Algorithms for Model Checking HyperLTL and HyperCTL\(^*\)

  • Bernd Finkbeiner
  • Markus N. Rabe
  • César Sánchez
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 9206)


We present an automata-based algorithm for checking finite state systems for hyperproperties specified in HyperLTL and HyperCTL\(^*\). For the alternation-free fragments of HyperLTL and HyperCTL\(^*\) the automaton construction allows us to leverage existing model checking technology. Along several case studies, we demonstrate that the approach enables the verification of real hardware designs for properties that could not be checked before. We study information flow properties of an I2C bus master, the symmetric access to a shared resource in a mutual exclusion protocol, and the functional correctness of encoders and decoders for error resistant codes.

1 Introduction

HyperLTL and HyperCTL\(^*\) are recent extensions to LTL and CTL\(^*\) with the ability to express a wide range of hyperproperties [14]. Hyperproperties generalize trace properties and include properties from information-flow security such as noninterference [15]. Even though the complexity of model checking HyperLTL and HyperCTL\(^*\) has been determined, no efficient algorithms are known so far. In this paper, we thus study the automatic verification of finite state systems for hyperproperties specified in HyperLTL and HyperCTL\(^*\).

HyperLTL and HyperCTL\(^*\) allow us to specify relations over executions of the same system [14]. They introduce path quantifiers so computation paths can be referred to in the atomic propositions. For example, the following HyperLTL formula expresses noninterference [22] between input h and output o by requiring that all computation paths \(\pi \) and \(\pi '\) that only differ in h, have the same output o at all times:
Quantifiers in CTL\(^*\), in contrast, are of the form \(\mathsf {A}\varphi \) and \(\mathsf {E}\varphi \) where the subformula \(\varphi \) can only (implicitly) refer to a single path—the path introduced by \(\mathsf {A}\) and \(\mathsf {E}\) respectively. Hence, CTL\(^*\) cannot express noninterference [1, 20].

Noninterference between i and o implies that o contains no information about i, and is therefore an important building block for properties in security [22]. By embedding noninterference in a temporal context, HyperLTL and HyperCTL\(^*\) allow us to express a wide range of properties from information-flow security, including variants of declassification and quantitative information flow [3, 5, 16, 41]. The use cases of HyperLTL and HyperCTL\(^*\), however, extend far beyond security, as we demonstrate in this paper.

The main result of this paper is an automata-theoretic algorithm for the model checking problem of HyperLTL and HyperCTL\(^*\). The automata approach to model checking LTL properties [46] reduces the verification problem to automata operations and decision problems, like automata product and check for emptiness. Typically, the LTL specification is translated into a Büchi word automaton that captures all violations of the specification. The product of the system with this automaton reveals the system’s traces that violate the specification. We extend the approach based on Büchi word automata with the ability to quantify over new executions along the run, and thereby obtain an algorithm for HyperCTL\(^*\) (Sect. 3). The construction for a quantifier \(\exists \pi .~\varphi \) corresponds to a product of the system and the automaton for the subformula \(\varphi \). As in the classical approach, a final check of emptiness of the language of the automaton provides the answer to the model checking problem. The construction of the automaton involves the expensive nondeterminization of alternating automata [36] to handle quantifier alternations. For the rich class of alternation-free formulas, however, the algorithm is shown to be in NLOGSPACE in the size of the system. In Sect. 4 we use the alternating automaton construction to derive an approach to leverage existing model checking technology for model checking circuits for the alternation-free fragment of HyperCTL\(^*\).

We demonstrate the flexibility and the effectiveness of the proposed approach for the alternation-free fragment of HyperCTL\(^*\) along three case studies (Sect. 5). The first case study concerns the information flow analysis of an I2C bus master. The second case study concerns the analysis of the symmetries in a mutual exclusion protocol. The typical fair-access properties against which mutual exclusion protocols are usually analyzed, such as accessibility and bounded overtaking [30], can be seen as abstractions of what is really expected from mutual exclusion protocols: symmetric access to the shared resource. HyperLTL enables a fine grained analysis of the symmetry between the processes, for example by expressing the property that switching the actions and roles between two components in a trace results in another legal trace, in which the access to the shared resource is switched accordingly. The third case study concerns the functional correctness of encoders and decoders of error resistant codes. The error resistance of a code is a property of its space of code words: all pairs of code words must have a certain minimum Hamming distance. We show that Hamming distance can be expressed in HyperLTL and demonstrate that this leads to an effective approach to the verification of encoders and decoders.

To summarize, our contributions are as follows:
  • We develop the first direct automaton construction for model checking HyperLTL and HyperCTL\(^*\) based on alternating automata.

  • We present the first practical approach for model checking hardware systems for alternation-free HyperCTL\(^*\) formulas.

Our evaluation shows that the approach enables the verification of industrial size hardware modules for hyperproperties. That is, we extend the state of the art in model checking hyperproperties from systems using only few (binary) variables [14, 34] to systems with over 20.000 variables.

Related Work. In this paper, we present an automata-theoretic model checking algorithm for HyperLTL and HyperCTL\(^*\), together with a practical approach to the verification of hardware circuits against alternation-free formulas. Previous automata constructions for the problem [14] are based on nondeterministic Büchi automata, whereas we present an algorithm based on alternating Büchi automata, which allows us to leverage modern hardware verification techniques like IC3 [10]/PDR [18], interpolation [32], and SAT [8]. Our model checker can therefore be applied to significantly more complex systems than the proof-of-concept model checker for the one-alternation fragment of HyperLTL [14], which is limited to small explicitly given models.

HyperLTL and HyperCTL\(^*\) are related to other logics for hyperproperties, such as variations of the \(\mu \)-calculus, like the polyadic \(\mu \)-calculus by Andersen [2], the higher-dimensional \(\mu \)-calculus [38], and holistic hyperproperties [35]. The model checking problem for these logics can be reduced to the model checking problem of the modal \(\mu \)-calculus [2, 27] (or directly to parity games [34]) and involves, similar to our construction, an analysis of the product of several copies of the system. We are not aware, however, of any practical approaches that would allow the verification of complex hardware designs against specifications given in these logics. Another related class of logics are the epistemic temporal logics [19], which reason about the knowledge of agents and how it changes over time. While it has been shown that epistemic temporal logic can express certain information flow policies [4], most practical work with epistemic logics has focussed on applications from the area of multi-agent systems [21, 28, 29, 33, 39].

Lastly, in the area of information flow security, there are several verification techniques that focus on specific information flow properties—rather than on a general logic like HyperLTL and HyperCTL\(^*\)—but use techniques that relate to our model checking algorithm. A construction based on the product of copies of a system, self-composition [6, 7], has been tailored for various trace-based security definitions [17, 23, 44].

2 Temporal Logics for Hyperproperties

We now introduce the temporal logics for hyperproperties, their semantics, and their model checking problem.

A Kripke structure is a tuple \(K=(S,s_0,\delta ,\mathsf {AP} ,L)\) consisting of a set of states S, an initial state \(s_0\), a transition function \(\delta :S\rightarrow 2^{S}\), a set of atomic propositions\(\mathsf {AP} \), and a labeling function\(L:S\rightarrow 2^{\mathsf {AP} }\) decorating each state with a set of atomic propositions. We require that each state has a successor, that is \(\delta (s)\ne \emptyset \), to ensure that every execution of a Kripke structure can always be extended to an infinite execution. A path of a Kripke structure is an infinite sequence of states \(s_0s_1\ldots \in S^\omega \) such that \(s_0\) is the initial state of K and \(s_{i+1}\in \delta (s_i)\) for all \(i\in \mathbb {N}\). We denote by \( Paths (K,s)\) the set of all paths of K starting in state \(s\in S\) and by \( Paths ^*(K,s)\) the set of their suffixes. Given a path p and a number \(i\ge {}0\), \(p[i,\infty ]\) denotes the suffix path where the first i elements are removed.

HyperLTL and HyperCTL\(^*\) extend the standard temporal logics LTL and CTL\(^*\) by quantification over path variables. Their formulas are generated by the following grammar, where \(a\in \mathsf {AP} \) and \(\pi \) ranges over path variables:

Additionally, we define the derived operators
and \(\varphi _1\mathbin {\mathcal {W}}\varphi _2 =\varphi _1\mathbin {\mathcal {U}}\varphi _2 \vee \square \varphi _1\).

For HyperLTL and HyperCTL\(^*\) we require that temporal operators only occur inside the scope of path quantifiers. HyperLTL is the sublogic of formulas in prenex normal form. A formula is in prenex normal form, if it starts with a sequence of quantifiers, and is quantifier-free in the rest of the formula. The conceptual difference between HyperLTL and HyperCTL\(^*\), is that HyperLTL, like LTL, is a linear-time logic and that HyperCTL\(^*\), like CTL and CTL\(^*\), is a branching-time logic [20]. A formula \(\varphi \) is in negation normal form if the only occurrences of \(\lnot \) occur in front of propositions \(a_\pi \).

Semantics. In the following we define the semantics for the operators \(a_\pi \), \(\lnot \varphi \), \(\varphi _1\vee \varphi _2\),
, \(\varphi _1\mathbin {\mathcal {U}}\varphi _2\), and \(\exists \pi .~\varphi \). The other operators are defined via the following equalities: \(\forall \pi .~\varphi = \lnot \exists \pi .~\lnot \varphi \), \(\varphi _1\wedge \varphi _2 = \lnot (\lnot \varphi _1\vee \lnot \varphi _2)\), and \(\varphi _1{\mathcal {R}}\varphi _2 = \lnot (\lnot \varphi _1{\mathcal {U}}\lnot \varphi _1)\). These derived operators are kept in the syntax to guarantee the existence of equivalent formulas in negation normal form.

Let K be a Kripke structure and let \(s_0\) be its initial state. The semantics of HyperLTL and HyperCTL\(^*\) is given in terms of assignments \(\varPi :N\rightarrow Paths ^*(K,s_0)\) of a set of path variables N to suffixes of paths. We use \(\varPi [i,\infty ]\) for the map that assigns to each path variable \(\pi \) the suffix \(\varPi (\pi )[i,\infty ]\). We use the reserved path variable \(\varepsilon \) to denote the most recently quantified path and define the validity of a formula as follows:

For the empty assignment \(\varPi =\{\}\), we define \(\varPi (\varepsilon )(0)\) to yield the initial state. Validity on states of a Kripke structure K, written \(s\models _K\varphi \), is defined as \(\{\}\models _K\varphi \). A Kripke structure \(K=(S,s_0,\delta ,\mathsf {AP} ,L)\) satisfies formula \(\varphi \), denoted with \(K\models \varphi \) whenever \(s_0\models _K \varphi \).

3 Automata-Theoretic Model Checking of HyperCTL\(^*\)

In this section, we present an automata-theoretic construction for the verification of HyperCTL\(^*\) formulas. In Sect. 4 we will then use this construction to build a practical algorithm for the verification of circuits. We start with a brief review of alternating automata. Given a finite set Q, \(\mathbb B(Q)\) denotes the set of Boolean formulas over Q and \(\mathbb B^+(Q)\) the set of positive Boolean formulas, that is, formulas that do not contain negation. The satisfaction of a formula \(\theta \in \mathbb B(Q)\) by a set \(Q'\subseteq Q\) is denoted by \(Q'\models \theta \).

Definition 1

(Alternating Büchi Automata). An alternating Büchi automaton (on words) is a tuple \(\mathcal A = (Q,q_0,\varSigma ,\rho ,F)\), where Q is a finite set of states, \(q_0 \in Q\) is the initial state, \(\varSigma \) is a finite alphabet, \(\rho : Q\times \varSigma \rightarrow \mathbb B^+(Q)\) is a transition function that maps a state and a letter to a positive Boolean combination of states, and \(F\subseteq Q\) are the accepting states.

A run of an alternating automaton is a Q-labeled tree. A treeT is a subset of \(\mathbb N_{> 0}^*\) such that for every node\(\tau \in \mathbb N^*_{> 0}\) and every positive integer \(n \in \mathbb N_{> 0}\), (i) if \(\tau \cdot n \in T\) then \(\tau \in T\) (i.e., T is prefix-closed), and (ii) for every \(0 < m < n\), \(\tau \cdot m \in T\). The root of T is the empty sequence \(\varepsilon \) and for a node \(\tau \in T\), \(\vert \tau \vert \) is the length of the sequence \(\tau \), in other words, its distance from the root. A run of \(\mathcal A\) on an infinite word \(\pi \in \varSigma ^\omega \) is a Q-labeled tree (Tr) such that \(r(\varepsilon ) = q_0\) and for every node \(\tau \) in T with children \(\tau _1,\ldots ,\tau _k\) the following holds: \(1\le k \le \vert Q \vert \) and \(\{r(\tau _1),\ldots ,r(\tau _k)\} \models \rho (q,\pi [i])\), where \(q = r(\tau )\) and \(i = \vert \tau \vert \). A run r of \(\mathcal A\) on \(\pi \in \varSigma ^\omega \) is accepting whenever for every infinite path \(\tau _0\tau _1\ldots \) in T, there are infinitely many i with \(r(\tau _i) \in F\). We say that \(\pi \) is accepted by \(\mathcal A\) whenever there is an accepting run of \(\mathcal A\) on \(\pi \), and denote with \(\mathcal L_\omega (\mathcal A)\) the set of infinite words accepted by \(\mathcal A\).

If the transition function of an alternating automaton does not contain any conjunctions, we call the automaton nondeterministic. The transition function \(\rho \) of a nondeterministic automaton thus identifies a disjunction over a set of successor states. Such a transition function can also be stated as a function \(\rho : Q \times \varSigma \rightarrow 2^Q\) identifying the successors. Our model checking algorithm relies on the standard translation for alternation removal due to Miyano and Hayashi:

Theorem 1

([36]). Let \(\mathcal A\) be an alternating Büchi automaton with n states. There is a nondeterministic Büchi automaton \(\mathsf {MH}(\mathcal A)\) with \(2^{\mathcal O(n)}\) states that accepts the same language.

3.1 The Alternation-Free Fragment

We present a model checking algorithm for the alternation-free fragment of HyperCTL\(^*\). This fragment is expressive enough to capture a broad range of other information-flow properties, like declassification mechanisms, quantitative noninterference, and information-flow requirements that change over time [14, 16]. The case studies in Sect. 5 illustrate that this fragment also captures properties in application domains beyond information-flow security.

Definition 2

(Alternation-Free HyperCTL\(^*\)). A HyperCTL\(^*\) formula \(\varphi \) in negation normal form is alternation-free, if \(\varphi \) contains only quantifiers of one type. Additionally, we require that no existential quantifier occurs in the left subformula of an until operator or in the right subformula of a release operator, and, symmetrically, that no universal quantifier occurs in the right subformula of an until operator or in the left subformula of a release operator.

Similar to the automata-theoretic approach to LTL properties [37, 45], we construct an alternating automaton bottom up from the formula, but handling multiple path quantifiers. For alternation-free HyperCTL\(^*\), the quantifiers may occur inside temporal operators (with the restrictions in Definition 2) as long as there is no quantifier alternation.

Let K be a Kripke structure \(K=(S,s_0,\delta ,\mathsf {AP} ,L)\). To check the satisfaction of a HyperCTL\(^*\) formula \(\varphi \) by K, we translate \(\varphi \) into a K-equivalent alternating automaton \(\mathcal A_\varphi \). The construction of \(\mathcal A_\varphi \) proceeds inductively following the structure of \(\varphi \), as follows. Assume that \(\varphi \) is in negation normal form and starts with an existential quantifier, and consider a subformula \(\psi \) of \(\varphi \). Let n be the number of path quantifiers occurring on the path from the root of the syntax tree of \(\varphi \) to \(\psi \), and let these path quantifiers bind the variables \(\pi _1,\dots ,\pi _n\). The alphabet \(\varSigma \) of \(\mathcal A_{\psi }\) is \(S^n\), the set of n-tuples of states of K. We say that a language \(L \subseteq (S^n)^\omega \) is K-equivalent to \(\psi \), if all sequences of state tuples \((s^0_0, \ldots , s^0_n)(s^1_0, \ldots , s^1_n) \ldots \) in L correspond to a path assignment \(\varPi \) satisfying \(\psi \). That is, for all \((s^0_0, \ldots , s^0_n)(s^1_0, \ldots , s^1_n) \ldots \in L\) it holds \(\varPi \models _{K}\psi \) for the path assignment \(\varPi (\pi _i) = s^0_i s^1_i\dots \) (for all \(i\le n\)). An automaton is K-equivalent to \(\psi \) if its language is K-equivalent to \(\psi \).

For atomic propositions, Boolean connectives, and temporal operators, our construction follows the standard translation from LTL to alternating automata [37, 45]. Let \(\mathcal A_{\psi _1}=(Q_1,q_{0,1},\varSigma _{1},\rho _1,F_1)\) and \(\mathcal A_{\psi _2}=(Q_2,q_{0,2},\varSigma _{2},\rho _2,F_2)\) be the alternating automata for the subformulas \(\psi _1\) and \(\psi _2\):

For a quantified subformula \(\psi = \exists \pi . \psi _1\), we have to reduce the alphabet \(\varSigma _{\psi _1}=S^{n+1}\) to \(\varSigma =S^n\). The language for formula \(\psi \) contains exactly those sequences \(\sigma \) of state tuples, such that there is a path p through the Kripke structure K for which \(\sigma \) extended by p is in \(\mathcal L(\mathcal A_{\psi _1})\). Let \(\mathcal N'_{\psi _1} = (Q',q_{0}',\varSigma ,\rho ',F')\) be the nondeterministic automaton \(\mathcal N'_{\psi _1}=\mathsf MH (\mathcal A_{\psi _1})\) constructed from \(\mathcal A_{\psi _1}\) by the construction in Theorem 1, and let \(\mathcal A_{\psi } = (Q'',q_{0}'',\varSigma _{\psi },\rho '',F'')\) be constructed from \(\mathcal {N}'_{\psi _1}\) and the Kripke structure \(K=(S,s_0,\delta ,\mathsf {AP} ,L)\) as follows:
For the case that \(n=0\) we define that \(\mathbf {s}|_n\) is the initial state \(s_0\) of K.

Since we consider the alternation-free fragment, there are no negated quantified subformulas and the construction is finished.

The correctness of the construction can be shown by structural induction.

Proposition 1

Let \(\varphi \) be a HyperCTL\(^*\) formula and \(\mathcal A_{\varphi }\) the alternating automaton obtained by the previous construction. Then, \(\varphi \) and \(\mathcal A_{\varphi }\) are K-equivalent.

So far, we only considered alternation-free formulas that start with existential quantifiers. To decide \(K \models \varphi \) for an arbitrary \(\varphi \), we first transform \(\varphi \) in a Boolean combination over a set X of quantified subformulas. Each element \(\psi '\) of X is now in the form \(\exists \pi .\varphi \) for which we apply the construction above. Since \(\psi '\) is of the form \(\exists \pi . \psi _1\), \(\mathcal A_{\psi '}\) is a nondeterministic Büchi automaton, for which we apply a standard nonemptiness test [47].

Theorem 2

The model checking problem for the alternation-free fragment of HyperCTL\(^*\) is PSPACE-complete in the size of the formula and NLOGSPACE-complete in the size of the Kripke structure.


The alternating automaton \(\mathcal A_{\psi _1}\) is a tree with self-loops, when we consider automata created for quantified subformulas as leafs of the tree. By structural induction, we show that the size of \(\mathcal A_{\psi '}\) for an alternation-free formula \(\psi '\) is polynomial in \(|\psi '|\) and in |K| and that sub-automata for quantified subformulas are not reachable via actions that are self-loops with conjunctions.

Base Case: for atomic propositions and negated atomic propositions, the induction hypothesis is fulfilled.

Induction Step: Let \(\psi = \exists \pi .~\psi _1\). Only Until operators and Release operators in the formula lead to nodes that have two transitions, one with a self-loop and one without self-loops. By the restrictions in the definition of the alternation-free fragment, we guarantee that automata of quantified subformulas are not reachable via transitions with self-loops that contain conjunctions.

Conjunctive transitions that are not part of loops or self-loops only lead to a polynomial increase in size during nondeterminization. Emptiness of nondeterministic Büchi automata is in NLOGSPACE [47], so the upper bound of the theorem follows.

Since HyperCTL\(^{*}\) subsumes LTL, the lower bound for LTL model checking [42] implies the lower bound for HyperCTL\(^{*}\).    \(\square \)

3.2 The Full Logic

The construction from the previous subsection can be extended to full HyperCTL\(^*\) by adding a construction for negated quantified subformulas. We compute an automaton for the complement language, based on the following theorem:

Theorem 3

([25]). For every alternating Büchi automaton \(\mathcal A = (Q,q_{0},\varSigma ,\rho ,F)\), there is an alternating Büchi automaton \(\overline{\mathcal A}\) with \(O(|Q|)^2\) states that accepts the complemented language: \(\mathcal L_\omega (\overline{\mathcal A}) = \overline{\mathcal L_\omega (\mathcal A)}\).

We extend the previous construction with the following case:
We capture the complexity of the resulting model checking algorithm in terms of the alternation depth of the HyperCTL\(^*\) formula. The formulas with alternation depth 0 are exactly the alternation-free formulas.

Definition 3

(Alternation Depth). A HyperCTL\(^*\) formula \(\varphi \) in negation normal form has alternation depth 0 plus the highest number of alternations from existential to universal and universal to existential quantifiers along any of the paths of the formula’s syntax tree. Existential quantifiers in the left subformula of an until operator or in the right subformula of a release operator, and, symmetrically, universal quantifiers in the right subformula of an until operator or in the left subformula of a release operator count as additional alternation.

For example, let \(\psi \) be a formula without additional quantifiers, then \(\exists \pi .~\psi \) has alternation depth 0, \(\forall \pi _1.\exists \pi .~\psi \) has alternation depth 1,
has alternation depth 0, \(\exists \pi .~\square \exists \pi '.~\psi \) has alternation depth 1, and \((\forall \pi .~\psi ) \wedge (\exists \pi .~\psi )\) has alternation depth 0.

Let \(g_c(k,n)\) be a tower of exponentiations of height k, defined simply as \(g_c(0,n)=n\) and \(g_c(k,n)= c^{g_c(k-1,n)}\). We define NSPACE(g(kn)) to be the languages that are accepted by a nondeterministic Turing machine that runs in SPACE \(O(g_c(k,n))\) for some \(c>1\). For convenience, we define NSPACE\((g(-1,n))\) to be NLOGSPACE.

Proposition 2

Let K be a Kripke structure and \(\varphi \) a HyperCTL\(^*\) formula with alternation depth k. The alternating automaton \(\mathcal A_\varphi \) resulting from the previous construction has \(O(g(k+1,|\varphi |))\) and O(g(k, |K|)) states and can be constructed in NSPACE\((g(k,|\varphi |))\) and NSPACE\((g(k-1,|K|))\).

Theorem 4

Given a Kripke structure K and a HyperCTL\(^*\) formula \(\varphi \) with alternation depth k, we can decide whether \(K\models \varphi \) in NSPACE\((g(k,|\varphi |))\) and NSPACE\((g(k-1,|K|))\).

The proof of Proposition 2 is an induction over the alternation depth. The proof of Theorem 4 uses that the nonemptiness problem for nondeterministic Büchi automata is in NLOGSPACE [47]. Theorem 4 subsumes the result for the alternation-free fragment:

Corollary 1

For alternation depth 0, the model-checking problem \(K\models \varphi \) is in PSPACE in \(|\varphi |\) and in NLOGSPACE in |K|.

4 Symbolic Model Checking of Circuits

In this section we translate the automaton-based construction from Sect. 3 for alternation-free formulas into a practical verification approach for circuits. Given a circuit C and an alternation-free formula \(\varphi \) the algorithm produces a new circuit \(C_{\varphi }\) that is linear in the size of C and also linear in the size of \(\varphi \). The compactness of the encoding builds on the ability of circuits to describe systems of exponential size with a linear number of binary variables. The circuit \(C_{\varphi }\) is then checked for fair reachability to determine the validity of \(C\models \varphi \). This check can be done with of-the-shelf model checkers leveraging modern hardware verification technology [8, 11, 12].

A circuit1\(C=(X, init ,I,O,T)\) consists of a set X of binary variables (latches with unit delay), a condition \( init \in \mathbb {B}(X)\) characterizing a non-empty set of initial states of X, a set of input variables I, a set of output variables O, and a transition relation \(T\in \mathbb {B}(X \times I \times O \times X)\). We require that T is input-enabled and input-deterministic, that is, for all \(x\subseteq X\), \(i\subseteq I\), there is exactly one \(o\subseteq O\) and one \(x'\subseteq X\) such that \(T(x,i,o,x')\) holds. We denote a subset of X as a state of circuit C, indicating exactly those latches that are set to 1. The size of a circuit C, denoted |C|, is defined as the number of latches |X|.

A circuit C can be interpreted as a finite Kripke structure \(K_C\) of potentially exponential size. The state space of \(K_C\) is \(S = s_0 ~\cup ~ 2^{X} \times 2^I \times 2^O \times 2^X\), where \(s_0\) is a fresh initial state. The transition relation distinguishes the initial step of the computation: \(s'\in \delta (s_0)\) iff there is a circuit state \(x\subseteq X\) with \( init (x)\) and \(x=s'|_{X}\) such that \(T(x, s'|_I,s'|_O, s'|_X)\), where \(s'|_I\), \(s'|_O\), \(s'|_X\), and \(s'|_{X'}\) are the projections to variables I, O, the first copy of X, and the second copy of X respectively. For subsequent steps of computation we define \(s'\in \delta (s)\) whenever \(T(s|_X, s'|_I, s'|_O, s'|_{X'})\) and \(s|_{X'} = s'|_{X}\). That is, the first copy X denotes the previous state, whereas \(X'\) denotes the current state. The labelling function of \(K_C\) maps each state s to the set Open image in new window. That is, the alphabet Open image in new window. The semantics of HyperCTL\(^*\) on a circuit C is defined using the associated Kripke structure \(K_C\). We write \(C\models \varphi \) whenever \(K_C\models \varphi '\), where \(\varphi '\) is obtained by replacing all atomic propositions
. This leads to a natural semantics on circuits: the atomic propositions always refer to the current value of the latches, the next input, and the next output.

Given a circuit C and an alternation-free HyperCTL\(^*\) formula \(\varphi \), we reduce the model checking problem \(C\models \varphi \) to finding a computation path in a circuit \(C_\varphi \) that does not visit a bad state and satisfies a conjunction of strong fairness (or compassion) constraints \(F=\{f_1,\dots ,f_k\}\). A strong fairness constraint f of a circuit consists of a tuple \((a_1,a_2)\) of atomic propositions and a path p satisfies f, if \(a_1\) holds only finitely often or \(a_2\) holds infinitely often on p. We build \(C_\varphi \) bottom up following the formula structure. Without loss of generality, we assume that \(\varphi \) contains only existential quantifiers and is in negation normal form. Let \(\psi \) be a subformula of \(\varphi \) that occurs under n quantifiers. Let \(C_{\psi _1}=(X_{\psi _1}, init _{\psi _1},I_{\psi _1},O_{\psi _1},T_{\psi _1})\), \(C_{\psi _2}=(X_{\psi _2}, init _{\psi _2},I_{\psi _2},O_{\psi _2},T_{\psi _2})\) be the circuits, and let \(F_{\psi _1}\) and \(F_{\psi _2}\) be the fairness constraints for the subformulas \(\psi _1\) and \(\psi _2\). For LTL operators, the construction resembles the standard translation from LTL to circuits [13, 24]. We construct \(C_\psi \) and \(F_\psi \) as follows:

Here Open image in new window; \( init (X_{n})\) is the initial condition applied to copy \(X_n\) of the latches; and likewise \(T(X_{n})\) is the transition relation of C applied to the copy \(X_n\). We use \(X_n=X_{n-1}\) to denote the expression that all latches in \(X_n\) are equal to their counterparts in \(X_{n-1}\). We omitted the construction for the conjunction and the Release operator due to the space limits. It is easy to verify that the transition relation is input-enabled and input-deterministic.

Proposition 3

Given a circuit C and an alternation-free formula \(\varphi \) with k quantifiers, the size of the circuit \(C_\varphi \) is at most \(|C|\cdot k + |\varphi |\).

For each subformula \(\psi \) of \(\varphi \), the output \(o_\psi \) in the circuit \(C_\varphi \) indicates that \(\psi \) must hold for the current computation path, and the latch \(x_\psi \) represent the requirements on the future of the computation that arise from the output \(o_\psi \). The output \(b_\psi \) indicates that the requirements for subformula \(\psi \) are violated and a bad state is entered.

Proposition 4

Let C be a circuit and let \(\varphi \) be an alternation-free HyperCTL\(^*\) formula. \(C\models \varphi \) holds iff the circuit \(C_\varphi \) admits a computation that shows output \(o_\varphi \) in the first step, that never outputs \(b_\psi \) for any of the subformulas \(\psi \) of \(\varphi \), and that satisfies the fairness constraints.

The proof of correctness proceeds again by structural induction on the structure of the formula. The search for paths of the form above can be performed by standard hardware model checkers.

5 Case Studies and Experimental Results

We have implemented the symbolic model checking approach from Sect. 4 as a transformation on Aiger circuits.2 We rely on standard hardware synthesis tools to compile VHDL and Verilog files into a circuit to which we apply our tool to obtain a new circuit. As the backend engine, we use the ABC model checker [11], which provides many of the modern verification algorithms, including IC3 [10]/PDR [18], interpolation (INT) [32], and SAT-based bounded model checking (BMC) [8]. All experiments ran on an Intel Core i5 processor (4278U) with 2.6 GHz. Table 1 shows the verification times for the circuits and properties considered in our case studies. We used the default settings of ABC in all runs, except the entry marked with \(^*\). The symbol \(\checkmark \) indicates that an invariant was found, and \(\times \) that a (counter)example was found.
Table 1.

Experimental results for the case studies.

The experiments show that our approach enables the verification of hyperproperties for hardware modules with hundreds or even thousands of latches. For finding counterexamples, bounded model checking was most effective, and for cases where an invariant was needed, the relative performance of IC3/PDR vs. interpolation was inconclusive. In addition to benchmarking, our goal for these case studies has been to explore the versatility of alternation-free HyperCTL\(^*\) model-checking and the potential of our prototype tool. In the following subsections, we report on the setup and results of the case studies, as well as on the verification workflow from a user perspective. Our case studies come from three different areas: information flow, symmetry, and error resistant codes.

5.1 Case Study 1: Information Flow Properties of I2C

Our first case study investigates the information flow properties of an I2C bus master. I2C is a widely used bus protocol that connects multiple components in a master-slave topology. Even though the I2C bus has no security features, it has been used in security-critical applications, such as the smart cards of the German public health insurance, which led to exploits [43]. We analyzed a I2C bus master implementation from the open source repository A typical setup consists of one master, one controller, and several slaves. The master communicates to the slaves via two physical wires, the clock line (SCL) and the data line (SDA). The interface of the master towards the controller consists of 8 bit wide words for input and output of data, a 3-bit wide address to encode slave numbers, a system clock input, and several reset and control signals. We checked the I2C bus master implementation against the information flow properties shown in Table 2.
Table 2.

Information flow properties for the verification of the I2C bus master. In this list of properties, \(P_\pi =P_{\pi '}\) is defined as \(\bigwedge _{a\in P} a_\pi \!=\! a_{\pi '}\). \(\overline{P}_\pi =\overline{P}_{\pi '}\) is defined as \((I\setminus P)_\pi =(I\setminus P)_{\pi '}\) where \(P\subseteq \mathsf {AP} \) and \(I\subseteq \mathsf {AP} \) are the inputs of the circuit.

From the Controller to the Bus. Property (NI1) states that there is no information flow with respect to the address to which the I2C master intends to send data, and (NI2) with respect to the data words themselves. Both information flows are intended, and our tool reports the violation. We tried to bound the information flow between the first valuation of the 3 bit wide address input and the bus data by encoding [14] the quantitative information-flow property. While the information flow of 3 bit could be determined (QNI1), checking the upper bound of \(\log 9\approx 3.17\) bit (QNI2) led to a timeout. Property (NI3) states that when the write enable bit is not set, no information should flow from the controller inputs to the bus. This property is satisfied by the implementation.

From the Bus to the Controller. Property (NI4) claims the absence of information flow from the slaves to the controller, which is again legitimately violated by the implementation. Property (NI5) refines (NI4) to determine whether the flow can still happen when we only consider information received on SDA while the master sends data too. The branching time operator \(\mathcal {H}\) in (NI5), called the Hide operator \(\mathcal H_{I,O}\varphi \), is borrowed from the logic SecLTL [16] and expresses that information from the inputs I do not interfere with the outputs O. The Hide operator is easily expressible in HyperCTL\(^*\) [14]. Property (NI5) is violated by the implementation, because the concurrent transmission of data on the bus by multiple masters can bring I2C into arbitration mode and changes the interpretation of information sent over the bus later.

Long-term Information Flow: Properties (NI7) and (NI8) claim that the information flows from (NI1) and (NI4) cannot happen for an arbitrary delay. These properties are violated, which indicates that information may not be eventually forgotten by the I2C master.

All properties on the I2C Master were easily analyzed by the model checker. In order to determine if our approach scales to even larger designs, we checked an adapted version of property (NI2) on an Ethernet IP core with 21093 latches. The counterexample was still found within seconds.

5.2 Case Study 2: Symmetry in Mutual Exclusion Protocols

In our second case study, we investigate symmetry properties of mutual exclusion protocols. Mutual exclusion is a classical problem in distributed systems, for which several solutions have been proposed and analyzed. Violation of symmetry indicates that some clients have an unfair advantage over the other clients.

Our case study is based on a Verilog implementation of the Bakery protocol [26] from the VIS verification benchmark. The Bakery protocol works as follows. When a process wants to access the critical section it draws a “ticket”, i.e., it obtains a number that is incremented every time a ticket is drawn. If there is more than one process who wishes to enter the critical section, the process with the smallest ticket number goes first. When two processes draw tickets concurrently, they may receive tickets with the same number, so ties among processes with the same ticket must be resolved by a different mechanism, for example by comparing process IDs. The Verilog implementation has an input \( select \) to indicate the process ID that runs in the next step, and an input \( pause \) to indicate whether the step is stuttering. Each process n has a program counter pc(n). When process n is selected, the statement corresponding the program counter pc(n) is executed. We are interested in the following HyperLTL property:
where \( sym ( select _{\pi }, select _{\pi '})\) means that process 0 is selected on path \(\pi \) when process 1 is selected on path \(\pi '\) and vice versa. Property (S1) states that, for every execution, there is another execution in which the \( select \) inputs corresponding to processes 0 and 1 are swapped and the outcome (i.e., the sequence of program counters of the processes) is also swapped. It is well known that it is impossible to accomplish mutual exclusion in an entirely symmetric fashion [31]. It is therefore not surprising that the implementation indeed violates Property (S1).
Inspecting the counterexample revealed, however, that the symmetry is broken even before the critical section is reached: if a non-existing process ID is selected by the variable select, process 0 proceeds instead. Property (S2) excludes paths on which a non-existing process ID is selected. The model-checker produced a counterexample in which processes 0 and 1 tried to access the critical section, but were treated differently.
Next, we parameterized the necessary symmetry breaking in the system. We introduced additional inputs indicating which process may move, in case of a tie of the tickets and extended the property by the assumption that the symmetry is broken symmetrically.

Property (S3) is still violated by the implementation: the order in which the processes were checked depends on the process IDs and causes delays in how the program counters evolve. After contracting the comparison of process IDs into a single step, property (S3) became satisfied.

In further experiments, we changed the structure of property from the form (S3) \(\forall \pi .\forall \pi '.~\square \varphi \Rightarrow \square \psi \) to (S7) \(\forall \pi .\forall \pi '.~ \psi \mathbin {\mathcal {W}}\lnot \varphi \), which removes the liveness part of the property, while maintaining the semantics (for input-deterministic and input-enabled systems). This change significantly reduced the verification times and enabled the verification of the protocol for up to 7 participants.

5.3 Case Study 3: Error Resistant Codes

Error resistant codes enable the transmission of data over noisy channels. While the correct operation of encoder and decoders is crucial for communication systems, the formal verification of their functional correctness has received little attention. A typical model of errors bounds the number of flipped bits that may happen for a given code word length. Then, error correction coding schemes must guarantee that all code words have a minimal Hamming distance. Alternation-free HyperCTL\(^*\) can specify that all code words produced by an encoder have a minimal Hamming distance of d:

where I are the inputs denoting the data, O denote the code words, and the predicate \(\text {Ham}_{O}(d,\pi ,\pi ')\) is defined as \(\text {Ham}_{O}(-1,\pi ,\pi ')=\mathsf {false}\) and:

We started with two simple encoders that are not intended to provide error resistance: a Huffman encoder from the VIS benchmarks, and an 8bit-10bit encoder from that guarantees that the difference between the number of 1 s and the number of 0 s in the codeword is bounded by 2. As expected, encoders provide a Hamming distance of 1 (Huff1and 8b10b_2), but not more (Huff2and 8b10b_3). The experiments on these simple encoders were useful to determine the configuration of the command signals that enable the transmission of data. For example, checking the plain property as specified above for the 8bit-10bit encoder reveals that the reset signal must be set to false before sending data (8b10b_1). Similarly, for the 8bit-10bit decoder, we checked whether all codewords of Hamming distance 1 produce different outputs (8b10b_4).

Next, we considered an encoder for the 7-4-Hamming code, which encodes blocks of 4 bits into codewords of length 7, and guarantees a Hamming distance of 3. We started with finding out in which configuration the encoder actually sends encoded data (Hamm1to Hamm4). With Hamm3we discovered that the implementation deviates from the specification because the reset signal for the circuit is active high, instead of active low as specified. In Hamm3, we fixed the usage of the reset bit. We then scaled the specification to Hamming distances 2 and 3 (Hamm5to Hamm7).

6 Conclusions

We presented a novel automata-based automatic technique to model-check HyperLTL and HyperCTL\(^*\) specifications, and an implementation integrated with a state-of-the-art hardware model checker. Our case studies show that the implementation scales to realistic hardware designs; in one case we successfully checked a design with more than 20.000 latches. The logics HyperLTL and HyperCTL\(^*\) proved to be versatile tools for the analysis of various kinds of properties.


Our definition of circuits can be considered as a model of and-inverter graphs in the Aiger standard [9], where the gate list is abstracted to a transition relation.


The tool and the experiments are available online [40].



We thank Hans-Jörg Peter for valuable discussions and for synthesizing models for the case studies, Heinrich Ody for joint work on an early prototype of the tool, and Heidy Khlaaf for insightful comments on the paper.

Copyright information

© Springer International Publishing Switzerland 2015

Authors and Affiliations

  • Bernd Finkbeiner
    • 1
  • Markus N. Rabe
    • 1
  • César Sánchez
    • 2
  1. 1.Saarland UniversitySaarbrückenGermany
  2. 2.IMDEA Software InstituteMadridSpain

Personalised recommendations