We have implemented a prototype tool that can solve the HyperQPTL realizability problem using the bounded synthesis approach [18]. More concretely, we extended the HyperLTL synthesis tool BoSy [7,9,12]. BoSy reduces the HyperLTL synthesis problem to an SMT constraint system which is then solved by Z3 [8] (for more see [12]). We implemented the reduction of HyperQPTL synthesis to HyperLTL synthesis (Corollary 2) in BoSy, such that the tool can also handle HyperQPTL formulas. We evaluated the tool against a range of benchmark sets, shown in Table 1. The first column indicates the parameterized benchmark name. The second and third columns indicate the bounds given to the bounded synthesis procedure. The second column is the bound on the size of the system. The newest version of BoSy also bounds the size of the strategy for the existential player; this bound is given in column three. For a detailed explanation of how existential strategies are bounded in BoSy, we refer to [7].

Table 1. Experimental results for prompt arbiter

Instance               Bound on system  Bound on ∃-strategy  Result  Time [sec.]
arbiter-2-prompt       2                1                    unsat   <1
arbiter-2-prompt       2                2                    sat     <1
arbiter-2-full-prompt  3                1                    unsat   2.4
arbiter-2-full-prompt  3                2                    sat     6.0
arbiter-3-prompt       3                1                    unsat   4.2
arbiter-3-prompt       3                2                    sat     9.5
arbiter-4-prompt       4                1                    unsat   97
arbiter-4-prompt       4                2                    ?       TO

TO: timeout.
We synthesized a range of resource arbiters. Our benchmark set is parametric in the number of clients that can request access to the shared resource (written arbiter-k-prompt in Table 1, where k is the number of clients). Unlike normal arbiters, we require the arbiter to fulfill promptness for some of the clients, i.e., requests must be answered within a bounded number of steps [33]. We state the promptness requirement in HyperQPTL by applying the alternating-color technique from [24]. Intuitively, the alternating-color technique works as follows: we quantify a q-sequence that "changes color" between q and ¬q. Each change of color is used as a potential bound. Once a request occurs, the grant must be given within two changes of color. Thus, the HyperQPTL formulation amounts to the following specifications, shown here for 2 clients, where we require promptness only for client 1.
$$\forall\pi.\ \neg(g_{1,\pi} \wedge g_{2,\pi}) \tag{1}$$

$$\forall\pi.\ (r_{2,\pi} \rightarrow g_{2,\pi}) \tag{2}$$

$$\exists q.\,\forall\pi.\ q \wedge \neg q \wedge \Big(r_{1,\pi} \rightarrow \big(q \rightarrow (q\ \mathcal{U}\ (\neg q\ \mathcal{U}\ g_{1,\pi}))\big) \wedge \big(\neg q \rightarrow (\neg q\ \mathcal{U}\ (q\ \mathcal{U}\ g_{1,\pi}))\big)\Big) \tag{3}$$

$$\forall\pi.\ (\neg g_{1,\pi}\ \mathcal{W}\ r_{1,\pi}) \wedge (\neg g_{2,\pi}\ \mathcal{W}\ r_{2,\pi}) \tag{4}$$
Formula 1 states mutual exclusion. Formula 2 states that client 2 must be served eventually (but not within a bounded number of steps). Formula 3 states the promptness requirement for client 1. It quantifies an alternating q-sequence, which serves as a sequence of global bounds that must be respected on all traces π. Then, if client 1 poses a request, the grant must be given within two changes of the value of q. Formula 4 is only added in benchmarks named arbiter-k-full-prompt. It specifies that no spurious grants should be given.
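The following Python code is an added illustration of the alternating-color encoding on finite traces; it is not part of the paper and not BoSy's code. Each trace position is a constructed pair (r1, g1) of request and grant bits, and q is the color sequence. The reading of "grant within two changes of color" that the code uses is an assumption drawn from the nesting of the until operators in Formula 3: a request at position i is served if some grant follows at a position j ≥ i with at most one color change strictly between i and j. The functions `periodic_colouring` and `tolerated_latency` are hypothetical helpers that show both directions of the encoding: a bound k can be turned into a color sequence, and a color sequence in turn determines how long a request may wait.

```python
# Added example: the alternating-colour encoding of promptness on finite traces.
# A trace is a list of (r1, g1) pairs for client 1; q is a list of booleans.

def served_promptly(trace, q, i):
    """Implication part of Formula 3 at position i (assumed finite-trace reading):
    a request at i needs a grant at some j >= i with at most one colour change
    strictly between i and j."""
    if not trace[i][0]:
        return True                      # no request at i, nothing to serve
    changes = 0
    for j in range(i, len(trace)):
        if trace[j][1]:
            return True                  # grant before the second colour change
        if j > i and q[j] != q[j - 1]:
            changes += 1
            if changes == 2:
                return False             # bound exhausted, request still open
    return False                         # prefix ends without a grant

def formula3_holds(trace, q):
    """Prompt service of client 1 at every position of the finite prefix."""
    return all(served_promptly(trace, q, i) for i in range(len(trace)))

def periodic_colouring(n, k):
    """Colour sequence of length n that flips every k steps; this is the
    q-sequence one picks when the promptness bound is k."""
    return [(t // k) % 2 == 0 for t in range(n)]

def max_latency(trace):
    """Largest request-to-grant distance in the prefix, or None if some
    request is never granted within the prefix."""
    worst = 0
    for i, (request, _) in enumerate(trace):
        if not request:
            continue
        grants = [j for j in range(i, len(trace)) if trace[j][1]]
        if not grants:
            return None
        worst = max(worst, grants[0] - i)
    return worst

def tolerated_latency(q, i):
    """Latest offset from i at which a request posed at i may still be granted
    under colouring q: the second colour change after i.  None if the prefix
    does not contain two changes after i."""
    changes = [j for j in range(i + 1, len(q)) if q[j] != q[j - 1]]
    return changes[1] - i if len(changes) >= 2 else None

# Constructed sample traces: PROMPT answers every request within 2 steps,
# SLOW has one request that waits 3 steps.
PROMPT = [(1, 0), (0, 0), (0, 1), (0, 0), (0, 0), (1, 0), (0, 0), (0, 1)]
SLOW = [(1, 0), (0, 0), (0, 0), (0, 1)]

if __name__ == "__main__":
    k = max_latency(PROMPT)
    print("bound of PROMPT:", k)
    print("period-k colouring satisfies Formula 3:",
          formula3_holds(PROMPT, periodic_colouring(len(PROMPT), k)))
    print("SLOW with period 1:", formula3_holds(SLOW, periodic_colouring(4, 1)))
    print("SLOW with period 3:", formula3_holds(SLOW, periodic_colouring(4, 3)))
```

A color sequence that flips every k steps admits every trace whose requests are answered within k steps, while a sequence that flips every step rejects the request in `SLOW` that waits three steps; choosing the period is exactly choosing the bound that the existential quantifier over q ranges over.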
BoSy successfully synthesizes prompt arbiters of up to 3 states. For a 4-state prompt arbiter, BoSy did not return in reasonable time.
6 Conclusion
We studied the hyperlogic HyperQPTL, which combines the concepts of trace relations and ω-regularity. We showed that HyperQPTL is very expressive: it can express properties like promptness, bounded waiting for a grant, epistemic properties, and, in particular, any ω-regular property. Those properties are not expressible in previously studied hyperlogics like HyperLTL. At the same time, we argued that the expressiveness of HyperQPTL is optimal in the sense that a more expressive logic for ω-regular hyperproperties would have an undecidable model checking problem. We furthermore studied the realizability problem of HyperQPTL. We showed that realizability is decidable for HyperQPTL fragments that contain properties like promptness. But still, in contrast to the satisfiability problem, propositional quantification does make the realizability problem of hyperlogics harder. More specifically, the HyperQPTL fragment of formulas with a universal-existential propositional quantifier alternation followed by a single trace quantifier is undecidable in general, even though the projection of the fragment to HyperLTL has a decidable realizability problem. Lastly, we implemented the bounded synthesis problem for HyperQPTL in the prototype tool BoSy. Using BoSy with HyperQPTL specifications, we have been able to synthesize several resource arbiters. The synthesis problem of non-linear-time hyperlogics is still open. For example, it is not yet known how to synthesize systems from specifications given in branching-time hyperlogics like HyperCTL*.
References
1. Bonakdarpour, B., Finkbeiner, B.: Program repair for hyperproperties. In: Chen, Y.-F., Cheng, C.-H., Esparza, J. (eds.) ATVA 2019. LNCS, vol. 11781, pp. 423–441. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-31784-3_25
2. Bozzelli, L., Maubert, B., Pinchinat, S.: Unifying hyper and epistemic temporal logics. In: Pitts, A. (ed.) FoSSaCS 2015. LNCS, vol. 9034, pp. 167–182. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-46678-0_11
3. Chaum, D.: Security without identification: transaction systems to make big brother obsolete. Commun. ACM 28(10), 1030–1044 (1985). https://doi.org/10.1145/4372.4373
4. Clarkson, M.R., Finkbeiner, B., Koleini, M., Micinski, K.K., Rabe, M.N., Sánchez, C.: Temporal logics for hyperproperties. In: Abadi, M., Kremer, S. (eds.) POST 2014. LNCS, vol. 8414, pp. 265–284. Springer, Heidelberg (2014). https://doi.org/10.1007/978-3-642-54792-8_15
5. Clarkson, M.R., Schneider, F.B.: Hyperproperties. J. Comput. Secur. 18(6), 1157–1210 (2010). https://doi.org/10.3233/JCS-2009-0393
6. Coenen, N., Finkbeiner, B., Hahn, C., Hofmann, J.: The hierarchy of hyperlogics. In: 34th Annual ACM/IEEE Symposium on Logic in Computer Science (LICS 2019), pp. 1–13 (2019). https://doi.org/10.1109/LICS.2019.8785713
7. Coenen, N., Finkbeiner, B., Sánchez, C., Tentrup, L.: Verifying hyperliveness. In: Dillig, I., Tasiran, S. (eds.) CAV 2019. LNCS, vol. 11561, pp. 121–139. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-25540-4_7
8. de Moura, L., Bjørner, N.: Z3: an efficient SMT solver. In: Ramakrishnan, C.R., Rehof, J. (eds.) TACAS 2008. LNCS, vol. 4963, pp. 337–340. Springer, Heidelberg (2008). https://doi.org/10.1007/978-3-540-78800-3_24
9. Faymonville, P., Finkbeiner, B., Tentrup, L.: BoSy: an experimentation framework for bounded synthesis. In: Majumdar, R., Kunčak, V. (eds.) CAV 2017. LNCS, vol. 10427, pp. 325–332. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-63390-9_17
10. Finkbeiner, B., Hahn, C.: Deciding hyperproperties. In: Proceedings of CONCUR. LIPIcs, vol. 59, pp. 13:1–13:14. Schloss Dagstuhl - Leibniz-Zentrum fuer Informatik (2016). https://doi.org/10.4230/LIPIcs.CONCUR.2016.13
11. Finkbeiner, B., Hahn, C., Hans, T.: MGHyper: checking satisfiability of HyperLTL formulas beyond the ∃*∀* fragment. In: Lahiri, S.K., Wang, C. (eds.) ATVA 2018. LNCS, vol. 11138, pp. 521–527. Springer, Cham (2018). https://doi.org/10.1007/978-3-030-01090-4_31
12. Finkbeiner, B., Hahn, C., Lukert, P., Stenger, M., Tentrup, L.: Synthesizing reactive systems from hyperproperties. In: Chockler, H., Weissenbacher, G. (eds.) CAV 2018. LNCS, vol. 10981, pp. 289–306. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-96145-3_16
13. Finkbeiner, B., Hahn, C., Lukert, P., Stenger, M., Tentrup, L.: Synthesis from hyperproperties. Acta Inf. 57(1), 137–163 (2020). https://doi.org/10.1007/s00236-019-00358-2
14. Finkbeiner, B., Hahn, C., Stenger, M.: EAHyper: satisfiability, implication, and equivalence checking of hyperproperties. In: Majumdar, R., Kunčak, V. (eds.) CAV 2017. LNCS, vol. 10427, pp. 564–570. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-63390-9_29
15. Finkbeiner, B., Hahn, C., Torfah, H.: Model checking quantitative hyperproperties. In: Chockler, H., Weissenbacher, G. (eds.) CAV 2018. LNCS, vol. 10981, pp. 144–163. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-96145-3_8
16. Finkbeiner, B., Rabe, M.N., Sánchez, C.: Algorithms for model checking HyperLTL and HyperCTL*. In: Kroening, D., Păsăreanu, C.S. (eds.) CAV 2015. LNCS, vol. 9206, pp. 30–48. Springer, Cham (2015). https://doi.org/10.1007/978-3-319-21690-4_3
17. Finkbeiner, B., Schewe, S.: Uniform distributed synthesis. In: Proceedings of LICS, pp. 321–330. IEEE Computer Society (2005). https://doi.org/10.1109/LICS.2005.53
18. Finkbeiner, B., Schewe, S.: Bounded synthesis. STTT 15(5–6), 519–539 (2013). https://doi.org/10.1007/s10009-012-0228-z
19. Finkbeiner, B., Zimmermann, M.: The first-order logic of hyperproperties. In: Proceedings of STACS. LIPIcs, vol. 66, pp. 30:1–30:14. Schloss Dagstuhl - Leibniz-Zentrum fuer Informatik (2017). https://doi.org/10.4230/LIPIcs.STACS.2017.30
20. Goguen, J.A., Meseguer, J.: Security policies and security models. In: Proceedings of S&P, pp. 11–20. IEEE Computer Society (1982). https://doi.org/10.1109/SP.1982.10014
21. Hahn, C.: Algorithms for monitoring hyperproperties. In: Finkbeiner, B., Mariani, L. (eds.) RV 2019. LNCS, vol. 11757, pp. 70–90. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-32079-9_5
22. Halpern, J.Y., Vardi, M.Y.: The complexity of reasoning about knowledge and time. I. Lower bounds. J. Comput. Syst. Sci. 38(1), 195–237 (1989). https://doi.org/10.1016/0022-0000(89)90039-1
23. Kaivola, R.: Using automata to characterise fixed point temporal logics. Ph.D. thesis (1997)
24. Kupferman, O., Piterman, N., Vardi, M.Y.: From liveness to promptness. Formal Methods Syst. Des. 34(2), 83–103 (2009). https://doi.org/10.1007/s10703-009-0067-z
25. Nguyen, L.V., Kapinski, J., Jin, X., Deshmukh, J.V., Johnson, T.T.: Hyperproperties of real-valued signals. In: Proceedings of MEMOCODE, pp. 104–113. ACM (2017). https://doi.org/10.1145/3127041.3127058
26. Pnueli, A.: The temporal logic of programs. In: Proceedings of FOCS, pp. 46–57. IEEE Computer Society (1977). https://doi.org/10.1109/SFCS.1977.32
27. Pnueli, A., Rosner, R.: Distributed reactive systems are hard to synthesize. In: Proceedings of FOCS, pp. 746–757. IEEE Computer Society (1990). https://doi.org/10.1109/FSCS.1990.89597
28. Post, E.L.: A variant of a recursively unsolvable problem. Bull. Am. Math. Soc. 52(4), 264–268 (1946)
29. Rabe, M.N.: A temporal logic approach to information-flow control. Ph.D. thesis, Saarland University (2016)
30. Sistla, A.P., Vardi, M.Y., Wolper, P.: The complementation problem for Büchi automata with applications to temporal logic. In: Brauer, W. (ed.) ICALP 1985. LNCS, vol. 194, pp. 465–474. Springer, Heidelberg (1985). https://doi.org/10.1007/BFb0015772
31. Sistla, A.P.: Theoretical issues in the design and verification of distributed systems. Ph.D. thesis (1983)
32. Stucki, S., Sánchez, C., Schneider, G., Bonakdarpour, B.: Gray-box monitoring of hyperproperties. In: ter Beek, M.H., McIver, A., Oliveira, J.N. (eds.) FM 2019. LNCS, vol. 11800, pp. 406–424. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-30942-8_25
33. Tentrup, L., Weinert, A., Zimmermann, M.: Approximating optimal bounds in Prompt-LTL realizability in doubly-exponential time. In: Proceedings of GandALF, EPTCS, vol. 226, pp. 302–315 (2016). https://doi.org/10.4204/EPTCS.226.21
34. Zdancewic, S., Myers, A.C.: Observational determinism for concurrent program security. In: Proceedings of CSFW, p. 29. IEEE Computer Society (2003). https://doi.org/10.1109/CSFW.2003.1212703
Open Access This chapter is licensed under the terms of the Creative Commons Attribution 4.0 International License (http://creativecommons.org/licenses/by/4.0/), which permits use, sharing, adaptation, distribution and reproduction in any medium or format, as long as you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons license and indicate if changes were made.
The images or other third party material in this chapter are included in the chapter’s Creative Commons license, unless indicated otherwise in a credit line to the material. If material is not included in the chapter’s Creative Commons license and your intended use is not permitted by statutory regulation or exceeds the permitted use, you will need to obtain permission directly from the copyright holder.
AdamMC: A Model Checker for Petri Nets with Transits against Flow-LTL
Bernd Finkbeiner1, Manuel Gieseking2(B), Jesko Hecking-Harbusch1, and Ernst-Rüdiger Olderog2
1 Saarland University, Saarbrücken, Germany {finkbeiner,hecking-harbusch}@react.uni-saarland.de
2 University of Oldenburg, Oldenburg, Germany {gieseking,olderog}@informatik.uni-oldenburg.de
Abstract. The correctness of networks is often described in terms of the individual data flow of components instead of their global behavior. In software-defined networks, it is far more convenient to specify the correct behavior of packets than the global behavior of the entire network. Petri nets with transits extend Petri nets and Flow-LTL extends LTL such that the data flows of tokens can be tracked. We present the tool AdamMC as the first model checker for Petri nets with transits against Flow-LTL. We describe how AdamMC can automatically encode concurrent updates of software-defined networks as Petri nets with transits and how common network specifications can be expressed in Flow-LTL. Underlying AdamMC is a reduction to a circuit model checking problem. We introduce a new reduction method that results in tremendous performance improvements compared to a previous prototype. Thereby, AdamMC can handle software-defined networks with up to 82 switches.
1 Introduction
In networks, it is difficult to specify correctness in terms of the global behavior of the entire system. Instead, the individual flow of components is far more convenient to specify correct behavior. For example, loop and drop freedom can be easily specified for the flow of each packet. Petri nets and LTL lack this local view. Petri nets with transits and Flow-LTL have been introduced to overcome this restriction [10]. A transit relation is introduced to follow the flow induced by tokens. Flow-LTL is a temporal logic to specify both the local flow of data and the global behavior of markings. The global behavior as in Petri nets and LTL is still important for maximality and fairness assumptions. In this paper, we present the tool AdamMC (footnote 1) as the first model checker for Petri nets with transits against Flow-LTL and its application to software-defined networking.

1 AdamMC is available online at https://uol.de/en/csd/adammc [12].
This work was supported by the German Research Foundation (DFG) Grant Petri Games (392735815) and the Collaborative Research Center "Foundations of Perspicuous Software Systems" (TRR 248, 389792660), and by the European Research Council (ERC) Grant OSARES (683300).
© The Author(s) 2020
S. K. Lahiri and C. Wang (Eds.): CAV 2020, LNCS 12225, pp. 64–76, 2020.
https://doi.org/10.1007/978-3-030-53291-8_5

Fig. 1. Access control at an airport modeled as Petri net with transits. Colored arrows display the transit relation and define flow chains to model the passengers. [Figure not reproduced; the node labels visible in the extracted text are airport, start, queue, en, cp1, terminal, cp2, check, booth, ret, work, home, comeToWork, idle.]
In Fig. 1, we present an example of a Petri net with transits that models the security check at an airport where passengers are checked by a security guard. The number of passengers entering the airport is unknown in advance. Rather than introducing the complexity of an infinite number of tokens, we use a fixed number of tokens to model possibly infinitely many flow chains. This is done by the transit relation, which is depicted with colored arrows.
The left-hand side of Fig. 1 models passengers who want to reach the terminal. There are three tokens in the places airport, queue, and terminal. Thus, transitions start and en are always enabled. Each firing of start creates a new flow chain as depicted by the green arrow. This models a new person arriving at the airport. Meanwhile, the double-headed blue arrow maintains all flow chains that are still in place airport. Passengers have to enter the queue and wait until the security check is performed. Therefore, transition en continues every flow chain in airport to queue. Checking the passengers is carried out by transition check, which becomes enabled if the security guard works. Thus, passengers residing in queue have to wait until the guard checks them. Afterwards, they reach the terminal. The security guard is modeled on the right-hand side of Fig. 1. By firing comeToWork and thus moving the token in place home, her flow chain starts and she can repeatedly either idle or work, check passengers, and return. Her transit relation is depicted in orange and models exactly one flow chain.
In Fig. 1, we define the checkpoints cp1 and cp2 and the booth as a security zone and require that passengers never enter the security zone and eventually reach the terminal. The flow formula ϕ = A(airport → (¬(cp1 ∨ cp2 ∨ booth) ∧ terminal)) specifies this. AdamMC verifies the example from Fig. 1 against the formula check → ϕ, specifying that if passengers are checked regularly then they cannot access the security zone and eventually reach the terminal.
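To make the notions of transit relation and flow chain concrete, the following Python code is an added example, not AdamMC's implementation and not the paper's exact model. It simulates a simplified reconstruction of the airport net of Fig. 1 whose place and transition structure is an assumption (the guard's checkpoints cp1 and cp2 are only listed in the security zone, not modeled as places), tracks every flow chain that the transit relation creates and continues, and evaluates the flow requirement "every chain starting in airport avoids the security zone and reaches terminal" on a finite firing sequence. Because the run is finite, "eventually reaches terminal" is judged on the prefix only; the real tool reasons about infinite runs. The hypothetical `airport_net` builder takes a parameter so that a mis-wired variant, which routes passengers into the booth, can be checked against the same requirement.

```python
# Added example: a small simulator for Petri nets with transits (1-safe nets
# assumed), following flow chains through the transit relation of a
# reconstructed airport net, plus a finite-run check of the flow requirement.
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Transition:
    name: str
    pre: frozenset    # places a token is taken from
    post: frozenset   # places a token is put into
    transits: tuple   # (src, dst) pairs; src None creates a fresh flow chain at dst


@dataclass
class Chain:
    places: list       # sequence of places visited by this data flow
    alive: bool = True # False once its token was consumed without a transit


def T(name, pre, post, transits):
    return Transition(name, frozenset(pre), frozenset(post), tuple(transits))


def airport_net(check_target="terminal"):
    """Simplified reconstruction of Fig. 1 (assumed structure).  `check_target`
    is where a checked passenger's chain continues; "booth" gives a mis-wired net."""
    return {t.name: t for t in [
        T("start", {"airport"}, {"airport"},
          [(None, "airport"), ("airport", "airport")]),  # new passenger, keep waiting ones
        T("en", {"airport", "queue"}, {"airport", "queue"},
          [("airport", "queue"), ("queue", "queue")]),
        T("comeToWork", {"home"}, {"work"}, [(None, "work")]),
        T("idle", {"work"}, {"work"}, [("work", "work")]),
        T("check", {"queue", "terminal", "work"}, {"queue", "terminal", "booth"},
          [("queue", check_target), ("terminal", "terminal"), ("work", "booth")]),
        T("ret", {"booth"}, {"work"}, [("booth", "work")]),
    ]}


INITIAL_MARKING = Counter({"airport": 1, "queue": 1, "terminal": 1, "home": 1})
SECURITY_ZONE = {"cp1", "cp2", "booth"}


def fire(net, marking, chains, name):
    """Fire transition `name`: update the marking and move every live chain
    sitting on a pre-place along the transits that leave that place."""
    t = net[name]
    if any(marking[p] < 1 for p in t.pre):
        raise ValueError(f"{name} is not enabled in {dict(marking)}")
    marking = marking.copy()
    for p in t.pre:
        marking[p] -= 1
    for p in t.post:
        marking[p] += 1
    forks = []
    for c in chains:
        if not c.alive or c.places[-1] not in t.pre:
            continue
        targets = [dst for src, dst in t.transits if src == c.places[-1]]
        if not targets:
            c.alive = False           # token consumed without transit: chain ends
            continue
        for dst in targets[1:]:       # additional targets fork the chain
            forks.append(Chain(c.places + [dst]))
        c.places.append(targets[0])
    started = [Chain([dst]) for src, dst in t.transits if src is None]
    return marking, chains + forks + started


def run(net, sequence):
    marking, chains = INITIAL_MARKING, []
    for name in sequence:
        marking, chains = fire(net, marking, chains, name)
    return marking, chains


def passenger_violations(chains):
    """Finite-run reading of A(airport -> (never in the zone and eventually terminal))."""
    bad = []
    for c in chains:
        if c.places[0] != "airport":
            continue                  # only passenger chains are constrained
        if SECURITY_ZONE.intersection(c.places):
            bad.append(("entered security zone", c.places))
        elif "terminal" not in c.places:
            bad.append(("never reached terminal", c.places))
    return bad


# Constructed firing sequence: two passengers arrive, the guard comes to work,
# each passenger is checked and the guard returns to work in between.
RUN = ["start", "en", "start", "comeToWork", "check", "ret", "en", "check"]


def passengers_ok(net, sequence=RUN):
    _, chains = run(net, sequence)
    return not passenger_violations(chains)


if __name__ == "__main__":
    print("Fig. 1 net:", passengers_ok(airport_net()))
    print("mis-wired net:", passenger_violations(run(airport_net("booth"), RUN)[1]))
```

Note that the net never needs more than one token per place even though it produces one chain per arriving passenger, which is the point of the transit relation: the token in airport is recycled by the self-loop of start, while each firing opens a new chain and the (airport, airport) transit keeps the chains that are still waiting.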
In this paper, we present AdamMC as a full-fledged tool. First, AdamMC can handle Petri nets with transits and Flow-LTL formulas in general. Second, AdamMC has an input interface for a concurrent update and a software-defined network and encodes both of them as a Petri net with transits. Common assumptions on fairness and requirements for network correctness are also provided as Flow-LTL formulas. This allows users of the tool to model check the correctness of concurrent updates and to prevent packet loss, routing loops, and network congestion. Third, AdamMC provides algorithms to check safe Petri nets against LTL with both places and transitions as atomic propositions, which makes it especially easy to specify fairness and maximality assumptions.
The tool reduces the model checking problem for safe Petri nets with transits against Flow-LTL to the model checking problem for safe Petri nets against LTL.
We develop a new parallel approach that checks global and local behavior in parallel instead of sequentially. This approach yields a tremendous speed-up for a few local requirements and realistic fairness assumptions in comparison to the sequential approach of a previous prototype [10]. In general, the parallel approach has worst-case complexity inferior to the sequential approach, even though the complexities of both approaches are the same when using only one flow formula.
As a last step, AdamMC reduces the model checking problem of safe Petri nets against LTL to a circuit model checking problem. This is solved by ABC [2,4] with effective verification techniques like IC3 and bounded model checking.
AdamMC verifies concurrent updates of software-defined networks with up to 38 switches (31 more than the prototype) and falsifies concurrent updates of software-defined networks with up to 82 switches (44 more than the prototype).
The paper is structured as follows: In Sect. 2, we recall Petri nets with transits and Flow-LTL. In Sect. 3, we outline the three application areas of AdamMC: checking safe Petri nets with transits against Flow-LTL, checking concurrent updates of software-defined networks against common assumptions and specifications, and checking safe Petri nets against LTL. In Sect. 4, we algorithmically encode concurrent updates of software-defined networks in Petri nets with transits. In Sect. 5, we introduce the parallel approach for the underlying circuit model checking problem. In Sect. 6, we present our experimental evaluation.
Further details can be found in the full paper [13].