The Complexity of Monitoring Hyperproperties
TThe Complexity of Monitoring Hyperproperties
Borzoo Bonakdarpour
Department of Computer ScienceIowa State University, USAEmail: [email protected]
Bernd Finkbeiner
Reactive Systems GroupSaarland University, GermanyEmail: fi[email protected]
Abstract —We study the runtime verification of hyperproper-ties, expressed in the temporal logic HyperLTL, as a means toinspect a system with respect to security polices. Runtime moni-tors for hyperproperties analyze trace logs that are organized bycommon prefixes in the form of a tree-shaped Kripke structure,or are organized both by common prefixes and by commonsuffixes in the form of an acyclic Kripke structure. Unlike runtimeverification techniques for trace properties, where the monitortracks the state of the specification but usually does not needto store traces, a monitor for hyperproperties repeatedly modelchecks the growing Kripke structure. This calls for a rigorouscomplexity analysis of the model checking problem over tree-shaped and acyclic Kripke structures.We show that for trees , the complexity in the size of theKripke structure is
L-complete independently of the numberof quantifier alternations in the HyperLTL formula. For acyclic
Kripke structures, the complexity is
PSPACE-complete (in thelevel of the polynomial hierarchy that corresponds to the numberof quantifier alternations). The combined complexity in the size ofthe Kripke structure and the length of the HyperLTL formula is
PSPACE-complete for both trees and acyclic Kripke structures,and is as low as NC for the relevant case of trees and alternation-free HyperLTL formulas. Thus, the size and shape of both theKripke structure and the formula have significant impact on thecomplexity of the model checking problem. I. I
NTRODUCTION
Most security properties related to confidentiality and infor-mation flow cannot be formulated as trace properties becausethey relate multiple computations. For example, observationaldeterminism [1] is satisfied if on every pair of computationtraces where the observable inputs are the same, also theobservable outputs are the same. This class of secure infor-mation flow policies has been characterized in a set-theoreticframework called hyperproperties [2]. Hyperproperties can beexpressed in the temporal logic HyperLTL [3], which extendsthe linear-time temporal logic (LTL) [4] with trace quantifiersand trace variables. Suppose, for example, that the observableinput to a system is the atomic proposition i and the output isthe atomic proposition o . Observational determinism can thenbe expressed as the HyperLTL formula ϕ obs = ∀ π. ∀ π (cid:48) . ( i π ⇔ i π (cid:48) ) ⇒ ( o π ⇔ o π (cid:48) ) , where is the usual “globally” operator of temporal logic: iftwo traces π and π (cid:48) agree globally on i , then they must alsoglobally agree on o . Runtime verification is a technique that inspects the healthof a system by evaluating execution traces collected at runtime. Existing runtime verification techniques (e.g., [5]–[8]) { a } { a }{ b }{ c }{ a } { c }{ b } { c }{ a } { a }{ b } { b }{ a } { a } (a) Set of lineartraces. { a } { a }{ b }{ c }{ a } { c }{ b } { c }{ a } { a } (b) Equivalenttree-shaped Kripkestructure. { a } { a }{ b } { b }{ c }{ a } (c) Equivalentacyclic Kripkestructure. Fig. 1: A trace log example and its assembly into space-efficient tree-shaped and acyclic Kripke structures.evaluate a linear finite trace t against a formula ϕ expressedin a trace-based language such as LTL or regular expressions.Monitors for trace-based languages typically do not need torecord traces that are already evaluated. By contrast, a monitorfor hyperproperties must store a set T of traces seen so farand repeatedly check this growing set against the specification(cf. [9]–[11]). For example, to monitor observational determin-ism ϕ obs , the monitor has to examine every existing pair oftraces at all times and, hence, has to keep the pairs that arealready evaluated in a trace log. These trace logs may be inthe form of a simple linear collection of the traces seen sofar or, for space efficiency, organized by common prefixes andassembled into a tree-shaped Kripke structure or by commonprefixes as well as suffixes assembled into an acyclic
Kripkestructure (see Fig. 1). Moreover, as a runtime monitor forhyperproperties observes the execution traces while new traces(say T (cid:48) ) are produced by the running system over time, themonitor has to evaluate ϕ with respect to T ∪ T (cid:48) due tointer-trace assertions in ϕ . Over time, the size of the Kripkestructure that represents T ∪ T (cid:48) may grow and its shape maychange. Thus, a fundamental research question is to study thecomplexity of the model checking problem for HyperLTL asthe trace log grows over time. For LTL, the complexity ofthe model checking problem for restricted Kripke structuresis known [12]. In particular, the model checking problemis PSPACE-hard (in the size of the formula) only if thereexists a strongly connected component with two distinct cycles.For acyclic Kripke structures, the model checking problemis in coNP . If, additionally, the verification problem can be a r X i v : . [ c s . L O ] J a n ecomposed into a polynomial number of finite path checkingproblems, for example, if the Kripke structure is a tree ora directed graph with constant depth, then the complexityreduces further to NC . Prior to our work, the complexity ofthe model checking problem for hyperproperties over restrictedKripke structures was an open question. A. Contributions
With this motivation, we study, in this paper, the impactof structural constraints on the complexity of the modelchecking problem for HyperLTL. As mentioned earlier, we areinterested in Kripke structures that are tree-shaped or acyclicas two appropriate shapes to store execution trace logs. Withrespect to the HyperLTL formula, we are interested in theimpact of the quantifier structure. Tables I and II summa-rize our new complexity results, contrasted with the knownresults for general Kripke structures [3], [13], [14], relatedto the equivalent model checking problem. Table I shows thecomplexity of the model checking problem in terms of thesize of the Kripke structure alone. This system complexity isoften the most relevant complexity in practice, because thesystem tends to be much larger than the specification. Thisis in particular true in runtime verification, where the Kripkestructure that records the traces seen so far grows over time,while the temporal formula remains the same. Table II showsthe combined complexity in the full input, consisting of boththe Kripke structure and the HyperLTL formula. Our resultsshow that the shape of the Kripke structure plays a crucial rolein the complexity of the model checking problem: • Trees.
For trees, the complexity in the size ofthe Kripke structure is
L-complete independently ofthe number of quantifier alternations. The combinedcomplexity in the size of the Kripke structure andthe length of the HyperLTL formula is
PSPACE-complete (in the level of the polynomial hierarchy thatcorresponds to the number of quantifier alternations)and is as low as NC for alternation-free fragment aswell formulas of the form ∃∀ and ∀∃ . • Acyclic graphs.
For acyclic Kripke structures, thecomplexity is
NL-complete for the alternation-freefragment and is
PSPACE-complete for alternating for-mulas (in the level of the polynomial hierarchy thatcorresponds to the number of quantifier alternations).The combined complexity in the size of the Kripkestructure and the length of the HyperLTL formula isalso
PSPACE-complete in the level of the polynomialhierarchy that corresponds to the number of quantifieralternations.
B. Significance of Contributions
The significance of our results is multifold: • Our results are in sharp contrast to the undecidabilityresult of [15] and the non-elementary complexityof [3], which has commonly been interpreted as sug-gesting that only the alternation-free fragment is worthconsidering in practical settings. Our results show thatthere is a lot that can be done for hyperproperties withalternations without exceeding
PSPACE . • An important observation from Tables I and II isthe impact of the shape of the Kripke structure andtype of formula on the complexity. For example, theHyperLTL formula for Goguen and Meseguer’s non-interference policy [16] is alternation-free for deter-ministic systems, while the same policy in a non-deterministic setting is of the form ∀∀∃ .ψ , hence, onealternation. This changes the complexity from NL-complete to coNP-complete in acyclic graphs, whileit remains L-complete for trees. This shows that thereare trade offs, both in the choice of the shape of thetrace logs and in the formula that represents the policy,with signficant practical implications. We will presenta more detailed motivating example on these trade offsin Section III. • As discussed in [10], [11], monitoring hyperpropertiesmay depend on the entire set of traces seen so far.This implies that a dependency on the total length andnumber of the traces is unavoidable. Having said that,our
L-completeness result for monitoring trees showsthat the dependency in the total length is actually onlylogarithmic. Also, if the complexity is measured in thelength of the traces and the formula, our
PSPACE-completeness result shows that monitoring can beaccomplished with a linear number of instances of theincremental traces. • Our results are also of interest in the context of classicmodel checking. In the restricted Kripke structures,leaves in trees and acyclic graphs are defined to haveself-loops, which encode infinite traces. Our resultsthus have two applications: (1) classic model checkingof restricted Kripke structures with infinite traces, and(2) runtime verification of a collected or evolvingset of finite traces. Tree-shape and acyclic Kripkestructures often occur as the natural representationof the state space of some protocols. For example,certain security protocols, such as authentication andsession-based protocols (e.g., TLS, SSL, SIP) gothrough a finite sequence of phases , resulting in anacyclic Kripke structure. The advantage of modelchecking restricted structures is particularly strongfor HyperLTL formulas with many quantifier alterna-tions: while the model checking problem over generalKripke structures cannot be solved by any elementaryrecursive function [3], [13], [14], the model checkingproblem for trees and acyclic graphs is in
PSPACE .The complexity in the size of a tree-shaped Kripkestructure is even just
L-complete .In a nutshell, we believe that the results in this paper providethe fundamental understanding of the runtime verificationproblem for secure information flow and pave the way for fur-ther research on efficient and scalable monitoring techniques.
Organization:
The remainder of this paper is organizedas follows. In Section II, we review Kripke structures andHyperLTL. We present a detailed motivating example in Sec-tion III. Section IV presents our results on the complexityof HyperLTL model checking in the size of the Kripkestructure. Section V presents the results on the complexity inthe combined input consisting of both the Kripke structure and2 his paper
Tree Acyclic General ∀ + / ∃ + (Theorem 1) NL-complete (Theorem 2)
NL-complete [13] ∃ + ∀ + / ∀ + ∃ + L-complete NP/coNP-complete ( T h e o r e m ) PSPACE-complete [3] ( ∀ ∗ ∃ ∗ ) ∗ Π pk -complete ( k − -EXPSPACE-complete [14] Σ pk -completePSPACE-complete (Corollary 1) NONELEMENTARY [3]
TABLE I: Complexity of the HyperLTL model checking problem in the size of the Kripke structure, where k is the number ofquantifier alternations in ( ∀ ∗ ∃ ∗ ) ∗ . This paper
Tree Acyclic General ∃ k / ∀ k NC (Theorem 4) NP/coNP-complete ( T h e o r e m ) PSPACE-complete [13] ∃ + / ∀ + NP/coNP-complete (Theorem 6) ∃∀ / ∀∃ NC (Theorem 5) Σ p2 / Π p2 -complete EXPSPACE-complete [3] ( ∀ ∗ ∃ ∗ ) ∗ Π pk +1 -complete ( T h e o r e m s , ) k -EXPSPACE-complete [3] Σ pk +1 -completePSPACE-complete (Corollaries 2,3) NONELEMENTARY [3]
TABLE II: Complexity of the HyperLTL model checking problem in the combined input, consisting of the Kripke structure andthe HyperLTL formula, where k is the number of quantifier alternations in ( ∀ ∗ ∃ ∗ ) ∗ .the HyperLTL formula. We discuss related work in Section VI.Finally, we make concluding remarks in Section VII.II. P RELIMINARIES
We begin with a quick review of Kripke structures andHyperLTL.
A. Kripke Structures
Let AP be a finite set of atomic propositions and Σ = 2 AP be the alphabet . A letter is an element of Σ . A trace t overalphabet Σ is an infinite sequence of letters in Σ ω : t = t (0) t (1) t (2) · · · . Definition 1: A Kripke structure is a tuple K = (cid:104) S, s init , δ, L (cid:105) , where • S is a finite set of states; • s init ∈ S is the initial state; • δ ⊆ S × S is a transition relation, and • L : S → Σ is a labeling function on the states of K .We require that for each s ∈ S , there exists s (cid:48) ∈ S , such that ( s, s (cid:48) ) ∈ δ .For example, in Fig. 2, we have that L ( s init ) = { a } , L ( s ) = { b } , etc. The size of the Kripke structure isthe number of its states. The directed graph F = (cid:104) S, δ (cid:105) iscalled the
Kripke frame of the Kripke structure K . A loop in F is a finite sequence s s · · · s n , such that ( s i , s i +1 ) ∈ δ ,for all ≤ i < n , and ( s n , s ) ∈ δ . We call a Kripke frame acyclic , if the only loops are self-loops on terminal states, i.e.,on states that have no other outgoing transition. See Fig. 2 foran example. Since Definition 1 does not allow terminal states,3 a } s init { a } s { b } s { b } s Fig. 2: Example of an acyclic Kripke structure (with self-loopsat otherwise terminal states).we only consider acyclic Kripke structures with such addedself-loops.We call a Kripke frame tree-shaped , or, in short, a tree , ifevery state s has a unique state s (cid:48) with ( s (cid:48) , s ) ∈ δ , except forthe root node, which has no predecessor, and the leaf nodes,which, again because of Definition 1, additionally have a self-loop but no other outgoing transitions.A path of a Kripke structure is an infinite sequence of states s (0) s (1) · · · ∈ S ω , such that: • s (0) = s init , and • ( s ( i ) , s ( i + 1)) ∈ δ , for all i ≥ .A trace of a Kripke structure is a trace t (0) t (1) t (2) · · · ∈ Σ ω such that there exists a path s (0) s (1) · · · ∈ S ω with t ( i ) = L ( s ( i )) for all i ≥ . We denote by Traces ( K , s ) the set of alltraces of K with paths that start in state s ∈ S .In the context of monitoring, we assume that traces of asystem under inspection are given as a tree-shaped or acyclicKripke structure. These type of Kripke frames are obviouslymore space efficient than a set of linear traces, because treesallow us to organize the traces according to common prefixesand acyclic graphs according to both common prefixes andcommon suffixes. B. HyperLTL
HyperLTL [3] is a temporal logic for expressing hyperprop-erties. A hyperproperty [2] is a set of sets of execution traces.HyperLTL generalizes LTL by allowing explicit quantificationover multiple execution traces simultaneously. The set ofHyperLTL formulas is defined inductively by the followinggrammar: ϕ ::= ∃ π.ϕ | ∀ π.ϕ | φφ ::= true | a π | ¬ φ | φ ∨ φ | φ U φ | φ where a ∈ AP is an atomic proposition and π is a tracevariable from an infinite supply of variables V . The Booleanconnectives ¬ and ∨ have the usual meaning, U is thetemporal until operator and is the temporal next operator.We also consider the usual derived Boolean connectives, suchas ∧ , ⇒ , and ⇔ , and the derived temporal operators eventually ϕ ≡ true U ϕ , globally ϕ ≡ ¬ ¬ ϕ , and weak until : ϕ W ψ ≡ ( ϕ U ψ ) ∨ ϕ . The quantified formulas ∃ π and ∀ π are read as ‘along some trace π ’ and ‘along all traces π ’,respectively. A sentence is a closed formula, i.e., the formulathat has no free trace variables. A formula with only universalor only existential quantifiers is called alternation-free . Suchformulas have alternation depth
0. The alternation depth offormulas with both existential and universal quantifiers is thenumber of alternations from existential to universal quantifiersand from universal to existential quantifiers.The semantics of HyperLTL is defined with respect toa trace assignment, a partial mapping
Π :
V → Σ ω . Theassignment with empty domain is denoted by Π ∅ . Given a traceassignment Π , a trace variable π , and a trace t , we denote by Π[ π → t ] the assignment that coincides with Π everywherebut at π , which is mapped to t . Furthermore, Π[ j, ∞ ] denotesthe assignment mapping each trace π in Π ’s domain to Π( π )( j )Π( π )( j + 1)Π( π )( j + 2) · · · . The satisfaction of a HyperLTL formula ϕ over a traceassignment Π and a set T of traces, denoted by T, Π | = ϕ ,is defined as follows: T, Π | = a π iff a ∈ Π( π )(0) ,T, Π | = ¬ φ iff T, Π (cid:54)| = φ,T, Π | = φ ∨ φ iff T, Π | = φ or T, Π | = φ ,T, Π | = φ iff T, Π[1 , ∞ ] | = φ,T, Π | = φ U φ iff ∃ i ≥ T, Π[ i, ∞ ] | = φ ∧∀ j ∈ [0 , i ) : T, Π[ j, ∞ ] | = φ ,T, Π | = ∃ π. ϕ iff ∃ t ∈ T : T, Π[ π → t ] | = ϕ,T, Π | = ∀ π. ϕ iff ∀ t ∈ T : T, Π[ π → t ] | = ϕ. We say that a set T of traces satisfies a sentence ϕ ,denoted by T | = ϕ , if T, Π ∅ | = ϕ . A Kripke structure K = (cid:104) S, s init , δ, L (cid:105) satisfies a HyperLTL formula ϕ , denotedby K | = ϕ , iff Traces ( K , s init ) | = ϕ . Example.
Consider the HyperLTL formula ϕ = ∀ π . ∀ π . a π U b π and the Kripke structure in Fig. 2. The Kripke structuredoes not satisfy ϕ . For example, the trace assignment Π that assigns to π the trace { a }{ b } ω and to π the trace { a }{ a }{ b } ω does not satisfy a π U b π .4tandard linear-time temporal logic (LTL) is the fragmentof HyperLTL with a single quantifier. Typically, the quantifieris universal and is left implicit, i.e., the LTL formula ϕ = ∀ π. ψ is written as ψ with the index π omitted from all atomicpropositions. We say that a trace t satisfies an LTL formula ϕ ,denoted by t | = ϕ , if { t } | = ϕ .We note that although our focus in this paper is onruntime verification (hence, a finite number of finite traces),for simplicity and without loss of generality, we use the infinitesemantics of HyperLTL. To this end, we assume that theleaves of Kripke frames have self-loops that corresponds tothe “stuttering” semantics of finite-trace temporal logics.III. M OTIVATING E XAMPLE
A. EDAS Conference Manager Bug
We demonstrate the importance of the problem underinvestigation in this paper with a real-life information leakencountered by the first author while using the EDAS Con-ference Management System . Fig. 3 shows an anonymizedscreenshot of the EDAS web interface [9]. The color-codedtable displays the status of submitted papers by the user:accepted (green), rejected (orange), withdrawn (grey), andpending (yellow). Now, consider the well-known Goguen andMeseguer’s non-interference ( GMNI ) security policy [16] for deterministic systems, where a low-privileged user (in thiscase, the author) should not be able to acquire any informationabout the activities (if any) of the high-privileged user (in thiscase, the conference PC chair). The HyperLTL formula for thispolicy in the context of our example is the following: ϕ GMNI = ∀ π. ∀ π (cid:48) . (cid:16) ( dec = λ ) π (cid:48) ∧ ( dec π (cid:54) = dec π (cid:48) ) (cid:17) ⇒ (cid:16) ses π ⇔ ses π (cid:48) (cid:17) where high input variable dec for a submission, rangingover { acc , rej , undec } , contains the internal decision of theconference chair for the submission and low output proposition ses represents whether or not the submission is assigned to asession for presentation. By abuse of notation, we denote thevalue of variable dec in the associated state of trace π by dec π .Finally, λ denotes an arbitrary dummy value for the dec .The web interface exhibits the following blunt violation of GMNI , i.e., the author can learn the internal decision of thechair, while the status of the paper is pending. The first tworows show the status of two papers submitted to a conferenceafter their notification (i.e., values sent on the low-observablechannel): the first paper is accepted while the second isrejected. The last two rows show two other papers submitted toa different conference whose status are pending at the time thescreenshot is taken. Although the authors should not be able toinfer the internal decision making activities (i.e., high inputs)of the conference chair before the notification, this table leaksthese activities as follows. When the chair sets dec = acc , thepaper is supposed to be assigned to a session in the technicalprogram, while a rejected paper (i.e., dec = rej ) does notneed to be assigned to a session. Now, by comparing therows, one can observe that their ‘Session’ column have thesame value (i.e., ‘not yet assigned’). Likewise, the second and the last rows have an empty ‘Session’ column. This simplymeans that the table reveals the internal status of the fourthand last papers as accepted and rejected, respectively, althoughtheir external status are pending. More specifically, in formula ϕ GMNI , if π (cid:48) and π are instantiated by the last two yellowrows, respectively, then purging dec by λ in π (cid:48) will resultin different ses observations, which clearly is a violation ofnon-interference through the four independent executions togenerate the HTML table rows . B. The Need for Runtime Monitoring
The above example illustrates how a security policy caneasily be violated due to a careless implementation, where thevalue of high variable dec flows in the publicly-observablevariable ses , although the chair did not take any inappropriateaction that directly violates the security policy. This exampledemonstrates the need for designing techniques for monitoringthe functional as well as security aspects of systems such as anonline conference manager to inspect their health at run timeor through periodic offline trace log analysis.A key step in deploying any type of verification is identi-fying the specification of the system in terms of a formula.For our conference manager system, we now identify thespecification in a sequence of steps starting from a simpleformula, which is evolved into more complex ones: • If the specification is only concerned with monitoringnon-interference in deterministic executions, then for-mula ϕ GMNI suffices. In this case, according to Table I,the complexity of monitoring a tree-shaped (respec-tively, acyclic) trace log is
L-complete (respectively,
NL-complete ) in the size of the log. • Next, let us imagine, the generation of the HTML re-port is accomplished by a set of concurrent threads. Inthis case, we need to refine ϕ GMNI to obtain a strongernotion of confidentiality known as the GeneralizedNon-interference (
GNI ) [17], which permits nondeter-minism in the behavior, but stipulates that low-securityoutputs may not be altered by the injection of high-security inputs: ϕ GNI = ∀ π. ∀ π (cid:48) . ∃ π (cid:48)(cid:48) . ( dec π = dec π (cid:48)(cid:48) ) ∧ ( ses π (cid:48) ⇔ ses π (cid:48)(cid:48) ) The trace π (cid:48)(cid:48) is an interleaving of the high inputs trace π and the low outputs of the trace π (cid:48) . In this case,according to Table I, the complexity of monitoringa tree-shaped (respectively, acyclic) trace log is L-complete (respectively, coNP-complete ) in the size ofthe log. As can be seen, in case of asyclic trace logs,there is a significant jump in the complexity hierarchyof monitoring. • As mentioned earlier, the EDAS information leak wasdue to an implementation bug, rather than by a mistakeby the chair. For the designer of the conferencemanagement system, this is an important distinction: ◦ Information leaks caused by an incorrect im-plementation should be fixed by eliminatingthe bug in the implementation, and We note that EDAS has fixed this bug after we brought it to their attention. ◦ Information leaks caused by the user could befixed by educating the user or by improvingthe user interface, for example by issuing anexplicit warning, or might not even need fixingif the information leak was intentional.In the next step, we will further refine the specificationto only refer to information leaks that are due to errorsin the implementation, ignoring information leaks thatare caused by the conference chair. For this purpose,we specify that a trace π is OK (from the systemimplementation’s point of view) even if π results ina leak, as long as there exists a trace π , representing adifferent interaction of the chair with the system, thatavoids the leak. In order to prevent trivial alternatives,such as “do nothing”, we only consider alternative userbehaviors that would accomplish the same objectives.Now, suppose that for two traces π and π , the pred-icate obj ( π , π ) indicates that π and π accomplishthe same functional objectives, e.g., obj ( π , π ) = (cid:16) ( dec = acc ) π ⇒ ( dec = acc ) π (cid:17) ∧ (cid:16) ( dec = rej ) π ⇒ ( dec = rej ) π (cid:17) i.e., if π prescribes that a paper is accepted (respec-tively, rejected), then the same decision is made forthe paper in π as well. Then, our refined property is expressed by the following HyperLTL formula: ϕ ref = ∀ π . ∃ π . ∀ π . ∃ π . obj ( π , π ) ∧ ( dec π = dec π ) ∧ ( ses π ⇔ ses π ) The formula (with three quantifier alternations) ex-presses noninterference with the modification thatthe universally quantified trace π is replaced bya existentially quantified trace π that satisfies thesame objectives. According to Table I, the complexityof monitoring the refined property in a tree-shaped(respectively, acyclic) trace log is L-complete (respec-tively, Π p -complete ) in the size of the Kripke structure.If we did not allow non-determinism, which translatesto removing the innermost existential quantifier and,hence, one less alternation in the formula quanti-fiers, the complexities would be L-complete and Π p -complete , respectively.As can be seen in this example, the choice of the shape ofthe Kripke structure and the HyperLTL formula play a crucialrole in the complexity of the model checking problem. Thisobservation motivates rigorously investigating the complexityof RV for tree-shaped and acyclic Kripke structures. Ourfindings, summarized in Tables I and II, are presented in detailin Sections IV and V, respectively.IV. S YSTEM C OMPLEXITY
In this section, we analyze the complexity of the modelchecking problem in the size of the Kripke structure. We use6he following notation to distinguish the different variations ofthe problem:
MC[Fragment, Frame Type] ,where • MC is the model checking problem, i.e., the problem todetermine whether or not K | = ϕ , where K is a Kripkestructure and ϕ is a closed HyperLTL formula; • Fragment is one of the following for ϕ : ◦ AF-HyperLTL refers to the alternation-free frag-ment of HyperLTL (i.e., ∃ + ψ or ∀ + ψ ); ◦ (EA) k -HyperLTL , for k ≥ , denotes the frag-ment with k alternations and a lead existentialquantifier, where k = 0 means an alternation-free formula with only existential quantifiers; ◦ (AE) k -HyperLTL , for k ≥ , denotes the frag-ment with k alternations and a lead universalquantifier, where k = 0 means an alternation-free formula with only universal quantifiers, ◦ HyperLTL is the full logic HyperLTL, and • Frame Type is either tree , acyclic , or general . A. Tree-shaped Graphs
Our first result is that the model checking problem for tree-shaped Kripke structures is
L-complete in the size of the Kripkestructures. This result is particularly interesting, as system tracelogs are very often stored as a set of traces grouped by commonprefixes.
Theorem 1:
MC[HyperLTL, tree] is L-complete in the sizeof the Kripke structure.
Proof:
For the upper bound, we note that the number oftraces in a tree is bounded by the number of states, i.e., thesize of the Kripke structure. The model checking algorithmmaintains for each trace variable a counter on the number oftraces, i.e., a logarithmic number of bits in size of the Kripkestructure. To evaluate the inner LTL subformula, determine,in a backwards fashion, whether a subformula holds for aparticular trace position. We need two counters on the lengthof the trace (corresponding to the variables i and j in thesemantics of Until) for each Until subformula. Since the lengthof the trace is again bounded by the number of states, againa logarithmic number of bits will suffice. (Note that, sincewe are only interested in the complexity in the size of theKripke structure, we consider the number of subformulas tobe constant.)The lower bound follows from the L-hardness ofORD [18]. ORD is the graph-reachability problem for directedline graphs. Graph reachability from s to t can be expressedwith the formula ∃ π. ( s π ∧ t π ) . B. Acyclic Graphs
We now turn to acyclic graphs. Acyclic Kripke structuresare interesting in two contexts: (1) efficient storage of systemtrace logs in runtime verification, grouping the traces accordingto common prefixes and common suffixes, and (2) analyzing certain security protocols, in particular authentication algo-rithms, which often consist of sequences of phases with norepetitions or loops. Such applications result in acyclic Kripkestructures. We develop results for three different fragmentsof HyperLTL: (1) the alternation-free fragment (Theorem 2),the bounded-alternation fragment (Theorem 3), and (3) fullHyperLTL (Corollary 1).
1) Alternation-free Formulas:Theorem 2:
MC[AF-HyperLTL, acyclic] is NL -complete inthe size of the Kripke structure. Proof:
For the upper bound, we consider the case that theHyperLTL formula is existential, i.e., it is of the form ∃ π . . . ∃ π k . ϕ, where ϕ does not contain any trace quantifiers. For the casethat the formula is universal, i.e., it is of the form ∀ π . . . ∀ π k . ϕ, we check the formula ∃ π . . . ∃ π k . ¬ ϕ and report the comple-mented result.We consider the self-composition of the Kripke struc-ture. Let K = (cid:104) S, s init , δ, L (cid:105) be a Kripke structure,and let ∃ π . . . ∃ π k . ϕ be an existential HyperLTL formula.The self-composition of K is the Kripke structure K (cid:48) = (cid:104) S k , s k init , δ (cid:48) , L (cid:48) (cid:105) , where S k = k times (cid:122) (cid:125)(cid:124) (cid:123) S × S × · · · × Ss k init = k times (cid:122) (cid:125)(cid:124) (cid:123) ( s init , s init , . . . , s init ) δ (cid:48) = (cid:110)(cid:0) ( s , . . . , s k ) , ( s (cid:48) , . . . , s (cid:48) k ) (cid:1) | ∀ i ∈ [1 , k ] : ( s i , s (cid:48) i ) ∈ δ (cid:111) L (cid:48) ( s , . . . , s k ) = (cid:110) a i | ∃ i ∈ [1 , k ] : a ∈ L ( s i ) (cid:111) . It is easy to see that the self-composition of an acyclic Kripkestructure is again acyclic.For the HyperLTL formula ∃ π . . . ∃ π k . ϕ , let ϕ (cid:48) be thesame as inner LTL formula ϕ , where every indexed proposition a π i , for some i ∈ [1 , k ] , is replaced by the atomic proposition a i . Now, the Kripke structure K satisfies ∃ π . . . ∃ π k . ϕ , iffthere is a path in the self-composition K (cid:48) , such that thecorresponding trace satisfies ϕ (cid:48) . Since the Kripke structure isacyclic, the length of the traces is bounded by the number ofstates of the Kripke structure. We can, therefore, nondetermin-istically guess the trace that satisfies ϕ (cid:48) , using a counter witha logarithmic number of bits in the number of states of K .The lower bound follows from the NL-hardness of thegraph-reachability problem for ordered graphs [19]. Orderedgraphs are acyclic graphs with a vertex numbering that isa topological sorting of the vertices. As in the proof ofTheorem 1, we express graph reachability from s to t withthe formula ∃ π. ( s π ∧ t π ) .
2) Formulas with Bounded Alternation Depth:
Next, we consider formulas where the number of quantifieralternations is bounded by a constant k . We show that changing7he frame structure from a tree to an acyclic graph results insignificant increase in complexity (see Table I). Theorem 3:
MC[(EA) k -HyperLTL, acyclic] is Σ pk -complete in the size of the Kripke structure. MC[(AE) k -HyperLTL, acyclic] is Π pk -complete in the size of the Kripke structure. Proof:
We show membership in Σ pk and Π pk , respectively,by induction over k . According to Theorem 2, the modelchecking problem for k = 0 , where the formula is alternation-free, is solvable in polynomial time. For k + 1 quantifier alter-nations, suppose that the first quantifier is existential. Since theKripke structure is acyclic, the length of the traces is boundedby the number of states. We can thus nondeterministicallyguess the existentially quantified traces in polynomial timeand then verify the correctness of the guess, by the inductionhypothesis, in Π pk . Hence, the model checking problem for k +1 is in Σ pk + . Likewise, if the first quantifier is universal, we uni-versally guess the universally quantified traces in polynomialtime and verify the correctness of the guess, by the inductionhypothesis, in Σ pk . Hence, the problem of determining K | = ϕ for k + 1 alternations in ϕ is in Π pk + .For the lower bound, we show that the model checkingproblem for HyperLTL formula with k alternations is Σ pk -hard and Π pk -hard , respectively, via a reduction from the quantifiedBoolean formula (QBF) satisfiability problem [20]: Given is a set of Boolean variables, { x , x , . . . , x n } , and a quantified Boolean formula y = Q x . Q x . . . Q n − x n − . Q n x n . ( y ∧ y ∧· · ·∧ y m ) where each Q i ∈ {∀ , ∃} ( i ∈ [1 , n ] ) and each clause y j ( j ∈ [1 , m ] ) is a disjunction of three literals(3CNF). Is y true? If y is restricted to at most k alternations of quantifiers, thenQBF satisfiability is complete for Σ pk + if Q = ∃ , and for Π pk if Q = ∀ . We note that in the given instance of the QBFproblem: • The clauses may have more than three literals, butthree is sufficient of our purpose; • The inner Boolean formula has to be in conjunctivenormal form in order for our reduction to work; • Without loss of generality, the variables in the literalsof the same clause are different (this can be achievedby a simple pre-processing of the formula), and • If the formula has k alternations, then it has k + 1 alternation depths . For example, formula ∀ x . ∃ x . ( x ∨ ¬ x ) has one alternation, but two alternation depths: one for ∀ x and the second for ∃ x . By d ( x i ) , we mean thealternation depth of Boolean variable x i .We now present a mapping from an arbitrary instanceof QBF with k alternations and where Q = ∃ to themodel checking problem of an acyclic Kripke structure anda HyperLTL formula with k quantifier alternations. Then, weshow that the Kripke structure satisfies the HyperLTL formula if and only if the answer to the QBF problem is affirmative.Figures 4 and 5 show an example. Kripke structure K = (cid:104) S, s init , δ, L (cid:105) : • (Atomic propositions AP ) For each alternation depth d ∈ [1 , k + 1] , we include an atomic proposition q d .We furthermore include three atomic propositions: c isused to mark the clauses, p is used to force clauses tobecome true if a Boolean variable appears in a clause,and proposition ¯ p is used to force clauses to becometrue if the negation of a Boolean variable appears ina clause in our reduction. Thus, AP = (cid:8) c, p, ¯ p (cid:9) ∪ (cid:8) q d | d ∈ [1 , k + 1] (cid:9) . • (Set of states S ) We now identify the members of S : ◦ First, we include an initial state s init anda state r . Then, for each clause y j , where j ∈ [1 , m ] , we include a state r j , labeled byproposition c . ◦ For each clause y j , where j ∈ [1 , m ] , weintroduce the following n states: (cid:110) v ji , u ji | i ∈ [1 , n ] (cid:111) . Each state v ji is labeled with propositions q d ( x i ) , and with p if x i is a literal in y j , orwith ¯ p if ¬ x i is a literal in y j . ◦ For each Boolean variable x i , where i ∈ [1 , n ] ,we include three states s i , ¯ s i , and ˆ s i . Each state s i (respectively, ¯ s i ) is labeled by p and q d ( x i ) (respectively, ¯ p and q d ( x i ) ).Thus, S = (cid:8) s init (cid:9) ∪ (cid:8) r j | j ∈ [0 , m ] (cid:9) ∪ (cid:8) v ji , u ji , s i , ¯ s i , ˆ s i | i ∈ [1 , n ] ∧ j ∈ [1 , m ] (cid:9) . • (Transition relation δ ) We now identify the membersof δ : ◦ We include a transition ( s init , r j ) , for each j ∈ [0 , m ] . ◦ We add transitions ( r j , v j ) for each j ∈ [1 , m ] . ◦ For each i ∈ [1 , n ] and j ∈ [1 , m ] , we includetransitions ( v ji , u ji ) . For each i ∈ [1 , n ) and j ∈ [1 , m ] , we include transitions ( u ji , v ji +1 ) . ◦ For each i ∈ [1 , n ] , we include transitions ( s i , ˆ s i ) and (¯ s i , ˆ s i ) . For each i ∈ [1 , n ) , weinclude transitions (ˆ s i , s i +1 ) and (ˆ s i , ¯ s i +1 ) . ◦ We include two transitions ( r , s ) and ( r , ¯ s ) . ◦ Finally, we include self-loops (ˆ s n , ˆ s n ) and ( u jn , u jn ) , for each j ∈ [1 , m ] .Thus, δ = (cid:8) ( s init , r j ) , ( r j , v j ) , ( u jn , u jn ) | j ∈ [0 , m ] (cid:9) ∪ (cid:8) ( r , s ) , ( r , ¯ s ) (cid:9) ∪ (cid:8) ( v ji , u ji ) | i ∈ [1 , n ] ∧ j ∈ [1 , m ] (cid:9) ∪ (cid:8) ( u ji , v ji +1 ) | i ∈ [1 , n ) ∧ j ∈ [1 , m ] (cid:9) ∪ (cid:8) ( s i , ˆ s i ) , (¯ s i , ˆ s i ) | i ∈ [1 , n ] (cid:9) ∪ (cid:8) (ˆ s i , s i +1 ) , (ˆ s i , ¯ s i +1 ) | i ∈ [1 , n ) (cid:9) . } }} y = y =( ¬ x ∨ x ∨ ¬ x ) ( ¬ x ∨ x ∨ ¬ x ) ( x ∨ x ∨ x )( x ∨ ¬ x ∨ x ) u u u u u u u u u u u u { c } { c } { c } { c }{ q , ¯ p } u u u u u u u u ¯ s ¯ s ˆ s ˆ s ˆ s ˆ s ˆ s ¯ s s s s s s ¯ s ¯ s r { q , p }{ q , p } { q , ¯ p }{ q , ¯ p }{ q , p }{ q , p } { q , ¯ p }{ q , ¯ p }{ q , p } { q , ¯ p } s init π d tr a ce s π ′ tr a ce s { q , p } { q , p }{ q , ¯ p }{ q , p } { q }{ q , ¯ p }{ q }{ q } { q } { q , p }{ q , ¯ p }{ q }{ q } { q , p }{ q , p }{ q }{ q }{ q , p } v v v v v v v v v v v v v v v v v v v r y = y = v r r r { q , ¯ p } Fig. 4: Mapping quantified Boolean formula y = ∃ x . ∀ x . ∃ x . ∃ x . ∀ x . ( x ∨ ¬ x ∨ x ) ∧ ( ¬ x ∨ x ∨ ¬ x ) ∧ ( ¬ x ∨ x ∨¬ x ) ∧ ( x ∨ x ∨ x ) to an instance of MC[(EA) k -HyperLTL, acyclic] . HyperLTL formula:
The HyperLTL formula in our mappingis the following: ϕ map = ∃ π k +1 . ∀ π k · · · ∃ π . ∀ π . ∀ π (cid:48) . (cid:32) (cid:86) d ∈{ , ,...,k } ¬ c π d ∧ c π (cid:48) (cid:33) ⇒ (cid:32) (cid:86) d ∈{ , ,...,k +1 } ¬ c π d ∧ (cid:20) (cid:87) d ∈ [1 ,k +1] (cid:16)(cid:0) q dπ d ⇔ q dπ (cid:48) (cid:1) ∧ (cid:0) ( p π (cid:48) ∧ p π d ) ∨ (¯ p π (cid:48) ∧ ¯ p π d ) (cid:1)(cid:17)(cid:21)(cid:33) Note that the formula has k alternations. Intuitively, thisformula expresses the following: for all the (clause) traces thatare universally quantified (i.e., the left side of the implication),there exist (clause) traces, where either p or ¯ p eventuallymatches its counterpart position in any trace π (cid:48) . The matchingpositions identify the assignments of Boolean variables in thecorresponding clauses that make the QBF instance true.We now show that the given quantified Boolean formula T T T TT TTF FFF FT T T x x x x x x x x Fig. 5: Model for the QBF instance in Fig. 4.is true if and only if the Kripke structure obtained by ourmapping satisfies the HyperLTL formula ϕ map .( ⇒ ) Suppose that y is true. Then, there is an instanti-ation of existentially quantified variables for eachvalue of universally quantified variables, such thateach clause y j , where j ∈ [1 , m ] becomes true(see Fig. 5 for an example). We now use these in-stantiations to instantiate each ∃ π x d in HyperLTLformula ϕ map , where d ∈ { , , . . . , k + 1 } asfollows. For each existentially quantified variable x i , where i ∈ [1 , n ] , in depth d ∈ [1 , k + 1] , if x i = true , we instantiate π d with a trace thatincludes state s i . Otherwise, the trace will includestate ¯ s i . We now show that this trace instantiation9valuates formula ϕ map to true. Observe that theleft side of the implication in the formula isbasically distinguishing traces (i.e., clause traces π (cid:48) , where c holds and traces corresponding touniversal variables, where ¬ c is true). Sinceeach y j is true, for any instantiation of universalquantifiers, there is at least one literal in y j that istrue. If this literal is of the form x i , then we have x i = true and trace π d will include s i , whichis labeled by p and q d . Hence, the values of p (respectively, q d ), in both π d and π (cid:48) instantiatedby trace s init r j v j · · · u jn are eventually equal. If the literal in y j is ofthe form ¬ x i , then x i = false and, hence,some trace π d will include ¯ s i . Again, the valuesof ¯ p (respectively, q d ), in both π d and π (cid:48) areeventually equal. Finally, since all clauses are true,all traces π (cid:48) reach a state where the right side ofthe implication becomes true.( ⇐ ) Suppose our mapped Kripke structure satisfies theHyperLTL formula ϕ map . This means that foreach trace π (cid:48) of the form s init r j v j · · · u jn , there exists a state u ji , where the values of q d and either p or ¯ p are eventually equal to theircounterparts in some trace π d . If this trace is exis-tentially quantified and includes s i , then we assign x i = true for the preceding quantifications. If thetrace includes ¯ s i , then x i = false . Observe thatsince in no state p and ¯ p are simultaneously trueand no trace includes both s i and ¯ s i , variable x i will have only one truth value. This way, a modelsimilar to Fig. 5 can be constructed. Similar to theforward direction, it is straightforward to see thatthis valuation makes every clause y j of the QBFinstance true.To establish the hardness for HyperLTL formu-las where the first quantifier is universal, weanalogously map an instance of QBF with k alternations and where Q = ∀ to the modelchecking problem of an acyclic Kripke structureand a HyperLTL formula that also begins with auniversal quantifier. This time, the HyperLTL for-mula has k +1 quantifier alternations, because theinner-most quantifier is universal. We have thusreduced a Π pk + -hard problem to the model check-ing problem for HyperLTL formulas with k + 1 quantifier alternations where the first quantifier isuniversal. Hence, the model checking problem forformulas with k quantifier alternations where thefirst quantifier is universal is Π pk -hard .An important case of Theorem 3 are formulas with a singlequantifier alternation, i.e., k = 1 . This class of formulascontains, for example, generalized noninference [21], whichcan be expressed as a ∀∃ and generalized non-interference [17],which can be expressed as a ∀∀∃ HyperLTL formula [3]. According to the polynomial hierarchy, the model checkingproblem for acyclic graphs is
NP-complete for formulas ofthe form ∃ + ∀ + ψ and coNP-complete for formulas of the form ∀ + ∃ + ψ .It is worth noting that the special case of a single quantifieralternation consisting of a single existential and a singleuniversal quantifier is already NP/coNP-complete for acyclicgraphs, but still in L for trees. The intuitive reason is therepeated-diamonds structure in Fig. 4, which is possible inacyclic graphs, but not in trees. This structure allows us toselect multiple Boolean values with a single trace quantifier.Finally, Theorem 3 implies that the model checking prob-lem for acyclic Kripke structures and HyperLTL formulas withan arbitrary number of quantifiers is in PSPACE . Moreover, itsproof of lower bound shows that the problem is at least as hardas QBF, making it
PSPACE-hard . Corollary 1:
MC[HyperLTL, acyclic] is PSPACE-complete in the size of the Kripke structure.V. C
OMBINED C OMPLEXITY
We now analyze the complexity of the model checkingproblem in the size of the combined input, consisting of boththe Kripke structure and the HyperLTL formula. Again, weseparately focus on trees and acyclic graphs.
A. Trees
For tree-shaped Kripke structures, we first show that modelchecking is efficiently parallelizable for two fragments: (1)the alternation-free fragment (Theorem 4), and (2) formulaswith one alternation consisting of a single universal and asingle existential quantifier (Theorem 5). We denote (2) as (AE/EA)-HyperLTL . As we already noted, this model check-ing problem is particularly interesting because its complexityis significantly different for trees and acyclic graphs. This isagain true for the combined complexity, which is in NC fortrees, but Σ p2 -complete or Π p2 -complete , depending on whetherthe leading quantifier is existential or universal, for acyclicgraphs. Theorem 4:
MC[(A/E) k -HyperLTL, tree] is in NC . Proof:
A decision problem is in NC , if there exists aparallel algorithm that runs in time O (log c n ) with O ( n c (cid:48) ) processors for some constants c and c (cid:48) .To verify an alternation-free formula with k quantifiers, weconsider all combinations of k traces in the Kripke structure.Since k is a constant and the number of traces is bounded bythe number of states of the tree, there is only a polynomialnumber of combinations. The evaluation of an individualcombination corresponds to the evaluation of an LTL formulaover a single trace, which can be done in NC [22]. We evaluateall combinations in parallel.For universal quantifiers, we then compute the conjunctionover these results by evaluating a binary tree of conjunctions.The height of the tree is logarithmic in the number of com-binations. Using a linear number of processors, the evaluationtherefore is done in logarithmic time. Likewise, for existential10uantifiers, we compute the disjunction over the results byevaluating a binary tree of disjunctions. Theorem 5:
MC[(AE/EA)-HyperLTL, tree] is in NC . Proof:
Analogously to the proof of Theorem 4, weconsider all pairs of traces in the Kripke structure. Since thenumber of traces is bounded by the number of states of thetree, the number of pairs is polynomial. The evaluation of anindividual pair corresponds to the evaluation of an LTL formulaover a single trace, which can be done in NC [22]. We evaluateall pairs in parallel. If the formula is of the form ∀∃ , we thenneed to evaluate the conjunction over all first elements of thepair, and the disjunction over all second elements. This canbe done by a binary tree, where the upper part consists ofconjunctions and the lower part consists of disjunctions. Theheight of the tree is logarithmic in the number of pairs. Usinga linear number of processors, the evaluation is therefore donein logarithmic time. Likewise, if the formula is of the form ∃∀ , we compute the disjunction over the results by evaluatinga binary tree, where the upper part consists of disjunctions andthe lower part of conjunctions. Theorem 6:
MC[(EA/AE) k -HyperLTL, tree] is Σ pk + -complete in the combined size of the Kripke structure andthe formula, if the leading quantifier is existential and is Π pk + -complete if the leading quantifier is universal. Proof:
Matching upper bounds are provided in the proofof Theorem 7 in the next subsection for the more generalcase of acyclic graphs. We now show that the model checkingproblem is Σ pk -hard (respectively, Π pk -hard ) via a reduction fromQBF satisfiability, where the leading quantifier is existential(respectively, universal). In contrast to the proof of Theorem 3,we do not assume a specific form of the Boolean formula.Let the quantified Boolean formula consist of Booleanvariables { x , x , . . . , x n } , and a formula with k alternations y = Q x . Q x . . . Q n − x n − . Q n x n . ϕ where each Q i ∈ {∀ , ∃} ( i ∈ [1 , n ] ) and ϕ is an arbitraryBoolean formula over variables { x , . . . , x n } . Satisfiability forQBF formulas of this type is complete for Σ pk + if Q = ∃ ,and for Π pk + if Q = ∀ .We reduce the satisfiability problem for a quantifiedBoolean formula to the model checking problem for a Hy-perLTL formula with the same quantifier structure. • Kripke structure K = (cid:104) S, s init , δ, L (cid:105) . We usethe simple Kripke structure shown in Fig. 6, whichcontains two traces {}{ x } ω and {}{} ω . • HyperLTL formula.
The HyperLTL formula in ourmapping is the following: Q π . Q π . . . Q n − π n − . Q n π n . ϕ (cid:48) (1)where ϕ (cid:48) is constructed from ϕ by replacing everyoccurrence of a variable x i in the Boolean formulawith x π i in the HyperLTL formula.The given formula is true if and only if the Kripke structureobtained by our mapping satisfies HyperLTL formula (1).We translate every assignment to the trace quantifiers to acorresponding assignment of the Boolean variables, and vice s s { x } s init Fig. 6: Kripke structure in the proof of Theorem 6.versa, as follows: Assigning the trace {}{ x } ω to π i means that x i is set to true , and assigning the trace {}{} ω to π i meansthat x i is set to false . Corollary 2:
MC[HyperLTL, tree] is PSPACE-complete . B. Acyclic Kripke Structures
For HyperLTL formulas with bounded quantifier alterna-tion, trees and acyclic graphs have the same model checkingcomplexity (except for the special case of exactly one universaland one existential quantifier). We match the lower bounds fortrees from Theorem 6 with upper bounds for acyclic graphs.
Theorem 7:
MC[(EA/AE)k-HyperLTL, acyclic] is Σ pk + -complete in the combined size of the Kripke structureand the formula, if the leading quantifier is existential and Π pk + -complete if the leading quantifier is universal. Proof:
We show membership in Σ pk + and Π pk + , respec-tively, by induction over k . For the base case, k = 0 , wherethe formula is alternation-free, the model checking problemcan be solved in NP and co-NP , respectively, as follows.If the quantifiers are existential, we can nondeterministicallyguess a combination of the traces and verify the correctnessof the guess in polynomial time, as the length of each trace isbounded by the number of states. Likewise, if the quantifiersare universal, we can universally guess a combination of thetraces and verify the correctness of the guess in polynomialtime.For k + 1 quantifier alternations, suppose that the firstquantifier is existential. Since the Kripke structure is acyclic,the length of the traces is bounded by the number of states. Wecan thus nondeterministically guess the existentially quantifiedtraces in polynomial time and verify the correctness of theguess, by the induction hypothesis, in Π pk + . Hence, the modelchecking problem for k + 1 is in Σ pk + . Likewise, if the firstquantifier is universal, we universally guess the universallyquantified traces in polynomial time and verify the correctnessof the guess, by the induction hypothesis, in Σ pk + . Hence, themodel checking problem for k + 1 is in Π pk + .Together with the lower bounds for trees in Theorem 6, weobtain Σ pk + / Π pk + -completeness for k quantifier alternations. Corollary 3:
MC[HyperLTL, acyclic] is PSPACE-complete .VI. R
ELATED W ORK
Model checking algorithms for HyperLTL were introducedin [13]. The satisfiability problem for HyperLTL was shown11o be decidable for the ∃ ∗ ∀ ∗ fragment [15]. Runtime verifi-cation algorithms for HyperLTL include both automata-basedalgorithms [9], [11] and rewriting-based algorithms [10]. Hy-perLTL is also supported by a growing set of tools, includingthe model checker MCHyper [13], and the decision procedureEAHyper [23], and the runtime monitoring tool RVHyper [24].A study of the impact of structural restrictions on the com-plexity of the model checking problem, similar to this paper,has been carried out for LTL [12]. The LTL model checkingproblem is PSPACE-hard if there exists a strongly connectedcomponent with two distinct cycles in the Kripke structure. Ifno such component exists, then the model checking problemis in coNP . For the special case of finite paths and trees, theLTL model checking problem is in NC , or, more precisely, in AC (logDCFL) [22], [25].VII. C ONCLUSION
We have developed a detailed and fundamental classifi-cation of the complexity of the model checking problem forhyperproperties expressed in HyperLTL over trace logs thatare stored as tree-shaped or acyclic Kripke structures. Thecomplexity analysis is a crucial step for the development ofruntime monitors, because in runtime verification methods forhyperproperties, the traces generated over time by the runningsystem have to be stored into a growing data structure. This is afundamental difference to monitoring techniques for standardtrace properties, where the traces are evaluated individuallyand the monitors are usually memoryless.We showed that for trees, the model checking complexityin the size of the Kripke structure is
L-complete independentlyof the number of quantifier alternations. For acyclic Kripkestructures, the complexity is in
PSPACE (in the level ofthe polynomial hierarchy that corresponds to the number ofquantifier alternations). The combined complexity in the sizeof the Kripke structure and the length of the HyperLTL formulais in
PSPACE for both trees and acyclic Kripke structures, andis as low as NC for the relevant case of trees and alternation-free HyperLTL formulas.These results highlight two crucial design choices formonitoring algorithms: • The substantial differences between the complexitiesreported in Tables I and II, in particular the contrast tothe non-elementary complexity of the model checkingproblem for general graphs, are intriguing. Theseresults suggest that non-exhaustive techniques such asruntime verification, that work on restricted structures,may have a significant complexity advantage overstatic verification. • In the context of runtime verification, our results inTables I and II clearly show the tradeoffs in deployingruntime verification technology in practice. First, notethat for runtime verification, the size of the formulais expected to remain constant and, hence, whatmatters is the size of the Kripke structure. Tables Ishows that the model checking complexity remainsthe same for trees, while it grows significantly foracyclic structures. This justifies careful space vs. timeconsiderations in practical settings. Our study raises many open questions for future work. Animmediate question left unanswered in this paper is the precisecomplexity for trees and alternation-free HyperLTL formulaswithin NC . Next, it would be interesting to determine thecomplexity of the verification problem for further restrictedstructures such as flat graphs, i.e., graphs that have no nestedcycles. Also, there are many extensions of HyperLTL, suchas the branching-time logic HyperCTL ∗ [3] and the first-orderextension FOHLTL [26]. It would be very interesting to see ifthe differences we observed for HyperLTL carry over to thesemuch more expressive logics. And, finally, we are currentlyworking on designing runtime verification techniques that canreuse the result of past verification steps as the size of theKripke structure grows. Acknowledgements:
This work was partially supportedby Canada NSERC Discovery Grant 418396-2012, by NSERCStrategic Grants 430575-2012 and 463324-2014, by the Ger-man Research Foundation (DFG) as part of the CollaborativeResearch Center “Methods and Tools for Understanding andControlling Privacy” (SFB 1223), and by the European Re-search Council (ERC) Grant OSARES (No. 683300).R
EFERENCES[1] S. Zdancewic and A. C. Myers, “Observational determinism for con-current program security,” in
Proceedings of the 16th IEEE ComputerSecurity Foundations Workshop (CSFW) , 2003, p. 29.[2] M. R. Clarkson and F. B. Schneider, “Hyperproperties,”
Journal ofComputer Security , vol. 18, no. 6, pp. 1157–1210, 2010.[3] M. R. Clarkson, B. Finkbeiner, M. Koleini, K. K. Micinski, M. N. Rabe,and C. S´anchez, “Temporal logics for hyperproperties,” in
Proceedingsof the 3rd Conference on Principles of Security and Trust (POST) , 2014,pp. 265–284.[4] A. Pnueli, “The temporal logic of programs,” in
Symposium on Foun-dations of Computer Science (FOCS) , 1977, pp. 46–57.[5] D. Giannakopoulou and K. Havelund, “Automata-Based Verificationof Temporal Properties on Running Programs,” in
Automated SoftwareEngineering (ASE) , 2001, pp. 412–416.[6] M. Kim, I. Lee, U. Sammapun, J. Shin, and O. Sokolsky, “Monitoring,Checking, and Steering of Real-Time Systems,”
Electronic. Notes inTheoretical Computer Science , vol. 70, no. 4, 2002.[7] B. Finkbeiner and L. Kuhtz, “Monitor circuits for LTL with boundedand unbounded future,” in
Runtime Verification , 2009, pp. 60–75.[8] A. Bauer, M. Leucker, and C. Schallhart, “Runtime Verification forLTL and TLTL,”
ACM Transactions on Software Engineering andMethodology (TOSEM) , vol. 20, no. 4, pp. 14:1–14:64, 2011.[9] S. Agrawal and B. Bonakdarpour, “Runtime verification of k -safety hy-perproperties in HyperLTL,” in Proceedings of the IEEE 29th ComputerSecurity Foundations (CSF) , 2016, pp. 239–252.[10] N. Brett, U. Siddique, and B. Bonakdarpour, “Rewriting-based runtimeverification for alternation-free HyperLTL,” in
Proceedings of the 23rdInternational Conference on Tools and Algorithms for the Constructionand Analysis of Systems (TACAS) , 2017, pp. 77–93.[11] B. Finkbeiner, C. Hahn, M. Stenger, and L. Tentrup, “Monitoringhyperproperties,” in
Proceedings of the 17th International Conferenceon Runtime Verification , 2017, pp. 190–207.[12] L. Kuhtz and B. Finkbeiner, “Weak kripke structures and LTL,” in
Proceedings of the 22nd International Conference on ConcurrencyTheory (CONCUR) , 2011, pp. 419–433.[13] B. Finkbeiner, M. N. Rabe, and C. S´anchez, “Algorithms for modelchecking HyperLTL and HyperCTL*,” in
Proceedings of the 27thInternational Conference on Computer Aided Verification (CAV) , 2015,pp. 30–48.[14] M. N. Rabe, “A temporal logic approach to information-flow control,”Ph.D. dissertation, Saarland University, 2016.
15] B. Finkbeiner and C. Hahn, “Deciding hyperproperties,” in
Proceedingsof the 27th International Conference on Concurrency Theory (CON-CUR) , 2016, pp. 13:1–13:14.[16] J. A. Goguen and J. Meseguer, “Security policies and security models,”in
Proceedings of the IEEE Symposium on Security and Privacy (S &P) , 1982, pp. 11–20.[17] D. McCullough, “Noninterference and the composability of securityproperties,” in
Proceedings of the 1988 IEEE Symposium on Securityand Privacy (S & P) , 1988, pp. 177–186.[18] K. Etessami, “Counting quantifiers, successor relations, and logarithmicspace,”
Journal of Compuer and System Sciences , vol. 54, no. 3, pp.400–411, 1997.[19] T. Lengauer and K. Wagner, “The correlation between the complexitiesof the nonhierarchical and hierarchical versions of graph problems,”
Journal of Computer and System Sciences
Computers and Intractability: A Guide tothe Theory of NP-Completeness . New York: W. H. Freeman, 1979.[21] J. McLean, “A general theory of composition for trace sets closed underselective interleaving functions,” in
Proceedings of the IEEE Symposiumon Security and Privacy (S & P) , Apr. 1994, pp. 79–93.[22] L. Kuhtz and B. Finkbeiner, “LTL path checking is efficiently par-allelizable,” in
Proceedings of the 36th International Colloquium onAutomata, Languages and Programming (ICALP 2009) , 2009, pp. 235–246.[23] B. Finkbeiner, C. Hahn, and M. Stenger, “EAHyper: Satisfiability, im-plication, and equivalence checking of hyperproperties,” in
Proceedingsof the 29th International Conference on Computer Aided Verification(CAV) , 2017, pp. 564–570.[24] B. Finkbeiner, C. Hahn, M. Stenger, and L. Tentrup, “RVHyper: Aruntime verification tool for temporal hyperproperties,” in
Tools andAlgorithms for the Construction and Analysis of Systems (TACAS) ,2018, pp. 194–200.[25] L. Kuhtz, “Model checking finite paths and trees,” Ph.D. dissertation,Saarland University, 2010.[26] B. Finkbeiner, C. M¨uller, H. Seidl, and E. Zalinescu, “Verifying SecurityPolicies in Multi-agent Workflows with Loops,” in
Proceedings ofthe 15th ACM Conference on Computer and Communications Security(CCS) , 2017, pp. 633–645., 2017, pp. 633–645.