Bounded satisfiability checking of \(\hbox {FOL}^*\) formulas with aggregations

Abstract

Software systems handling data are increasingly required to comply with legal properties (LPs) aimed at ensuring security and data privacy. Automated reasoning of LPs can be carried out by solving constraint satisfiability problems in first-order logic. However, the current logic-based reasoning approaches have limited support for capturing and reasoning about LPs with aggregation constraints, which are commonly found in financial and privacy policies. In this work, we extend first-order logic with quantifiers over relational objects (\(\hbox {FOL}^*\)) to support aggregation, resulting in a language \(\hbox {FOL}^{*+}\), and propose a satisfiability checking algorithm, LEGOS-A, for \(\hbox {FOL}^{*+}\) which supports reasoning about aggregation by over- and under-approximating the aggregated values and incrementally refining these approximations to derive the satisfiability result. Running LEGOS-A on real world and academic examples with aggregation from various domains showed that LEGOS-A was able to solve many previously intractable problems and provided substantial speed-ups compared to the state-of-the-art \(\hbox {FOL}^*\) satisfiability checker and other SMT-based alternatives.

Appendix: Modeling aggregation in \(\hbox {FOL}^*\)

Below we describe the approach used to model \(\hbox {FOL}^{*+}\) aggregation in \(\hbox {FOL}^*\) following the recursive definition of aggregation [7].

Let S be a class of relational objects, \(A \in {{Sum}, {Count}, {Max}, {Min}}\), p be a \(\hbox {FOL}^{*+}\) predicate, and \({val}\) be an \(\hbox {FOL}^{*+}\) function. In any given domain \(D\), the \(\hbox {FOL}^{*+}\) aggregation \(A(S, p, {val})\) captures a value by applying the aggregation function A over the bag (multi-set) of values defined by \({val}(o)\) for every relational object o in class S within the domain \(D\) that satisfies the predicate p. As the domain \(D\) is finite but not fixed, we model the aggregation in \(\hbox {FOL}^*\) using the recursive definition of aggregation over a symbolic, finite, and ordered list.

To begin, we establish an ordering for relational objects of class S. We define a function, denoted by \(ord_{S}\), which maps each relational object o of class S to a natural number with the following \(\hbox {FOL}^*\) rules:

• \(\forall o, o':S \cdot o\equiv o' \Rightarrow ord(o) = ord(o')\) (deterministic)

• \(\forall o: S \cdot ord(o) \ge 0\) (range)

Now that we have established an ordering for relational objects, we can proceed to define the aggregation rules. We denote an empty list by [], a list with a single element x by [x], and a concatination of lists N and [x] by \(N + [x]\).

1. (1)

   \({Sum}([]) = 0\), \({Sum}(N + [x]) = {Sum}(N) + {\textbf {ite}}(p(x), {val}(x), 0)\);

2. (2)

   \({Count}([]) = 0\), \({Count}(N + [x]) = {Count}(N) + {\textbf {ite}}(p(x), 1, 0)\);

3. (3)

   \({Max}([]) = -\infty\), \({Max}(N + [x]) = {max}({Max}(N), {\textbf {ite}}(p(x), {val}(x), -\infty ))\); and

4. (4)

   \({Min}([]) = \infty\), \({Min}(N + [x]) = {min}({Min}(N), {\textbf {ite}}(p(x), {val}(x), \infty ))\).

Since the list is ordered, the last relational object in the list (e.g., x) has the greatest order. Moreover, since the list captures all relational objects of class S in a domain where duplicates are collapsed, we can use the relational object with the greatest ordering to uniquely define a list whose last element is the object. Therefore, we can model the intermediate result of aggregation over any list with a new class of relational objects \(A_{S}\) (where A is the aggregation function) with two attributes: \({lst}\) and \({value}\). The attribute \({lst}\) is the order of the last relational object in the list which has been aggregated over, and \({value}\) is the intermediate aggregation result. We can then define the aggregation rules in \(\hbox {FOL}^*\). We show the rule for Sum ,and the others can be defined analogously.

• \(\forall s:{Sum}_{S} \cdot s.lst < 0 \Rightarrow s.{value} = 0\) (over an empty list)

• \(\forall s:{Sum}_{S} \cdot s.lst \ge 0 \Rightarrow \exists s': {Sum}_{S}\exists o:S (ord(o) =s.{lst} \wedge {\textbf {Pred}}(s', s) \wedge s.{value} = s'.{value} + {\textbf {ite}}(p(o), {val}(o), 0))\) (step backward consistency)

• \({\textbf {Pred}}(s, s') = \lnot (\exists s*:{Sum}_{S} \cdot s'.{lst}< s*.{lst} < s.{lst})\)

• \(\forall o:S \exists s:{Sum}_{S} \cdot s.{lst} = ord(o)\) (step forward consistency)

• \(\forall s,s': {Sum}_{S} s.lst = s'.lst \Rightarrow s.{value} = s'.{value}\) (aggregation determinism)

We can then capture the final aggregation result with the relational object s in \(A_{S}\) that contains the element with the greatest order:

$$\begin{aligned} \exists s: A_{S} \cdot \forall s':A_{S} (s'.{lst} \le s.{lst}) \wedge s.{\textbf {value}} = A(S, p, {val}) \end{aligned}$$

We use the above encoding for aggregation Sum and Count. On the other hand, for aggregation functions Max and Min, we uses an alternative and more succinct \(\hbox {FOL}^*\) encoding depending on the usage context of the aggregated term:

• \({Max}(S,p,val) \ge t:= \exists s:S. p(s) \wedge val(s) \ge t \wedge \forall s':S \cdot p(s') \Rightarrow val(s') \le val(s)\)

• \({Max}(S,p,val) \le t:= \forall s':S \cdot p(s') \Rightarrow val(s') \le t\)

• \({Max}(S,p,val) \ge t:= \forall s':S \cdot p(s') \Rightarrow val(s') \ge t\)

• \({Min}(S,p,val) \le t:= \exists s:S. p(s) \wedge val(s) \le t \wedge \forall s':S \cdot p(s') \Rightarrow val(s') \ge val(s)\)

where t is a term in \(\hbox {FOL}^{*+}\). Other \(\hbox {FOL}^{*+}\) usage of \(\hbox {FOL}^{*+}\) terms in the resulting formulas are recursively encoded into \(\hbox {FOL}^*\) formulas. For example, the formula \(Max(S, p_1, val_1) \ge Min(S, p_2, val_s)\) is first encoded into \(\exists :S \cdot p_1(s) \wedge val_1(s) \ge {Min}(S, p_2, val_s) \wedge \forall s':S \cdot p_1(s') \Rightarrow p_1(s') \le p_1(s)\) by expanding \({Max}(S, p_1, val_1)\). Then, we can encode the usage of \({Min}(S, p_2, val_s)\) in \(val_1(s) \ge {Min}(S, p_2, val_s)\) and yield a final \(\hbox {FOL}^*\) formula: \(\exists :S \cdot p_1(s) \wedge (\exists s'': S: \cdot p_2(s'') \wedge val_2(s'') \le val_1(s) \wedge \forall s*:S \cdot p_2(s*) \Rightarrow val_2(s*) \ge val_2(s''))(S, p_2, val_s) \wedge \forall s':S \cdot p_1(s') \Rightarrow p_1(s') \le p_1(s)\).