Logics and Algorithms for a Unified Theory of Hyperproperties

The central role of information technology in all aspects of our private and professional lives has led to a fundamental change in the type of program properties we care about. Up to now, the focus has been on functional correctness; in the future, requirements that reflect our societal values, like privacy, fairness, and explainability, will be far more important. These properties belong to the class of hyperproperties, which represent sets of sets of execution traces and can therefore specify the relationship between different computations of a reactive system. Previous work has focussed on individual hyperproperties like noninterference or restricted classes, such as k-hypersafety; this project sets out to develop a unified theory for general hyperproperties. We will develop a formal specification language and effective algorithms for logical reasoning, verification, and program synthesis. The central idea is to use the type and alternation structure of the logical quantifiers, ranging from classic first-order and second-order quantification to quantifiers over rich data domains and quantitative operators for statistical analysis, as the fundamental structure that partitions the broad concept of hyperproperties into specific property classes; each particular class is then supported by algorithms that provide a uniform solution for all the properties within the class. The project will bring the analysis of hyperproperties to the level of traditional notions of safety and reliability, and provide a rigorous foundation for the debate about standards for privacy, fairness, and explainability that future software-based systems will be measured against.

We have developed logical and algorithmic foundations for hyperproperties. We have formalized hyperproperties of modern reactive systems, such as causality. We have developed the theory of temporal causality, which draws causal relationships between trace properties on a given trace, such as counterexamples uncovered by a model checker, or error traces recognized by a monitoring tool. A key result is an automata-based algorithm that automatically synthesizes omega-regular causes for omega-regular effects on such traces. We have developed the first second-order logic for temporal hyperproperties. The new logic, Hyper2LTL, can express complex epistemic properties like common knowledge, Mazurkiewicz trace theory, and asynchronous hyperproperties. We have also developed new methods for monitoring, verification, and synthesis for hyperproperties. Our key result in runtime monitoring has been the development of the first monitoring technique for second-order hyperproperties. Our key result in verification is a model checking technique that is complete for properties with arbitrary quantifier alternations. Our most significant result in synthesis is a syntax-guided program repair method for hyperproperties that automatically finds patches that are as close as possible to the original program.

The project will have a far-reaching impact both within formal methods, bringing the analysis of hyperproperties to a standard comparable to traditional notions of safety and reliability, and in the broader debate about privacy, fairness, and explainability, where the new unified theory will provide a common semantic foundation, leading to synergies and rigorous competition for the best approaches. The logic and the reasoning techniques will provide researchers, government officials, and the general public with a precise understanding of the subtle differences between the various proposals for formal definitions. In the long run, this will help establish commonly accepted standards for privacy, fairness, and explainability that future software-based systems will be measured against.