Trace properties, which have long been used for reasoning about systems, are sets of execution traces. Hyperproperties, introduced here, are sets of trace properties. Hyperproperties can express security policies, such as secure information flow and service level agreements, that trace properties cannot. Safety and liveness are generalized to hyperproperties, and every hyperproperty is shown to be the intersection of a safety hyperproperty and a liveness hyperproperty. A verification technique for safety hyperproperties is given and is shown to generalize prior techniques for verifying secure information flow. Refinement is shown to be applicable with safety hyperproperties. A topological characterization of hyperproperties is given.

Traces may be finite or infinite sequences, which we categorize into sets:

where Σ* denotes the set of all finite sequences over Σ, and Σ^ω denotes the set of all infinite sequences over Σ. For trace t = s_0 s_1 · · · and index i ∈ N, we define the following indexing notation:

We denote concatenation of finite trace t and (finite or infinite) trace t′ as tt′, and we denote the empty trace as ε.

A system is modeled by a non-empty set of infinite traces, called its executions. If an execution terminates (and thus could be represented by a finite trace), we represent it as an infinite trace by infinitely stuttering the final state in the finite trace.

Trace properties

A trace property is a set of infinite traces [4,35]. The set of all trace properties is

where P denotes powerset. A set T of traces satisfies a trace property P, denoted T |= P, iff all the traces of T are in P:

Some security policies are expressible as trace properties. For example, consider the policy "The system may not write to the network after reading from a file". Formally, this is the set of traces

where isFileRead and isNetworkWrite are state predicates.

M.R. Clarkson and F.B. Schneider / Hyperproperties 1161

Similarly, access control is a trace property requiring every operation to be consistent with its requestor's rights:

Function acm(s) yields the access control matrix in state s. Function subj(s) yields the subject who requested the operation that led to state s, function obj(s) yields the object involved in that operation, and function rightsReq(s) yields the rights required for the operation to be allowed. As another example, guaranteed service is a trace property requiring that every request for service is eventually satisfied:

Predicate isReq(s) identifies whether a request is initiated in state s, and predicate isRespToReq(s′, s) identifies whether state s′ completes the response to the request initiated in state s.

Hyperproperties

A hyperproperty is a set of sets of infinite traces, or equivalently a set of trace properties. The set of all hyperproperties is HP ≜ P(P(Ψ_inf)) = P(Prop).

The interpretation of a hyperproperty as a security policy is that the hyperproperty is the set of systems allowed by that policy. Each trace property in a hyperproperty is an allowed system, specifying exactly which executions must...
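As an added illustration of the distinction drawn above (example code written for this page, not code from Clarkson and Schneider), the following Python models systems as sets of finite trace prefixes, checks the file/network policy as a trace property (T |= P as T ⊆ P), and contrasts it with a hyperproperty in the secure-information-flow family that relates pairs of traces. The State fields, the particular information-flow formulation and the sample traces are assumptions of the example. The last function shows why such a policy is not a trace property: two single-trace systems can each satisfy it while their union does not, which can never happen for a trace property lifted to sets.

```python
"""Added example (not from the paper): trace properties and hyperproperties
over finite trace prefixes. A state is a State record, a trace is a tuple of
states, a system is a frozenset of traces. The field names (op, low_in,
high_in, low_out) and the sample traces are assumptions of this example."""
from collections import namedtuple
from itertools import combinations

State = namedtuple("State", "op low_in high_in low_out", defaults=(None,) * 4)


# State predicates used by the file/network policy in the text.
def is_file_read(s):
    return s.op == "file_read"


def is_network_write(s):
    return s.op == "net_write"


def no_net_write_after_file_read(t):
    """Membership test for the trace property "the system may not write to
    the network after reading from a file": t is in the property iff no
    network write occurs at or after the first file read."""
    read_seen = False
    for s in t:
        read_seen = read_seen or is_file_read(s)
        if read_seen and is_network_write(s):
            return False
    return True


def lift(prop):
    """Every trace property P induces the hyperproperty of its subsets:
    a system T satisfies it iff T ⊆ P, i.e. each trace of T is in P."""
    return lambda system: all(prop(t) for t in system)


def view(t, field):
    """Projection of a trace onto one field, position by position."""
    return tuple(getattr(s, field) for s in t)


def low_equivalent_outputs(system):
    """A hyperproperty in the secure-information-flow family (formulation
    assumed here, not quoted from the text): any two traces with the same
    low-input history must have the same low-output history. It constrains
    pairs of executions, so it cannot be checked one trace at a time."""
    for t1, t2 in combinations(system, 2):
        if view(t1, "low_in") == view(t2, "low_in") and \
           view(t1, "low_out") != view(t2, "low_out"):
            return False
    return True


def union_counterexample(hp, system):
    """If hp were lift(P) for some trace property P, then sub-systems A and B
    satisfying hp would give A ⊆ P and B ⊆ P, hence A ∪ B ⊆ P and hp(A ∪ B).
    Return a pair of single-trace sub-systems of `system` that breaks this,
    or None if no such pair exists."""
    singles = [frozenset([t]) for t in system]
    for a, b in combinations(singles, 2):
        if hp(a) and hp(b) and not hp(a | b):
            return a, b
    return None


# Constructed sample executions (finite prefixes; the paper would extend
# each one by stuttering its final state).
LEAKY_A = (State(low_in=0, high_in=0), State(op="net_write", low_out=0))
LEAKY_B = (State(low_in=0, high_in=1), State(op="net_write", low_out=1))
SAFE_C = (State(low_in=1, high_in=0), State(op="net_write", low_out=1))
SAFE_D = (State(low_in=1, high_in=1), State(op="net_write", low_out=1))
BAD_E = (State(op="file_read", low_in=1), State(op="net_write", low_out=1))

LEAKY_SYSTEM = frozenset([LEAKY_A, LEAKY_B])   # low output tracks high input
SAFE_SYSTEM = frozenset([SAFE_C, SAFE_D])      # low output independent of high input

if __name__ == "__main__":
    policy = lift(no_net_write_after_file_read)
    print(policy(LEAKY_SYSTEM), policy(frozenset([BAD_E])))            # True False
    print(low_equivalent_outputs(SAFE_SYSTEM),
          low_equivalent_outputs(LEAKY_SYSTEM))                        # True False
    print(union_counterexample(low_equivalent_outputs, LEAKY_SYSTEM))  # a pair
    print(union_counterexample(policy, frozenset([LEAKY_A, BAD_E])))   # None
```

Both single-trace systems {LEAKY_A} and {LEAKY_B} satisfy low_equivalent_outputs trivially, yet their union does not; for the lifted file/network policy no such pair can be found, because membership there is decided trace by trace.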
Two new logics for verification of hyperproperties are proposed. Hyperproperties characterize security policies, such as noninterference, as a property of sets of computation paths. Standard temporal logics such as LTL, CTL, and CTL* can refer only to a single path at a time, hence cannot express many hyperproperties of interest. The logics proposed here, HyperLTL and HyperCTL*, add explicit and simultaneous quantification over multiple paths to LTL and to CTL*. This kind of quantification enables expression of hyperproperties. A model checking algorithm for the proposed logics is given. For a fragment of HyperLTL, a prototype model checker has been implemented.

Syntax. Let π be a trace variable from an infinite supply V of trace variables. Formulas of HyperLTL are defined by the following grammar:

Connectives ∃ and ∀ are existential and universal trace quantifiers, read as "along some traces" and "along all traces." For example, ∀π_1. ∀π_2. ∃π_3. ψ means that for all traces π_1 and π_2, there exists another trace π_3, such that ψ holds on those three traces. (Since branching-time logics also have explicit path quantifiers, it
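To make the quantifier semantics concrete, here is an added example (written for this page; it is not the paper's prototype model checker) of a brute-force evaluator for HyperLTL formulas with an explicit quantifier prefix over a finite system of finite traces. The formula encoding, the proposition names h and l, the generalized-noninterference-style formula built on the ∀π_1. ∀π_2. ∃π_3. ψ pattern from the text, and the sample systems are all assumptions of the example; finite traces are treated as stuttering their last state, as in the Clarkson and Schneider model.

```python
"""Added example (not the HyperLTL prototype from the paper): evaluate a
HyperLTL formula, given as a quantifier prefix over trace variables followed
by a quantifier-free temporal body, against a finite set of finite traces.
Formula constructors, proposition names and sample systems are assumptions."""


def trace(*states):
    """Build a trace from strings of space-separated atomic propositions."""
    return tuple(frozenset(s.split()) for s in states)


def _state(t, i):
    """Terminated traces stutter their final state, so index past the end
    yields the last state."""
    return t[min(i, len(t) - 1)]


def holds(phi, env, i, horizon):
    """Evaluate quantifier-free phi at position i under env (trace variable
    -> trace). horizon is the longest bound trace; past it every bound
    trace is constant, so G and F need not look further."""
    op = phi[0]
    if op == "ap":            # ("ap", a, pi): proposition a on trace pi at i
        return phi[1] in _state(env[phi[2]], i)
    if op == "not":
        return not holds(phi[1], env, i, horizon)
    if op == "and":
        return holds(phi[1], env, i, horizon) and holds(phi[2], env, i, horizon)
    if op == "or":
        return holds(phi[1], env, i, horizon) or holds(phi[2], env, i, horizon)
    if op == "imp":
        return (not holds(phi[1], env, i, horizon)) or holds(phi[2], env, i, horizon)
    if op == "iff":
        return holds(phi[1], env, i, horizon) == holds(phi[2], env, i, horizon)
    if op == "X":             # next
        return holds(phi[1], env, i + 1, horizon)
    positions = range(i, horizon) if i < horizon else [i]
    if op == "G":             # globally
        return all(holds(phi[1], env, j, horizon) for j in positions)
    if op == "F":             # eventually
        return any(holds(phi[1], env, j, horizon) for j in positions)
    raise ValueError(f"unknown operator {op!r}")


def check(formula, system):
    """Evaluate a closed formula: each ("forall", var, body) or
    ("exists", var, body) binds var to every trace of system in turn."""
    def go(phi, env):
        if phi[0] in ("forall", "exists"):
            _, var, body = phi
            results = (go(body, {**env, var: t}) for t in system)
            return all(results) if phi[0] == "forall" else any(results)
        horizon = max((len(t) for t in env.values()), default=1)
        return holds(phi, env, 0, horizon)
    return go(formula, {})


def agree(a, p1, p2):
    """G (a_p1 <-> a_p2): proposition a has the same value on both traces
    at every position."""
    return ("G", ("iff", ("ap", a, p1), ("ap", a, p2)))


# forall pi1. forall pi2. exists pi3. G(h_pi1 <-> h_pi3) and G(l_pi2 <-> l_pi3)
# The three-quantifier pattern from the text, used here for a generalized-
# noninterference-style requirement (formulation assumed in this example):
# every high-input history must be combinable with every low-observable history.
GNI = ("forall", "pi1", ("forall", "pi2", ("exists", "pi3",
       ("and", agree("h", "pi1", "pi3"), agree("l", "pi2", "pi3")))))

# Constructed sample systems: h = high input present, l = low output observed.
INDEPENDENT = {trace("h", ""), trace("h", "l"), trace("", ""), trace("", "l")}
LEAKY = {trace("h", "l"), trace("", "")}   # low output exactly tracks high input

if __name__ == "__main__":
    print(check(GNI, INDEPENDENT), check(GNI, LEAKY))   # True False
```

A single-quantifier formula such as ("forall", "pi", body) degenerates to an ordinary LTL check of body on each trace separately; the GNI formula is not of that shape, because the witness trace π_3 must be found relative to the pair π_1, π_2.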
Civitas is the first electronic voting system that is coercion-resistant, universally and voter verifiable, and suitable for remote voting. This paper describes the design and implementation of Civitas. Assurance is established in the design through security proofs, and in the implementation through information-flow security analysis. Experimental results give a quantitative evaluation of the tradeoffs between time, cost, and security.
Abstract. Polyglot is an extensible compiler framework that supports the easy creation of compilers for languages similar to Java, while avoiding code duplication. The Polyglot framework is useful for domain-specific languages, exploration of language design, and for simplified versions of Java for pedagogical use. We have used Polyglot to implement several major and minor modifications to Java; the cost of implementing language extensions scales well with the degree to which the language differs from Java. This paper focuses on the design choices in Polyglot that are important for making the framework usable and highly extensible. Polyglot source code is available.