
Hyperproperties: Verification of Proofs

Denis L. Bueno and Michael R. Clarkson
{dlb335,clarkson}@cs.cornell.edu
Department of Computer Science, Cornell University

Cornell University Computing and Information Science Technical Report
http://hdl.handle.net/1813/11153
July 25, 2008

Abstract

This paper formalizes some proofs by Clarkson and Schneider about hyperproperties. The proofs are mechanically verified using the proof assistant Isabelle.

1 Introduction

Properties are sets of execution traces, and hyperproperties are sets of properties. This paper formalizes Clarkson and Schneider's theory of hyperproperties [3] using Isabelle/HOL [4]. We present human-readable, mechanically verified proofs of the propositions and theorems in [3], except those related to topology, which we leave for future work. The proofs given here are formal analogues of informal proofs that were given in a previous technical report [2]. Thus, in addition to verifying the propositions and theorems, we have also verified the original proofs themselves.

This document was produced from LaTeX output, which was generated from Isabelle theory files. Those theory files are available for download from the same URL that hosts this technical report [1]. The numbering of propositions and theorems in this document follows the numbering in [2, 3].

∗ Supported in part by AFOSR grant F9550-06-0019, National Science Foundation Grants 0430161 and CCF-0424422 (TRUST), and a gift from Microsoft Corporation. Denis Bueno is supported by a Sandia National Laboratories Fellowship; Michael Clarkson is supported by an Intel Foundation PhD Fellowship.

theory HyperDefs
imports Main LList2 LaTeXsugar OptionalSugar
begin

notation {} (∅)

2 Definitions

typedecl state
  — An abstract notion of a state.

types trace = state llist
  — Traces are (possibly infinite) lists of states.
consts States :: state set (Σ)
  — An abstract set of states.
consts BottomState :: state
syntax (latex) BottomState :: state (⊥)
consts DummyState :: state

We assume the existence of one DummyState, which is used by Theorem 3 and Proposition 3.

axioms DummyState-is-State: DummyState ∈ Σ

constdefs
  psi-fin :: trace set (Ψfin)
  Ψfin ≡ Σ⋆
  psi-inf :: trace set (Ψinf)
  Ψinf ≡ Σω
  Ψ :: trace set
  Ψ ≡ Ψfin ∪ Ψinf

types
  property = trace set
  hyperproperty = property set

constdefs
  Prop :: property set
  Prop ≡ Pow Ψinf
  HP :: hyperproperty set
  HP ≡ Pow Prop

consts
  property-satisfies :: trace set ⇒ property ⇒ bool ((- |= -) [80,80] 80)
  hyperproperty-satisfies :: trace set ⇒ hyperproperty ⇒ bool ((- |= -) [80,80] 80)

defs (overloaded)
  property-satisfies-def: ts |= p ≡ ts ⊆ p
  hyperproperty-satisfies-def: ts |= h ≡ ts ∈ h

constdefs
  property-lift :: property ⇒ hyperproperty ([[ - ]] 80)
  property-lift p ≡ Pow p
notation property-lift ([ - ] 80)

constdefs
  trace-set-prefix :: trace set ⇒ trace set ⇒ bool (infix ≤ 80)
  trace-set-prefix-def: T ≤ T′ ≡ ∀ t. t ∈ T −→ (∃ t′. t′ ∈ T′ ∧ t ≤ t′)
  Obs :: trace set set
  Obs ≡ {ts. ts ⊆ Ψfin ∧ finite ts}
  sp :: property ⇒ bool
  sp P ≡ P ∈ Prop ∧ (∀ t ∈ Ψinf. t ∉ P −→ (∃ m ∈ Ψfin. m ≤ t ∧ (∀ t′ ∈ Ψinf. m ≤ t′ −→ t′ ∉ P)))
  SP :: property set
  SP ≡ {P. sp P}
  false-p :: property
  false-p ≡ ∅
  shp :: hyperproperty ⇒ bool
  shp H ≡ H ∈ HP ∧ (∀ T ∈ Prop. T ∉ H −→ (∃ M ∈ Obs. M ≤ T ∧ (∀ T′ ∈ Prop. M ≤ T′ −→ T′ ∉ H)))
  SHP :: hyperproperty set
  SHP ≡ {hp. shp hp}
  false-hp :: hyperproperty
  false-hp ≡ [false-p]
  lp :: property ⇒ bool
  lp L ≡ L ∈ Prop ∧ (∀ t ∈ Ψfin. (∃ t′ ∈ Ψinf. t ≤ t′ ∧ t′ ∈ L))
  LP :: property set
  LP ≡ {P. lp P}
  lhp :: hyperproperty ⇒ bool
  lhp H ≡ H ∈ HP ∧ (∀ T ∈ Obs. (∃ T′ ∈ Prop. T ≤ T′ ∧ T′ ∈ H))
  LHP :: hyperproperty set
  LHP ≡ {hp. lhp hp}
  true-Prop :: property
  true-Prop ≡ Ψinf
  true-HP :: hyperproperty
  true-HP ≡ Prop

end

theory Hyper
imports HyperDefs
begin

3 Proposition 1

3.1 Lemmas

lemma property-lifts-into-hyperproperty:
  assumes P-Prop: P ∈ Prop
  shows [P] ∈ HP
  using P-Prop unfolding property-lift-def Prop-def HP-def by blast

3.2 Proposition

theorem proposition-1-oif:
  assumes S-Prop: S ∈ Prop and S-SP: S ∈ SP
  shows [S] ∈ SHP
proof −
  have lift-S-HP: [S] ∈ HP using S-Prop property-lifts-into-hyperproperty by blast
  {
    fix T :: property
    assume T-st: T ∈ Prop  T ∉ [S]
    from ‹T ∉ [S]› have ¬(T ⊆ S) by (simp add: property-lift-def)
    then obtain t where t-st: t ∈ T  t ∉ S by blast
    have ∃ m. m ∈ Ψfin ∧ m ≤ t ∧ (∀ t′ ∈ Ψinf. m ≤ t′ −→ t′ ∉ S)
    proof −
      from t-st and T-st have t-psi-inf: t ∈ Ψinf unfolding Prop-def by blast
      with S-Prop and S-SP and T-st and t-st show ?thesis
        unfolding SP-def Prop-def sp-def by blast
    qed
    then obtain m where m-st: m ∈ Ψfin  m ≤ t  ∀ t′. t′ ∈ Ψinf ∧ m ≤ t′ −→ t′ ∉ S by blast
    let ?M = {m}
    from m-st and t-st have M-prf-T: ?M ≤ T unfolding trace-set-prefix-def by blast
    with m-st and t-st have M-Obs: ?M ∈ Obs unfolding Obs-def by blast
    {
      fix T′ :: property
      assume T′-st: T′ ∈ Prop  ?M ≤ T′
      then have ∃ t′ ∈ T′. m ≤ t′ by (simp only: trace-set-prefix-def) blast
      then obtain t′ where t′-st: t′ ∈ T′  m ≤ t′ ..
      with m-st and T′-st have t′-out-S: t′ ∉ S unfolding Prop-def by blast
      from T′-st and S-Prop and S-SP and t′-st and t′-out-S have T′ ∉ [S]
        unfolding property-lift-def by blast
    }
    hence ∀ T′. T′ ∈ Prop ∧ ?M ≤ T′ −→ T′ ∉ [S] by blast
    with m-st and M-prf-T and M-Obs
    have ∃ M. M ∈ Obs ∧ M ≤ T ∧ (∀ T′. T′ ∈ Prop ∧ M ≤ T′ −→ T′ ∉ [S]) by blast
  }
  thus ?thesis using lift-S-HP unfolding SHP-def shp-def by blast
qed

lemma prefix-set-has-longest:
  fixes t :: ′a llist
  assumes X-fin: finite X and X-non-empty: X ≠ ∅ and X-prefix-t: ∀ x ∈ X. x ≤ t
  shows ∃ m ∈ X. (∀ x ∈ X. x ≤ m)
using prems
proof (induct X rule: Finite-Set.finite-ne-induct)
  fix x :: ′a llist
  show ∃ m ∈ {x}. ∀ x ∈ {x}. x ≤ m by blast
next
  fix x :: ′a llist and F :: ′a llist set
  assume R: ∀ x ∈ F. x ≤ t =⇒ ∃ m ∈ F. ∀ x ∈ F. x ≤ m
    and t-upper-bound: ∀ x ∈ insert x F. x ≤ t
  then obtain m where m-in-F: m ∈ F and m-le-t: m ≤ t and x-le-t: x ≤ t
    and m-max-F: ∀ x ∈ F. x ≤ m using R by (auto dest: R)
  from m-le-t x-le-t have m ≤ x ∨ x ≤ m by (rule pref-locally-linear)
  thus ∃ m ∈ insert x F. ∀ x ∈ insert x F. x ≤ m
  proof
    assume m ≤ x
    with m-max-F have ∀ xa ∈ insert x F. xa ≤ x by auto
    thus ?thesis by blast
  next
    assume x ≤ m
    with m-max-F have ∀ xa ∈ insert x F. xa ≤ m by auto
    thus ?thesis using m-in-F by blast
  qed
qed

theorem proposition-1-if:
  assumes S-Prop: S ∈ Prop and lift-S-shp: [S] ∈ SHP
  shows S ∈ SP
proof −
  { — Show that t has finite bad thing m.
    fix t :: trace
    assume t-st: t ∉ S  {t} ∈ Prop
    then have t-out-lift-S: {t} ∉ [S] by (simp add: property-lift-def)
    obtain M where M-st: M ∈ Obs  M ≤ {t}  ∀ T′. T′ ∈ Prop ∧ M ≤ T′ −→ T′ ∉ [S]
      using t-out-lift-S and t-st and S-Prop and lift-S-shp
      unfolding SHP-def shp-def by blast
    have ∃ ms ∈ Ψfin. ms ∈ M ∧ ms ≤ t ∧ (∀ m ∈ M. m ≤ ms)
    proof −
      have M-pfx-t: ∀ m ∈ M. m ≤ t using M-st unfolding trace-set-prefix-def by blast
      have M-nonempty: M ≠ ∅
      proof (rule ccontr)
        {
          assume M-empty: ¬ M ≠ ∅
          {
            fix T′ :: property
            assume T′ ∈ Prop
            with M-empty have M ≤ T′ unfolding trace-set-prefix-def by blast
          }
          hence M-pfx-Prop: ∀ T′ ∈ Prop. M ≤ T′ by blast
          have ∅ ∈ Prop unfolding Prop-def by blast
          hence M ≤ ∅ using M-pfx-Prop by blast
          hence ∅ ∉ [S] using M-st and ‹∅ ∈ Prop› by blast
          have ∅ ∈ [S] using property-lift-def by blast
          from ‹∅ ∈ [S]› and ‹¬ ∅ ∈ [S]› have False by blast
        }
        thus ¬ M ≠ ∅ =⇒ False by blast
      qed
      have M-fin: finite M using M-st unfolding Obs-def by blast
      from this obtain ms where ms-st: ms ∈ M  ∀ x ∈ M. x ≤ ms
        using M-pfx-t and M-nonempty
        apply (insert prefix-set-has-longest [where t=t and X=M], blast) done
      hence ms-psi-fin: ms ∈ Ψfin using M-st unfolding Obs-def by blast
      have ms-pfx-t: ms ≤ t using ms-st and M-st unfolding trace-set-prefix-def by blast
      from ms-psi-fin and ms-st and ms-pfx-t
      show ∃ ms ∈ Ψfin. ms ∈ M ∧ ms ≤ t ∧ (∀ m ∈ M. m ≤ ms) by blast
    qed
    from this obtain m-star where m-star-st: m-star ∈ Ψfin  m-star ∈ M  m-star ≤ t  ∀ m ∈ M. m ≤ m-star by auto
    {
      fix t′
      assume t′-st: {t′} ∈ Prop  m-star ≤ t′
      let ?T′ = {t′}
      have M ≤ ?T′
      proof −
        {
          fix m
          assume m ∈ M
          with m-star-st have m ≤ m-star by blast
          with t′-st have m ≤ t′ using llist-le-trans by blast
        }
        thus M ≤ ?T′ unfolding trace-set-prefix-def by blast
      qed
      with M-st and t′-st have ?T′ ∉ [S] by blast
      hence t′ ∉ S unfolding property-lift-def by blast
    }
    with m-star-st have ∃ m ∈ Ψfin. m ≤ t ∧ (∀ t′ ∈ Ψinf. m ≤ t′ −→ t′ ∉ S)
      unfolding Prop-def by blast
  }
  thus ?thesis using S-Prop unfolding SP-def sp-def Prop-def by blast
qed

4 Proposition 2

theorem proposition-2-oif:
  fixes L :: trace set
  assumes L-Prop: L ∈ Prop and L-LP: L ∈ LP
  shows [L] ∈ LHP
proof −
  have lift-L-HP: [L] ∈ HP using L-Prop property-lifts-into-hyperproperty by blast
  {
    fix M
    assume M-st: M ∈ Obs
    {
      fix m
      assume m-st: m ∈ M
      have ∃ t. m ≤ t ∧ t ∈ L
      proof −
        from m-st and M-st have m ∈ Ψfin unfolding Obs-def by blast
        with L-Prop and L-LP and m-st show ?thesis unfolding LP-def lp-def Prop-def by blast
      qed
    }
    hence M-more: ∀ m ∈ M. (∃ t. m ≤ t ∧ t ∈ L) by blast
    let ?T = {tm. ∃ m ∈ M. m ≤ tm ∧ tm ∈ L}
    have ?T ⊆ L by blast
    hence T-in-lift: ?T ∈ [L] unfolding property-lift-def by blast
    with M-more have M-pfx-T: M ≤ ?T unfolding trace-set-prefix-def by blast
    have ?T ∈ Prop using M-st L-Prop unfolding Prop-def psi-inf-def Obs-def psi-fin-def by blast
    with T-in-lift and M-pfx-T and L-Prop have ∃ T. T ∈ Prop ∧ M ≤ T ∧ T ∈ [L] by blast
  }
  thus [L] ∈ LHP using lift-L-HP unfolding LHP-def lhp-def by blast
qed

theorem proposition-2-if:
  fixes L :: trace set
  assumes L-Prop: L ∈ Prop and L-lift-lhp: [L] ∈ LHP
  shows L ∈ LP
proof −
  {
    fix t :: trace
    assume t-st: t ∈ Ψfin
    let ?T = {t}
    obtain T′ where T′-st: ?T ≤ T′  T′ ∈ [L]  T′ ∈ Prop
    proof −
      from t-st have t-Obs: {t} ∈ Obs using Obs-def by blast
      hence ∃ T′ ∈ Prop. ?T ≤ T′ ∧ T′ ∈ [L] using L-lift-lhp unfolding LHP-def lhp-def by blast
      thus ?thesis by auto
    qed
    then obtain t′ where t′-st: t ≤ t′  t′ ∈ T′  t′ ∈ Ψinf
      unfolding trace-set-prefix-def Prop-def by blast
    have t′ ∈ L using ‹t′ ∈ T′› and ‹T′ ∈ [L]› unfolding property-lift-def by blast
    with t′-st have ∃ t′ ∈ Ψinf. t ≤ t′ ∧ t′ ∈ L by blast
  }
  thus L ∈ LP unfolding LP-def lp-def using L-Prop by blast
qed

5 Theorem 3

5.1 Definitions and Lemmas

constdefs
  Safe :: hyperproperty ⇒ hyperproperty
  Safe P ≡ {T ∈ Prop. (∀ M ∈ Obs. M ≤ T −→ (∃ T′ ∈ Prop. M ≤ T′ ∧ T′ ∈ P))}
  Live :: hyperproperty ⇒ hyperproperty
  Live P ≡ P ∪ (Prop − Safe P)

lemma Safe-is-HP:
  fixes P :: hyperproperty
  assumes P ∈ HP
  shows Safe P ∈ HP
  unfolding Safe-def HP-def by blast

lemma Live-is-HP:
  fixes P :: hyperproperty
  assumes P-HP: P ∈ HP
  shows Live P ∈ HP
  using P-HP unfolding Live-def HP-def by blast

lemma Safe-is-hypersafety:
  fixes P :: hyperproperty
  assumes P-HP: P ∈ HP
  shows Safe P ∈ SHP
  using P-HP Safe-is-HP unfolding Safe-def SHP-def shp-def by blast

lemma P-subset-Safe-P:
  fixes P :: hyperproperty
  assumes P-HP: P ∈ HP
  shows P ⊆ Safe P
  using P-HP unfolding Safe-def HP-def by blast

lemma stutter-append-is-infinite:
  fixes x :: trace
  assumes x-fin: x ∈ Ψfin and s-st: s ∈ Σ
  shows (x @@ lconst s) ∈ Ψinf
proof −
  from s-st have lconst s ∈ inflsts Σ by (rule lconstT [of s Σ])
  thus (x @@ lconst s) ∈ Ψinf using x-fin s-st lapp-fin-infT
    unfolding psi-fin-def psi-inf-def by blast
qed

constdefs
  asInfinite :: trace ⇒ trace
  asInfinite t ≡ if LNil = t then lconst DummyState else t @@ (lconst (llast t))
  — Converts a finite trace to an infinite trace. If the given finite trace is non-empty, it returns a suffix in which the final state is infinitely stuttered; otherwise it returns the constant DummyState trace.

lemma llast-in-trace-alphabet:
  assumes t ∈ Ψfin
  shows t ≠ LNil −→ llast t ∈ Σ (is ?P t)
  using prems unfolding psi-fin-def by (induct t rule: finlsts.induct) auto

lemma asInfinite-correctness:
  assumes t-fin: t ∈ Ψfin
  shows asInfinite t ∈ Ψinf ∧ t ≤ asInfinite t
proof cases
  assume LNil = t
  thus ?thesis unfolding asInfinite-def psi-inf-def using DummyState-is-State
    by (simp add: lconstT [of DummyState Σ])
next
  assume t-positive: LNil ≠ t
  with t-fin have res-inf: asInfinite t ∈ Ψinf
  proof −
    have llast t ∈ Σ using t-positive t-fin llast-in-trace-alphabet by simp
    moreover have lconst (llast t) ∈ Ψinf using t-fin t-positive ‹llast t ∈ Σ›
      unfolding psi-fin-def psi-inf-def by (simp add: lconstT [of llast t Σ])
    moreover have t @@ lconst (llast t) ∈ Ψinf using t-fin ‹llast t ∈ Σ›
      by (simp add: stutter-append-is-infinite [of t llast t])
    ultimately show asInfinite t ∈ Ψinf unfolding asInfinite-def using t-positive by simp
  qed
  from t-fin and t-positive have t ≤ asInfinite t
    unfolding psi-fin-def asInfinite-def using le-lappend by simp
  with res-inf show ?thesis ..
qed

lemma Live-is-hyperliveness:
  fixes P :: hyperproperty
  assumes P-HP: P ∈ HP
  shows Live P ∈ LHP
proof −
  have Live-HP: Live P ∈ HP using P-HP Live-is-HP by blast
  {
    fix T
    assume T-st: T ∈ Obs
    have ∃ T′ ∈ Prop. T ≤ T′ ∧ T′ ∈ Live P
    proof cases
      assume ∃ T′ ∈ Prop. T ≤ T′ ∧ T′ ∈ P
      then obtain T′ where T′-st: T′ ∈ Prop  T ≤ T′  T′ ∈ P by blast
      hence T′ ∈ Live P unfolding Live-def by blast
      thus ?thesis using T′-st by blast
    next
      assume T′-non-extends: ¬(∃ T′ ∈ Prop. T ≤ T′ ∧ T′ ∈ P)
      {
        fix T′
        assume T′-extends-T: T′ ∈ Prop  T ≤ T′
        hence T′ ∉ P using T′-non-extends by blast
        hence T′ ∉ Safe P
        proof −
          have ∃ T ∈ Obs. T ≤ T′ ∧ (∀ T′ ∈ Prop. ¬(T ≤ T′) | (T′ ∉ P))
            using T-st and T′-extends-T and T′-non-extends by blast
          hence ¬(∀ M ∈ Obs. M ≤ T′ −→ (∃ T′′ ∈ Prop. M ≤ T′′ ∧ T′′ ∈ P)) by blast
          thus ?thesis using ‹T′ ∈ Prop› unfolding Safe-def by blast
        qed
        hence T′ ∈ (Prop − Safe P) using ‹T′ ∈ Prop› by blast
      }
      hence all-pfx: ∀ T′ ∈ Prop. T ≤ T′ −→ T′ ∈ Prop − Safe P by simp
      show ∃ T′ ∈ Prop. T ≤ T′ ∧ T′ ∈ Live P
      proof −
        let ?T′ = {asInfinite x | x. x ∈ T}
        have T′-suff: T ≤ ?T′ using asInfinite-correctness T-st
          unfolding trace-set-prefix-def Obs-def by blast
        have T′-Prop: ?T′ ∈ Prop using T-st asInfinite-correctness unfolding Obs-def Prop-def by blast
        from T′-suff and T′-Prop have ?T′ ∈ Prop − Safe P using all-pfx by blast
        with T′-suff and T′-Prop show ?thesis unfolding Live-def by blast
      qed
    qed
  }
  thus ?thesis using Live-HP unfolding Live-def LHP-def lhp-def by blast
qed

5.2 Theorem

theorem theorem-3:
  fixes P :: trace set set
  assumes P-HP: P ∈ HP
  shows ∃ S ∈ SHP. ∃ L ∈ LHP. P = S ∩ L
proof −
  let ?S = Safe P
  let ?L = Live P
  have ?S ∩ ?L = (P ∪ Safe P) ∩ (P ∪ (Prop − Safe P))
    unfolding Live-def using P-HP P-subset-Safe-P by blast
  also have (P ∪ Safe P) ∩ (P ∪ (Prop − Safe P)) = P ∩ (Safe P ∪ (Prop − Safe P))
    using P-HP unfolding HP-def by blast
  also have P ∩ (Safe P ∪ (Prop − Safe P)) = P ∩ Prop unfolding Safe-def by blast
  also have P ∩ Prop = P using P-HP unfolding HP-def by blast
  finally have witness: ?S ∩ ?L = P by blast
  have Safe-SHP: Safe P ∈ SHP using Safe-is-hypersafety P-HP by blast
  have Live-LHP: Live P ∈ LHP using Live-is-hyperliveness P-HP by blast
  show ?thesis using Safe-SHP Live-LHP witness by blast
qed

6 Theorem 1

6.1 Definitions and Lemmas

constdefs
  Systems :: trace set set
  Systems ≡ {ts. ts ≠ ∅ ∧ ts ⊆ Ψinf}
  refinedby :: trace set ⇒ trace set ⇒ bool (infix ≤ 80)
  S ≤ S′ ≡ S′ ⊆ S
  rc :: hyperproperty ⇒ bool
  rc H ≡ ∀ S ∈ Systems. S |= H −→ (∀ S′ ∈ Systems. S ≤ S′ −→ S′ |= H)
  RC :: hyperproperty set
  RC ≡ {H ∈ HP. rc H}

axioms
  safety-and-liveness-onlyif-true: ⟦ p ∈ LP; p ∈ SP ⟧ =⇒ p = true-Prop
  — Any property which is both safety and liveness is the true property. This is axiomatised since it is well known about the theory of properties.

lemma hypersafety-and-hyperliveness-onlyif-true:
  fixes H :: hyperproperty
  assumes H-SHP: H ∈ SHP and H-LHP: H ∈ LHP
  shows H = true-HP
proof (rule ccontr)
  have H-HP: H ∈ HP using H-SHP unfolding SHP-def shp-def by blast
  {
    assume H-untrue: H ≠ true-HP
    then obtain Tstar where Tstar-st: Tstar ∈ Prop  Tstar ∉ H
      using H-HP unfolding HP-def true-HP-def Prop-def by blast
    obtain M where M-st: M ∈ Obs  M ≤ Tstar  ∀ T′ ∈ Prop. M ≤ T′ −→ T′ ∉ H
      using H-SHP Tstar-st unfolding SHP-def shp-def by blast
    then obtain Th where Th-st: Th ∈ Prop  M ≤ Th  Th ∈ H
      using H-LHP unfolding LHP-def lhp-def by blast
    hence Th ∉ H using ‹Th ∈ Prop› M-st by blast
    thus False using Th-st by blast
  }
qed

lemma hypersafety-and-hyperliveness-onlyif-true-contrapos:
  fixes H :: hyperproperty
  shows H ≠ true-HP −→ (H ∉ LHP | H ∉ SHP)
  apply (insert hypersafety-and-hyperliveness-onlyif-true [of H]) by blast

axioms
  Ex-nontrue-Prop: ∃ l ∈ LP. l ≠ true-Prop
  — There is a liveness property other than true. This is axiomatised since it is well known about the theory of properties.

lemma system-is-property:
  fixes s :: trace set
  assumes s-Sys: s ∈ Systems
  shows s ∈ Prop
  using s-Sys unfolding Systems-def Prop-def by blast

lemma HP-contains-SHP: SHP ⊆ HP
  unfolding SHP-def shp-def by blast

6.2 Theorem

theorem theorem-1-relaxed:
  shows SHP ⊆ RC
proof (rule ccontr)
  assume ¬ SHP ⊆ RC
  then obtain S where S-SHP: S ∈ SHP and S-not-RC: S ∉ RC by blast
  have S-HP: S ∈ HP using S-SHP HP-contains-SHP by blast
  from S-HP and S-not-RC obtain T T′
    where T-st: T ∈ Prop  T ∈ S and T′-st: T′ ∈ Prop  T′ ∉ S and T-gt-T′: T ⊇ T′
    unfolding RC-def rc-def HP-def Systems-def Prop-def
    unfolding refinedby-def hyperproperty-satisfies-def by blast
  from T′-st obtain M where M-st: M ≤ T′  (∀ T′′ ∈ Prop. M ≤ T′′ −→ T′′ ∉ S)
    using S-SHP unfolding SHP-def shp-def by blast
  have M ≤ T using M-st T-st T′-st T-gt-T′ unfolding trace-set-prefix-def by blast
  hence T ∉ S using T-st M-st by blast
  thus False using T-st by blast
qed

theorem theorem-1: SHP ⊂ RC
proof
  show SHP ⊆ RC using theorem-1-relaxed by assumption
  obtain l where l-LP: l ∈ LP and l-untrue: l ≠ true-Prop using Ex-nontrue-Prop by blast
  hence cx-RC: [l] ∈ RC
    unfolding property-lift-def LP-def lp-def RC-def rc-def Systems-def refinedby-def
      HP-def Prop-def psi-inf-def psi-fin-def hyperproperty-satisfies-def by blast
  from l-untrue have [l] ≠ true-HP using l-LP
    unfolding LP-def lp-def true-Prop-def true-HP-def property-lift-def psi-inf-def Prop-def by blast
  hence [l] ∉ SHP
  proof −
    have l ∈ Prop using l-LP unfolding LP-def lp-def by blast
    with l-LP have [l] ∈ LHP using proposition-2-oif by blast
    thus [l] ∉ SHP using ‹[l] ≠ true-HP› hypersafety-and-hyperliveness-onlyif-true-contrapos by blast
  qed
  thus SHP ≠ RC using cx-RC by blast
qed

7 Proposition 3

7.1 Definitions and Lemmas

constdefs
  Cls :: (′a set ⇒ ′a set) set
  Cls ≡ {cl. ∀ T :: ′a set. T ⊆ cl T}
  PIF :: hyperproperty set
  PIF ≡ {{Cl T | T. T ∈ Prop} | Cl. Cl ∈ Cls}
  lsingle :: ′a ⇒ ′a llist
  lsingle x ≡ x ## LNil
  hasDummyState :: trace ⇒ bool
  hasDummyState t ≡ ∃ t′. t′ @@ (lsingle DummyState) ≤ t
  GS :: trace set
  GS ≡ {t. t ∈ Ψinf ∧ hasDummyState t}
  — The guaranteed service property, GS, contains infinite traces in which a designated state occurs. This definition generalizes GS from the technical report.

axioms
  Cl-produces-Props: ⟦ T ∈ Prop; Cl ∈ Cls ⟧ =⇒ Cl T ∈ Prop
  — This axiom is essentially a type signature on closures. It is axiomatised because, although it is not mentioned in the technical report, it is required for Proposition 3.
  EX-trace-sans-DummyState: ∃ t ∈ Ψinf. ¬ hasDummyState t
  — There is an infinite trace without a certain state (the DummyState, in this case). This is axiomatised because it is well known about the theory of properties.
  GS-liveness: lp GS
  — The GS property is a liveness property. This is axiomatised since it is well known.

lemma GS-LHP: [GS] ∈ LHP
proof −
  have GS ∈ Prop unfolding Prop-def GS-def by blast
  thus ?thesis using GS-liveness proposition-2-oif unfolding LP-def by blast
qed

lemma trace-set-prefix-expanding′:
  fixes T :: trace set
  assumes T-st: T ≤ T′ and T′-sub: T′ ⊆ T′′
  shows T ≤ T′′
  using T-st T′-sub unfolding trace-set-prefix-def by blast

7.2 Proposition

theorem proposition-3-relaxed:
  shows PIF ⊆ LHP
proof −
  {
    fix P
    assume P ∈ PIF
    then obtain Cl-P where P-st: P = {Cl-P T | T. T ∈ Prop} and Cl-P-closure: Cl-P ∈ Cls
      unfolding PIF-def by blast
    have P-HP: P ∈ HP
    proof −
      {
        fix x
        assume x ∈ P
        then obtain T where T-st: x = Cl-P T  T ∈ Prop using P-st by blast
        hence x ∈ Prop using Cl-P-closure Cl-produces-Props by blast
      }
      thus ?thesis unfolding HP-def by blast
    qed
    {
      fix T
      assume T-Obs: T ∈ Obs
      have ∃ T′ ∈ Prop. T ≤ T′ ∧ T′ ∈ P
      proof −
        let ?T-inf = {asInfinite t | t. t ∈ T}
        let ?T′ = Cl-P ?T-inf
        have T′-suff: T ≤ ?T′
        proof −
          have Cl-P-monotonic: ⋀ X. X ⊆ Cl-P X using Cl-P-closure unfolding Cls-def by blast
          hence Cl-P-prop: ?T-inf ⊆ Cl-P ?T-inf by auto
          have T-pfx-T-inf: T ≤ ?T-inf using T-Obs asInfinite-correctness
            unfolding Obs-def trace-set-prefix-def by blast
          with Cl-P-prop show ?thesis
            apply (insert trace-set-prefix-expanding′ [OF T-pfx-T-inf Cl-P-prop])
            apply assumption
            done
        qed
        have ?T-inf ∈ Prop using T-Obs asInfinite-correctness unfolding Obs-def Prop-def by blast
        hence T′-P: ?T′ ∈ P using P-st by blast
        have T′-Prop: ?T′ ∈ Prop using ‹?T-inf ∈ Prop› Cl-P-closure Cl-produces-Props by blast
        with ‹?T′ ∈ P› and T′-suff show ?thesis by blast
      qed
    }
    hence P ∈ LHP using P-HP unfolding LHP-def lhp-def by blast
  }
  thus PIF ⊆ LHP by blast
qed

theorem proposition-3:
  shows PIF ⊂ LHP
proof
  show PIF ⊆ LHP using proposition-3-relaxed .
  have GS-lift-LHP: [GS] ∈ LHP by (simp add: GS-LHP)
  show PIF ≠ LHP
  proof (rule ccontr)
    {
      assume PIF = LHP
      hence [GS] ∈ PIF using GS-lift-LHP by simp
      then obtain CL-GS where CL-GS-st: [GS] = {CL-GS T | T. T ∈ Prop} and CL-GS-Cls: CL-GS ∈ Cls
        unfolding PIF-def by blast
      obtain t where t-inftrace: t ∈ Ψinf and t-no-Dummy: ¬ hasDummyState t
        using EX-trace-sans-DummyState by blast
      hence ts-Prop: {t} ∈ Prop unfolding Prop-def by blast
      have t ∈ CL-GS {t} using CL-GS-Cls unfolding Cls-def by blast
      hence ¬ (CL-GS {t} |= GS) using t-no-Dummy unfolding property-satisfies-def GS-def by blast
      hence False using CL-GS-st using ts-Prop unfolding property-satisfies-def property-lift-def by blast
    }
    thus ¬ PIF ≠ LHP =⇒ False by blast
  qed
qed

8 Theorem 2

8.1 Definitions and Lemmas

We represent traces over the alphabet A^k as ′a llist llist, where ′a is the type of elements of A. That is, instead of using k-tuples, we use llists of length k.

constdefs
  kshp :: nat ⇒ hyperproperty ⇒ bool
  kshp k S ≡ S ∈ HP ∧ (∀ T ∈ Prop. T ∉ S −→ (∃ M ∈ Obs. M ≤ T ∧ card M = k ∧ (∀ T′ ∈ Prop. M ≤ T′ −→ T′ ∉ S)))
  KSHP :: nat ⇒ hyperproperty set
  KSHP k ≡ {S. kshp k S}
  fromSome :: ′a option ⇒ ′a
  fromSome x ≡ (case x of Some e ⇒ e | None ⇒ arbitrary)
  fromSomeSt :: state option ⇒ state
  fromSomeSt x ≡ (case x of Some s ⇒ s | None ⇒ ⊥)
  zipn :: nat ⇒ (state llist) llist ⇒ (state llist) llist ⇒ bool
  zipn k T t ≡ ∀ j :: nat. j < k −→ t!!j = Some (lmap (λt. fromSomeSt (t!!j)) T)
  — The zip relation. We get unzip for free.
  set-to-llist :: ′a set ⇒ ′a llist
  set-to-llist S ≡ SOME l. lset l = S

Following are various axioms about the zip operator. Each axiom corresponds to an unproved fact about the operator.

axioms
  zip-of-Obs-exists: M ∈ Obs =⇒ ∃ m. zipn k (set-to-llist M) m
  — Any observation can be zipped. This axiom is used in the if direction of theorem 3.
  zip-EX-suffix: ⟦ M ∈ Obs; S ∈ Systems; zipn k (set-to-llist M) m; M ≤ S ⟧ =⇒ ∃ s ∈ kProd k S. prefix-k k m s
  — There is a suffix S^k to any zip of an observation, if the system S is a suffix of the observation.
  zip-of-Obs-fin: ⟦ M ∈ Obs; zipn k (set-to-llist M) m ⟧ =⇒ m ∈ (Σ⋆)⋆
  — Zipping an observation produces a finite trace over Σ^k.
  unzipped-recoverable: zipn k (set-to-llist M) Mz =⇒ ∀ j < k. ∃ m ∈ M. m = lmap (λt. fromSome (t!!j)) Mz
  — Every member from an unzipped trace set corresponds to some element of the zip.
  unzip-monotonic-wrt-prefix-k: ⟦ zipn k (set-to-llist M) Mz; zipn k (set-to-llist T) Tz; prefix-k k Mz Tz ⟧ =⇒ M ≤ Tl
  — Unzipping is monotonic.

constdefs
  noBot :: state llist ⇒ bool
  noBot ≡ finlsts-rec True (λ s r b. b ∧ (s ≠ ⊥))
  — noBot t asserts that the finite trace t does not contain ⊥.
  bottoms :: state llist
  bottoms ≡ lconst ⊥
  — The infinite list of bottoms.
  prefix-bottom :: state llist ⇒ state llist ⇒ bool (infix ≤⊥ 60)
  t ≤⊥ u ≡ ∃ tp. noBot tp ∧ t ≤ tp @@ bottoms ∧ tp ≤ u
  — Effectively removes the bottoms from the first trace, then compares it to the second.
  prefix-k :: (state llist) llist ⇒ nat ⇒ (state llist) llist ⇒ bool (- ≤- - 60)
  tk ≤k uk ≡ ∀ j. j < k −→ (lmap (λt. fromSome (t!!j)) tk) ≤⊥ (lmap (λt. fromSome (t!!j)) uk)
  — The input traces are over the alphabet Σ^k. We project the j-th position of each element, which creates two traces each with state elements, and compare those with prefix-bottom.
  State-K :: state llist set
  State-K ≡ Σ⋆
  TraceFin-K :: state llist llist set
  TraceFin-K ≡ State-K⋆
  TraceInf-K :: state llist llist set
  TraceInf-K ≡ State-Kω
  Prop-K :: state llist llist set set
  Prop-K ≡ Pow TraceInf-K

A generic definition of safety which takes an alphabet as a parameter. For theorem 2 we require reasoning about traces over Σ and Σ^k.

constdefs
  spa :: nat ⇒ (state llist) llist set ⇒ bool
  spa k P ≡ P ∈ Prop-K ∧ (∀ t ∈ TraceInf-K. t ∉ P −→ (∃ m ∈ TraceFin-K. m ≤k t ∧ (∀ t′ ∈ TraceInf-K. m ≤k t′ −→ t′ ∉ P)))
  SPA :: nat ⇒ (state llist) llist set set
  SPA k ≡ {P. spa k P}
  kProd :: nat ⇒ state llist set ⇒ (state llist) llist set
  kProd k S ≡ {t ∈ TraceInf-K. ∃ S′ ∈ Systems. S′ ⊆ S ∧ card S′ = k ∧ zipn k (set-to-llist S′) t}
  — k-product of a system S.
  pa-satisfies :: ′a llist set ⇒ ′a llist set ⇒ bool ((- |= -) [80,80] 80)
  pa-satisfies-def: ts |= p ≡ ts ⊆ p
  — Whether a set of traces over an alphabet ′a satisfies a property.
  KSP :: nat ⇒ (state llist) llist set set
  KSP k ≡ SPA k
  Bads-from-KSaf :: nat ⇒ hyperproperty ⇒ trace set set
  Bads-from-KSaf k KK ≡ {M ∈ Obs. card M ≤ k ∧ (∃ T ∈ Prop. T ∉ KK ∧ M ≤ T) ∧ (∀ T′ ∈ Prop. M ≤ T′ −→ T′ ∉ KK)}
  — Boldface M in the proof of theorem 2.
  Saf-from-KSaf :: nat ⇒ hyperproperty ⇒ (state llist) llist set
  Saf-from-KSaf k KK ≡ {t ∈ TraceInf-K. ¬(∃ M ∈ Obs. ∃ tz ∈ TraceFin-K. M ∈ Bads-from-KSaf k KK ∧ zipn k (set-to-llist M) tz ∧ tz ≤k t)}
  — Boldface K in the proof of theorem 2.
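The zip, unzip, prefix-bottom and prefix-k definitions above, modelled on finite traces in Python. This is an added example, not the paper's Isabelle theory: states are strings, BOT stands in for ⊥, the zipped trace's i-th element is the k-vector of i-th states (my reading of zipn), and the sample observations M, T, M2, T2 are constructed. It also shows that the axiom unzip-monotonic-wrt-prefix-k is one-directional: M ≤ T on trace sets does not give prefix-k for the positional zips.

```python
"""Finite-trace model of zip / unzip / ≤⊥ / ≤k from Section 8 (added example).

Traces are tuples of states; BOT models ⊥, the padding state.
"""

BOT = None  # models ⊥: pads a shorter trace inside a zipped trace


def is_prefix(m, t):
    """m ≤ t on finite traces: m is an initial segment of t."""
    return t[:len(m)] == m


def trace_set_prefix(M, T):
    """M ≤ T on trace sets: every m ∈ M is a prefix of some t ∈ T."""
    return all(any(is_prefix(m, t) for t in T) for m in M)


def zipn(traces):
    """Zip a list of k finite traces into one trace over Σ^k.

    Element i of the result is the k-vector of the i-th states; a trace
    that has no i-th state contributes ⊥ (fromSomeSt of None)."""
    n = max((len(t) for t in traces), default=0)
    return [tuple(t[i] if i < len(t) else BOT for t in traces) for i in range(n)]


def unzip(z, j):
    """Project component j of a zipped trace: lmap (λt. fromSome (t!!j)) z."""
    return tuple(v[j] for v in z)


def strip_padding(t):
    """Drop trailing ⊥s; recovers the original trace from an unzipped component."""
    core = t
    while core and core[-1] is BOT:
        core = core[:-1]
    return core


def no_bot(t):
    """noBot: the finite trace contains no ⊥."""
    return all(s is not BOT for s in t)


def prefix_bottom(t, u):
    """t ≤⊥ u: ∃ tp. noBot tp ∧ t ≤ tp @@ bottoms ∧ tp ≤ u.

    Only trailing ⊥s of t can be absorbed by 'tp @@ bottoms', so the test is:
    strip them, require what is left to be ⊥-free, and check it is a prefix of u."""
    core = strip_padding(t)
    if not no_bot(core):  # a ⊥ in the middle of t never matches a ⊥-free tp
        return False
    return is_prefix(core, u)


def prefix_k(k, tz, uz):
    """tz ≤k uz: component-wise ≤⊥ for every j < k."""
    return all(prefix_bottom(unzip(tz, j), unzip(uz, j)) for j in range(k))


def demo():
    """Constructed observation M and extension set T, with the zips compared."""
    M = [("a", "b"), ("a",)]
    T = [("a", "b", "c"), ("a", "b", "d")]
    Mz, Tz = zipn(M), zipn(T)
    results = {
        "zip_M": Mz,  # [("a", "a"), ("b", BOT)]
        # unzipped-recoverable: each component of the zip is a member of M
        "recoverable": all(strip_padding(unzip(Mz, j)) == M[j] for j in range(2)),
        # unzip-monotonic-wrt-prefix-k: Mz ≤k Tz gives M ≤ T
        "prefix_k": prefix_k(2, Mz, Tz),
        "set_prefix": trace_set_prefix(M, T),
    }
    # The converse fails: zip pairs traces by position, so M2 ≤ T2 holds as
    # sets while the zips are not ≤k (component 0 compares ab against xyz).
    M2 = [("a", "b"), ("x",)]
    T2 = [("x", "y", "z"), ("a", "b", "c")]
    results["set_prefix_2"] = trace_set_prefix(M2, T2)
    results["prefix_k_2"] = prefix_k(2, zipn(M2), zipn(T2))
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```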
lemma Saf-from-KSaf-is-safety:
  fixes k :: nat
  assumes KK-KSHP: KK ∈ KSHP k
  shows Saf-from-KSaf k KK ∈ KSP k
proof −
  let ?K = Saf-from-KSaf k KK
  have Saf-from-KSaf-st: ?K ∈ Prop-K
    unfolding Saf-from-KSaf-def TraceInf-K-def State-K-def Prop-K-def by blast
  {
    fix t
    assume t-st: t ∈ TraceInf-K  t ∉ ?K
    then have ∃ M ∈ Obs. M ∈ Bads-from-KSaf k KK ∧ (∃ tz ∈ TraceFin-K. zipn k (set-to-llist M) tz ∧ tz ≤k t)
      unfolding Saf-from-KSaf-def TraceInf-K-def TraceFin-K-def State-K-def by blast
    then obtain M tz where M-tz-st: M ∈ Obs  M ∈ Bads-from-KSaf k KK  tz ∈ TraceFin-K
      zipn k (set-to-llist M) tz  tz ≤k t by blast
    {
      fix u
      assume u-st: u ∈ TraceInf-K  tz ≤k u
      hence u ∉ ?K using M-tz-st unfolding TraceInf-K-def Saf-from-KSaf-def State-K-def by blast
    }
    hence ∃ tz ∈ TraceFin-K. tz ≤k t ∧ (∀ u ∈ TraceInf-K. tz ≤k u −→ u ∉ Saf-from-KSaf k KK)
      using M-tz-st unfolding TraceFin-K-def TraceInf-K-def State-K-def by blast
  }
  thus ?K ∈ KSP k unfolding KSP-def SPA-def spa-def using Saf-from-KSaf-st by blast
qed

lemma trace-set-prefix-transitive:
  assumes X-p-Y: X ≤ Y and Y-p-Z: Y ≤ Z
  shows X ≤ Z
proof −
  {
    fix x
    assume x ∈ X
    then obtain y where y ∈ Y  x ≤ y using X-p-Y unfolding trace-set-prefix-def by blast
    then obtain z where z ∈ Z  y ≤ z using Y-p-Z unfolding trace-set-prefix-def by blast
    have x ≤ z using ‹x ≤ y› ‹y ≤ z› by (rule llist-le-trans [of x y z])
    hence ∃ z ∈ Z. x ≤ z using ‹z ∈ Z› by blast
  }
  thus X ≤ Z unfolding trace-set-prefix-def by blast
qed

8.2 Theorem

theorem theorem-2-onlyif:
  fixes k :: nat
  assumes S-Sys: S ∈ Systems and KK-KSHP: KK ∈ KSHP k
  shows ∃ K ∈ KSP k. ((S |= (KK :: hyperproperty)) −→ ((kProd k S) |= K))
proof −
  let ?K = Saf-from-KSaf k KK
  let ?MM = Bads-from-KSaf k KK
  let ?S-k = kProd k S
  have K-is-safety: ?K ∈ KSP k using KK-KSHP by (simp add: Saf-from-KSaf-is-safety)
  have (S |= (KK :: hyperproperty)) −→ ((?S-k) |= ?K)
  proof (rule ccontr)
    {
      assume neg: ¬ (S |= (KK :: hyperproperty) −→ (?S-k) |= ?K)
      hence S-Sat-KK: S |= KK by blast
      have S-k-Unsat: ¬ ((?S-k) |= ?K) using neg by blast
      have S-in-KK: S ∈ KK using S-Sat-KK unfolding hyperproperty-satisfies-def .
      have S-unsub-K: ¬ ?S-k ⊆ ?K using S-k-Unsat unfolding pa-satisfies-def .
      then obtain t where t-st: t ∈ ?S-k  t ∉ ?K by blast
      hence t ∈ TraceInf-K unfolding kProd-def by blast
      then obtain M zip-M where M-zip-M-st: M ∈ Obs  M ∈ ?MM  zipn k (set-to-llist M) zip-M  zip-M ≤k t
        using t-st unfolding Saf-from-KSaf-def by blast
      obtain T where T-st: zipn k (set-to-llist T) t  T ∈ Prop  T ⊆ S
        using ‹t ∈ ?S-k› unfolding kProd-def Systems-def Prop-def by blast
      have M-pfx-T: M ≤ T
        using ‹zipn k (set-to-llist T) t› ‹zipn k (set-to-llist M) zip-M› ‹zip-M ≤k t›
        by (simp add: unzip-monotonic-wrt-prefix-k)
      hence T ∉ KK using ‹M ∈ ?MM› ‹T ∈ Prop› unfolding Bads-from-KSaf-def by blast
      have T ≤ S using T-st S-Sys ‹t ∈ ?S-k›
        unfolding trace-set-prefix-def Systems-def kProd-def zipn-def by blast
      with M-pfx-T have M-pfx-S: M ≤ S by (rule trace-set-prefix-transitive [of M T S])
      have S ∈ Prop using S-Sys unfolding Systems-def Prop-def by blast
      have S ∉ KK using M-zip-M-st M-pfx-S ‹S ∈ Prop› unfolding Bads-from-KSaf-def by blast
      with S-in-KK have False by simp
    }
    thus ¬ (S |= KK −→ kProd k S |= ?K) =⇒ False by assumption
  qed
  thus ∃ K ∈ KSP k. S |= KK −→ kProd k S |= K using K-is-safety by blast
qed

theorem theorem-2-if:
  fixes k :: nat
  assumes S-Sys: S ∈ Systems and KK-KSHP: KK ∈ KSHP k
  shows ∃ K ∈ KSP k. (((kProd k S) |= K) −→ (S |= (KK :: hyperproperty)))
proof −
  let ?K = Saf-from-KSaf k KK
  let ?M = Bads-from-KSaf k KK
  let ?S-k = kProd k S
  have K-is-safety: ?K ∈ KSP k using KK-KSHP by (simp add: Saf-from-KSaf-is-safety)
  have ((?S-k |= ?K) −→ (S |= (KK :: hyperproperty)))
  proof (rule ccontr)
    {
      assume neg: ¬ (((?S-k) |= ?K) −→ (S |= (KK :: hyperproperty)))
      hence ?S-k ⊆ ?K unfolding pa-satisfies-def by simp
      have ¬ (S |= KK) using neg by simp
      have S ∈ Prop using S-Sys unfolding Prop-def Systems-def by blast
      hence S ∉ KK using ‹¬ (S |= KK)› unfolding hyperproperty-satisfies-def by simp
      hence ∃ M ∈ Obs. M ≤ S ∧ card M = k ∧ (∀ T′ ∈ Prop. M ≤ T′ −→ T′ ∉ KK)
        using ‹S ∈ Prop› KK-KSHP unfolding KSHP-def kshp-def by blast
      then obtain M where M-st: M ≤ S  card M = k  M ∈ Obs  ∀ T′ ∈ Prop. M ≤ T′ −→ T′ ∉ KK by blast
      have ∃ m. zipn k (set-to-llist M) m using ‹M ∈ Obs› by (simp add: zip-of-Obs-exists [of M k])
      then obtain m where m-st: zipn k (set-to-llist M) m by blast
      obtain s where s ∈ ?S-k  m ≤k s
        using ‹M ∈ Obs› ‹S ∈ Systems› m-st ‹M ≤ S› using zip-EX-suffix by best
      have M ∈ ?M unfolding Bads-from-KSaf-def using M-st ‹S ∈ Prop› by blast
      have m ∈ TraceFin-K unfolding TraceFin-K-def using m-st ‹M ∈ Obs› zip-of-Obs-fin
        unfolding zipn-def State-K-def Obs-def psi-fin-def by blast
      have s ∉ ?K unfolding Saf-from-KSaf-def
        using ‹M ∈ Obs› ‹m ∈ TraceFin-K› ‹M ∈ ?M› ‹zipn k (set-to-llist M) m› ‹m ≤k s› by blast
      hence ¬ ?S-k ⊆ ?K using ‹s ∈ ?S-k› by blast
      hence False using ‹?S-k ⊆ ?K› by blast
    }
    thus ¬ (kProd k S |= Saf-from-KSaf k KK −→ S |= KK) =⇒ False by assumption
  qed
  thus ∃ K ∈ KSP k. kProd k S |= K −→ S |= KK using K-is-safety by blast
qed

end

References

[1] Denis L. Bueno and Michael R. Clarkson. Hyperproperties: Verification of proofs. Cornell University Computing and Information Science Technical Report, http://hdl.handle.net/1813/11153, July 2008.

[2] Michael R. Clarkson and Fred B. Schneider. Hyperproperties. Cornell University Computing and Information Science Technical Report, http://hdl.handle.net/1813/9480, January 2008.

[3] Michael R. Clarkson and Fred B. Schneider. Hyperproperties. In Proc. IEEE Computer Security Foundations Symposium, pages 51–65, June 2008.

[4] Tobias Nipkow, Lawrence C. Paulson, and Markus Wenzel. Isabelle/HOL: A Proof Assistant for Higher-Order Logic. Springer-Verlag, 2002.