Verifying Bounded Subset-Closed Hyperproperties

  • Isabella Mastroeni
  • Michele PasquaEmail author
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 11002)


Hyperproperties are quickly becoming very popular in the context of systems security, due to their expressive power. They differ from classic trace properties since they are represented by sets of sets of executions instead of sets of executions. This allows us, for instance, to capture information flow security specifications, which cannot be expressed as trace properties, namely as predicates over single executions. In this work, we reason about how it is possible to move standard abstract interpretation-based static analysis methods, designed for trace properties, towards the verification of hyperproperties. In particular, we focus on the verification of bounded subset-closed hyperproperties which are easier to verify than generic hyperproperties. It turns out that a lot of interesting specifications (e.g., Non-Interference) lie in this category.



We thank Roberto Giacobazzi and Francesco Ranzato for sharing with us their preliminary work on analyzing analyses [20], which has many connections with the present work and may create interesting future collaborations. Finally, we would like to thank the anonymous reviewers for the useful suggestions and comments, helping us in improving the presentation of our work.


  1. 1.
    Agrawal, S., Bonakdarpour, B.: Runtime verification of k-safety hyperproperties in HyperLTL. In: IEEE 29th Computer Security Foundations Symposium, pp. 239–252 (2016)Google Scholar
  2. 2.
    Alpern, B., Schneider, F.B.: Defining liveness. Inf. Process. Lett. 21(4), 181–185 (1985)MathSciNetCrossRefGoogle Scholar
  3. 3.
    Antonopoulos, T., Gazzillo, P., Hicks, M., Koskinen, E., Terauchi, T., Wei, S.: Decomposition instead of self-composition for proving the absence of timing channels. In: Proceedings of PLDI, pp. 362–375 (2017)Google Scholar
  4. 4.
    Assaf, M., Naumann, D.A., Signoles, J., Totel, E., Tronel, F.: Hypercollecting semantics and its application to static analysis of information flow. In: Proceedings of POPL, pp. 874–887 (2017)Google Scholar
  5. 5.
    Banerjee, A., Giacobazzi, R., Mastroeni, I.: What you lose is what you leak: Information leakage in declassification policies. ENTCS 173, 47–66 (2007)zbMATHGoogle Scholar
  6. 6.
    Barthe, G., D’Argenio, P.R., Rezk, T.: Secure information flow by self-composition. In: Proceedings of 17th IEEE Computer Security Foundations Workshop, pp. 100–114 (2004)Google Scholar
  7. 7.
    Buro, S., Mastroeni, I.: Abstract code injection - A semantic approach based on abstract non-interference. In: Dillig, I., Palsberg, J. (eds.) VMCAI 2018. LNCS, vol. 10747, pp. 116–137. Springer, Cham (2018). Scholar
  8. 8.
    Clarkson, M.R., Finkbeiner, B., Koleini, M., Micinski, K.K., Rabe, M.N., Sánchez, C.: Temporal logics for hyperproperties. In: Proceedings of POST (2014)Google Scholar
  9. 9.
    Clarkson, M.R., Schneider, F.B.: Hyperproperties. J. Comput. Secur. 18(6), 1157–1210 (2010)CrossRefGoogle Scholar
  10. 10.
    Cohen, E.: Information transmission in computational systems. SIGOPS Oper. Syst. Rev. 11(5), 133–139 (1977)CrossRefGoogle Scholar
  11. 11.
    Cousot, P.: Constructive design of a hierarchy of semantics of a transition system by abstract interpretation. Theor. Comput. Sci. 277(1–2), 47–103 (2002)MathSciNetCrossRefGoogle Scholar
  12. 12.
    Cousot, P., Cousot, R.: Abstract interpretation: a unified lattice model for static analysis of programs by construction or approximation of fixpoints. In: Proceedings of POPL, pp. 238–252 (1977)Google Scholar
  13. 13.
    Cousot, P., Cousot, R.: Systematic design of program analysis frameworks. In: Proceedings of POPL, pp. 269–282 (1979)Google Scholar
  14. 14.
    Cousot, P., Cousot, R.: Higher-order abstract interpretation (and application to comportment analysis generalizing strictness, termination, projection and PER analysis of functional languages). In: Proceedings of ICCL, pp. 95–112 (1994)Google Scholar
  15. 15.
    Finkbeiner, B., Rabe, M.N., Sánchez, C.: Algorithms for model checking HyperLTL and HyperCTL\(^*\). In: Kroening, D., Păsăreanu, C.S. (eds.) CAV 2015. LNCS, vol. 9206, pp. 30–48. Springer, Cham (2015). Scholar
  16. 16.
    Giacobazzi, R., Logozzo, F., Ranzato, F.: Analyzing program analyses. In: Proceedings of POPL, pp. 261–273 (2015)Google Scholar
  17. 17.
    Giacobazzi, R., Mastroeni, I.: Transforming semantics by abstract interpretation. Theor. Comput. Sci. 337(1–3), 1–50 (2005)MathSciNetCrossRefGoogle Scholar
  18. 18.
    Giacobazzi, R., Mastroeni, I.: Abstract non-interference: parameterizing non-interference by abstract interpretation. In: Proceedings of POPL, pp. 186–197 (2004)Google Scholar
  19. 19.
    Giacobazzi, R., Mastroeni, I.: Abstract non-interference: a unifying framework for weakening information-flow. ACM Trans. Priv. Secur 21(2), 9:1–9:31 (2018)CrossRefGoogle Scholar
  20. 20.
    Giacobazzi, R., Ranzato, F.: Personal communication (2017)Google Scholar
  21. 21.
    Goguen, J.A., Meseguer, J.: Security policies and security models. In: IEEE Symposium on Security and Privacy, pp. 11–20 (1982)Google Scholar
  22. 22.
    Hunt, S., Mastroeni, I.: The PER model of abstract non-interference. In: Proceedings of 12th International Symposium on Static Analysis, pp. 171–185 (2005)Google Scholar
  23. 23.
    Mastroeni, I., Banerjee, A.: Modelling declassification policies using abstract domain completeness. MSCS 21(6), 1253–1299 (2011)MathSciNetzbMATHGoogle Scholar
  24. 24.
    Mastroeni, I., Nikolić, Đ.: Abstract program slicing: from theory towards an implementation. In: Dong, J.S., Zhu, H. (eds.) ICFEM 2010. LNCS, vol. 6447, pp. 452–467. Springer, Heidelberg (2010). Scholar
  25. 25.
    Mastroeni, I., Pasqua, M.: Hyperhierarchy of semantics - A formal framework for hyperproperties verification. In: Ranzato, F. (ed.) SAS 2017. LNCS, vol. 10422, pp. 232–252. Springer, Cham (2017). Scholar
  26. 26.
    Mastroeni, I., Zanardini, D.: Abstract program slicing: An abstract interpretation-based approach to program slicing. ACM TOCL 18(1), 7:1–7:58 (2017)MathSciNetCrossRefGoogle Scholar
  27. 27.
    Naumann, D.A.: From coupling relations to mated invariants for checking information flow. In: Proceedings of ESORICS, pp. 279–296 (2006)Google Scholar
  28. 28.
    Pasqua, M., Mastroeni, I.: On topologies for (hyper)properties. In: Proceedings of ICTCS, pp. 1–12 (2017).
  29. 29.
    Ranzato, F., Tapparo, F.: Strong preservation as completeness in abstract interpretation. In: Schmidt, D. (ed.) ESOP 2004. LNCS, vol. 2986, pp. 18–32. Springer, Heidelberg (2004). Scholar
  30. 30.
    Sousa, M., Dillig, I.: Cartesian hoare logic for verifying k-safety properties. In: Proceedings of PLDI, pp. 57–69 (2016)Google Scholar
  31. 31.
    Terauchi, T., Aiken, A.: Secure information flow as a safety problem. In: Hankin, C., Siveroni, I. (eds.) SAS 2005. LNCS, vol. 3672, pp. 352–367. Springer, Heidelberg (2005). Scholar
  32. 32.
    Urban, C., Müller, P.: An abstract interpretation framework for input data usage. In: ESOP, pp. 683–710 (2018)Google Scholar

Copyright information

© Springer Nature Switzerland AG 2018

Authors and Affiliations

  1. 1.Dipartimento di InformaticaUniversity of VeronaVeronaItaly

Personalised recommendations