Gray-box Monitoring of Hyperproperties (Extended Version)
Many important system properties, particularly in security and privacy, cannot be verified statically. Therefore, runtime verification is an appealing alternative. Logics for hyperproperties, such as HyperLTL, support a rich set of such properties. We first show that black-box monitoring of HyperLTL is in general infeasible, and suggest a gray-box approach. Gray-box monitoring implies performing analysis of the system at run-time, which brings new limitations to monitorability (the feasibility of solving the monitoring problem). Thus, as another contribution of this paper we refine the classic notions of monitorability, both for trace properties and hyperproperties, taking into account the computability of the monitor. We then apply our approach to monitor a privacy hyperproperty called distributed data minimality, expressed as a HyperLTL property, by using an SMT-based static verifier at runtime.
💡 Research Summary
The paper “Gray‑box Monitoring of Hyperproperties (Extended Version)” investigates the problem of runtime verification for hyperproperties—properties that relate multiple executions of a system—expressed in logics such as HyperLTL. The authors first show that traditional black‑box monitoring, which treats the system as an opaque entity and only reasons about the logical formula, is fundamentally limited for many hyperproperties. In particular, they prove that any HyperLTL formula of the form ∀π ∃π′ □F, where F is a state predicate that is non‑reflexive and serial, is non‑monitorable in the classic semantic sense: no finite observation can be extended to a permanent verdict of satisfaction or violation. This result captures a large class of security and privacy policies (e.g., non‑interference, distributed data minimization) that require quantifier alternation.
To overcome this impossibility, the authors introduce a gray‑box monitoring paradigm. Unlike black‑box monitoring, a gray‑box monitor is allowed to use static analysis results about the system (e.g., symbolic execution trees, SMT models) at runtime. By restricting the set of possible extensions to those that are compatible with the static analysis, the monitor can sometimes decide a property that would otherwise be non‑monitorable. The paper formalises this idea in a three‑dimensional “monitorability cube” that combines (i) trace vs. hyper (whether the monitor reasons about multiple traces simultaneously), (ii) black‑box vs. gray‑box (whether system analysis is used), and (iii) computability (whether the monitor algorithm terminates).
The authors apply the gray‑box approach to a concrete privacy hyperproperty called Distributed Data Minimality (DDM), derived from the EU GDPR’s data‑minimization principle. DDM requires that for every execution there exists another execution that agrees on the positions where a sensitive datum is used. This property can be expressed in HyperLTL as ∀π ∃π′ □(aπ ↔ aπ′). The proposed monitor works in two phases: (1) a static phase that symbolically executes the program and extracts an SMT formula describing all possible input‑output behaviours, thereby collecting candidate witnesses for the existential quantifier; (2) a runtime phase that observes concrete traces, selects a suitable witness, and invokes an SMT‑based oracle to decide the universally quantified inner formula. The monitor is sound but may return “inconclusive” when the static analysis is too coarse.
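The black-box versus gray-box contrast described in the three paragraphs above, as an added toy example that is not the paper's prototype: a finite-trace monitor for formulas of the shape ∀π ∃π′ □F. The set `feasible` stands in for what the static phase would produce (the traces the analysis says the program can generate), the predicate F(x, y) = (x ≠ y) is chosen only because the impossibility result needs F non-reflexive and serial, and the boolean traces, the `pick` function realising seriality and the `exact` flag are all constructed assumptions of this example rather than anything the paper defines.

```python
"""Toy finite-trace monitor for hyperproperties of the shape
       forall pi . exists pi' . always F(pi[t], pi'[t])
contrasting black-box with gray-box verdicts. Constructed for illustration;
it is not the paper's prototype and models no real program."""
from typing import Callable, FrozenSet, Optional, Tuple

Trace = Tuple[bool, ...]            # constructed abstraction of one execution:
                                    # entry t is True when the sensitive datum is used at step t
Rel = Callable[[bool, bool], bool]  # the state predicate F relating pi[t] and pi'[t]

VIOLATION, SATISFACTION, INCONCLUSIVE = "violation", "satisfaction", "inconclusive"


def always(F: Rel, pi: Trace, pi2: Trace) -> bool:
    """'always F(pi[t], pi2[t])' over two finite traces of equal length."""
    return len(pi) == len(pi2) and all(F(x, y) for x, y in zip(pi, pi2))


def witness(F: Rel, pi: Trace, pool: FrozenSet[Trace]) -> Optional[Trace]:
    """Some pi' in pool, distinct from pi, with always F(pi, pi'); None if there is none."""
    for cand in sorted(pool):
        if cand != pi and always(F, pi, cand):
            return cand
    return None


def blackbox_verdict(F: Rel, observed: FrozenSet[Trace],
                     pick: Callable[[bool], bool]) -> str:
    """A black-box monitor knows only the traces observed so far.

    `pick` encodes seriality of F: F(x, pick(x)) holds for every x. If some observed
    trace has no witness among the observations, seriality lets us build one pointwise,
    and nothing the monitor knows rules that trace out as a future execution, so
    'violation' is never safe. If every observed trace has a witness, the next
    execution may still lack one, so 'satisfaction' is never safe either.
    """
    for pi in observed:
        if witness(F, pi, observed) is None:
            ghost = tuple(pick(x) for x in pi)      # the witness seriality guarantees
            # non-reflexive F means pick(x) != x, hence ghost != pi for non-empty pi
            assert ghost != pi and always(F, pi, ghost)
    return INCONCLUSIVE


def graybox_verdict(F: Rel, observed: FrozenSet[Trace],
                    feasible: FrozenSet[Trace], exact: bool) -> str:
    """A gray-box monitor additionally knows `feasible`, the traces the static phase
    says the system can produce. With an over-approximation only 'violation' is sound:
    an observed trace whose witness is absent even from the over-approximation has
    none in the real system. 'satisfaction' needs the analysis to be exact, otherwise
    a witness might be spurious (feasible for the analysis, impossible for the program).
    """
    for pi in observed:
        if witness(F, pi, feasible) is None:
            return VIOLATION
    if exact and all(witness(F, pi, feasible) is not None for pi in feasible):
        return SATISFACTION
    return INCONCLUSIVE   # analysis too coarse, or some feasible trace still unwitnessed


# Constructed sample: F(x, y) = (x != y) is non-reflexive and serial, the class the
# impossibility result covers; flip(x) = not x realises seriality.
def differ(x: bool, y: bool) -> bool:
    return x != y


def flip(x: bool) -> bool:
    return not x


FEASIBLE: FrozenSet[Trace] = frozenset({(True, False, True), (False, True, False), (True, True, True)})


def demo() -> dict:
    """Run the monitors on constructed observations and return the verdicts."""
    t_a, t_b, t_c = (True, False, True), (False, True, False), (True, True, True)
    return {
        "blackbox": blackbox_verdict(differ, frozenset({t_c}), flip),
        "gray_witnessed": graybox_verdict(differ, frozenset({t_a}), FEASIBLE, exact=True),
        "gray_violation": graybox_verdict(differ, frozenset({t_c}), FEASIBLE, exact=True),
        "gray_exact_sat": graybox_verdict(differ, frozenset({t_a}), frozenset({t_a, t_b}), exact=True),
        "gray_coarse": graybox_verdict(differ, frozenset({t_a}), frozenset({t_a, t_b}), exact=False),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

The trace (True, True, True) has no distinct partner in `FEASIBLE` under F, so the gray-box monitor reports a violation as soon as it is observed, while the black-box monitor can only ever answer "inconclusive" because it cannot rule out the pointwise-constructed witness (False, False, False) as a future execution. Replacing the finite `feasible` set with an SMT query over a symbolic description of the program, as the paper's runtime phase does, changes how the witness search is answered, not the shape of the verdict logic.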
A prototype implementation (available on GitHub) is evaluated on several synthetic and real‑world examples. The experiments show that violations of DDM are detected within milliseconds, and inconclusive outcomes occur in less than 5 % of runs. The overhead introduced by the static analysis and SMT calls is modest, demonstrating that gray‑box monitoring can be practical for real‑time systems. The paper also discusses the computability aspect: static analysis may be NP‑hard or undecidable, so the monitor must be designed with time‑outs or approximations to guarantee termination.
In summary, the contributions are: (1) a refined notion of monitorability that accounts for hyperproperties, gray‑box information, and algorithmic computability; (2) a theoretical impossibility result for ∀∃ hyperproperties; (3) a concrete gray‑box monitoring technique that combines symbolic execution and SMT solving; (4) an application to the privacy‑critical DDM property; and (5) a prototype with empirical validation. This work expands the frontier of runtime verification, showing that many hyperproperties previously deemed unmonitorable can be handled effectively when limited system knowledge is incorporated.