as a universal safety HyperLTL formula 𝞅 with k quantifierscan be solved in
§ polynomial time in |A|,
§ exponential time in |𝞅|, and
§ exponential space in k.
§ Automata provide a canonical representation for k-safety hyperproperties
§ Direct constructions for tight permutation-complete automata
§ L* Hyper learns minimal deterministic automata in polynomial time in the size of the automaton
§ Learning is an output-sensitive approach
§ Challenge: Beyond k-safety
Conclusions
Queries
Answers