We study the reactive synthesis problem for hyperproperties given as formulas of the temporal logic HyperLTL. Hyperproperties generalize trace properties, i.e., sets of traces, to sets of sets of traces. Typical examples are information-flow policies like noninterference, which stipulate that no sensitive data must leak into the public domain. Such properties cannot be expressed in standard linear or branching-time temporal logics like LTL, CTL, or $$\hbox {CTL}^*$$ CTL ∗ . Furthermore, HyperLTL subsumes many classical extensions of the LTL realizability problem, including realizability under incomplete information, distributed synthesis, and fault-tolerant synthesis. We show that, while the synthesis problem is undecidable for full HyperLTL, it remains decidable for the $$\exists ^*$$ ∃ ∗ , $$\exists ^*\forall ^1$$ ∃ ∗ ∀ 1 , and the $${{ linear }}\;\forall ^*$$ linear ∀ ∗ fragments. Beyond these fragments, the synthesis problem immediately becomes undecidable. For universal HyperLTL, we present a semi-decision procedure that constructs implementations and counterexamples up to a given bound. We report encouraging experimental results obtained with a prototype implementation on example specifications with hyperproperties like symmetric responses, secrecy, and information flow.

中文翻译：

---

超属性的合成

我们研究了作为时间逻辑 HyperLTL 公式给出的超属性的反应合成问题。超属性将迹属性（即迹集）概括为迹集的集合。典型的例子是不干涉等信息流政策，它规定敏感数据不得泄露到公共领域。此类属性无法用标准线性或分支时间时序逻辑（如 LTL、CTL 或 $$\hbox {CTL}^*$$ CTL ∗ ）表达。此外，HyperLTL 包含了 LTL 可实现性问题的许多经典扩展，包括不完全信息下的可实现性、分布式综合和容错综合。我们表明，虽然合成问题对于完整的 HyperLTL 是不可判定的，但对于 $$\exists ^*$$ ∃ ∗ , $$\exists ^*\forall ^1$$ ∃ ∗ ∀ 1 ，它仍然是可判定的，和 $${{ linear }}\;\forall ^*$$ linear ∀ ∗ 片段。除了这些片段之外，合成问题立即变得不可判定。对于通用 HyperLTL，我们提出了一个半决策过程，该过程可以构建达到给定界限的实现和反例。我们报告了通过具有对称响应、保密性和信息流等超属性的示例规范的原型实现获得的令人鼓舞的实验结果。