Automated Verification of Hyperproperties in Software
A new method for verifying complex program properties to enhance security.
― 6 min read
Table of Contents
- Background on Hyperproperties
- The Challenge of Verifying Hyperproperties
- Introducing the New Method
- How the Algorithm Works
- Implementing the Verification Tool
- Handling Loops in Programs
- The Role of Parametric Assertions
- Experimental Results and Comparison
- Challenges and Future Directions
- Conclusion
- Original Source
Hyperproperties are used to describe multiple runs of a program and are often applied in areas such as security and information control. Most studies have concentrated on Safety Properties, which ensure that certain conditions are met in all runs of a program. This paper investigates the automated verification of more complex properties that go beyond basic safety requirements. Specifically, we look at properties that include both universal and existential aspects over program runs.
We focus on a type of property that states for every run of a program, there is another run that helps satisfy a certain condition. This is crucial for ensuring various security needs, such as preventing information leaks or ensuring that the program behaves consistently under different conditions. We propose a method that uses a constraint-based approach to verify these kinds of properties.
Background on Hyperproperties
Traditionally, properties of programs have been examined independently. Hyperproperties change this by relating multiple runs of a program to each other. They are becoming increasingly significant in fields like security, where understanding how different executions can impact one another is vital.
Imagine a scenario where you have a program that takes both high-security information and low-security information as inputs. If we want to ensure that the system does not leak sensitive information, we might want to prove that the output does not reveal anything about the high-security input, regardless of how the low-security input is modified.
To validate this, we can apply the concept of determinism: if two runs have the same low-security input, the output should also be the same. This is a simple example of a safety property. However, more complex scenarios require us to look at different executions simultaneously, as the interaction of input types can lead to different outcomes.
The Challenge of Verifying Hyperproperties
Many methods have been developed to check safety properties, often involving model checking and abstract interpretation. But verifying hyperproperties is more complicated. The traditional models usually apply a single execution without considering how other runs might affect it. This makes automated verification for hyperproperties more challenging.
For instance, consider a simple program where a random number might be chosen during execution. Although the program behaves consistently across certain runs, it does not leak information about its high-security input. Yet it might fail to meet safety properties because the Nondeterminism can alter its output based on varying inputs.
Introducing the New Method
This paper proposes a new verification algorithm specifically designed for hyperproperties. The method is based on a new Program Logic we call Forall-Exist Hoare Logic (FEHL). Like existing verification methods, it examines one program at a time, but it is tailored to handle the complexities involved in analyzing multiple executions.
Our algorithm is automated and aims to simplify the verification process of hyperproperties. The primary goal is to check that the properties hold across all relevant executions without requiring excessive user input or labor-intensive proof strategies.
How the Algorithm Works
The core of our verification algorithm leverages a sound and complete program logic that examines hyperproperties based on the constraints set forth by the running programs. We focus on how to compute the strongest postcondition, a term that refers to the most specific outcome that can be guaranteed after executing a section of code.
This process begins with the formulation of what we call parametric assertions. Instead of fixing certain values during verification, we treat them as variables that can be substituted later. This allows our method to delay concrete decisions, making it easier to explore various execution paths in the code.
The first step of the algorithm involves setting up a framework that acknowledges the nondeterministic nature of programs. This means that whenever a random or uncertain decision is made during execution, the algorithm treats it symbolically, considering all potential states that could result from that decision.
Implementing the Verification Tool
We have developed a tool based on our algorithm, capable of automatically verifying hyperproperties in code. The tool is built to support a simplified programming language with basic control structures and allows for straightforward program analysis.
To test the effectiveness of our verification method, we conducted several experiments comparing it with existing tools. The results showed that our approach often succeeded in situations where other tools struggled. This indicates that our logic-based method can simplify the verification of complex properties, achieving faster and more effective results.
Handling Loops in Programs
One of the critical challenges in verifying hyperproperties is managing loops correctly. Our verification algorithm includes a specialized rule for loops that allows it to evaluate them even when they are executed in different sequences or counts.
This loop handling is essential as it ensures that we can verify properties for programs that involve repetitive actions. The algorithm checks that all relevant conditions are met at each iteration, thereby ensuring correctness across varying execution paths.
The Role of Parametric Assertions
Parametric assertions are a significant aspect of our method. These allow us to define conditions that can adapt based on different parameter evaluations. By introducing parameters for specific conditions, we can explore a broader range of potential outcomes from the program, increasing the algorithm's robustness.
When examining loops or other complex structures, the algorithm uses these assertions to confirm that all necessary properties are validated. It checks if the loops can produce correct outputs based on their defined parameters and ensures that all variations of execution are accounted for.
Experimental Results and Comparison
The evaluation process involved comparing our tool's performance with several other verification methods. The results consistently indicated that our tool was not only capable of finding valid hyperproperties but often did so in a more efficient manner.
In our tests, we focused on different benchmarks that presented various challenges. The effectiveness of our method can be largely attributed to its ability to streamline the verification process by utilizing established SMT (satisfiability modulo theories) solvers for constraint resolution.
Challenges and Future Directions
Despite the successes we have achieved, there are limitations to our current method, particularly regarding loop alignments and handling more complex relational properties. Addressing these weaknesses will be crucial for enhancing the verification process in future iterations.
Furthermore, we plan to investigate advanced techniques for generating loop invariants to improve verification accuracy. By refining these techniques, we hope to increase the range of properties that can be effectively verified using our method.
Conclusion
We have developed a novel approach to automate the verification of hyperproperties in software programs. By introducing Forall-Exist Hoare Logic and leveraging parametric assertions, our method provides a more effective way to handle complex security and information-flow challenges. The early results indicate that our tool can perform on par with or better than existing solutions, with the potential for further improvements in future research.
We believe that our work opens new avenues for both practical verification applications and theoretical explorations in the realm of hyperproperties. The progress we have made in making automated verification more accessible marks an important step in developing secure and reliable software systems.
Title: Automated Software Verification of Hyperliveness
Abstract: Hyperproperties relate multiple executions of a program and are commonly used to specify security and information-flow policies. Most existing work has focused on the verification of $k$-safety properties, i.e., properties that state that all $k$-tuples of execution traces satisfy a given property. In this paper, we study the automated verification of richer properties that combine universal and existential quantification over executions. Concretely, we consider $\forall^k\exists^l$ properties, which state that for all $k$ executions, there exist $l$ executions that, together, satisfy a property. This captures important non-$k$-safety requirements, including hyperliveness properties such as generalized non-interference, opacity, refinement, and robustness. We design an automated constraint-based algorithm for the verification of $\forall^k\exists^l$ properties. Our algorithm leverages a sound-and-complete program logic and a (parameterized) strongest postcondition computation. We implement our algorithm in a tool called ForEx and report on encouraging experimental results.
Authors: Raven Beutner
Last Update: 2024-03-05 00:00:00
Language: English
Source URL: https://arxiv.org/abs/2403.03323
Source PDF: https://arxiv.org/pdf/2403.03323
Licence: https://creativecommons.org/licenses/by/4.0/
Changes: This summary was created with assistance from AI and may have inaccuracies. For accurate information, please refer to the original source documents linked here.
Thank you to arxiv for use of its open access interoperability.