A Sequent Calculus for Counterfactual Reasoning (CMU-CyLab-17-003)

Counterfactual conditions such as “if A were not true, then C would not have been true” have been formally studied by philosophers for causal claims for decades. Counterfactuals are often used informally in practice for diagnosing systems and identifying errors or misconfigurations. This paper develops a proof theory for counterfactual reasoning of Horn clauses, which have applications in domains including security and database and program analysis. The application to security that this paper focuses on is modeling and reasoning about probing attacks in Datalog-based trust management systems, where an attacker can apply counterfactual reasoning to obtain sensitive information embedded in the system. Our work is inspired by a Hilbert style axiomatized system for counterfactual reasoning for Horn clauses, which are hard to use to construct proofs or study properties of the system. To alleviate this difficulty, we develop a sequent calculus from first principles. We show that the sequent calculus has cut elimination and is sound and complete with regard to the corresponding Hilbert style axiomatized system. We also show how to construct proofs that model practical counterfactual reasoning scenarios in trust management systems using our sequent calculus rules.