Monitoring Hyperproperties with Circuits

Abstract

This paper presents an extension of the safety fragment of Hennessy-Milner Logic with recursion over sets of traces, in the spirit of Hyper-LTL. It then introduces a novel monitoring setup that employs circuit-like structures to combine verdicts from regular monitors. The main contribution of this study is the definition of the monitors and their semantics, as well as a monitor-synthesis procedure from formulae in the logic that yields ‘circuit-like monitors’ that are sound and violation complete over a finite set of infinite traces.

The authors were supported by the projects ‘Open Problems in the Equational Logic of Processes’ (OPEL) (grant No 196050–051) and ‘Mode(l)s of Verification and Monitorability’ (MoVeMent) (grant No 217987) of the Icelandic Research Fund, and ‘Runtime and Equational Verification of Concurrent Programs’ (ReVoCoP) (grant No 222021), of the Reykjavik University Research Fund. Luca Aceto’s work was also partially supported by the Italian MIUR PRIN 2017 project FTXR7S IT MATTERS ‘Methods and Tools for Trustworthy Smart Systems’.

A Appendix: Cases for the Proof of Violation Completeness

Here we give some more insight on the remaining cases of the violation completeness proof. First we highlight that the second base case of our proof, for formulae of the form \(\forall _{\pi } \psi \) is completely analogous to the one we give and thus omitted.

We will here give an important lemma necessary for analyzing both remaining cases, and then present the high level details for the case of \(\sqcap \). The intuition of the importance of the lemma is that the monitors \(Syn(\varphi _1)\) and \(Syn(\varphi _2)\) should not have their computation affected from the fact that they are run in parallel over a set of traces T.

Lemma 1

If

• \(s_{M_1} \triangleleft \overrightarrow{m_1}[i] \triangleleft T\rightarrow s_{M_1}'\triangleleft \overrightarrow{m_1}[i]' \triangleleft T'\), and

• \(s_{M_2} \triangleleft \overrightarrow{m_2}[i] \triangleleft T\rightarrow s_{M_2}'\triangleleft \overrightarrow{m_2}[i]' \triangleleft T'\)

then

• \(s_{M_1 \vee M_2} \triangleleft \overrightarrow{m_{12}}[i] \triangleleft T\rightarrow s_{M_1 \wedge M_2}' \triangleleft \overrightarrow{m_{12}}[i]' \triangleleft T'\), and

• \(s_{M_1 \wedge M_2} \triangleleft \overrightarrow{m_{12}}[i] \triangleleft T\rightarrow s_{M_1 \wedge M_2}' \triangleleft \overrightarrow{m_{12}}[i]' \triangleleft T'\),

where \(\overrightarrow{m_{12}} = \overrightarrow{m_{2}} \cup \overrightarrow{m_{2}}\) and \(\overrightarrow{m_{12}}' = \overrightarrow{m_{2}}' \cup \overrightarrow{m_{2}}'\) respectively.

Proof

We note here that a configuration for \(s_{M_1 \vee M_2}\) is identical to one for \(s_{M_1 \wedge M_2}\) except the root variable, as all other variables they both contain are \(s_{M_1}' \cup s_{M_2}'\).

The key aspect of this proof is the third rule of the instrumentation relation. There we can see that in order for a configuration instrumented over a set of regular monitors, instrumented over a set of traces, can only advance its computation, if all monitors instrumented over the same trace progress with their computation synchronously by reading the next trace event.

Thus, form the assumptions of this lemma we get that for all \(j = \{1,\ldots r\}\), where r is the total amount of different regular monitors occurring in \(M_1\) and \(M_2\) the premise of our rule is satisfied and thus the cumulative configuration of variables amounting for the union of variables of the two circuit monitors \(M_1\) and \(M_2\) (including the root variable), can perform the necessary transition to the new state, where all regular monitors (those both from \(M_1\) and \(M_2\)) assigned to trace \(t_i\) have processed the event a, and we are done.    \(\square \)

Having the above lemma streamlines our inductive step for the rest of the cases. Assuming a non-base-case formula in Hyper \(^1\)-sHML we can clearly see that it must be of the form \(\varphi = \varphi _1 \sqcap \varphi _2\) or \(\varphi = \varphi _1 \sqcap \varphi _2\). We only analyze one of the two cases as they are symmetrical. For any set of traces T, such that , from the semantics of Hyper \(^1\)-sHML, we have that and . Since the synthesized monitor for \(\varphi _1 \sqcap \varphi _2\) can reach a configuration where the values of the gates for \(Syn(\varphi _1)\) and \(Syn(\varphi _2)\) are the same as they would be for the individual monitors instrumented over T, and by inductive hypothesis (which guarantees that \(Syn(\varphi _1)\) and \(Syn(\varphi _2)\) are violation-complete) we have necessary conclusion by combining the two negative verdicts of the individual monitors via the semantics.    \(\square \)