StkTokens: Enforcing Well-bracketed Control Flow and Stack Encapsulation using Linear Capabilities
Technical Report with Proofs and Details
Lau Skorstengaard, Dominique Devriese, Lars Birkedal
April 15, 2019
This document is a technical report accompanying a paper by the same title and authors, published at POPL
2019. It contains proofs and details that were omitted from the paper for space and presentation reasons.
Contents
1 The two capability machines (p. 2)
  1.1 Domains (p. 2)
    1.1.1 Useful definitions (p. 2)
  1.2 Syntax (p. 3)
  1.3 Permissions (p. 3)
  1.4 Operational Semantics (p. 3)
    1.4.1 Notes (p. 3)
    1.4.2 Helpful functions, sets, and conventions (p. 4)
    1.4.3 Step relations (p. 5)
    1.4.4 Instruction Interpretation (p. 7)
  1.5 Components (p. 13)
  1.6 Linking (p. 15)
  1.7 Programs, contexts, initial execution configuration (p. 15)
2 Compiler (p. 15)
3 Logical Relation (p. 15)
  3.1 Worlds (p. 16)
  3.2 Future world (p. 18)
  3.3 Memory satisfaction (p. 19)
  3.4 Relation (p. 20)
  3.5 Permission based conditions (p. 21)
  3.6 Standard regions (p. 22)
  3.7 Reasonable Components (p. 23)
  3.8 Fundamental Theorem of Logical Relations (p. 28)
  3.9 Related components (p. 29)
  3.10 FTLR for components (p. 31)
  3.11 Related execution configurations (p. 39)
4 Full Abstraction (p. 43)
5 Lemmas (p. 44)
6 Proofs (p. 45)
  6.1 Lemmas (p. 45)
  6.2 FTLR proof (p. 57)
7 Notes (p. 83)
  7.1 Notes on linear capabilities (p. 83)
  7.2 Calling convention design decisions (p. 83)
    7.2.1 Returning the full stack (p. 83)
    7.2.2 Restriction on stack allocation (p. 83)
arXiv:1811.02787v1 [cs.PL] 7 Nov 2018
8 Related Work (p. 85)
  8.1 Conditional Full-Abstraction (p. 85)
Disclaimer: While the proofs in this technical report are done, the text can be lacklustre and from time to time
out of date. We will make the technical report up to date as soon as possible. Further, the use of coloring in the
later parts of this document has not always been done with as much care as it ought to. This means that not all
source specific things are colored blue, but it should be evident from the context that they belong to the source
language.
1 The two capability machines
1.1 Domains
$$
\begin{aligned}
a, \mathit{base} \in \mathit{Addr} &\stackrel{\mathrm{def}}{=} \mathbb{N} \\
\sigma_{\mathit{base}}, \sigma \in \mathit{Seal} &\stackrel{\mathrm{def}}{=} \mathbb{N} \\
w \in \mathit{Word} &\stackrel{\mathrm{def}}{=} \mathbb{Z} \uplus \mathit{Cap} \\
\mathit{perm} \in \mathit{Perm} &::= \ldots \\
l &::= \mathrm{linear} \mid \mathrm{normal} \\
\mathit{end} &\in \mathit{Addr} \uplus \{\infty\} \\
\sigma_{\mathit{end}} &\in \mathit{Seal} \uplus \{\infty\} \\
sc \in \mathit{SealableCap} &::= ((\mathit{perm}, l), \mathit{base}, \mathit{end}, a) \mid \mathrm{seal}(\sigma_{\mathit{base}}, \sigma_{\mathit{end}}, \sigma) \\
&\quad\mid \text{stack-ptr}(\mathit{perm}, \mathit{base}, \mathit{end}, a) \\
&\quad\mid \text{ret-ptr-data}(\mathit{base}, \mathit{end}) \mid \text{ret-ptr-code}(\mathit{base}, \mathit{end}, a) \\
c \in \mathit{Cap} &::= sc \mid \mathrm{sealed}(\sigma, sc) \\
r \in \mathit{RegisterName} &::= \mathrm{pc} \mid r_{\mathit{retdata}} \mid r_{\mathit{retcode}} \mid r_{\mathit{stk}} \mid r_{\mathit{data}} \mid r_{t1} \mid r_{t2} \mid \ldots \\
\mathit{RegisterFile} &\stackrel{\mathrm{def}}{=} \mathit{RegisterName} \to \mathit{Word} \\
\mathit{Memory} &\stackrel{\mathrm{def}}{=} \mathit{Addr} \to \mathit{Word} \\
\mathit{MemorySegment} &\stackrel{\mathrm{def}}{=} \mathit{Addr} \rightharpoonup \mathit{Word} \\
\mathit{frame} \in \mathit{StackFrame} &\stackrel{\mathrm{def}}{=} \mathit{Addr} \times \mathit{MemorySegment} \\
\mathit{stk} \in \mathit{Stack} &\stackrel{\mathrm{def}}{=} \mathit{StackFrame}^{*} \\
\Phi \in \mathit{ExecConf} &\stackrel{\mathrm{def}}{=} \mathit{Memory} \times \mathit{RegisterFile} \times \mathit{Stack} \times \mathit{MemorySegment} \\
\mathit{Conf} &\stackrel{\mathrm{def}}{=} \mathit{ExecConf} \uplus \{\mathrm{failed}\} \uplus \{\mathrm{halted}\}
\end{aligned}
$$
The target language domains are all the non-blue parts of the above; the source language domains are both the black and the blue parts. Further:
• $l$ defines the domain $\mathit{Linear}$
• $sc$ defines the domain $\mathit{SealableCap}$
• $c$ defines the domain $\mathit{Cap}$
• $r$ defines the finite set $\mathit{RegisterName}$
• $\mathit{Perm}$ is the set of permissions in Figure 1.
In the source language, $\mathit{Stack}$ is a call stack that holds the data for each call. It consists of a number of $\mathit{StackFrame}$s, each of which contains 1) the old pc and 2) the caller's private stack.
In both languages, the base address of the stack is known (the stack grows downwards in memory, so the base address marks the end of the stack). In the target language, this is the base address of some linear capability. The base address can be any address on the machine, but it must remain the same throughout execution. We write this constant as $\mathit{stk\_base}$.
1.1.1 Useful definitions
Definition 1. For a capability $c = ((\_, \_), b, e, \_)$ we say it has range $[b, e]$ and we define
$$\mathit{range}(c) = [b, e]$$
Similarly for seals and stack pointers:
$$\mathit{range}(\mathrm{seal}(\sigma_b, \sigma_e, \_)) = [\sigma_b, \sigma_e]$$
and
$$\mathit{range}(\text{stack-ptr}(\_, b, e, \_)) = [b, e]$$
1.2 Syntax
The target machine is a simple capability machine with memory capabilities and sealed capabilities¹ (inspired by CHERI). The syntax of the instructions of the target machine is defined as follows:
$$
\begin{aligned}
n &\in \mathbb{Z} \\
r &\in \mathit{RegisterName} \\
rn &::= r \mid n \\
i &::= \mathrm{fail} \mid \mathrm{halt} \mid \mathrm{jmp}\ r \mid \mathrm{jnz}\ r\ rn \mid \mathrm{gettype}\ r\ r \mid \mathrm{geta}\ r\ r \mid \mathrm{getb}\ r\ r \mid \\
&\qquad \mathrm{gete}\ r\ r \mid \mathrm{getp}\ r\ r \mid \mathrm{getl}\ r\ r \mid \mathrm{move}\ r\ rn \mid \mathrm{store}\ r\ r \mid \\
&\qquad \mathrm{load}\ r\ r \mid \mathrm{cca}\ r\ rn \mid \mathrm{restrict}\ r\ rn \mid \mathrm{lt}\ r\ rn\ rn \mid \\
&\qquad \mathrm{plus}\ r\ rn\ rn \mid \mathrm{minus}\ r\ rn\ rn \mid \mathrm{seta2b}\ r \mid \mathrm{xjmp}\ r\ r \mid \mathrm{cseal}\ r\ r \mid \\
&\qquad \mathrm{split}\ r\ r\ r\ rn \mid \mathrm{splice}\ r\ r\ r
\end{aligned}
$$
$i$ defines the set $\mathit{Instr}$.
The source machine is also a capability machine with memory capabilities and sealed capabilities. Unlike the target machine, the source machine has a built-in stack along with special stack and return tokens that are used in place of the actual capabilities. The syntax of the source machine language is as follows:
$$
\begin{aligned}
\mathit{off}_{pc}, \mathit{off}_\sigma &\in \mathbb{N} \\
i &::= i \mid \mathrm{call}_{\mathit{off}_{pc}, \mathit{off}_\sigma}\ r\ r
\end{aligned}
$$
There is one syntactic difference between the source language and the target language, namely that the source language has the extra instruction $\mathrm{call}_{\mathit{off}_{pc}, \mathit{off}_\sigma}$ (the $\mathit{off}_\sigma$ refers to the seal it uses, namely the offset into the seals made available by linking).
The source machine allows variable-length instructions, which we utilise for $\mathrm{call}_{\mathit{off}_{pc}, \mathit{off}_\sigma}$. In other words, when $\mathrm{call}_{\mathit{off}_{pc}, \mathit{off}_\sigma}$ is decoded, a series of addresses in memory must contain what corresponds to the call instruction (and these must be within the range of the pc capability). This is described in more detail when we present the decoding function.
1.3 Permissions
Figure 1: Permission hierarchy (a lattice with rwx at the top, rx and rw on the level below it, then r, and 0 at the bottom).
We assume functions $\mathit{decodePerm}$ and $\mathit{encodePerm}$.
1.4 Operational Semantics
The source machine is parameterised with a set of trusted addresses $TA$; these are the only addresses at which a call will be interpreted as such. The source machine represents a virtual intermediate machine which we use to argue well-bracketedness and local state encapsulation. It is not meant to be the machine on which the actual code is executed. Further, it is the well-bracketedness and local state encapsulation of the compiled code, not of the context, that we are concerned with. The target machine, on the other hand, is not parameterised with $TA$, as all the instructions on the target machine are available to the adversary.
1.4.1 Notes
Generally:
• Linear capabilities are cleared when they move around in memory.
Source language:
• Variable-length instructions that match the length of the compiled instructions
  – This is needed for correctness.
  – It is only used for the call instruction.
Target language:
¹ In previous work, we used enter capabilities, but for this work the complexity introduced by mixing writable and executable memory is difficult to handle.
1.4.2 Helpful functions, sets, and conventions
$$
\mathit{pib}(sc) = \begin{cases}
b & \text{if } sc = ((\_, \_), b, \_, \_) \\
\mathit{pib}(c) & \text{if } sc = \mathrm{sealed}(\_, c) \\
b & \text{if } sc = \text{stack-ptr}(\_, b, \_, \_) \\
b & \text{if } sc = \text{ret-ptr-data}(b, \_) \\
b & \text{if } sc = \text{ret-ptr-code}(b, \_, \_)
\end{cases}
$$
$$
\mathit{pie}(sc) = \begin{cases}
e & \text{if } sc = ((\_, \_), \_, e, \_) \\
\mathit{pie}(c) & \text{if } sc = \mathrm{sealed}(\_, c) \\
e & \text{if } sc = \text{stack-ptr}(\_, \_, e, \_) \\
e & \text{if } sc = \text{ret-ptr-data}(\_, e) \\
e & \text{if } sc = \text{ret-ptr-code}(\_, e, \_)
\end{cases}
$$
$$
\mathit{pil}(sc) = \begin{cases}
l & \text{if } sc = ((\_, l), \_, \_, \_) \\
\mathit{pil}(c) & \text{if } sc = \mathrm{sealed}(\_, c) \\
\mathrm{linear} & \text{if } sc = \text{stack-ptr}(\_, \_, \_, \_) \\
\mathrm{linear} & \text{if } sc = \text{ret-ptr-data}(\_, \_) \\
\mathrm{normal} & \text{if } sc = \text{ret-ptr-code}(\_, \_, \_)
\end{cases}
$$
$$
\mathit{updatePc}(\Phi) \stackrel{\mathrm{def}}{=} \begin{cases}
\Phi[\mathrm{pc} \mapsto ((\mathit{perm}, l), b, e, a + 1)] & \text{if } \Phi(\mathrm{pc}) = ((\mathit{perm}, l), b, e, a) \\
\mathrm{failed} & \text{otherwise}
\end{cases}
$$
$$
\mathit{readAllowed} \stackrel{\mathrm{def}}{=} \{\mathrm{rwx}, \mathrm{rw}, \mathrm{rx}, \mathrm{r}\}
\qquad
\mathit{writeAllowed} \stackrel{\mathrm{def}}{=} \{\mathrm{rwx}, \mathrm{rw}\}
$$
$$
\mathit{isLinear}(c) \stackrel{\mathrm{def}}{=} \begin{cases}
\top & c = ((\_, \mathrm{linear}), \_, \_, \_) \text{ or } (c = \mathrm{sealed}(\_, sc') \text{ and } \mathit{isLinear}(sc')) \\
\top & c = \text{stack-ptr}(\_, \_, \_, \_) \text{ or } c = \text{ret-ptr-data}(\_, \_) \\
\bot & \text{otherwise}
\end{cases}
$$
We now define
$$
\mathit{nonLinear}(sc) \stackrel{\mathrm{def}}{=} \neg\mathit{isLinear}(sc)
$$
$$
\mathit{linearityConstraint}(w) \stackrel{\mathrm{def}}{=} \begin{cases}
0 & \mathit{isLinear}(w) \\
w & \text{otherwise}
\end{cases}
$$
$$
\mathit{linearityConstraintPerm}(\mathit{perm}, w) \stackrel{\mathrm{def}}{=} \begin{cases}
\mathit{perm} \in \mathit{writeAllowed} & \mathit{isLinear}(w) \\
\mathrm{true} & \text{otherwise}
\end{cases}
$$
$$
\mathit{executable}(sc) \stackrel{\mathrm{def}}{=} sc = ((\mathit{perm}, \_), \_, \_, \_) \text{ and } \mathit{perm} \in \{\mathrm{rwx}, \mathrm{rx}\}
\qquad
\mathit{nonExecutable}(sc) \stackrel{\mathrm{def}}{=} \neg\mathit{executable}(sc)
$$
$$
\mathit{withinBounds}(sc) \stackrel{\mathrm{def}}{=} \begin{cases}
b \le a \le e & sc = ((\_, \_), b, e, a) \text{ or } sc = \text{stack-ptr}(\_, b, e, a) \\
\sigma_b \le \sigma \le \sigma_e & sc = \mathrm{seal}(\sigma_b, \sigma_e, \sigma) \\
\bot & \text{otherwise}
\end{cases}
$$
$$
\mathit{nonZero}(w) \stackrel{\mathrm{def}}{=} \begin{cases}
\bot & w \in \mathbb{Z} \text{ and } w = 0 \\
\top & \text{otherwise}
\end{cases}
$$
For convenience, we introduce the following notation:
$$\Phi(r) \stackrel{\mathrm{def}}{=} \Phi.\mathit{reg}(r)$$
where $r \in \mathit{RegisterName}$.
For $rn$, which can be a register or an integer, we take
$$\Phi(rn) = n$$
to mean either $n = rn$ or $n = \Phi.\mathit{reg}(rn)$, and in either case $n \in \mathbb{Z}$.
1.4.3 Step relations
Decode and encode functions. We assume functions $\mathit{decodeInstruction} : \mathit{Word} \to \mathit{Instr}$ and $\mathit{encodeInstruction} : \mathit{Instr} \to \mathbb{Z}$, where $\mathit{Instr}$ is the set of target-level instructions.
The $\mathit{decodeInstruction}$ function must be surjective, and injective for all non-fail instructions. For any $c \in \mathit{Cap}$, we have that $\mathit{decodeInstruction}(c) = \mathrm{fail}$. The $\mathit{encodeInstruction}$ function must be injective. Further, $\mathit{decodeInstruction}$ must be the left inverse of $\mathit{encodeInstruction}$, that is, for all $i \in \mathit{Instr}$
$$\mathit{decodeInstruction}(\mathit{encodeInstruction}(i)) = i$$
These functions are used for both the target- and the source-level machine. When we write instructions in places where words are required, we assume that $\mathit{encodeInstruction}$ is implicit.
Step relation. The instruction $\mathrm{call}_{\mathit{off}_{pc},\mathit{off}_\sigma}$ has length $\mathit{call\_len}$, which means that it does not fit in one memory address. In fact, $\mathrm{call}_{\mathit{off}_{pc},\mathit{off}_\sigma}$ should be seen as a different way of interpreting a series of instructions rather than as an instruction on its own. We therefore introduce $\mathrm{call}^{\mathit{off}_{pc},\mathit{off}_\sigma}_{0}\ r_1\ r_2, \ldots, \mathrm{call}^{\mathit{off}_{pc},\mathit{off}_\sigma}_{\mathit{call\_len}-1}\ r_1\ r_2$ as aliases for the instructions that constitute $\mathrm{call}_{\mathit{off}_{pc},\mathit{off}_\sigma}\ r_1\ r_2$ (see the paragraph "Call implementation" in Section 1.4.3 for details). We define the following condition, which indicates that $a$ is the first address of a $\mathrm{call}_{\mathit{off}_{pc},\mathit{off}_\sigma}\ r_1\ r_2$ instruction in the configuration $\Phi$:
$$
\mathit{callCondition}(\Phi, r_1, r_2, \mathit{off}_{pc}, \mathit{off}_\sigma, a) = \left\{
\begin{array}{l}
\Phi.\mathit{mem}(a) = \mathrm{call}^{\mathit{off}_{pc},\mathit{off}_\sigma}_{0}\ r_1\ r_2 \text{ and} \\
\quad\vdots \\
\Phi.\mathit{mem}(a + \mathit{call\_len} - 1) = \mathrm{call}^{\mathit{off}_{pc},\mathit{off}_\sigma}_{\mathit{call\_len}-1}\ r_1\ r_2
\end{array}\right.
$$
We use the following step relation:
$$
\begin{array}{lll}
\Phi \to_{TA,\mathit{stk\_base}} \llbracket \mathrm{call}_{\mathit{off}_{pc},\mathit{off}_\sigma}\ r_1\ r_2 \rrbracket(\Phi) & \text{if} & \Phi(\mathrm{pc}) = ((\mathit{perm}, \_), b, e, a) \text{ and} \\
&& \mathit{callCondition}(\Phi, r_1, r_2, \mathit{off}_{pc}, \mathit{off}_\sigma, a) \text{ and} \\
&& [a, a + \mathit{call\_len} - 1] \subseteq TA \text{ and} \\
&& [a, a + \mathit{call\_len} - 1] \subseteq [b, e] \text{ and} \\
&& \mathit{executable}(\Phi(\mathrm{pc})) \\[0.5em]
\Phi \to_{TA,\mathit{stk\_base}} \llbracket \mathit{decodeInstruction}(\Phi.\mathit{mem}(a)) \rrbracket(\Phi) & \text{if} & \Phi(\mathrm{pc}) = ((\mathit{perm}, \_), b, e, a) \text{ and} \\
&& (\neg\mathit{callCondition}(\Phi, r_1, r_2, \mathit{off}_{pc}, \mathit{off}_\sigma, a) \text{ or } e < a + \mathit{call\_len} - 1) \text{ and} \\
&& \mathit{withinBounds}(\Phi(\mathrm{pc})) \text{ and} \\
&& \mathit{executable}(\Phi(\mathrm{pc})) \\[0.5em]
\Phi \to_{TA,\mathit{stk\_base}} \mathrm{failed} & \multicolumn{2}{l}{\text{otherwise}}
\end{array}
$$
On the source machine, the instruction interpretation also takes $gc$, the global constants. It does, however, just pass them around and never changes them, so we leave them implicit.
Terminating computations. We use the following notation to write that a configuration $\Phi$ successfully terminates in $i$ steps:
$$\Phi \Downarrow^{i}_{TA,\mathit{stk\_base}} \stackrel{\mathrm{def}}{=} \Phi \to^{i}_{TA,\mathit{stk\_base}} \mathrm{halted}$$
If we just know that $\Phi$ terminates in some number of steps, then we write
$$\Phi \Downarrow^{-}_{TA,\mathit{stk\_base}} \stackrel{\mathrm{def}}{=} \exists i.\ \Phi \Downarrow^{i}_{TA,\mathit{stk\_base}}$$
Call implementation. This paragraph contains the implementation of $\mathrm{call}_{\mathit{off}_{pc},\mathit{off}_\sigma}$. That is, each of the instructions in the implementation corresponds to $\mathrm{call}^{\mathit{off}_{pc},\mathit{off}_\sigma}_{0}\ r_1\ r_2, \ldots, \mathrm{call}^{\mathit{off}_{pc},\mathit{off}_\sigma}_{\mathit{call\_len}-1}\ r_1\ r_2$, respectively.
    // push 42 on the stack (so it is non-empty).
    move rt1 42
    store rstk rt1
    cca rstk (-1)
    // split the stack at its current address - rstk done.
    geta rt1 rstk
    split rstk rretdata rstk rt1
    // load the seal for the return pointer through the pc capability.
    move rt1 pc
    cca rt1 (off_pc - 5)   // off_pc is the offset from pc to the location of the seal for this code.
    load rt1 rt1
    cca rt1 off_sigma      // off_sigma is the offset for the seal used by this call.
    // seal the used stack frame as the data part of the return pointer pair.
    cseal rretdata rt1
    // obtain the code part of the return pointer pair and seal it too.
    move rretcode pc
    cca rretcode 5         // magic number is the offset to the return code
    cseal rretcode rt1
    // now clear the temporary register and jump to the adversary.
    move rt1 0
    xjmp r1 r2
    // the following is the return code
    // check that the stack pointer is the same one we handed out.
    getb rt1 rstk
    minus rt1 rt1 stk_base // stk_base is the stack base constant
    move rt2 pc
    cca rt2 5              // magic number is the offset to fail
    jnz rt2 rt1
    cca rt2 1              // magic number is the offset to after fail
    jmp rt2
    fail
    // join our stored private stack frame with the rest of the stack (this also finishes the stack pointer check).
    splice rstk rstk rdata
    // pop the magic number 42
    cca rstk 1
    // clear the temporary registers used
    move rt2 0
    // continue the program after the invocation.
The call code does the following:
• Store 42 (it could be anything) to the stack (this ensures the stack is non-empty), and decrement the pointer according to convention.
• Get the current address of the stack pointer and split according to it.
• Retrieve the seal of the program.
• cca the seal, so that the seal to be used is the active one.
• Seal our private part of the stack capability.
• Move the pc out of the pc register, adjust it to point to the first address of the return code, and seal it.
• Clear the temporary register.
• Cross-jump to the two specified registers.
• Upon return:
  – Get the base of the stack and check that it matches the global base of the stack. If not, fail.
  – Splice the returned stack pointer and the stack pointer for our private stack.
  – Adjust the stack pointer to the first empty address (the address with the end address is considered free).
  – Clear the temporary registers. (Note that rt1 is not cleared with 0, as it already contains 0 after the stk_base check. If it did not contain 0, then the execution would have failed.)
For convenience, we add the convention that the memory update $[\mathit{mem}.a \mapsto \mathrm{call}_{\mathit{off}_{pc},\mathit{off}_\sigma}\ r_1\ r_2]$ corresponds to
$$
\begin{aligned}
&[\mathit{mem}.a \mapsto \mathrm{call}^{\mathit{off}_{pc},\mathit{off}_\sigma}_{0}\ r_1\ r_2] \\
&[\mathit{mem}.(a + 1) \mapsto \mathrm{call}^{\mathit{off}_{pc},\mathit{off}_\sigma}_{1}\ r_1\ r_2] \\
&\quad\ldots \\
&[\mathit{mem}.(a + \mathit{call\_len} - 1) \mapsto \mathrm{call}^{\mathit{off}_{pc},\mathit{off}_\sigma}_{\mathit{call\_len}-1}\ r_1\ r_2]
\end{aligned}
$$
1.4.4 Instruction Interpretation
We have unified the two languages in the below definitions. Everything written in black is common for both source
and target language. Everything written in blue is specific to the source language.
fail and halt
$$\llbracket \mathrm{fail} \rrbracket(\Phi) = \mathrm{failed} \qquad \llbracket \mathrm{halt} \rrbracket(\Phi) = \mathrm{halted}$$
jmp and jnz
$$\llbracket \mathrm{jmp}\ r \rrbracket(\Phi) = \Phi[\mathit{reg}.r \mapsto w][\mathit{reg}.\mathrm{pc} \mapsto \Phi(r)] \quad \text{where } w = \mathit{linearityConstraint}(\Phi(r))$$
$$
\llbracket \mathrm{jnz}\ r\ rn \rrbracket(\Phi) = \begin{cases}
\Phi[\mathit{reg}.r \mapsto w][\mathit{reg}.\mathrm{pc} \mapsto \Phi(r)] & w = \mathit{linearityConstraint}(\Phi(r)) \text{ and } \mathit{nonZero}(\Phi(rn)) \\
\mathit{updatePc}(\Phi) & \text{otherwise}
\end{cases}
$$
gettype
In the definitions of the semantics below, we use a function $\mathit{encodeType} : \mathit{Word} \to \mathbb{Z}$. This is an encoding function for which the specific implementation does not matter. As the words of the two machines differ, we really need two functions, which we call $\mathit{encodeType}_{src}$ and $\mathit{encodeType}_{trg}$. These two functions need to be related in the following way:
• $\mathit{encodeType}(((\_, \_), \_, \_, \_))$, $\mathit{encodeType}(\mathrm{seal}(\_, \_, \_))$, $\mathit{encodeType}(\mathrm{sealed}(\_, \_))$, and $\mathit{encodeType}(i)$ where $i \in \mathbb{Z}$ are all distinct.
• For all $w \in \mathit{SealableCap}$ (only the words on the target machine), $\mathit{encodeType}_{trg}(w) = \mathit{encodeType}_{src}(w)$.
• Finally,
$$\mathit{encodeType}_{src}(\text{stack-ptr}(\_, \_, \_, \_)) = \mathit{encodeType}_{trg}(((\_, \_), \_, \_, \_))$$
and
$$\mathit{encodeType}_{src}(\text{ret-ptr-data}(\_, \_)) = \mathit{encodeType}_{src}(\text{ret-ptr-code}(\_, \_, \_)) = \mathit{encodeType}_{trg}(((\_, \_), \_, \_, \_))$$
In English, this means that each type of word is represented by a distinct value and that the tokens on the source machine have the type of the capability they represent on the target machine.
$$\llbracket \mathrm{gettype}\ r_1\ r_2 \rrbracket(\Phi) = \mathit{updatePc}(\Phi[\mathit{reg}.r_1 \mapsto \mathit{encodeType}(\Phi(r_2))])$$
geta, getb, gete, getp, and getl
We assume functions to encode and decode permissions as well as a function to encode linearity. These functions are used implicitly whenever a permission or linearity appears in a place where a word is required.
Specifically, $\mathit{encodePerm} : \mathit{Perm} \to \mathbb{Z}$ and $\mathit{decodePerm} : \mathbb{Z} \to \mathit{Perm}$ encode and decode permissions, respectively, where $\mathit{decodePerm}$ is the left inverse of $\mathit{encodePerm}$, $\mathit{encodePerm}$ is injective, and for all $\mathit{perm} \in \mathit{Perm}$, $\mathit{encodePerm}(\mathit{perm}) \neq -1$ (as this is used as an error value). $\mathit{decodePerm}$ is surjective.
For the linearity encoding, we make similar assumptions: $\mathit{encodeLin} : \mathit{Linear} \to \mathbb{Z}$ encodes linearity, $\mathit{encodeLin}$ is injective, and for all $l \in \mathit{Linear}$, $\mathit{encodeLin}(l) \neq -1$ (as this is used as an error value). As a capability's linearity never changes, we do not need a decoding function for linearity.
$$
\llbracket \mathrm{geta}\ r_1\ r_2 \rrbracket(\Phi) = \begin{cases}
\mathit{updatePc}(\Phi[\mathit{reg}.r_1 \mapsto a]) & \Phi(r_2) = ((\_, \_), \_, \_, a) \text{ or } \Phi(r_2) = \mathrm{seal}(\_, \_, a) \text{ or } \Phi(r_2) = \text{stack-ptr}(\_, \_, \_, a) \\
\mathit{updatePc}(\Phi[\mathit{reg}.r_1 \mapsto -1]) & \text{otherwise}
\end{cases}
$$
$$
\llbracket \mathrm{getb}\ r_1\ r_2 \rrbracket(\Phi) = \begin{cases}
\mathit{updatePc}(\Phi[\mathit{reg}.r_1 \mapsto b]) & \Phi(r_2) = ((\_, \_), b, \_, \_) \text{ or } \Phi(r_2) = \mathrm{seal}(b, \_, \_) \text{ or } \Phi(r_2) = \text{stack-ptr}(\_, b, \_, \_) \\
\mathit{updatePc}(\Phi[\mathit{reg}.r_1 \mapsto -1]) & \text{otherwise}
\end{cases}
$$
$$
\llbracket \mathrm{gete}\ r_1\ r_2 \rrbracket(\Phi) = \begin{cases}
\mathit{updatePc}(\Phi[\mathit{reg}.r_1 \mapsto e]) & \Phi(r_2) = ((\_, \_), \_, e, \_) \text{ or } \Phi(r_2) = \mathrm{seal}(\_, e, \_) \text{ or } \Phi(r_2) = \text{stack-ptr}(\_, \_, e, \_) \\
\mathit{updatePc}(\Phi[\mathit{reg}.r_1 \mapsto -1]) & \text{otherwise}
\end{cases}
$$
$$
\llbracket \mathrm{getp}\ r_1\ r_2 \rrbracket(\Phi) = \begin{cases}
\mathit{updatePc}(\Phi[\mathit{reg}.r_1 \mapsto \mathit{perm}]) & \Phi(r_2) = ((\mathit{perm}, \_), \_, \_, \_) \text{ or } \Phi(r_2) = \text{stack-ptr}(\mathit{perm}, \_, \_, \_) \\
\mathit{updatePc}(\Phi[\mathit{reg}.r_1 \mapsto -1]) & \text{otherwise}
\end{cases}
$$
$$
\llbracket \mathrm{getl}\ r_1\ r_2 \rrbracket(\Phi) = \begin{cases}
\mathit{updatePc}(\Phi[\mathit{reg}.r_1 \mapsto \mathrm{linear}]) & \mathit{isLinear}(\Phi(r_2)) \\
\mathit{updatePc}(\Phi[\mathit{reg}.r_1 \mapsto \mathrm{normal}]) & \mathit{nonLinear}(\Phi(r_2))
\end{cases}
$$
move
$$
\llbracket \mathrm{move}\ r\ rn \rrbracket(\Phi) = \begin{cases}
\mathit{updatePc}(\Phi[\mathit{reg}.r \mapsto rn]) & r \neq \mathrm{pc} \wedge rn \in \mathbb{Z} \\
\mathit{updatePc}(\Phi[\mathit{reg}.rn \mapsto w][\mathit{reg}.r \mapsto \Phi(rn)]) & r \neq \mathrm{pc} \wedge w = \mathit{linearityConstraint}(\Phi(rn)) \\
\mathrm{failed} & \text{otherwise}
\end{cases}
$$
(Notice that in the case where we are moving a linear capability and $r = rn$, the order of the updates matters.)
store
$$
\llbracket \mathrm{store}\ r_1\ r_2 \rrbracket(\Phi) = \begin{cases}
\mathit{updatePc}(\Phi[\mathit{reg}.r_2 \mapsto w_2][\mathit{mem}.a \mapsto \Phi(r_2)]) & \begin{array}[t]{l}
\Phi(r_1) = ((\mathit{perm}, l), b, e, a) \text{ and} \\
\mathit{perm} \in \mathit{writeAllowed} \text{ and} \\
\mathit{withinBounds}(\Phi(r_1)) \text{ and} \\
a \in \mathrm{dom}(\Phi.\mathit{mem}) \text{ and} \\
w_2 = \mathit{linearityConstraint}(\Phi(r_2)) \text{ and } r_2 \neq \mathrm{pc}
\end{array} \\[1em]
\mathit{updatePc}(\Phi[\mathit{reg}.r_2 \mapsto w_2][\mathit{ms}_{stk}.a \mapsto \Phi(r_2)]) & \begin{array}[t]{l}
\Phi(r_1) = \text{stack-ptr}(\mathit{perm}, b, e, a) \text{ and} \\
\mathit{perm} \in \mathit{writeAllowed} \text{ and} \\
\mathit{withinBounds}(\Phi(r_1)) \text{ and} \\
a \in \mathrm{dom}(\Phi.\mathit{ms}_{stk}) \text{ and} \\
w_2 = \mathit{linearityConstraint}(\Phi(r_2)) \text{ and } r_2 \neq \mathrm{pc}
\end{array} \\[1em]
\mathrm{failed} & \text{otherwise}
\end{cases}
$$
load
$$
\llbracket \mathrm{load}\ r_1\ r_2 \rrbracket(\Phi) = \begin{cases}
\mathit{updatePc}(\Phi[\mathit{mem}.a \mapsto w_2][\mathit{reg}.r_1 \mapsto w]) & \begin{array}[t]{l}
\Phi(r_2) = ((\mathit{perm}, l), b, e, a) \text{ and} \\
\mathit{perm} \in \mathit{readAllowed} \text{ and} \\
\mathit{withinBounds}(\Phi(r_2)) \text{ and} \\
w = \Phi.\mathit{mem}(a) \text{ and } r_1 \neq \mathrm{pc} \text{ and} \\
w_2 = \mathit{linearityConstraint}(w) \text{ and } \mathit{linearityConstraintPerm}(\mathit{perm}, w)
\end{array} \\[1em]
\mathit{updatePc}(\Phi[\mathit{ms}_{stk}.a \mapsto w_2][\mathit{reg}.r_1 \mapsto w]) & \begin{array}[t]{l}
\Phi(r_2) = \text{stack-ptr}(\mathit{perm}, b, e, a) \text{ and} \\
\mathit{perm} \in \mathit{readAllowed} \text{ and} \\
\mathit{withinBounds}(\Phi(r_2)) \text{ and} \\
a \in \mathrm{dom}(\Phi.\mathit{ms}_{stk}) \text{ and} \\
w = \Phi.\mathit{ms}_{stk}(a) \text{ and } r_1 \neq \mathrm{pc} \text{ and} \\
w_2 = \mathit{linearityConstraint}(w) \text{ and } \mathit{linearityConstraintPerm}(\mathit{perm}, w)
\end{array} \\[1em]
\mathrm{failed} & \text{otherwise}
\end{cases}
$$
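To make the linearity side conditions of move, store and load concrete, here is a small Python model (an added example, not code from the paper) of linearityConstraint and linearityConstraintPerm over a constructed capability type. It shows that moving or storing a linear capability clears the place it came from, that a load of a linear capability through a read-only capability fails because the source cell could not be cleared, and that move r r with a linear capability keeps the capability in r; register names, addresses and the Failed exception are constructed for the example.

```python
from dataclasses import dataclass
from typing import Union

# Constructed model of the paper's Word domain: an integer or a memory
# capability ((perm, l), b, e, a). Seals, stack tokens and sealed
# capabilities are left out; they are not needed to show linearity.
@dataclass(frozen=True)
class Cap:
    perm: str        # one of "rwx", "rw", "rx", "r", "0"
    linear: bool     # l = linear (True) or normal (False)
    b: int           # base address
    e: int           # end address (inclusive)
    a: int           # current address

Word = Union[int, Cap]

WRITE_ALLOWED = {"rwx", "rw"}
READ_ALLOWED = {"rwx", "rw", "rx", "r"}

class Failed(Exception):
    """The machine steps to the `failed` configuration."""

def is_linear(w: Word) -> bool:
    return isinstance(w, Cap) and w.linear

def linearity_constraint(w: Word) -> Word:
    """What is left behind at the place a word was taken from."""
    return 0 if is_linear(w) else w

def linearity_constraint_perm(perm: str, w: Word) -> bool:
    """A linear word may only be loaded through a capability that also
    permits writing, because the source cell has to be cleared."""
    return perm in WRITE_ALLOWED if is_linear(w) else True

def within_bounds(c: Cap) -> bool:
    return c.b <= c.a <= c.e

def move(reg: dict, r: str, rn: Union[str, int]) -> None:
    """move r rn: copy into r; if rn held a linear capability it is cleared.
    rn is updated first, so for r == rn the capability ends up in r."""
    if isinstance(rn, int):
        reg[r] = rn
        return
    w = reg[rn]
    reg[rn] = linearity_constraint(w)
    reg[r] = w

def store(reg: dict, mem: dict, r1: str, r2: str) -> None:
    """store r1 r2: write reg[r2] through the capability in r1."""
    c = reg[r1]
    if not (isinstance(c, Cap) and c.perm in WRITE_ALLOWED
            and within_bounds(c) and c.a in mem and r2 != "pc"):
        raise Failed("store")
    w = reg[r2]
    reg[r2] = linearity_constraint(w)
    mem[c.a] = w

def load(reg: dict, mem: dict, r1: str, r2: str) -> None:
    """load r1 r2: read through the capability in r2 into r1."""
    c = reg[r2]
    if not (isinstance(c, Cap) and c.perm in READ_ALLOWED
            and within_bounds(c) and c.a in mem and r1 != "pc"):
        raise Failed("load")
    w = mem[c.a]
    if not linearity_constraint_perm(c.perm, w):
        raise Failed("linear word loaded through a non-writable capability")
    mem[c.a] = linearity_constraint(w)
    reg[r1] = w

def demo() -> dict:
    """Move a linear capability through a register and a memory cell."""
    lin = Cap("rw", True, 100, 103, 100)       # constructed linear cap
    rw_cell = Cap("rw", False, 200, 200, 200)  # writable view of cell 200
    ro_cell = Cap("r", False, 200, 200, 200)   # read-only view of cell 200
    reg = {"r1": lin, "r2": 0, "r3": rw_cell, "r4": ro_cell, "r5": 0}
    mem = {200: 0}
    move(reg, "r2", "r1")            # r2 = lin, r1 cleared to 0
    r1_after_move = reg["r1"]
    store(reg, mem, "r3", "r2")      # mem[200] = lin, r2 cleared to 0
    r2_after_store = reg["r2"]
    try:
        load(reg, mem, "r5", "r4")   # through "r": must fail, no change
        ro_load_failed = False
    except Failed:
        ro_load_failed = True
    cell_after_ro_attempt = mem[200]
    load(reg, mem, "r5", "r3")       # through "rw": r5 = lin, cell cleared
    return {
        "r1_after_move": r1_after_move,
        "r2_after_store": r2_after_store,
        "ro_load_failed": ro_load_failed,
        "cell_after_ro_attempt": cell_after_ro_attempt,
        "r5_after_load": reg["r5"],
        "cell_after_load": mem[200],
    }
```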
cca
Change Current Address.
$$
\llbracket \mathrm{cca}\ r\ rn \rrbracket(\Phi) = \begin{cases}
\mathit{updatePc}(\Phi[\mathit{reg}.r \mapsto c]) & \Phi(rn) = n \text{ and } \Phi(r) = ((\mathit{perm}, l), b, e, a) \text{ and } c = ((\mathit{perm}, l), b, e, a + n) \text{ and } r \neq \mathrm{pc} \\
\mathit{updatePc}(\Phi[\mathit{reg}.r \mapsto s]) & \Phi(rn) = n \text{ and } \Phi(r) = \mathrm{seal}(\sigma_b, \sigma_e, \sigma) \text{ and } s = \mathrm{seal}(\sigma_b, \sigma_e, \sigma + n) \\
\mathit{updatePc}(\Phi[\mathit{reg}.r \mapsto c]) & \Phi(rn) = n \text{ and } \Phi(r) = \text{stack-ptr}(\mathit{perm}, b, e, a) \text{ and } c = \text{stack-ptr}(\mathit{perm}, b, e, a + n) \\
\mathrm{failed} & \text{otherwise}
\end{cases}
$$
restrict
This instruction uses the $\mathit{decodePerm}$ function.
$$
\llbracket \mathrm{restrict}\ r_1\ rn \rrbracket(\Phi) = \begin{cases}
\mathit{updatePc}(\Phi[\mathit{reg}.r_1 \mapsto c]) & \begin{array}[t]{l}
\Phi(r_1) = ((\mathit{perm}, l), b, e, a) \text{ and } \Phi(rn) = n \text{ and} \\
\mathit{decodePerm}(n) \sqsubseteq \mathit{perm} \text{ and} \\
c = ((\mathit{decodePerm}(n), l), b, e, a) \text{ and } r_1 \neq \mathrm{pc}
\end{array} \\[1em]
\mathit{updatePc}(\Phi[\mathit{reg}.r_1 \mapsto c]) & \begin{array}[t]{l}
\Phi(r_1) = \text{stack-ptr}(\mathit{perm}, b, e, a) \text{ and } \Phi(rn) = n \text{ and} \\
\mathit{decodePerm}(n) \sqsubseteq \mathit{perm} \text{ and} \\
c = \text{stack-ptr}(\mathit{decodePerm}(n), b, e, a)
\end{array} \\[1em]
\mathrm{failed} & \text{otherwise}
\end{cases}
$$
lt
$$
\llbracket \mathrm{lt}\ r_0\ rn_1\ rn_2 \rrbracket(\Phi) = \begin{cases}
\mathit{updatePc}(\Phi[\mathit{reg}.r_0 \mapsto 1]) & \text{if for } i \in \{1, 2\},\ \Phi(rn_i) = n_i \text{ and } n_1 < n_2 \\
\mathit{updatePc}(\Phi[\mathit{reg}.r_0 \mapsto 0]) & \text{if for } i \in \{1, 2\},\ \Phi(rn_i) = n_i \text{ and } n_1 \not< n_2 \\
\mathrm{failed} & \text{otherwise}
\end{cases}
$$
plus and minus
$$
\llbracket \mathrm{plus}\ r_0\ rn_1\ rn_2 \rrbracket(\Phi) = \begin{cases}
\mathit{updatePc}(\Phi[\mathit{reg}.r_0 \mapsto n_1 + n_2]) & \text{if for } i \in \{1, 2\},\ \Phi(rn_i) = n_i \\
\mathrm{failed} & \text{otherwise}
\end{cases}
$$
$$
\llbracket \mathrm{minus}\ r_0\ rn_1\ rn_2 \rrbracket(\Phi) = \begin{cases}
\mathit{updatePc}(\Phi[\mathit{reg}.r_0 \mapsto n_1 - n_2]) & \text{if for } i \in \{1, 2\},\ \Phi(rn_i) = n_i \\
\mathrm{failed} & \text{otherwise}
\end{cases}
$$
seta2b
$$
\llbracket \mathrm{seta2b}\ r_1 \rrbracket(\Phi) = \begin{cases}
\mathit{updatePc}(\Phi[\mathit{reg}.r_1 \mapsto c]) & \Phi(r_1) = ((\mathit{perm}, l), b, e, \_) \text{ and } c = ((\mathit{perm}, l), b, e, b) \text{ and } r_1 \neq \mathrm{pc} \\
\mathit{updatePc}(\Phi[\mathit{reg}.r_1 \mapsto c]) & \Phi(r_1) = \mathrm{seal}(\sigma_b, \sigma_e, \_) \text{ and } c = \mathrm{seal}(\sigma_b, \sigma_e, \sigma_b) \\
\mathit{updatePc}(\Phi[\mathit{reg}.r_1 \mapsto c]) & \Phi(r_1) = \text{stack-ptr}(\mathit{perm}, b, e, \_) \text{ and } c = \text{stack-ptr}(\mathit{perm}, b, e, b) \\
\mathrm{failed} & \text{otherwise}
\end{cases}
$$
xjmp
$$
\llbracket \mathrm{xjmp}\ r_1\ r_2 \rrbracket(\Phi) = \begin{cases}
\Phi'' & \begin{array}[t]{l}
\Phi(r_1) = \mathrm{sealed}(\sigma_1, c_1) \text{ and } \Phi(r_2) = \mathrm{sealed}(\sigma_2, c_2) \text{ and } \sigma_1 = \sigma_2 \text{ and} \\
w_1 = \mathit{linearityConstraint}(c_1) \text{ and } w_2 = \mathit{linearityConstraint}(c_2) \text{ and} \\
\Phi' = \Phi[\mathit{reg}.r_1 \mapsto w_1][\mathit{reg}.r_2 \mapsto w_2] \text{ and} \\
\Phi'' = \mathit{xjumpResult}(c_1, c_2, \Phi')
\end{array} \\[1em]
\mathrm{failed} & \text{otherwise}
\end{cases}
$$
$$
\mathit{xjumpResult}(c_1, c_2, \Phi) = \begin{cases}
\Phi[\mathit{reg}.\mathrm{pc} \mapsto c_1][\mathit{reg}.r_{\mathit{data}} \mapsto c_2] & \begin{array}[t]{l}
c_1 \neq \text{ret-ptr-code}(\_, \_, \_) \text{ and} \\
c_2 \neq \text{ret-ptr-data}(\_, \_) \text{ and} \\
\mathit{nonExecutable}(c_2)
\end{array} \\[1em]
\begin{array}[t]{l}
\Phi'[\mathit{reg}.\mathrm{pc} \mapsto c_{opc}][\mathit{reg}.r_{\mathit{data}} \mapsto 0] \\
\quad[\mathit{reg}.r_{\mathit{stk}} \mapsto c_{stk}][\mathit{reg}.r_{t1} \mapsto 0][\mathit{reg}.r_{t2} \mapsto 0]
\end{array} & \begin{array}[t]{l}
c_1 = \text{ret-ptr-code}(b, e, a) \text{ and} \\
c_2 = \text{ret-ptr-data}(a_{stk}, e_{stk,priv}) \text{ and} \\
\Phi(r_{\mathit{stk}}) = \text{stack-ptr}(\mathrm{rw}, \mathit{stk\_base}, e_{stk}, \_) \text{ and} \\
\mathit{stk\_base} \le e_{stk} \text{ and} \\
\Phi = (\mathit{mem}, \mathit{reg}, \mathit{stk\_frame} :: \mathit{stk}, \mathit{ms}_{stk}) \text{ and} \\
\mathit{stk\_frame} = (\mathit{opc}, \mathit{ms}_{stk,priv}) \text{ and} \\
\mathit{opc} = a \text{ and} \\
c_{opc} = ((\mathrm{rx}, \mathrm{normal}), b, e, \mathit{opc}) \text{ and} \\
\mathrm{dom}(\mathit{ms}_{stk,priv}) = [e_{stk} + 1, e_{stk,priv}] \text{ and} \\
e_{stk} + 1 = a_{stk} \text{ and} \\
c_{stk} = \text{stack-ptr}(\mathrm{rw}, \mathit{stk\_base}, e_{stk,priv}, a_{stk}) \text{ and} \\
\Phi' = (\mathit{mem}, \mathit{reg}, \mathit{stk}, \mathit{ms}_{stk,priv} \uplus \mathit{ms}_{stk})
\end{array} \\[1em]
\mathrm{failed} & \text{otherwise}
\end{cases}
$$
cseal
$$
\llbracket \mathrm{cseal}\ r_1\ r_2 \rrbracket(\Phi) = \begin{cases}
\mathit{updatePc}(\Phi[\mathit{reg}.r_1 \mapsto sc]) & \begin{array}[t]{l}
\Phi(r_1) \in \mathit{SealableCap} \text{ and} \\
\Phi(r_2) = \mathrm{seal}(\sigma_b, \sigma_e, \sigma) \text{ and} \\
\sigma_b \le \sigma \le \sigma_e \text{ and} \\
sc = \mathrm{sealed}(\sigma, \Phi(r_1))
\end{array} \\[1em]
\mathrm{failed} & \text{otherwise}
\end{cases}
$$
split and splice
We would like splice and split to have the following properties:
1. No authority amplification - splitting or splicing capabilities should give you no more authority than you
already had.
2. Split should be dual to splice in the sense that a split on a capability followed by a splice of the two resulting
capabilities should yield the same capability.
3. Take the addresses governed by a linear capability to be a multiset. If this capability is split, then the
union of the two multisets of addresses governed by the resulting capabilities should be the same as the first
multiset. In other words, splice and split should not break linearity.
Split cannot create “empty capabilities” (a capability that governs no segment of the memory, i.e. a capability
where the base address is greater than the end address). We partly do not allow this out of convenience as it
makes the implementation of call simpler. We do not need empty capabilities as they have no semantic value in
the sense that they allow you to do essentially the same as a piece of data.
$$
\llbracket \mathrm{split}\ r_1\ r_2\ r_3\ rn_4 \rrbracket(\Phi) = \begin{cases}
\mathit{updatePc}(\Phi[\mathit{reg}.r_3 \mapsto w][\mathit{reg}.r_1 \mapsto c_1][\mathit{reg}.r_2 \mapsto c_2]) & \begin{array}[t]{l}
\Phi(r_3) = ((\mathit{perm}, l), b, e, a) \text{ and } \Phi(rn_4) = n \text{ and} \\
b \le n \text{ and } n < e \text{ and} \\
c_1 = ((\mathit{perm}, l), b, n, a) \text{ and } c_2 = ((\mathit{perm}, l), n + 1, e, a) \text{ and} \\
w = \mathit{linearityConstraint}(\Phi(r_3)) \text{ and } r_1, r_2, r_3 \neq \mathrm{pc}
\end{array} \\[1em]
\mathit{updatePc}(\Phi[\mathit{reg}.r_1 \mapsto c_1][\mathit{reg}.r_2 \mapsto c_2]) & \begin{array}[t]{l}
\Phi(r_3) = \mathrm{seal}(\sigma_b, \sigma_e, \sigma) \text{ and } \Phi(rn_4) = n \text{ and} \\
\sigma_b \le n \text{ and } n < \sigma_e \text{ and} \\
c_1 = \mathrm{seal}(\sigma_b, n, \sigma) \text{ and } c_2 = \mathrm{seal}(n + 1, \sigma_e, \sigma)
\end{array} \\[1em]
\mathit{updatePc}(\Phi[\mathit{reg}.r_3 \mapsto 0][\mathit{reg}.r_1 \mapsto c_1][\mathit{reg}.r_2 \mapsto c_2]) & \begin{array}[t]{l}
\Phi(r_3) = \text{stack-ptr}(\mathit{perm}, b, e, a) \text{ and } \Phi(rn_4) = n \text{ and} \\
b \le n \text{ and } n < e \text{ and} \\
c_1 = \text{stack-ptr}(\mathit{perm}, b, n, a) \text{ and } c_2 = \text{stack-ptr}(\mathit{perm}, n + 1, e, a)
\end{array} \\[1em]
\mathrm{failed} & \text{otherwise}
\end{cases}
$$
Two important points about splice related to the calling convention: (1) Splice fails if the two capabilities are not adjacent. This means that if a caller tries to use a return pointer with a stack that is not immediately adjacent to the private stack, then it fails. (2) Splice prohibits splicing with an empty capability! This means that a callee cannot return an empty stack (this also means that it is impossible to make a call when all of the stack is used; this may indeed be undesirable, but without this restriction we would need to handle other things). Note: because splice does not allow empty stacks, it is not a "left inverse" of split (because of the empty case). Intuitively, it is weird that a split followed by a splice does not yield the same capability.
$$
\llbracket \mathrm{splice}\ r_1\ r_2\ r_3 \rrbracket(\Phi) = \begin{cases}
\mathit{updatePc}(\Phi[\mathit{reg}.r_2 \mapsto w_2][\mathit{reg}.r_3 \mapsto w_3][\mathit{reg}.r_1 \mapsto c]) & \begin{array}[t]{l}
\Phi(r_2) = ((\mathit{perm}, l), b_2, e_2, \_) \text{ and } \Phi(r_3) = ((\mathit{perm}, l), b_3, e_3, a_3) \text{ and} \\
e_2 + 1 = b_3 \text{ and } b_2 \le e_2 \text{ and } b_3 \le e_3 \text{ and} \\
c = ((\mathit{perm}, l), b_2, e_3, a_3) \text{ and} \\
w_2 = \mathit{linearityConstraint}(\Phi(r_2)) \text{ and } w_3 = \mathit{linearityConstraint}(\Phi(r_3)) \text{ and} \\
r_1, r_2, r_3 \neq \mathrm{pc}
\end{array} \\[1em]
\mathit{updatePc}(\Phi[\mathit{reg}.r_1 \mapsto c]) & \begin{array}[t]{l}
\Phi(r_2) = \mathrm{seal}(\sigma_{b,2}, \sigma_{e,2}, \_) \text{ and } \Phi(r_3) = \mathrm{seal}(\sigma_{b,3}, \sigma_{e,3}, \sigma) \text{ and} \\
\sigma_{e,2} + 1 = \sigma_{b,3} \text{ and } \sigma_{b,2} \le \sigma_{e,2} \text{ and } \sigma_{b,3} \le \sigma_{e,3} \text{ and} \\
c = \mathrm{seal}(\sigma_{b,2}, \sigma_{e,3}, \sigma)
\end{array} \\[1em]
\mathit{updatePc}(\Phi[\mathit{reg}.r_2 \mapsto 0][\mathit{reg}.r_3 \mapsto 0][\mathit{reg}.r_1 \mapsto c]) & \begin{array}[t]{l}
\Phi(r_2) = \text{stack-ptr}(\mathit{perm}, b_2, e_2, \_) \text{ and } \Phi(r_3) = \text{stack-ptr}(\mathit{perm}, b_3, e_3, a_3) \text{ and} \\
e_2 + 1 = b_3 \text{ and } b_2 \le e_2 \text{ and } b_3 \le e_3 \text{ and} \\
c = \text{stack-ptr}(\mathit{perm}, b_2, e_3, a_3)
\end{array} \\[1em]
\mathrm{failed} & \text{otherwise}
\end{cases}
$$
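As an added example (not the paper's own code), the following Python models split and splice as defined here and uses them for the stack handling of the calling convention from Section 1.4.3: the caller splits off its private frame, and the return code checks the base against stk_base and splices. It checks properties 2 and 3 from above and shows that a callee who splits the handed-out stack and returns only one piece fails either the base check or the adjacency check; STK_BASE, the addresses and the function names are constructed for the example.

```python
from collections import Counter
from dataclasses import dataclass
from typing import Tuple

# Constructed model of a linear memory capability ((perm, linear), b, e, a)
# and of the stack token stack-ptr(perm, b, e, a); only the fields that
# split and splice inspect are kept.
@dataclass(frozen=True)
class Cap:
    perm: str   # e.g. "rw"
    b: int      # base address
    e: int      # end address (inclusive)
    a: int      # current address

class Failed(Exception):
    """The machine steps to the `failed` configuration."""

def split(c: Cap, n: int) -> Tuple[Cap, Cap]:
    """split r1 r2 r3 rn4: cut c = [b, e] at n into [b, n] and [n+1, e].
    The side condition b <= n < e means neither half can be empty."""
    if not (c.b <= n < c.e):
        raise Failed(f"split at {n} is outside [{c.b}, {c.e - 1}]")
    return Cap(c.perm, c.b, n, c.a), Cap(c.perm, n + 1, c.e, c.a)

def splice(c2: Cap, c3: Cap) -> Cap:
    """splice r1 r2 r3: join c2 = [b2, e2] with an adjacent c3 = [b3, e3]."""
    if c2.perm != c3.perm:
        raise Failed("permissions differ")
    if not (c2.b <= c2.e and c3.b <= c3.e):
        raise Failed("splice with an empty capability")
    if c2.e + 1 != c3.b:
        raise Failed(f"[{c2.b},{c2.e}] and [{c3.b},{c3.e}] are not adjacent")
    return Cap(c2.perm, c2.b, c3.e, c3.a)

def governed(c: Cap) -> Counter:
    """Multiset of addresses a capability governs (property 3)."""
    return Counter(range(c.b, c.e + 1))

def split_keeps_linearity(c: Cap, n: int) -> bool:
    """Property 3: no address is gained or lost by a split."""
    c1, c2 = split(c, n)
    return governed(c1) + governed(c2) == governed(c)

def splice_undoes_split(c: Cap, n: int) -> bool:
    """Property 2: splice is a left inverse of split whenever split succeeds."""
    c1, c2 = split(c, n)
    return splice(c1, c2) == Cap(c.perm, c.b, c.e, c.a)

STK_BASE = 1000   # constructed stand-in for the global constant stk_base

def call_split(rstk: Cap) -> Tuple[Cap, Cap]:
    """Caller side: rstk.a is the first free address after the push of 42
    and the cca rstk (-1); [b, a] is handed to the callee, [a+1, e] is the
    private frame that gets sealed into the return pointer."""
    return split(rstk, rstk.a)

def return_check(returned: Cap, private: Cap) -> Cap:
    """Return code: getb must equal stk_base, then the returned stack is
    spliced with the private frame, which also enforces adjacency."""
    if returned.b != STK_BASE:
        raise Failed("stack base mismatch")
    return splice(returned, private)

def outcome(fn, *args):
    """Run one step and report its result or the failure reason."""
    try:
        return fn(*args)
    except Failed as ex:
        return f"failed: {ex}"

def demo() -> dict:
    # Constructed stack: 8 words [1000, 1007], caller data in [1005, 1007],
    # the 42 pushed at 1004 and the pointer decremented to 1003.
    after_push = Cap("rw", STK_BASE, 1007, 1003)
    handed, private = call_split(after_push)
    # An honest callee may have moved the pointer but returns the whole piece.
    honest = Cap("rw", handed.b, handed.e, 1001)
    # A callee that split the handed-out stack and returns only one piece.
    low, high = split(handed, 1001)
    return {
        "handed": handed,
        "private": private,
        "honest": outcome(return_check, honest, private),
        "returns_low": outcome(return_check, low, private),
        "returns_high": outcome(return_check, high, private),
        "empty_split": outcome(split, handed, handed.e),
    }
```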
call
$$
\llbracket \mathrm{call}_{\mathit{off}_{pc},\mathit{off}_\sigma}\ r_1\ r_2 \rrbracket(\Phi) = \begin{cases}
\mathit{xjumpResult}\!\left(c_1, c_2, \begin{array}[t]{l}
\Phi'[\mathit{reg}.r_1 \mapsto w_1][\mathit{reg}.r_2 \mapsto w_2] \\
\quad[\mathit{reg}.r_{\mathit{stk}} \mapsto c_{stk}] \\
\quad[\mathit{reg}.r_{\mathit{retcode}} \mapsto \mathrm{sealed}(\sigma_?, c_{opc})] \\
\quad[\mathit{reg}.r_{\mathit{retdata}} \mapsto \mathrm{sealed}(\sigma_?, c_{priv\_data})] \\
\quad[\mathit{reg}.r_{t1} \mapsto 0]
\end{array}\right) & \begin{array}[t]{l}
r_1 \neq r_{t1} \text{ and } r_2 \neq r_{t1} \text{ and} \\
\Phi(r_1) = \mathrm{sealed}(\sigma_1, c_1) \text{ and } \Phi(r_2) = \mathrm{sealed}(\sigma_2, c_2) \text{ and } \sigma_1 = \sigma_2 \text{ and} \\
\mathit{nonExecutable}(c_2) \text{ and} \\
\Phi = (\mathit{mem}, \mathit{reg}, \mathit{stk}, \mathit{ms}_{stk}) \text{ and} \\
\Phi(r_{\mathit{stk}}) = \text{stack-ptr}(\mathrm{rw}, b_{stk}, e_{stk}, a_{stk}) \text{ and } b_{stk} < a_{stk} \le e_{stk} \text{ and} \\
\mathit{ms}_{stk,priv} = \mathit{ms}_{stk}|_{[a_{stk}, e_{stk}]}[a_{stk} \mapsto 42] \text{ and} \\
\mathit{ms}_{stk,rest} = \mathit{ms}_{stk} - \mathit{ms}_{stk}|_{[a_{stk}, e_{stk}]} \text{ and} \\
c_{stk} = \text{stack-ptr}(\mathrm{rw}, b_{stk}, a_{stk} - 1, a_{stk} - 1) \text{ and} \\
c_{priv\_data} = \text{ret-ptr-data}(a_{stk}, e_{stk}) \text{ and} \\
\Phi(\mathrm{pc}) = ((\_, \_), b, e, a) \text{ and} \\
\mathit{opc} = a + \mathit{call\_len} \text{ and } c_{opc} = \text{ret-ptr-code}(b, e, a + \mathit{call\_len}) \text{ and} \\
\mathit{stk}' = (\mathit{opc}, \mathit{ms}_{stk,priv}) :: \mathit{stk} \text{ and} \\
\Phi' = (\mathit{mem}, \mathit{reg}, \mathit{stk}', \mathit{ms}_{stk,rest}) \text{ and} \\
\mathit{mem}(a + \mathit{off}_{pc}) = \mathrm{seal}(\sigma_b, \sigma_e, \sigma_a) \text{ and } b \le a + \mathit{off}_{pc} \le e \text{ and} \\
\sigma_? = \sigma_a + \mathit{off}_\sigma \text{ and } \sigma_b \le \sigma_? \le \sigma_e \text{ and} \\
w_1 = \mathit{linearityConstraint}(\Phi(r_1)) \text{ and } w_2 = \mathit{linearityConstraint}(\Phi(r_2))
\end{array} \\[1em]
\mathrm{failed} & \text{otherwise}
\end{cases}
$$
Note: the caller may have split part of the stack pointer off and even pass the fragments split off to the callee
in registers. This behavior is in principle fine. Source semantics will define that only the non-split-off part will be
encapsulated. The parts that were split off and passed to the adversary are not protected, as expected.
1.5 Components
A component is either a component with a main (i.e. a program that still needs to be linked with library implementations) or one without (i.e. a library implementation that will be used by other components). It contains code memory, data memory, a list of imported symbols, a list of exported symbols, a list of seals used for producing return capability pairs, and a list of seals used for producing closures.
We define a component as follows:
$$
\begin{aligned}
s &\in \mathit{Symbol} \\
\mathit{import} &::= a \mapsfrom s \\
\mathit{export} &::= s \mapsto w \\
\mathit{comp}_0 &::= (\mathit{ms}_{code}, \mathit{ms}_{data}, \mathit{import}, \mathit{export}, \sigma_{ret}, \sigma_{clos}, A_{linear}) \\
\mathit{comp} &::= \mathit{comp}_0 \mid (\mathit{comp}_0, c_{main,c}, c_{main,d})
\end{aligned}
$$
We define inductively when a component is valid ($TA \vdash \mathit{comp}$) by the inference rules below.
$$
\dfrac{\mathit{ms}_{code}(a) = \mathrm{seal}(\sigma_b, \sigma_e, \sigma_b) \qquad [\sigma_b, \sigma_e] = (\sigma_{ret} \cup \sigma_{clos})}
{\sigma_{ret}, \sigma_{ret,owned}, \sigma_{clos}, TA \vdash_{\text{comp-code}} \mathit{ms}_{code}, a}
$$
$$
\dfrac{\begin{array}{c}
\mathit{ms}_{code}(a) \in \mathbb{Z} \\
([a, a + \mathit{call\_len} - 1] \subseteq TA \wedge \mathit{ms}_{code}([a, a + \mathit{call\_len} - 1]) = \mathrm{call}^{\mathit{off}_{pc},\mathit{off}_\sigma}_{0..\mathit{call\_len}-1}\ r_1\ r_2) \Rightarrow \\
(\mathit{ms}_{code}(a + \mathit{off}_{pc}) = \mathrm{seal}(\sigma_b, \sigma_e, \sigma_b) \wedge \sigma_b + \mathit{off}_\sigma \in \sigma_{ret,owned})
\end{array}}
{\sigma_{ret}, \sigma_{ret,owned}, \sigma_{clos}, TA \vdash_{\text{comp-code}} \mathit{ms}_{code}, a}
$$
$$
\dfrac{\begin{array}{c}
\mathit{ms}_{code} \text{ has no hidden calls} \qquad \sigma_{ret} \mathrel{\#} \sigma_{clos} \\
\exists d_\sigma : \mathrm{dom}(\mathit{ms}_{code}) \to \mathcal{P}(\mathit{Seal}).\ \sigma_{ret} = \biguplus_{a \in \mathrm{dom}(\mathit{ms}_{code})} d_\sigma(a) \text{ and } \forall a \in \mathrm{dom}(\mathit{ms}_{code}).\ \sigma_{ret}, d_\sigma(a), \sigma_{clos}, TA \vdash_{\text{comp-code}} \mathit{ms}_{code}, a \\
\exists a.\ \mathit{ms}_{code}(a) = \mathrm{seal}(\sigma_b, \sigma_e, \_) \wedge [\sigma_b, \sigma_e] \neq \emptyset
\end{array}}
{\sigma_{ret}, \sigma_{clos}, TA \vdash_{\text{comp-code}} \mathit{ms}_{code}}
$$
$$
\dfrac{}{A_{code}, A_{own}, A_{non\text{-}linear}, \sigma_{ret}, \sigma_{clos} \vdash_{\text{comp-value}} z}
$$
$$
\dfrac{\mathit{perm} \sqsubseteq \mathrm{rw} \qquad l = \mathrm{linear} \Rightarrow \emptyset \subset [b, e] \subseteq A_{own} \qquad l = \mathrm{normal} \Rightarrow [b, e] \subseteq A_{non\text{-}linear}}
{A_{code}, A_{own}, A_{non\text{-}linear}, \sigma_{ret}, \sigma_{clos} \vdash_{\text{comp-value}} ((\mathit{perm}, l), b, e, a)}
$$
$$
\dfrac{A_{code}, A_{own}, A_{non\text{-}linear}, \sigma_{ret}, \sigma_{clos} \vdash_{\text{comp-value}} sc \qquad \sigma \in \sigma_{clos}}
{A_{code}, A_{own}, A_{non\text{-}linear}, \sigma_{ret}, \sigma_{clos} \vdash_{\text{comp-value}} \mathrm{sealed}(\sigma, sc)}
$$
$$
\dfrac{[b, e] \subseteq A_{code} \qquad \sigma \in \sigma_{clos}}
{A_{code}, A_{non\text{-}linear}, \sigma_{ret}, \sigma_{clos} \vdash_{\text{comp-export}} s \mapsto \mathrm{sealed}(\sigma, ((\mathrm{rx}, \mathrm{normal}), b, e, a))}
$$
$$
\dfrac{A_{code}, \emptyset, A_{non\text{-}linear}, \sigma_{ret}, \sigma_{clos} \vdash_{\text{comp-value}} w}
{A_{code}, A_{non\text{-}linear}, \sigma_{ret}, \sigma_{clos} \vdash_{\text{comp-export}} s \mapsto w}
$$
$$
\dfrac{\begin{array}{c}
\mathrm{dom}(\mathit{ms}_{code}) = [b, e] \qquad [b - 1, e + 1] \mathrel{\#} \mathrm{dom}(\mathit{ms}_{data}) \qquad \mathit{ms}_{pad} = [b - 1 \mapsto 0] \uplus [e + 1 \mapsto 0] \\
\sigma_{ret}, \sigma_{clos}, TA \vdash_{\text{comp-code}} \mathit{ms}_{code} \\
\exists A_{own} : \mathrm{dom}(\mathit{ms}_{data}) \to \mathcal{P}(\mathrm{dom}(\mathit{ms}_{data})) \qquad \mathrm{dom}(\mathit{ms}_{data}) = A_{non\text{-}linear} \uplus A_{linear} \qquad A_{linear} = \biguplus_{a \in \mathrm{dom}(\mathit{ms}_{data})} A_{own}(a) \\
\forall a \in \mathrm{dom}(\mathit{ms}_{data}).\ \mathrm{dom}(\mathit{ms}_{code}), A_{own}(a), A_{non\text{-}linear}, \sigma_{ret}, \sigma_{clos} \vdash_{\text{comp-value}} \mathit{ms}_{data}(a) \\
\mathit{export} = s_{export} \mapsto w_{export} \qquad \mathit{import} = a_{import} \mapsfrom s_{import} \qquad \{a_{import}\} \subseteq \mathrm{dom}(\mathit{ms}_{data}) \\
\mathrm{dom}(\mathit{ms}_{code}), A_{non\text{-}linear}, \sigma_{ret}, \sigma_{clos} \vdash_{\text{comp-export}} w_{export} \\
s_{import} \mathrel{\#} s_{export} \qquad (\emptyset \neq \mathrm{dom}(\mathit{ms}_{code}) \subseteq TA) \vee (\mathrm{dom}(\mathit{ms}_{code}) \mathrel{\#} TA \wedge \sigma_{ret} = \emptyset) \qquad \mathrm{dom}(\mathit{ms}_{data}) \mathrel{\#} TA
\end{array}}
{TA \vdash (\mathit{ms}_{code} \uplus \mathit{ms}_{pad}, \mathit{ms}_{data}, \mathit{import}, \mathit{export}, \sigma_{ret}, \sigma_{clos}, A_{linear})}
$$
$$
\dfrac{\mathit{comp}_0 = (\mathit{ms}_{code}, \mathit{ms}_{data}, \mathit{import}, \mathit{export}, \sigma_{ret}, \sigma_{clos}, A_{linear}) \qquad TA \vdash \mathit{comp}_0 \qquad (\_ \mapsto c_{main,c}), (\_ \mapsto c_{main,d}) \in \mathit{export}}
{TA \vdash (\mathit{comp}_0, c_{main,c}, c_{main,d})}
$$
where the following definition is used:
Definition 2 (No hidden calls). We say that a memory segment $\mathit{ms}_{code}$ has no hidden calls iff
$$
\begin{array}{l}
\forall a \in \mathrm{dom}(\mathit{ms}_{code}).\ \forall i \in [0, \mathit{call\_len} - 1].\ \mathit{ms}_{code}(a + i) = \mathrm{call}^{\mathit{off}_{pc},\mathit{off}_\sigma}_{i}\ r_1\ r_2 \Rightarrow \\
\quad (\mathrm{dom}(\mathit{ms}_{code}) \supseteq [a - i, a + \mathit{call\_len} - i - 1] \wedge \mathit{ms}_{code}([a - i, a + \mathit{call\_len} - i - 1]) = \mathrm{call}^{\mathit{off}_{pc},\mathit{off}_\sigma}_{0..\mathit{call\_len}-1}\ r_1\ r_2) \vee \\
\quad \exists j \in [a - i, a + \mathit{call\_len} - i - 1] \cap \mathrm{dom}(\mathit{ms}_{code}).\ \mathit{ms}_{code}(j) \neq \mathrm{call}^{\mathit{off}_{pc},\mathit{off}_\sigma}_{j - a - i}\ r_1\ r_2
\end{array}
$$
1.6 Linking
$$
\dfrac{\begin{array}{c}
comp_1 = (ms_{code,1}, ms_{data,1}, import_1, export_1, \sigma_{ret,1}, \sigma_{clos,1}, A_{linear,1}) \\
comp_2 = (ms_{code,2}, ms_{data,2}, import_2, export_2, \sigma_{ret,2}, \sigma_{clos,2}, A_{linear,2}) \\
comp_3 = (ms_{code,3}, ms_{data,3}, import_3, export_3, \sigma_{ret,3}, \sigma_{clos,3}, A_{linear,3}) \\[2pt]
ms_{code,3} = ms_{code,1} \uplus ms_{code,2} \\
ms_{data,3} = (ms_{data,1} \uplus ms_{data,2})[a \mapsto w \mid (a ↤ s) \in (import_1 \cup import_2),\ (s \mapsto w) \in export_3] \\
export_3 = export_1 \cup export_2 \qquad
import_3 = \{ a ↤ s \in (import_1 \cup import_2) \mid s \mapsto \_ \notin export_3 \} \\
\sigma_{ret,3} = \sigma_{ret,1} \uplus \sigma_{ret,2} \qquad
\sigma_{clos,3} = \sigma_{clos,1} \uplus \sigma_{clos,2} \qquad
A_{linear,3} = A_{linear,1} \uplus A_{linear,2} \\
\mathrm{dom}(ms_{code,3}) \mathbin{\#} \mathrm{dom}(ms_{data,3}) \qquad \sigma_{ret,3} \mathbin{\#} \sigma_{clos,3}
\end{array}}
{comp_3 = comp_1 \bowtie comp_2}
$$
$$
\dfrac{comp_0'' = comp_0 \bowtie comp_0'}
      {(comp_0'', c_{main,c}, c_{main,d}) = comp_0 \bowtie (comp_0', c_{main,c}, c_{main,d})}
\qquad
\dfrac{comp_0'' = comp_0 \bowtie comp_0'}
      {(comp_0'', c_{main,c}, c_{main,d}) = (comp_0, c_{main,c}, c_{main,d}) \bowtie comp_0'}
$$
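The linking rule above, as an added example in Python (not code from the report). Components are plain records; memory segments are maps from addresses to words, imports map a data address to the symbol whose export fills it, and exports map a symbol to a word. The disjointness side conditions of the rule are enforced by raising an error. Treating two exports of the same symbol with different words as a link error is an assumption made here; the report writes $export_1 \cup export_2$ without spelling that case out.

```python
"""Component linking (Section 1.6) modelled in Python (added example)."""
from dataclasses import dataclass
from typing import Any, Dict, Set

Word = Any


@dataclass(frozen=True)
class Component:
    ms_code: Dict[int, Word]     # code memory segment
    ms_data: Dict[int, Word]     # data memory segment
    imports: Dict[int, str]      # a ↤ s : data address a awaits the word exported as s
    exports: Dict[str, Word]     # s ↦ w
    sigma_ret: Set[int]          # return seals
    sigma_clos: Set[int]         # closure seals
    a_linear: Set[int]           # data addresses governed by linear capabilities


class LinkError(ValueError):
    pass


def _disjoint_union_map(x: Dict, y: Dict, what: str) -> Dict:
    """x ⊎ y on maps; the rule requires the domains to be disjoint."""
    overlap = set(x) & set(y)
    if overlap:
        raise LinkError(f"{what} domains overlap at {sorted(overlap)}")
    return {**x, **y}


def _disjoint_union_set(x: Set, y: Set, what: str) -> Set:
    overlap = x & y
    if overlap:
        raise LinkError(f"{what} overlap: {sorted(overlap)}")
    return x | y


def link(c1: Component, c2: Component) -> Component:
    """comp3 = comp1 ⋈ comp2 following the linking rule."""
    ms_code3 = _disjoint_union_map(c1.ms_code, c2.ms_code, "code")
    # export3 = export1 ∪ export2. Assumption: a symbol exported twice with
    # different words is a link error (the union would not be a function).
    exports3 = dict(c1.exports)
    for s, w in c2.exports.items():
        if s in exports3 and exports3[s] != w:
            raise LinkError(f"conflicting exports for {s}")
        exports3[s] = w
    # (msdata,1 ⊎ msdata,2)[a ↦ w | (a ↤ s) ∈ import1 ∪ import2, (s ↦ w) ∈ export3].
    # Import addresses lie in the respective data segments, which are disjoint,
    # so the two import maps are disjoint as well.
    ms_data3 = _disjoint_union_map(c1.ms_data, c2.ms_data, "data")
    all_imports = _disjoint_union_map(c1.imports, c2.imports, "import")
    imports3: Dict[int, str] = {}
    for a, s in all_imports.items():
        if s in exports3:
            ms_data3[a] = exports3[s]   # resolved: the exported word is written into data
        else:
            imports3[a] = s             # still unresolved after linking
    sigma_ret3 = _disjoint_union_set(c1.sigma_ret, c2.sigma_ret, "return seals")
    sigma_clos3 = _disjoint_union_set(c1.sigma_clos, c2.sigma_clos, "closure seals")
    a_linear3 = _disjoint_union_set(c1.a_linear, c2.a_linear, "linear addresses")
    # Side conditions of the rule.
    if set(ms_code3) & set(ms_data3):
        raise LinkError("code and data memory of the linked component overlap")
    if sigma_ret3 & sigma_clos3:
        raise LinkError("a seal is used both as return seal and as closure seal")
    return Component(ms_code3, ms_data3, imports3, exports3, sigma_ret3, sigma_clos3, a_linear3)


def link_or_error(c1: Component, c2: Component):
    """link, but return the error message instead of raising."""
    try:
        return link(c1, c2)
    except LinkError as e:
        return str(e)


# Constructed sample components (not from the report); words are strings here.
LIB = Component(
    ms_code={0x100: "lib code", 0x101: "lib code"},
    ms_data={0x200: "lib data"},
    imports={},
    exports={"f": "sealed(σ=7, cap to 0x100)"},
    sigma_ret={1, 2}, sigma_clos={7}, a_linear=set(),
)
MAIN = Component(
    ms_code={0x300: "main code"},
    ms_data={0x400: 0, 0x401: 0},        # slots to be filled by linking
    imports={0x400: "f", 0x401: "g"},    # "g" is exported by nobody
    exports={"main": "sealed(σ=9, cap to 0x300)"},
    sigma_ret={3}, sigma_clos={9}, a_linear={0x401},
)
```

Linking `LIB` with `MAIN` resolves `f` into address `0x400` and leaves `g` in the import list; a component whose code reuses address `0x100`, or whose return seals reuse LIB's closure seal 7, is rejected by the side conditions.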
1.7 Programs, contexts, initial execution configuration
A program is intuitively a component that is ready to be executed, i.e. it must have an empty import list and
a pair of capabilities to be used as main. A context for a given component is any other component that can be
linked with it to produce a program.
Definition 3 (Programs and Contexts). We define a program to be a component $(comp_0, c_{main,c}, c_{main,d})$ with an
empty import list.
A context for a component $comp$ is another component $comp'$ such that $comp \bowtie comp'$ is a program.
Definition 4 (Initial execution configuration). The register $r_{stk}$ holds a stack pointer on the source machine and a linear capability on the target machine; the remaining conditions are shared.
$$
\dfrac{\begin{array}{c}
c_{main,c} = \mathrm{sealed}(\sigma_1, c'_{main,c}) \qquad
c_{main,d} = \mathrm{sealed}(\sigma_2, c'_{main,d}) \qquad
\sigma_1 = \sigma_2 \qquad
\mathrm{nonExecutable}(c'_{main,d}) \\[2pt]
reg(pc) = c'_{main,c} \qquad reg(r_{data}) = c'_{main,d} \\[2pt]
reg(r_{stk}) = \mathrm{stack\text{-}ptr}(\mathrm{rw}, b_{stk}, e_{stk}, e_{stk})\ \text{(source)} \qquad
reg(r_{stk}) = ((\mathrm{rw}, \mathrm{linear}), b_{stk}, e_{stk}, e_{stk})\ \text{(target)} \\[2pt]
reg(\mathrm{RegisterName} \setminus \{pc, r_{data}, r_{stk}\}) = 0 \qquad
\mathrm{range}(ms_{stk}) = \{0\} \qquad
mem = ms_{code} \uplus ms_{data} \uplus ms_{stk} \uplus ms_{frame} \\[2pt]
[b_{stk}, e_{stk}] = \mathrm{dom}(ms_{stk}) \qquad
[b_{stk}-1, e_{stk}+1] \mathbin{\#} (\mathrm{dom}(ms_{code}) \cup \mathrm{dom}(ms_{data})) \qquad
import = \emptyset
\end{array}}
{((ms_{code}, ms_{data}, import, export, \sigma_{ret}, \sigma_{clos}, A_{linear}), c_{main,c}, c_{main,d}) \leadsto (mem, reg, \emptyset, ms_{stk})}
$$

Definition 5 (Plugging a component into a context). When $comp'$ is a context for component $comp$ and $comp' \bowtie comp \leadsto \Phi$, then we write $comp'[comp]$ for the execution configuration $\Phi$.

Lemma 1. For components $C$ and $comp$, if
• $\emptyset \vdash C$
• $\mathrm{dom}(comp.ms_{code}) \vdash comp$
• $C[comp]$ is defined
then $\mathrm{dom}(comp.ms_{code}) \vdash C$.

Proof. Follows by definition.
2 Compiler
The compiler is the identity.
3 Logical Relation
In the following definitions, blue is used to indicate values related to the source machine. This is unlike previous
definitions, where blue was used to indicate source language specific parts of definitions.
3.1 Worlds
Theorem 1. There exists a c.o.f.e. $Wor$ with a preorder $\sqsupseteq$ on it, together with an isomorphism $\xi$ such that
$$
\xi : Wor \cong \blacktriangleright(World_{heap} \times World_{private\ stack} \times World_{free\ stack})
$$
and for all $\hat W, \hat W' \in Wor$,
$$
\hat W' \sqsupseteq \hat W \quad\text{iff}\quad \xi(\hat W') \sqsupseteq \xi(\hat W).
$$
Here $World_{private\ stack}$, $World_{heap}$ and $World_{free\ stack}$ are defined as follows:
$$
World_{heap} = \mathrm{RegionName} \rightharpoonup (Region_{spatial} + Region_{shared})
$$
$$
World_{private\ stack} = \mathrm{RegionName} \rightharpoonup (Region_{spatial} \times \mathrm{Addr})
$$
$$
World_{free\ stack} = \mathrm{RegionName} \rightharpoonup Region_{spatial}
$$
where $\mathrm{RegionName} = \mathbb{N}$, and
$$
Region_{shared} = \{\mathrm{pure}\} \times \big(Wor \xrightarrow{mon,\,ne} \mathrm{URel}(\mathrm{MemorySegment}^2)\big) \times
\big(\mathrm{Seal} \rightharpoonup Wor \xrightarrow{mon,\,ne} \mathrm{URel}(\mathrm{SealableCap} \times \mathrm{SealableCap})\big)
$$
$$
Region_{spatial} =
\{\mathrm{spatial}\} \times \big(Wor \xrightarrow{mon,\,ne} \mathrm{URel}(\mathrm{MemorySegment}^2)\big)
\ \uplus\ \{\mathrm{spatial\ owned}\} \times \big(Wor \xrightarrow{mon,\,ne} \mathrm{URel}(\mathrm{MemorySegment}^2)\big)
\ \uplus\ \{\mathrm{revoked}\}
$$
where spatial and spatial owned are regions governing segments of memory addressed by linear capabilities.
spatial owned signifies that this region is addressable. spatial signifies that the region is not owned and can
thus not be addressed. At the same time it signifies that if something else addresses it, it is a linear capability.
Finally, pure signifies that the region is only addressed by non-linear capabilities. Notice that no region allows for
both linear and non-linear capabilities to address it. Notice also that pure regions have an additional component
that allows them to claim ownership of part of the address space of seals and impose a relational invariant on
everything signed with those seals.
We introduce a bit of notation for projecting out each part of the world:
$$
W.\mathrm{heap} = \pi_1(W) \qquad W.\mathrm{priv} = \pi_2(W) \qquad W.\mathrm{free} = \pi_3(W)
$$
as well as projections for the regions:
$$
(v, H).v = v \qquad (v, H, H_\sigma).v = v \qquad \mathrm{revoked}.v = \mathrm{revoked}
$$
$$
(v, H).H = H \qquad (v, H, H_\sigma).H = H \qquad (v, H, H_\sigma).H_\sigma = H_\sigma
$$
and for private-stack regions $(\iota, opc)$ we write $(\iota, opc).\mathrm{region} = \iota$, $(\iota, opc).opc = opc$ and $(\iota, opc).H = \iota.H$.
We define erasure for worlds as follows:
$$
\lfloor (W_{heap}, W_{priv}, W_{free}) \rfloor_{S} = (\lfloor W_{heap} \rfloor_{S}, \lfloor W_{priv} \rfloor_{S}, \lfloor W_{free} \rfloor_{S})
$$
where erasure for each part of a world is defined as follows:
$$
\lfloor W_{heap} \rfloor_{S} = \lambda r.\ \begin{cases} W_{heap}(r) & \text{if } W_{heap}(r).v \in S \\ \bot & \text{otherwise} \end{cases}
$$
$$
\lfloor W_{priv} \rfloor_{S} = \lambda r.\ \begin{cases} W_{priv}(r) & \text{if } W_{priv}(r).\mathrm{region}.v \in S \\ \bot & \text{otherwise} \end{cases}
$$
$$
\lfloor W_{free} \rfloor_{S} = \lambda r.\ \begin{cases} W_{free}(r) & \text{if } W_{free}(r).v \in S \\ \bot & \text{otherwise} \end{cases}
$$
The active function takes a world and filters away all the revoked regions:
$$
\mathrm{active}(W) = \lfloor W \rfloor_{\{\mathrm{spatial},\ \mathrm{spatial\ owned},\ \mathrm{pure}\}}
$$
Disjoint union of worlds. Joins together two alike worlds with strictly disjoint ownership over spatial owned
regions. Two worlds can be joined together if all of their three parts agree on the region names and each of their
regions can be joined together.
$$
\begin{array}{l}
W_1 \oplus W_2 = W \quad\text{iff}\quad
\mathrm{dom}(W.\mathrm{heap}) = \mathrm{dom}(W_1.\mathrm{heap}) = \mathrm{dom}(W_2.\mathrm{heap})\ \text{and} \\
\qquad \mathrm{dom}(W.\mathrm{free}) = \mathrm{dom}(W_1.\mathrm{free}) = \mathrm{dom}(W_2.\mathrm{free})\ \text{and} \\
\qquad \mathrm{dom}(W.\mathrm{priv}) = \mathrm{dom}(W_1.\mathrm{priv}) = \mathrm{dom}(W_2.\mathrm{priv})\ \text{and} \\
\qquad \forall r \in \mathrm{dom}(W.\mathrm{heap}).\ W.\mathrm{heap}(r) = W_1.\mathrm{heap}(r) \oplus W_2.\mathrm{heap}(r)\ \text{and} \\
\qquad \forall r \in \mathrm{dom}(W.\mathrm{free}).\ W.\mathrm{free}(r) = W_1.\mathrm{free}(r) \oplus W_2.\mathrm{free}(r)\ \text{and} \\
\qquad \forall r \in \mathrm{dom}(W.\mathrm{priv}).\ \pi_1(W.\mathrm{priv}(r)) = \pi_1(W_1.\mathrm{priv}(r)) \oplus \pi_1(W_2.\mathrm{priv}(r))
\end{array}
$$
$\oplus$ on regions is defined as follows:
$$
\begin{array}{rcl}
(\mathrm{pure}, H, H_\sigma) \oplus (\mathrm{pure}, H, H_\sigma) &=& (\mathrm{pure}, H, H_\sigma) \\
(\mathrm{spatial}, H) \oplus (\mathrm{spatial}, H) &=& (\mathrm{spatial}, H) \\
(\mathrm{spatial\ owned}, H) \oplus (\mathrm{spatial}, H) &=& (\mathrm{spatial}, H) \oplus (\mathrm{spatial\ owned}, H) \ =\ (\mathrm{spatial\ owned}, H)
\end{array}
$$
and for all other cases $\oplus$ is undefined. Specifically, $\oplus$ is not defined when both sides are a spatial owned
region. It is further not defined if the two sides do not agree on region type or on the memory or sealed-value relations.
Lemma 2. $\oplus$ is associative and commutative. Also, left-hand sides in the commutativity and associativity laws
are defined whenever the right-hand sides are defined and vice versa.

Proof. Follows easily from the definitions.

Lemma 3 ($\oplus$ and future worlds). If $W' \sqsupseteq W_1 \oplus W_2$, then there exist $W_1', W_2'$ such that $W' = W_1' \oplus W_2'$,
$W_1' \sqsupseteq W_1$ and $W_2' \sqsupseteq W_2$.

Proof. We define $W_1'$ and $W_2'$ to have the same regions as $W'$ with a possibly different visibility. For regions that
are present in $W_1$ and $W_2$, we give them the same visibility in $W_1'$ and $W_2'$ respectively. For regions that are new
in $W'$, we make them pure or spatial in both $W_1'$ and $W_2'$ if they are pure or spatial in $W'$, and we make them spatial owned in
$W_1'$ but spatial in $W_2'$ if they are spatial owned in $W'$. It is then easy to check that the required equations hold.
We also define a second disjoint union operator on worlds:
$$
\begin{array}{l}
W_1 \uplus W_2 = W \quad\text{iff}\quad
\mathrm{dom}(W.\mathrm{heap}) = \mathrm{dom}(W_1.\mathrm{heap}) \uplus \mathrm{dom}(W_2.\mathrm{heap})\ \text{and} \\
\qquad \mathrm{dom}(W.\mathrm{free}) = \mathrm{dom}(W_1.\mathrm{free}) \uplus \mathrm{dom}(W_2.\mathrm{free})\ \text{and} \\
\qquad \mathrm{dom}(W.\mathrm{priv}) = \mathrm{dom}(W_1.\mathrm{priv}) \uplus \mathrm{dom}(W_2.\mathrm{priv})
\end{array}
$$
The two operators $\uplus$ and $\oplus$ are quite different. The difference is most clear in the treatment of pure regions: $\oplus$
allows (indeed requires) both worlds to have the same pure region, while $\uplus$ forbids this. To understand this different treatment
of $W_1 \uplus W_2$ and $W_1 \oplus W_2$, one should keep in mind that the two are intended for different usages of worlds. The
$W_1 \oplus W_2$ operator treats the worlds as specifications of authority: taking the disjoint union of worlds specifying
non-exclusive ownership of a block of memory is allowed and produces a new world that also specifies non-exclusive
ownership of that block. The $W_1 \uplus W_2$ operator treats worlds as specifications of memory contents: taking the disjoint
union of worlds specifying the presence of the same memory range is not allowed. The latter operator is used in the
logical relation for components, which specifies (among other things) that the world should specify the presence of
the component's data memory. Linking two components then produces a new component with both components'
data memory. The linked component is then valid in a world that has the combined memory presence specifications,
not the combined authority. In other words, $\oplus$ specifies disjoint authority distribution, while $\uplus$ specifies disjoint
memory allocation.
Note also that this picture is further complicated by our usage of non-authority-carrying spatial regions. They
are really only there in a world W as a shadow copy of a spatial owned region in another world W ′ that W
will be combined with. The shadow copy is used for specifying when a memory satisfies a world: the memory
should contain all memory ranges that anyone has authority over, not just the ones whose authority belongs to
the memory itself. For example, if a register contains a linear pointer to a range of memory, then the register file
will be valid in a world where the corresponding region is spatial owned, while the memory will be valid in a world
with the corresponding region only spatial. However, for the memory to satisfy the world, the block of memory
needs to be there, i.e. the memory should contain blocks of memory satisfying every region that is spatial owned,
pure, but also just spatial (because it may be spatial owned in, for example, the register file’s world).
Lemma 4. $\uplus$ is associative and commutative.
Proof. Follows easily from the definitions.
Lemma 5 (Odd distributivity of $\oplus$ and $\uplus$).
$$
(W_1 \oplus W_2) \uplus (W_3 \oplus W_4) = (W_1 \uplus W_3) \oplus (W_2 \uplus W_4)
$$
Also, the left expression is defined iff the right expression is.

Proof. Follows by definition-chasing.

3.2 Future world
The future world relation becomes:
$$
\dfrac{\text{for } i \in \{\mathrm{heap}, \mathrm{free}, \mathrm{priv}\}:\quad
\exists m_i : \mathrm{RegionName} \to \mathrm{RegionName}\ \text{injective}.\ 
\mathrm{dom}(W'.i) \supseteq m_i(\mathrm{dom}(W.i)) \ \land\ \forall r \in \mathrm{dom}(W.i).\ W'.i(m_i(r)) \sqsupseteq W.i(r)}
{W' \sqsupseteq W}
$$
Future regions allow spatial regions to become revoked. Also, the future region relation allows spatial regions
to become spatial owned, which expresses that our system is affine, rather than linear.
$$
\mathrm{revoked} \sqsupseteq (\mathrm{spatial}, \_) \qquad
\mathrm{revoked} \sqsupseteq \mathrm{revoked} \qquad
(\mathrm{spatial\ owned}, H) \sqsupseteq (\mathrm{spatial}, H)
$$
$$
(\mathrm{spatial\ owned}, H) \sqsupseteq (\mathrm{spatial\ owned}, H) \qquad
(\mathrm{spatial}, H) \sqsupseteq (\mathrm{spatial}, H)
$$
Definition 6 (The pure part of a world). For any world $W$, we define
$$
\mathrm{purePart}(W) \stackrel{def}{=} (\mathrm{purePart}(W.\mathrm{heap}), \mathrm{purePart}(W.\mathrm{priv}), \mathrm{purePart}(W.\mathrm{free}))
$$
$$
\mathrm{purePart}(W_{heap}) \stackrel{def}{=} \lambda r.\ \begin{cases}
W_{heap}(r) & \text{if } W_{heap}(r) = (\mathrm{pure}, sm) \\
(\mathrm{spatial}, sm) & \text{if } W_{heap}(r) = (\mathrm{spatial}, sm) \\
(\mathrm{spatial}, sm) & \text{if } W_{heap}(r) = (\mathrm{spatial\ owned}, sm) \\
\mathrm{revoked} & \text{if } W_{heap}(r) = \mathrm{revoked}
\end{cases}
$$
$$
\mathrm{purePart}(W_{priv}) \stackrel{def}{=} \lambda r.\ \begin{cases}
((\mathrm{spatial}, sm), opc) & \text{if } W_{priv}(r) = ((\mathrm{spatial}, sm), opc) \\
((\mathrm{spatial}, sm), opc) & \text{if } W_{priv}(r) = ((\mathrm{spatial\ owned}, sm), opc) \\
(\mathrm{revoked}, opc) & \text{if } W_{priv}(r) = (\mathrm{revoked}, opc)
\end{cases}
$$
$$
\mathrm{purePart}(W_{free}) \stackrel{def}{=} \lambda r.\ \begin{cases}
W_{free}(r) & \text{if } W_{free}(r) = (\mathrm{pure}, sm) \\
(\mathrm{spatial}, sm) & \text{if } W_{free}(r) = (\mathrm{spatial}, sm) \\
(\mathrm{spatial}, sm) & \text{if } W_{free}(r) = (\mathrm{spatial\ owned}, sm) \\
\mathrm{revoked} & \text{if } W_{free}(r) = \mathrm{revoked}
\end{cases}
$$
Lemma 6 (purePart is duplicable). For all $W$, we have that $W = W \oplus \mathrm{purePart}(W)$.

Proof. Follows from the definition of purePart and $\oplus$.

Lemma 7 (purePart is idempotent). For all $W$, we have that $\mathrm{purePart}(W) = \mathrm{purePart}(\mathrm{purePart}(W))$ and
$\mathrm{purePart}(W) = \mathrm{purePart}(W) \oplus \mathrm{purePart}(W)$.

Proof. The first part follows easily from the definition. The second statement follows from the first, together with
Lemma 6.

Lemma 8 (purePart respects $\oplus$). For all $W_1, W_2$, we have that $\mathrm{purePart}(W_1 \oplus W_2) = \mathrm{purePart}(W_1) \oplus \mathrm{purePart}(W_2) =
\mathrm{purePart}(W_1) = \mathrm{purePart}(W_2)$. Also, all worlds in the equations above are defined when $W_1 \oplus W_2$ is defined (but
not necessarily vice versa).

Proof. Follows from the definition of purePart and $\oplus$.

Lemma 9 (purePart is monotone). For all $W' \sqsupseteq W$, we have that $\mathrm{purePart}(W') \sqsupseteq \mathrm{purePart}(W)$.

Proof. Follows easily from the definition of purePart and $\sqsupseteq$.

Lemma 10 (Increasing authority is the future). For all $W_1, W_2$, we have that $W_1 \oplus W_2 \sqsupseteq W_1$.

Proof. Follows easily from the definitions.
Lemma 11 (Adding memory is the future). For all $W_1, W_2$, we have that $W_1 \uplus W_2 \sqsupseteq W_1$.

Proof. Follows easily from the definitions.

Lemma 12 (Purity is a thing of the past). For all $W$, we have that $W \sqsupseteq \mathrm{purePart}(W)$.

Proof. Consequence of Lemmas 6 and 10.

Lemma 13 (Partial authority is better than nothing). If $W = W_1 \oplus W_2$, then $W_1 \sqsupseteq \mathrm{purePart}(W)$.

Proof. Follows easily from the definitions.
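The region algebra of Sections 3.1 and 3.2 ($\oplus$, $\uplus$, purePart and the future-world relation) in a small executable model, added here and not taken from the report. A world is modelled by a single part (one map from region names to regions); the full triple is handled pointwise, the extra address carried by private-stack regions is omitted, and the invariant $H$ is replaced by an opaque label, since the model only ever compares invariants for equality. Two assumptions are made that the report's case lists leave implicit: $\mathrm{revoked} \oplus \mathrm{revoked} = \mathrm{revoked}$ (needed for Lemma 6 on worlds that contain revoked regions) and reflexivity of $\sqsupseteq$ on pure regions (needed for $\sqsupseteq$ to be a preorder). Lemmas 5 to 13 can then be checked on sample worlds.

```python
"""Finite model of the world algebra of Sections 3.1-3.2 (added example)."""
from typing import Dict, Hashable, Optional, Tuple

PURE, SPATIAL, OWNED, REVOKED = "pure", "spatial", "spatial owned", "revoked"
Region = Tuple[str, Hashable]   # (kind, H) with H an opaque label standing in for the invariant
World = Dict[int, Region]       # one part of a world: RegionName -> Region


def oplus_region(r1: Region, r2: Region) -> Optional[Region]:
    """⊕ on regions; None means undefined."""
    (k1, h1), (k2, h2) = r1, r2
    if k1 == REVOKED and k2 == REVOKED:
        return (REVOKED, None)             # assumption, see lead-in
    if REVOKED in (k1, k2) or h1 != h2:
        return None                        # differing invariants never combine
    if k1 == k2:
        return None if k1 == OWNED else (k1, h1)   # two owners of one region: undefined
    if {k1, k2} == {SPATIAL, OWNED}:
        return (OWNED, h1)                 # the owning side keeps the authority
    return None                            # pure against spatial: region types disagree


def oplus(w1: World, w2: World) -> Optional[World]:
    """W1 ⊕ W2: same region names, regions combined pointwise."""
    if w1.keys() != w2.keys():
        return None
    out: World = {}
    for r in w1:
        reg = oplus_region(w1[r], w2[r])
        if reg is None:
            return None
        out[r] = reg
    return out


def uplus(w1: World, w2: World) -> Optional[World]:
    """W1 ⊎ W2: disjoint region names, otherwise undefined."""
    return None if w1.keys() & w2.keys() else {**w1, **w2}


def pure_part(w: World) -> World:
    """purePart: strip ownership, keep pure and revoked regions as they are."""
    return {r: (SPATIAL, h) if k == OWNED else (k, h) for r, (k, h) in w.items()}


def region_future(new: Region, old: Region) -> bool:
    """new ⊒ old on regions: spatial may be revoked or become owned; otherwise reflexive
    (reflexivity on pure regions is the assumption from the lead-in)."""
    (kn, hn), (ko, ho) = new, old
    if kn == REVOKED:
        return ko in (SPATIAL, REVOKED)
    if ko == REVOKED or hn != ho:
        return False
    return kn == ko or (ko == SPATIAL and kn == OWNED)


def is_future(w_new: World, w_old: World) -> bool:
    """W' ⊒ W with the identity as the injective renaming of region names;
    W' may contain additional regions."""
    return all(r in w_new and region_future(w_new[r], w_old[r]) for r in w_old)


# Constructed sample worlds (not from the report): the register file owns region 1,
# the memory owns region 2, and both see the pure region 0 and a shadow of the other.
W_REG = {0: (PURE, "h0"), 1: (OWNED, "h1"), 2: (SPATIAL, "h2")}
W_MEM = {0: (PURE, "h0"), 1: (SPATIAL, "h1"), 2: (OWNED, "h2")}
# Two worlds over fresh region names, for ⊎ and Lemma 5.
W_EXT_OWNER = {7: (OWNED, "h7"), 8: (SPATIAL, "h8")}
W_EXT_OTHER = {7: (SPATIAL, "h7"), 8: (SPATIAL, "h8")}
```

`oplus(W_REG, W_MEM)` yields the world in which both regions 1 and 2 are owned, and `oplus` of that world with itself is undefined, which is the "no two owners" rule that makes linear authority disjoint.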
3.3 Memory satisfaction
Memory satisfaction for new worlds:
$$
ms_S, ms_{stk}, stk, ms_T :^{gc}_{n} W \quad\text{iff}\quad
\begin{array}[t]{l}
stk = (opc_0, ms_0) :: \cdots :: (opc_m, ms_m)\ \land \\
ms_S \uplus ms_{stk} \uplus ms_0 \uplus \cdots \uplus ms_m\ \text{is defined}\ \land \\
W = W_{stack} \oplus W_{free\ stack} \oplus W_{heap}\ \land \\
\exists ms_{T,stack}, ms_{T,free\ stack}, ms_{T,heap}, ms_{T,f}, ms_{S,f}, ms_S', \sigma. \\
\quad ms_S = ms_{S,f} \uplus ms_S'\ \land \\
\quad ms_T = ms_{T,stack} \uplus ms_{T,free\ stack} \uplus ms_{T,heap} \uplus ms_{T,f}\ \land \\
\quad \mathrm{dom}(ms_{T,stack} \uplus ms_{T,free\ stack}) = [b_{stk}, e_{stk}]\ \land \\
\quad \{b_{stk} - 1, e_{stk} + 1\} \subseteq \mathrm{dom}(ms_{T,f})\ \land \\
\quad (n, (stk, ms_{T,stack})) \in \mathcal{S}^{gc}(W_{stack})\ \land \\
\quad (n, (ms_{stk}, ms_{T,free\ stack})) \in \mathcal{F}^{gc}(W_{free\ stack})\ \land \\
\quad (n, (\sigma, ms_S', ms_{T,heap})) \in \mathcal{H}(W.\mathrm{heap})(W_{heap})
\end{array}
$$
$$
(n, (stk, ms_T)) \in \mathcal{S}^{gc}(W) \quad\text{iff}\quad
\begin{array}[t]{l}
W_{stack} = W.\mathrm{priv}\ \land \\
stk = (opc_0, ms_0), \ldots, (opc_m, ms_m)\ \land \\
\forall i \in \{0, \ldots, m\}.\ \mathrm{dom}(ms_i) \neq \emptyset\ \land \\
\forall i < j.\ \forall a \in \mathrm{dom}(ms_i).\ \forall a' \in \mathrm{dom}(ms_j).\ stk\_base < a < a'\ \land \\
\exists R_{ms} : \mathrm{dom}(\mathrm{active}(W_{stack})) \to \mathrm{MemorySegment} \times \mathrm{Addr} \times \mathrm{MemorySegment}. \\
\quad ms_T = \biguplus_{r \in \mathrm{dom}(\mathrm{active}(W_{stack}))} \pi_3(R_{ms}(r))\ \land \\
\quad ms_0 \uplus \cdots \uplus ms_m = \biguplus_{r \in \mathrm{dom}(\mathrm{active}(W_{stack}))} \pi_1(R_{ms}(r))\ \land \\
\quad \exists R_W : \mathrm{dom}(\mathrm{active}(W_{stack})) \to \mathrm{World}.\ 
W = \bigoplus_{r \in \mathrm{dom}(\mathrm{active}(W_{stack}))} R_W(r)\ \land \\
\quad \forall r \in \mathrm{dom}(\mathrm{active}(W_{stack})),\ n' < n. \\
\qquad (n', (\pi_1(R_{ms}(r)), \pi_3(R_{ms}(r)))) \in W_{stack}(r).H\ \xi^{-1}(R_W(r))\ \land \\
\qquad \pi_2(R_{ms}(r)) = W_{stack}(r).opc\ \land \\
\qquad \exists i.\ opc_i = W_{stack}(r).opc \land ms_i = \pi_1(R_{ms}(r))
\end{array}
$$
$$
(n, (ms_{stk}, ms_T)) \in \mathcal{F}^{gc}(W) \quad\text{iff}\quad
\begin{array}[t]{l}
W_{free} = W.\mathrm{free}\ \land \\
\exists R_{ms} : \mathrm{dom}(\mathrm{active}(W_{free})) \to \mathrm{MemorySegment} \times \mathrm{MemorySegment}. \\
\quad ms_T = \biguplus_{r \in \mathrm{dom}(\mathrm{active}(W_{free}))} \pi_2(R_{ms}(r))\ \land\ 
ms_{stk} = \biguplus_{r \in \mathrm{dom}(\mathrm{active}(W_{free}))} \pi_1(R_{ms}(r))\ \land \\
\quad stk\_base \in \mathrm{dom}(ms_T)\ \land\ stk\_base \in \mathrm{dom}(ms_{stk})\ \land \\
\quad \exists R_W : \mathrm{dom}(\mathrm{active}(W_{free})) \to \mathrm{World}.\ 
W = \bigoplus_{r \in \mathrm{dom}(\mathrm{active}(W_{free}))} R_W(r)\ \land \\
\quad \forall r \in \mathrm{dom}(\mathrm{active}(W_{free})),\ n' < n.\ (n', R_{ms}(r)) \in W_{free}(r).H\ \xi^{-1}(R_W(r))
\end{array}
$$
$$
\mathcal{H}(W.\mathrm{heap})(W') = \left\{ (n, (\sigma, ms, ms_T)) \ \middle|\ 
\begin{array}{l}
\exists R_{ms} : \mathrm{dom}(\mathrm{active}(W.\mathrm{heap})) \to \mathrm{MemorySegment} \times \mathrm{MemorySegment}. \\
\quad ms_T = \biguplus_{r \in \mathrm{dom}(\mathrm{active}(W.\mathrm{heap}))} \pi_2(R_{ms}(r))\ \land\ 
ms = \biguplus_{r \in \mathrm{dom}(\mathrm{active}(W.\mathrm{heap}))} \pi_1(R_{ms}(r))\ \land \\
\quad \exists R_W : \mathrm{dom}(\mathrm{active}(W.\mathrm{heap})) \to \mathrm{World}.\ 
W' = \bigoplus_{r \in \mathrm{dom}(\mathrm{active}(W.\mathrm{heap}))} R_W(r)\ \land \\
\quad \forall r \in \mathrm{dom}(\mathrm{active}(W.\mathrm{heap})),\ n' < n.\ (n', R_{ms}(r)) \in W.\mathrm{heap}(r).H\ \xi^{-1}(R_W(r))\ \land \\
\quad \exists R_{seal} : \mathrm{dom}(\mathrm{active}(W.\mathrm{heap})) \to \mathcal{P}(\mathrm{Seal}).\ 
\biguplus_{r \in \mathrm{dom}(\mathrm{active}(W.\mathrm{heap}))} R_{seal}(r) \subseteq \sigma\ \land \\
\quad \forall r \in \mathrm{dom}(\mathrm{active}(W.\mathrm{heap})).\ \mathrm{dom}(W.\mathrm{heap}(r).H_\sigma) = R_{seal}(r)
\end{array}
\right\}
$$
Lemma 14 (Combined independent heap memory satisfies disjoint world). If $(n, (\sigma_1, ms_{S,1}, ms_{T,1})) \in \mathcal{H}(W_1.\mathrm{heap})(W)$
and $(n, (\sigma_2, ms_{S,2}, ms_{T,2})) \in \mathcal{H}(W_2.\mathrm{heap})(W)$, then $(n, (\sigma_1 \uplus \sigma_2, ms_{S,1} \uplus ms_{S,2}, ms_{T,1} \uplus ms_{T,2})) \in \mathcal{H}((W_1 \uplus W_2).\mathrm{heap})(W)$.

Proof. Unfolding the definitions, it is easy to construct the memory and seal partitions $R_{ms,3}$ and $R_{seal,3}$ and $R_{W,3}$
from the corresponding partitions of the separate memories, seals and worlds.
3.4 Relation
Two expression relations: one for sealed code-data pairs being jumped to and one for capabilities being jumped to
in the regular way. The argument for having one relation relate pairs of pairs of capabilities and the other relate
pairs of capabilities is that this is how xjump and regular jumps work: xjump takes pairs while regular jumps take
single capabilities. All of the relations below carry one further index, the direction for which the observation relation $\mathcal{O}$ is taken (it comes in the two variants given below); we leave that index implicit.
$$
\mathcal{E}^{gc}_{xjmp}(W) = \left\{ (n, (v_{c,S}, v_{d,S}, v_{c,T}, v_{d,T})) \ \middle|\ 
\begin{array}{l}
\forall n' \leq n,\ reg_S, reg_T, ms_S, ms_T, ms_{stk}, stk.\ \forall W_R, W_M. \\
\quad (n', (reg_S, reg_T)) \in \mathcal{R}^{gc}_{untrusted}(\{r_{data}\})(W_R)\ \land \\
\quad (ms_S, stk, ms_{stk}, ms_T) :^{gc}_{n'} W_M\ \land \\
\quad \Phi_S = (ms_S, reg_S, stk, ms_{stk})\ \land\ \Phi_T = (ms_T, reg_T)\ \land \\
\quad W \oplus W_R \oplus W_M\ \text{is defined} \\
\Rightarrow \exists \Phi_S', \Phi_T'.\ \Phi_S' = \mathrm{xjumpResult}(v_{c,S}, v_{d,S}, \Phi_S)\ \text{and}\ 
\Phi_T' = \mathrm{xjumpResult}(v_{c,T}, v_{d,T}, \Phi_T)\ \text{and}\ (n', (\Phi_S', \Phi_T')) \in \mathcal{O}^{gc}
\end{array}
\right\}
$$
$$
\mathcal{E}^{gc}(W) = \left\{ (n, (v_{c,S}, v_{c,T})) \ \middle|\ 
\begin{array}{l}
\forall n' \leq n,\ reg_S, reg_T, ms_S, ms_T, ms_{stk}, stk.\ \forall W_R, W_M. \\
\quad (n', (reg_S, reg_T)) \in \mathcal{R}^{gc}_{untrusted}(W_R)\ \land \\
\quad (ms_S, stk, ms_{stk}, ms_T) :^{gc}_{n'} W_M\ \land \\
\quad \Phi_S = (ms_S, reg_S, stk, ms_{stk})\ \land\ \Phi_S' = \Phi_S[reg.pc \mapsto v_{c,S}]\ \land \\
\quad \Phi_T = (ms_T, reg_T)\ \land\ \Phi_T' = \Phi_T[reg.pc \mapsto v_{c,T}]\ \land \\
\quad W \oplus W_R \oplus W_M\ \text{is defined} \\
\Rightarrow (n', (\Phi_S', \Phi_T')) \in \mathcal{O}^{gc}
\end{array}
\right\}
$$
The observation relation comes in two directions. In the source-to-target direction:
$$
\mathcal{O}^{(TA, stk\_base, \_, \_)} = \left\{ (n, ((ms_S, reg_S, stk_S, ms_{stk,S}), (ms_T, reg_T))) \ \middle|\ 
\forall i \leq n.\ (ms_S, reg_S, stk_S, ms_{stk,S}) \Downarrow^{TA, stk\_base}_{i} \Rightarrow (ms_T, reg_T) \Downarrow_{-} \right\}
$$
and in the target-to-source direction:
$$
\mathcal{O}^{(TA, stk\_base, \_, \_)} = \left\{ (n, ((ms_S, reg_S, stk_S, ms_{stk,S}), (ms_T, reg_T))) \ \middle|\ 
\forall i \leq n.\ (ms_T, reg_T) \Downarrow_{i} \Rightarrow (ms_S, reg_S, stk_S, ms_{stk,S}) \Downarrow^{TA, stk\_base}_{-} \right\}
$$
$$
\mathcal{R}^{gc}_{tst}(R)(W) = \left\{ (n, (reg_S, reg_T)) \ \middle|\ 
\begin{array}{l}
\exists S : (\mathrm{RegisterName} \setminus (\{pc\} \cup R)) \to \mathrm{World}. \\
\quad W = \bigoplus_{r \in \mathrm{RegisterName} \setminus (\{pc, r_{data}\} \cup R)} S(r)\ \land \\
\quad \forall r \in \mathrm{RegisterName} \setminus (\{pc\} \cup R).\ (n, (reg_S(r), reg_T(r))) \in \mathcal{V}^{gc}_{tst}(S(r))
\end{array}
\right\}
$$
We write $\mathcal{R}^{gc}_{untrusted}(W)$ to mean $\mathcal{R}^{gc}_{untrusted}(\emptyset)(W)$. That is, if we do not need to exclude extra registers, then we
simply omit that argument.
$$
\mathcal{V}^{gc}_{untrusted}(W) = \{(n, (i, i)) \mid i \in \mathbb{Z}\}\ \cup
$$
$$
\left\{ (n, (\mathrm{sealed}(\sigma, sc_S), \mathrm{sealed}(\sigma, sc_T))) \ \middle|\ 
\begin{array}{l}
(\mathrm{isLinear}(sc_S) \text{ iff } \mathrm{isLinear}(sc_T))\ \land \\
\exists r \in \mathrm{dom}(W.\mathrm{heap}), \sigma_{ret}, \sigma_{clos}, ms_{code}.\ 
W.\mathrm{heap}(r) = (\mathrm{pure}, \_, H_\sigma)\ \text{and} \\
\quad H_\sigma\ \sigma \stackrel{n}{=} H^{code,\sigma}\ \sigma_{ret}\ \sigma_{clos}\ ms_{code}\ gc\ \sigma\ \text{and} \\
\quad (n', (sc_S, sc_T)) \in H_\sigma\ \sigma\ \xi^{-1}(W)\ \text{for all } n' < n\ \land \\
(\mathrm{isLinear}(sc_S) \Rightarrow 
\forall W' \sqsupseteq W,\ W_o,\ n' < n,\ (n', (sc_S', sc_T')) \in H_\sigma\ \sigma\ \xi^{-1}(W_o). \\
\qquad (n', (sc_S, sc_S', sc_T, sc_T')) \in \mathcal{E}^{gc}_{xjmp}(W' \oplus W_o))\ \land \\
(\mathrm{nonLinear}(sc_S) \Rightarrow 
\forall W' \sqsupseteq \mathrm{purePart}(W),\ W_o,\ n' < n,\ (n', (sc_S', sc_T')) \in H_\sigma\ \sigma\ \xi^{-1}(W_o). \\
\qquad (n', (sc_S, sc_S', sc_T, sc_T')) \in \mathcal{E}^{gc}_{xjmp}(W' \oplus W_o))
\end{array}
\right\}\ \cup
$$
$$
\left\{ (n, (\mathrm{seal}(\sigma_b, \sigma_e, \sigma), \mathrm{seal}(\sigma_b, \sigma_e, \sigma))) \ \middle|\ 
\begin{array}{l}
[\sigma_b, \sigma_e] \mathbin{\#} (\sigma_{glob\ ret} \cup \sigma_{glob\ clos})\ \text{and} \\
\forall \sigma' \in [\sigma_b, \sigma_e].\ \exists r \in \mathrm{dom}(W.\mathrm{heap}).\ 
W.\mathrm{heap}(r) = (\mathrm{pure}, \_, H_\sigma)\ \text{and}\ H_\sigma\ \sigma' \stackrel{n}{=} (\mathcal{V}^{gc}_{untrusted} \circ \xi)
\end{array}
\right\}\ \cup
$$
$$
\left\{ (n, (\mathrm{stack\text{-}ptr}(perm, b, e, a), ((perm, \mathrm{linear}), b, e, a))) \ \middle|\ 
\begin{array}{l}
perm \notin \{\mathrm{rx}, \mathrm{rwx}\}\ \land \\
perm \in \mathrm{readAllowed} \Rightarrow (n, [b, e]) \in \mathrm{stackReadCondition}^{gc}(W)\ \land \\
perm \in \mathrm{writeAllowed} \Rightarrow (n, [b, e]) \in \mathrm{stackWriteCondition}^{gc}(W)
\end{array}
\right\}\ \cup
$$
$$
\left\{ (n, (((perm, l), b, e, a), ((perm, l), b, e, a))) \ \middle|\ 
\begin{array}{l}
[b, e] \mathbin{\#} TA\ \text{and} \\
perm \in \mathrm{readAllowed} \Rightarrow (n, [b, e]) \in \mathrm{readCondition}^{gc}(l, W)\ \land \\
perm \in \mathrm{writeAllowed} \Rightarrow (n, [b, e]) \in \mathrm{writeCondition}^{gc}(l, W)\ \land \\
perm \neq \mathrm{rwx}\ \land \\
perm = \mathrm{rx} \Rightarrow (n, [b, e]) \in \mathrm{executeCondition}^{gc}(W)\ \land\ 
(n, [b, e]) \in \mathrm{readXCondition}^{gc}(W)\ \land\ l = \mathrm{normal}
\end{array}
\right\}
$$
$$
\mathcal{V}^{gc}_{trusted}(W) = \mathcal{V}^{gc}_{untrusted}(W)\ \cup
\left\{ (n, (\mathrm{seal}(\sigma_b, \sigma_e, \sigma), \mathrm{seal}(\sigma_b, \sigma_e, \sigma))) \ \middle|\ 
\begin{array}{l}
gc = (TA, stk\_base, \sigma_{glob\ ret}, \sigma_{glob\ clos})\ \land \\
\exists r \in \mathrm{dom}(W.\mathrm{heap}).\ 
W.\mathrm{heap}(r) \stackrel{n}{=} \iota^{code, \sigma_{ret}, \sigma_{clos}, code, (TA, stk\_base, \sigma_{glob\ ret}, \sigma_{glob\ clos})}\ \land \\
\mathrm{dom}(code) \subseteq TA\ \land\ [\sigma_b, \sigma_e] \subseteq (\sigma_{ret} \cup \sigma_{clos})\ \land \\
\sigma_{ret} \subseteq \sigma_{glob\ ret}\ \land\ \sigma_{clos} \subseteq \sigma_{glob\ clos}
\end{array}
\right\}\ \cup
$$
$$
\left\{ (n, (((perm, \mathrm{normal}), b, e, a), ((perm, \mathrm{normal}), b, e, a))) \ \middle|\ 
\begin{array}{l}
perm \sqsubseteq \mathrm{rx}\ \land\ gc = (TA, stk\_base, \sigma_{glob\ ret}, \sigma_{glob\ clos})\ \land \\
[b, e] \subseteq TA\ \land\ (n, [b, e]) \in \mathrm{readXCondition}^{gc}(W)
\end{array}
\right\}
$$
Lemma 15 (Untrusted is trusted).
• $\mathcal{V}^{gc}_{trusted}(W) \supseteq \mathcal{V}^{gc}_{untrusted}(W)$
• $\mathcal{R}^{gc}_{trusted}(W) \supseteq \mathcal{R}^{gc}_{untrusted}(W)$

Proof. Follows easily by definition.

Note: the case for sub-rx capabilities in the trusted value relation allows for pointers to trusted code blocks.
Such pointers will not satisfy the read condition, which requires the standard region, which is defined in terms of the
untrusted value relation. Trusted code blocks contain trusted seal capabilities which do not satisfy the untrusted
code relation. An alternative might be to introduce a trust parameter to the read condition and standard region
and merge the case with the regular case for rx capabilities.
3.5 Permission based conditions
$$
\mathrm{addressable}(l, W) = \begin{cases}
\{ r \mid W(r) = (\mathrm{pure}, \_) \} & \text{if } l = \mathrm{normal} \\
\{ r \mid W(r) = (\mathrm{spatial\ owned}, \_) \} & \text{otherwise (i.e. } l = \mathrm{linear})
\end{cases}
$$
$$
\mathrm{readCondition}^{gc}(l, W) = \left\{ (n, A) \ \middle|\ 
\begin{array}{l}
\exists S \subseteq \mathrm{addressable}(l, W.\mathrm{heap}).\ \exists R : S \to \mathcal{P}(\mathbb{N}). \\
\quad \biguplus_{r \in S} R(r) \supseteq A\ \land\ (l = \mathrm{linear} \Rightarrow \forall r.\ |R(r)| = 1)\ \land \\
\quad \forall r \in S.\ W.\mathrm{heap}(r).H \stackrel{n}{\subseteq} \iota^{std, p, R(r), gc}.H
\end{array}
\right\}
$$
where $\iota^{std, p, A, gc}$ is a standard region defined in Section 3.6.
$$
\mathrm{stackReadCondition}^{gc}(W) = \left\{ (n, A) \ \middle|\ 
\begin{array}{l}
\exists S \subseteq \mathrm{addressable}(\mathrm{linear}, W.\mathrm{free}).\ \exists R : S \to \mathcal{P}(\mathbb{N}). \\
\quad \forall r \in S.\ |R(r)| = 1\ \land\ \biguplus_{r \in S} R(r) \supseteq A\ \land \\
\quad \forall r \in S.\ W.\mathrm{free}(r).H \stackrel{n}{\subseteq} \iota^{std, p, R(r), gc}.H
\end{array}
\right\}
$$
$$
\mathrm{readXCondition}^{gc}(W) = \left\{ (n, A) \ \middle|\ 
\exists r \in \mathrm{addressable}(\mathrm{normal}, W.\mathrm{heap}).\ 
W.\mathrm{heap}(r) \stackrel{n}{=} \iota^{code, \_, \_, code, gc}\ \land\ \mathrm{dom}(code) \supseteq A
\right\}
$$
Definition 7. We say that a region $\iota = (\_, H, \_)$ is address stratified iff
$$
\begin{array}{l}
\forall n, ms_S, ms_T, ms_S', ms_T', \hat W. \\
\quad (n, (ms_S, ms_T)), (n, (ms_S', ms_T')) \in H\ \hat W\ \land\ 
\mathrm{dom}(ms_S) = \mathrm{dom}(ms_T) = \mathrm{dom}(ms_S') = \mathrm{dom}(ms_T') \\
\quad \Rightarrow\ \forall a \in \mathrm{dom}(ms_S).\ (n, (ms_S[a \mapsto ms_S'(a)], ms_T[a \mapsto ms_T'(a)])) \in H\ \hat W
\end{array}
$$
$$
\mathrm{writeCondition}^{gc}(l, W) = \left\{ (n, A) \ \middle|\ 
\begin{array}{l}
\exists S \subseteq \mathrm{addressable}(l, W.\mathrm{heap}).\ \exists R : S \to \mathcal{P}(\mathbb{N}). \\
\quad \biguplus_{r \in S} R(r) \supseteq A\ \land\ (l = \mathrm{linear} \Rightarrow \forall r.\ |R(r)| = 1)\ \land \\
\quad \forall r \in S.\ W.\mathrm{heap}(r).H \stackrel{n}{\supseteq} \iota^{std, p, R(r), gc}.H\ \land\ 
W.\mathrm{heap}(r)\ \text{is address-stratified}
\end{array}
\right\}
$$
where $\iota^{std, p, A, gc}$ is a standard region defined in Section 3.6.
$$
\mathrm{stackWriteCondition}^{gc}(W) = \left\{ (n, A) \ \middle|\ 
\begin{array}{l}
\exists S \subseteq \mathrm{addressable}(\mathrm{linear}, W.\mathrm{free}).\ \exists R : S \to \mathcal{P}(\mathbb{N}). \\
\quad \biguplus_{r \in S} R(r) \supseteq A\ \land\ \forall r \in S.\ |R(r)| = 1\ \land \\
\quad \forall r \in S.\ W.\mathrm{free}(r).H \stackrel{n}{\supseteq} \iota^{std, p, R(r), gc}.H\ \land\ 
W.\mathrm{free}(r)\ \text{is address-stratified}
\end{array}
\right\}
$$
where $\iota^{std, p, A, gc}$ is a standard region defined in Section 3.6. Note: this new version of the execute condition uses the expression
relation for regular jumps since it expresses the validity of jumping to an address pointed to by an executable
capability.
$$
\mathrm{executeCondition}^{gc}(W) = \left\{ (n, A) \ \middle|\ 
\forall n' < n,\ W' \sqsupseteq \mathrm{purePart}(W),\ a \in [b', e'] \subseteq A.\ 
(n', (((\mathrm{rx}, \mathrm{normal}), b', e', a), ((\mathrm{rx}, \mathrm{normal}), b', e', a))) \in \mathcal{E}^{gc}(W')
\right\}
$$
3.6 Standard regions
Standard region:
$$
\iota^{std, v, A, gc} \stackrel{def}{=} (v, H^{std, A}\ gc), \qquad v \in \{\mathrm{s}, \mathrm{so}\}
$$
For readability, we use so as short for spatial owned, s as short for spatial, and p as short for pure.
$$
\iota^{std, p, A, gc} \stackrel{def}{=} (\mathrm{p}, H^{std, A}\ gc, \lambda \_.\ \emptyset)
$$
where $H^{std, A}$ is defined as follows:
$$
H^{std, A}\ gc\ \hat W \stackrel{def}{=} \left\{ (n, (ms_S, ms_T)) \ \middle|\ 
\begin{array}{l}
\mathrm{dom}(ms_S) = \mathrm{dom}(ms_T) = A\ \land \\
\exists S : A \to \mathrm{World}.\ \xi(\hat W) = \bigoplus_{a \in A} S(a)\ \land \\
\forall a \in A.\ (n, (ms_S(a), ms_T(a))) \in \mathcal{V}^{gc}_{untrusted}(S(a))
\end{array}
\right\}
$$
$$
\iota^{sta, v, (ms_S, ms_T), gc} = (v, H^{sta, (ms_S, ms_T)}\ gc)
$$
Hsta,(msS ,msT ) gc =
{
(n, (msS ,msT ))
∣∣∣∣ ∃S : dom(ms)→World. ξ(W ) = ⊕a∈dom(ms)S(a)∧∀a ∈ dom(ms). (n, (msS(a),msT (a))) ∈ V,gcuntrusted(S(a))
}
ιcode,σret,σclos,code,gc
def
= (pure, Hcode, σret σclos code gc, Hcodeσ σret σclos code gc)
Hcode σret σclos code (TA, , σglob ret, σglob clos) Wˆ =
(
n,
(
code unionmultimspad,
code unionmultimspad
))
∣∣∣∣∣∣∣∣∣∣∣∣∣∣
dom(code) = [b, e]∧
([b − 1, e + 1] ⊆ TA ∧ σret ⊆ σglob ret ∧ σclos ⊆ σglob clos ∧ tst = trusted)∨
([b − 1, e + 1] # TA ∧ σret = ∅ ∧ tst = untrusted)∧
mspad = [b − 1 7→ 0] unionmulti [e + 1 7→ 0]∧
σret, σclos, TA `comp−code code∧
∀a ∈ dom(code).
(n, (code(a), code(a))) ∈ V,gctst (purePart(ξ(Wˆ )))

Hcode,σ σret σclos code (TA, stk base) σ Wˆ =
(
n,
(
ret-ptr-code(b, e, a ′ + call len),
((rx,normal), b, e, a)
))∣∣∣∣
σret ⊆ σglob ret and
dom(code) ⊆ TA and
decodeInstruction(code([a ′, a ′ + call len− 1])) = calloff pc,off σ r1 r2 and
a = a ′ + ret pt offset and
code(a ′ + off pc) = seal(σb, σe, σb) and σ = σb + off σ ∈ σret and
[a ′, a ′ + call len− 1] ⊆ [b, e]

unionmulti

(
n,
(
ret-ptr-data(b, e),
((rw, linear), b, e, b − 1)
))∣∣∣∣
σret ⊆ σglob ret and
dom(code) ⊆ TA and
∃r ∈ addressable(linear, ξ(Wˆ ).priv). ξ(Wˆ ).priv(r).H n= (ιsta,so,(msS ,msT ),(TA,stk base), a ′ + call len) and
dom(msS) = dom(msT ) = [b, e] and
decodeInstruction(code([a ′, a ′ + call len− 1])) = calloff pc,off σ r1 r2 and
code(a ′ + off pc) = seal(σb, σe, σb) and σ = σb + off σ ∈ σret

if σ ∈ σret
and
Hcode,σ σret σclos code (TA, stk base) σ Wˆ =
(n, (sc, sc′))|
(dom(code) # TA and (n, (sc, sc
′)) ∈ V,gcuntrusted ξ(Wˆ )) or
(dom(code) ⊆ TA and σclos ⊆ σglob clos and σret ⊆ σglob ret and
((executable(sc) ∧ (n, (sc, sc′)) ∈ V,gctrusted ξ(Wˆ ))∨
(nonExecutable(sc) ∧ (n, (sc, sc′)) ∈ V,gcuntrusted ξ(Wˆ ))))

if σ ∈ σclos
3.7 Reasonable Components
Take a set of trusted addresses $TA$ and sets of return pointer and closure seals $\sigma_{glob\ ret}$ and $\sigma_{glob\ clos}$. We define that a
word $w$ is reasonable up to $n$ steps in memory $ms$ and free stack $ms_{stk}$ if $n = 0$ or the following implications hold.

Definition 8 (Reasonable word).
• If $w = \mathrm{seal}(\sigma_b, \sigma_e, \_)$, then $[\sigma_b, \sigma_e] \mathbin{\#} (\sigma_{glob\ ret} \cup \sigma_{glob\ clos})$
• If $w = ((perm, \_), b, e, \_)$, then $[b, e] \mathbin{\#} TA$
• If $w = \mathrm{sealed}(\sigma, sc)$ and $\sigma \notin (\sigma_{glob\ ret} \cup \sigma_{glob\ clos})$, then $sc$ is reasonable up to $n - 1$ steps.
• If $w = ((perm, \_), b, e, \_)$ and $perm \in \mathrm{readAllowed}$ and $n > 0$, then $ms(a)$ is reasonable up to $n - 1$ steps for
all $a \in ([b, e] \setminus TA)$
• If $w = \mathrm{stack\text{-}ptr}(perm, b, e, \_)$ and $perm \in \mathrm{readAllowed}$ and $n > 0$, then $ms_{stk}(a)$ is reasonable up to $n - 1$
steps for all $a \in [b, e]$
Definition 9 (Reasonable configuration). We say that an execution configuration $\Phi$ is reasonable up to $n$ steps
with $(TA, stk\_base, \sigma_{glob\ ret}, \sigma_{glob\ clos})$ iff for all $n' \leq n$:
• Guarantee stack base address before call. If
– $\Phi$ points to $call_{off_{pc}, off_\sigma}\ r_1\ r_2$ in $TA$ for some $r_1$ and $r_2$
then all of the following hold:
– $\Phi(r_{stk}) = \mathrm{stack\text{-}ptr}(\_, stk\_base, \_, \_)$
– $r_1 \neq r_{t1}$
– $n' = 0$ or $\Phi(pc) + call\_len$ behaves reasonably up to $n' - 1$ steps
• Use return seals only for calls, use closure seals appropriately. If
– $\Phi$ points to $\mathrm{cseal}\ r_1\ r_2$ in $TA$ and $\Phi(r_2) = \mathrm{seal}(\sigma_b, \sigma_e, \sigma)$
then one of the following holds:
– $\Phi$ is inside $call_{off_{pc}, off_\sigma}\ r_1'\ r_2'$ and $\sigma \in \sigma_{glob\ ret}$
– $\sigma \in \sigma_{glob\ clos}$ and one of the following holds:
∗ $\mathrm{executable}(\Phi(r_1))$ and ($n' = 0$ or $\Phi(r_1)$ behaves reasonably up to $n' - 1$ steps).
∗ $\mathrm{nonExecutable}(\Phi(r_1))$ and ($n' = 0$ or $\Phi(r_1)$ is reasonable up to $n' - 1$ steps in memory $\Phi.ms$ and
free stack $\Phi.ms_{stk}$).
• Don't store private stuff. If
– $\Phi$ points to $\mathrm{store}\ r_1\ r_2$ in $TA$
then $n' = 0$ or $\Phi.reg(r_2)$ is reasonable in memory $\Phi.mem$ up to $n' - 1$ steps.
• Don't leak private stuff. If
– $\Phi \to_{TA, stk\_base} \Phi'$
then one of the following holds:
– All of the following hold:
∗ $\Phi'.reg(pc) = ((perm, l), b, e, a')$ and $\Phi.reg(pc) = ((perm, l), b, e, a)$
∗ $\Phi$ does not point to $\mathrm{xjmp}\ r_1\ r_2$ for any $r_1$ and $r_2$
∗ $\Phi$ does not point to $call_{off_{pc}, off_\sigma}\ r_1\ r_2$ for any $r_1$, $r_2$, $off_{pc}$, $off_\sigma$
∗ $n' = 0$ or $\Phi'$ is reasonable up to $n' - 1$ steps
– All of the following hold:
∗ $\Phi$ points to $call_{off_{pc}, off_\sigma}\ r_1\ r_2$ for some $r_1$ and $r_2$
∗ $n' = 0$ or $\Phi.reg(r)$ is reasonable in memory $\Phi.mem$ and free stack $\Phi.ms_{stk}$ up to $n' - 1$ steps for
all $r \neq pc$
– All of the following hold:
∗ $\Phi$ points to $\mathrm{xjmp}\ r_1\ r_2$ for some $r_1$ and $r_2$
∗ $n' = 0$ or $\Phi.reg(r)$ is reasonable in memory $\Phi.mem$ and free stack $\Phi.ms_{stk}$ up to $n' - 1$ steps for
all $r \neq pc$
Lemma 16. For all $n' \leq n$, if
• $\Phi$ is reasonable up to $n$ steps
then
• $\Phi$ is reasonable up to $n'$ steps.
Proof. Follows from the definition.
Definition 10 (Reasonable pc). We say that an executable capability $c = ((perm, \mathrm{normal}), b, e, a)$ behaves reasonably
up to $n$ steps if for any $\Phi$ such that
• $\Phi.reg(pc) = c$
• $\Phi.reg(r)$ is reasonable up to $n$ steps in memory $\Phi.mem$ and free stack $\Phi.ms_{stk}$ for all $r \neq pc$
• $\Phi.mem$, $\Phi.ms_{stk}$ and $\Phi.stk$ are all disjoint
we have that $\Phi$ is reasonable up to $n$ steps.

Definition 11 (Reasonable component). We say that a component $(ms_{code}, ms_{data}, import, export, \sigma_{ret}, \sigma_{clos}, A_{linear})$
is reasonable if the following holds: for all $(s \mapsto \mathrm{sealed}(\sigma, sc)) \in export$ with $\mathrm{executable}(sc)$, we have that $sc$ behaves
reasonably up to any number of steps $n$.
We say that a component $(comp_0, c_{main,c}, c_{main,d})$ is reasonable if $comp_0$ is reasonable.
Lemma 17. If $W.\mathrm{heap}(r_{code}) \stackrel{n}{=} \iota^{code, \sigma_{ret}, \sigma_{clos}, code, gc}$ and $ms_S, stk, ms_{stk}, ms_T :^{gc}_{n} W$, then there exist $W''$ and $W'$
such that $W = W' \oplus W''$ and $(n', (code, code)) \in H^{code}\ \sigma_{ret}\ \sigma_{clos}\ code\ gc\ \xi^{-1}(W')$ for all $n' < n$.

Proof. By definition of $ms_S, stk, ms_{stk}, ms_T :^{gc}_{n} W$, we get that $W = W_{stack} \oplus W_{free\ stack} \oplus W_{heap}$ and
$$
(n, (\sigma, ms_S', ms_{T,heap})) \in \mathcal{H}(W.\mathrm{heap})(W_{heap})
$$
for some $ms_S' \subseteq ms_S$ and $ms_{T,heap} \subseteq ms_T$.
By definition of $(n, (\sigma, ms_S', ms_{T,heap})) \in \mathcal{H}(W.\mathrm{heap})(W_{heap})$, we get an $R_{ms} : \mathrm{dom}(\mathrm{active}(W.\mathrm{heap})) \to
\mathrm{MemorySegment} \times \mathrm{MemorySegment}$ and an $R_W : \mathrm{dom}(\mathrm{active}(W.\mathrm{heap})) \to \mathrm{World}$ such that
• $W_{heap} = \bigoplus_{r \in \mathrm{dom}(\mathrm{active}(W.\mathrm{heap}))} R_W(r)$, so we can take $W' = R_W(r_{code})$ and let $W''$ be the $\oplus$ of everything else, and
• $(n', R_{ms}(r_{code})) \in W.\mathrm{heap}(r_{code}).H\ \xi^{-1}(R_W(r_{code}))$ for all $n' < n$.
Since $W.\mathrm{heap}(r_{code}) \stackrel{n}{=} \iota^{code, \sigma_{ret}, \sigma_{clos}, code, gc}$, this implies that also $(n', R_{ms}(r_{code})) \in \iota^{code, \sigma_{ret}, \sigma_{clos}, code, gc}.H\ \xi^{-1}(R_W(r_{code}))$,
i.e. $(n', R_{ms}(r_{code})) \in H^{code}\ \sigma_{ret}\ \sigma_{clos}\ code\ gc\ \xi^{-1}(R_W(r_{code}))$ as required.
Lemma 18 (Untrusted source values are reasonable). If
• $gc = (TA, stk\_base, \sigma_{glob\ ret}, \sigma_{glob\ clos})$
• $(n, (w, \_)) \in \mathcal{V}^{gc}_{untrusted}(W_w)$
• $ms_S, stk, ms_{stk}, \_ :^{gc}_{n} W_M$
• $\mathrm{purePart}(W_w) \oplus \mathrm{purePart}(W_M)$ is defined
then, with respect to $TA, \sigma_{glob\ ret}, \sigma_{glob\ clos}$, $w$ is reasonable up to $n$ steps in memory $ms_S$ and free stack $ms_{stk}$.

Proof. Induction over $n$. For $n = 0$ all words are reasonable. For $n > 0$, we need to prove the five implications of Definition 8:
• If $w = \mathrm{seal}(\sigma_b, \sigma_e, \_)$, then $[\sigma_b, \sigma_e] \mathbin{\#} (\sigma_{glob\ ret} \cup \sigma_{glob\ clos})$:
This follows directly from $(n, (w, \_)) \in \mathcal{V}^{gc}_{untrusted}(W_w)$ by definition of $\mathcal{V}^{gc}_{untrusted}$.
• If $w = ((perm, \_), b, e, \_)$, then $[b, e] \mathbin{\#} TA$:
This follows directly from $(n, (w, \_)) \in \mathcal{V}^{gc}_{untrusted}(W_w)$ by definition of $\mathcal{V}^{gc}_{untrusted}$.
• If $w = \mathrm{sealed}(\sigma, sc)$ and $\sigma \notin (\sigma_{glob\ ret} \cup \sigma_{glob\ clos})$, then $sc$ is reasonable for $n - 1$ steps:
By $(n, (w, \_)) \in \mathcal{V}^{gc}_{untrusted}(W_w)$, we get some region $r \in \mathrm{dom}(W_w.\mathrm{heap})$, a set of return seals, a set
of closure seals and a code memory $\sigma_{ret}, \sigma_{clos}, ms_{code}$ such that $W_w.\mathrm{heap}(r) = (\mathrm{pure}, \_, H_\sigma)$, $H_\sigma \stackrel{n}{=}
H^{code,\sigma}\ \sigma_{ret}\ \sigma_{clos}\ ms_{code}\ gc$ and $(n', (sc, \_)) \in H_\sigma\ \sigma\ \xi^{-1}(W_w)$ for all $n' < n$, so in particular for
$n' = n - 1$. It follows from the $n$-approximate equality that also $(n - 1, (sc, \_)) \in H^{code,\sigma}\ \sigma_{ret}\ \sigma_{clos}\ ms_{code}\ gc\ \sigma\ \xi^{-1}(W_w)$.
This gives us three cases for $sc$. The first two cases, $sc = \mathrm{ret\text{-}ptr\text{-}data}(\_, \_)$ and $sc = \mathrm{ret\text{-}ptr\text{-}code}(\_, \_, \_)$, are
easily discharged as the reasonability definition puts no requirements on return pointers. For the final case,
$\sigma \in \sigma_{clos}$ and either
– $\mathrm{dom}(ms_{code}) \mathbin{\#} TA$ and $(n - 1, (sc, \_)) \in \mathcal{V}^{gc}_{untrusted}(W_w)$; or
– $\mathrm{dom}(ms_{code}) \subseteq TA$, $\sigma_{clos} \subseteq \sigma_{glob\ clos}$, and $(n - 1, (sc, \_)) \in \mathcal{V}^{gc}_{tst}(W_w)$ for $tst = \mathrm{untrusted}$ iff $\mathrm{nonExecutable}(sc)$.
In the first case, the result follows from the induction hypothesis. In the second case, we have a contradiction
with $\sigma \notin (\sigma_{glob\ ret} \cup \sigma_{glob\ clos})$.
• If $w = ((perm, \_), b, e, \_)$ and $perm \in \mathrm{readAllowed}$ and $n > 0$, then $ms_S(a)$ is reasonable up to $n - 1$ steps for
all $a \in ([b, e] \setminus TA)$:
Since $\mathrm{purePart}(W_w) \oplus \mathrm{purePart}(W_M)$ is defined, $W_w$ and $W_M$ have the same region names with the same invariants, so below we write $W$ for either of them where only those matter.
From $(n, (w, \_)) \in \mathcal{V}^{gc}_{untrusted}(W_w)$ we get $(n, [b, e]) \in \mathrm{readCondition}^{gc}(l, W_w)$, where $l$ is the linearity of $w$.
From $(n, [b, e]) \in \mathrm{readCondition}^{gc}(l, W_w)$ we get $S \subseteq \mathrm{addressable}(l, W.\mathrm{heap})$ and $R : S \to \mathcal{P}(\mathbb{N})$ such that
– $\biguplus_{r \in S} R(r) \supseteq [b, e]$
– $(l = \mathrm{linear} \Rightarrow \forall r.\ |R(r)| = 1)$
– $\forall r \in S.\ W.\mathrm{heap}(r).H \stackrel{n}{\subseteq} \iota^{std, p, R(r), gc}.H$
Given $a \in [b, e]$ we know by the above that there exists $r$ such that $a \in R(r)$.
By $ms_S, stk, ms_{stk}, \_ :^{gc}_{n} W_M$, we get $R_{ms} : \mathrm{dom}(\mathrm{active}(W.\mathrm{heap})) \to \mathrm{MemorySegment} \times \mathrm{MemorySegment}$
such that $ms_S = \biguplus_{r \in \mathrm{dom}(\mathrm{active}(W.\mathrm{heap}))} \pi_1(R_{ms}(r))$.
Further, we get $R_W : \mathrm{dom}(\mathrm{active}(W.\mathrm{heap})) \to \mathrm{World}$ such that $W' = \bigoplus_{r \in \mathrm{dom}(\mathrm{active}(W.\mathrm{heap}))} R_W(r)$ and
$\forall r \in \mathrm{dom}(\mathrm{active}(W.\mathrm{heap})).\ (n, R_{ms}(r)) \in W.\mathrm{heap}(r).H\ \xi^{-1}(R_W(r))$, where $W_M = W' \oplus W''$ for some $W''$.
In particular, we have $(n, R_{ms}(r)) \in W.\mathrm{heap}(r).H\ \xi^{-1}(R_W(r))$ for our $r$.
We know $W.\mathrm{heap}(r).H \stackrel{n}{\subseteq} \iota^{std, p, R(r), gc}.H$, so $(n', R_{ms}(r)) \in \iota^{std, p, R(r), gc}.H(\xi^{-1}(R_W(r)))$ for $n' < n$. This gives us
$(n', (\pi_1(R_{ms}(r))(a), \_)) \in \mathcal{V}^{gc}_{untrusted}(R_W'(a))$ where $R_W' : [b, e] \to \mathrm{World}$ is such that
$\bigoplus_{a \in \mathrm{dom}(\pi_1(R_{ms}(r)))} R_W'(a) = R_W(r)$.
At this point we apply the induction hypothesis, which is possible as we have the following:
– $(n - 1, (\pi_1(R_{ms}(r))(a), \_)) \in \mathcal{V}^{gc}_{untrusted}(R_W'(a))$:
we get this by the above.
– $ms_S, stk, ms_{stk}, \_ :^{gc}_{n-1} W_M$:
this follows by assumption and Lemma 44.
– $\mathrm{purePart}(R_W'(a)) \oplus \mathrm{purePart}(W_M)$ is defined:
this follows by definition of purePart and the fact that $R_W'(a)$ is $W_M$ with part of its ownership removed; purePart strips away the ownership, making the two compatible.
This gives us that, with respect to $TA, \sigma_{glob\ ret}, \sigma_{glob\ clos}$, $\pi_1(R_{ms}(r))(a)$ is reasonable up to $n - 1$ steps in
memory $ms_S$ and free stack $ms_{stk}$, which is what we wanted as $\pi_1(R_{ms}(r))(a) = ms_S(a)$.
• If $w = \mathrm{stack\text{-}ptr}(perm, b, e, \_)$ and $perm \in \mathrm{readAllowed}$ and $n > 0$, then $ms_{stk}(a)$ is reasonable up to $n - 1$
steps for all $a \in [b, e]$:
This case is proven in the same way as the previous case. The main difference is that the free part of the
world is used instead of the heap part:
From $(n, (w, \_)) \in \mathcal{V}^{gc}_{untrusted}(W_w)$ and $perm \in \mathrm{readAllowed}$, we get $(n, [b, e]) \in \mathrm{stackReadCondition}^{gc}(W_w)$.
From $(n, [b, e]) \in \mathrm{stackReadCondition}^{gc}(W_w)$ we get $S \subseteq \mathrm{addressable}(\mathrm{linear}, W.\mathrm{free})$ and $R : S \to \mathcal{P}(\mathbb{N})$
such that
– $\biguplus_{r \in S} R(r) \supseteq [b, e]$
– $\forall r.\ |R(r)| = 1$
– $\forall r \in S.\ W.\mathrm{free}(r).H \stackrel{n}{\subseteq} \iota^{std, p, R(r), gc}.H$
Given $a \in [b, e]$ we know by the above that there exists $r$ such that $a \in R(r)$.
By $ms_S, stk, ms_{stk}, \_ :^{gc}_{n} W_M$, we get $R_{ms} : \mathrm{dom}(\mathrm{active}(W.\mathrm{free})) \to \mathrm{MemorySegment} \times \mathrm{MemorySegment}$ such
that $ms_{stk} = \biguplus_{r \in \mathrm{dom}(\mathrm{active}(W.\mathrm{free}))} \pi_1(R_{ms}(r))$.
Further, we get $R_W : \mathrm{dom}(\mathrm{active}(W.\mathrm{free})) \to \mathrm{World}$ such that $W' = \bigoplus_{r \in \mathrm{dom}(\mathrm{active}(W.\mathrm{free}))} R_W(r)$ and $\forall r \in
\mathrm{dom}(\mathrm{active}(W.\mathrm{free})).\ (n, R_{ms}(r)) \in W.\mathrm{free}(r).H\ \xi^{-1}(R_W(r))$, where $W_M = W' \oplus W''$ for some $W''$.
In particular, we have $(n, R_{ms}(r)) \in W.\mathrm{free}(r).H\ \xi^{-1}(R_W(r))$ for our $r$.
We know $W.\mathrm{free}(r).H \stackrel{n}{\subseteq} \iota^{std, p, R(r), gc}.H$, so $(n', R_{ms}(r)) \in \iota^{std, p, R(r), gc}.H(\xi^{-1}(R_W(r)))$ for $n' < n$. This gives us
$(n', (\pi_1(R_{ms}(r))(a), \_)) \in \mathcal{V}^{gc}_{untrusted}(R_W'(a))$ where $R_W' : [b, e] \to \mathrm{World}$ is such that
$\bigoplus_{a \in \mathrm{dom}(\pi_1(R_{ms}(r)))} R_W'(a) = R_W(r)$.
At this point we apply the induction hypothesis, which is possible as we have the following:
26
– (n− 1, (pi1(Rms(r))(a), )) ∈ V,gcuntrusted(R′W (a))
We get this by the above.
– msS , stk ,msstk , :
gc
n−1 WM
This follows by assumption and Lemma 44
– purePart(R′W (a))⊕ purePart(WM )
Which follows by definition of purePart and the fact that R′W (a) is WM with part of its ownership, but
purePart strips away the ownership making the two compatible.
which gives us that, with respect to TA, σglob ret, σglob clos, pi1(Rms(r))(a) is reasonable up to n− 1 steps in
memory msS and free stack msstk . Which is what we wanted as pi1(Rms(r))(a) = msstk (a).
Lemma 19 (Untrusted register files are reasonable). If
• gc = (TA, stk base, σglob ret, σglob clos)
• (n, (regS, )) ∈ R,gcuntrusted(Ww)
• msS, stk, msstk, :gcn WM
• purePart(Ww) ⊕ purePart(WM) is defined
then, with respect to TA, σglob ret, σglob clos,
• regS(r) is reasonable up to n steps in memory msS and free stack msstk for all r ∉ {pc}
• msS, msstk and stk are all disjoint

Proof. We prove the two results separately:
• regS(r) is reasonable up to n steps in memory msS and free stack msstk for all r ∉ {pc}:
We have that Ww = ⊕_{r ∈ RegisterName \ {pc}} S(r) and (n, (regS(r), regT(r))) ∈ V,gcuntrusted(S(r)) for all r ∉ {pc}.
For all r ≠ pc, we have that purePart(S(r)) ⊕ purePart(WM) is defined by Lemmas 8 and 2.
The result then follows directly from Lemma 18.
• msS, msstk and stk are all disjoint:
This follows from msS, stk, msstk, :gcn WM.
Lemma 20 (Reasonable things don't need to be trusted). If
• (n, (w, w′)) ∈ V,gctrusted(Ww)
• w is reasonable up to n steps in memory msS and free stack msstk, with respect to code, TA, σglob ret, σglob clos.
• n > 0
• Theorem 2 holds up to n steps.
Then
• (n, (w, w′)) ∈ V,gcuntrusted(Ww)

Proof. Assume that (n, (w, wT)) ∈ V,gctrusted(Ww).
By definition of V,gctrusted, it is clear that also (n, (w, wT)) ∈ V,gcuntrusted(Ww), except in the following two cases:
• – w = seal(σ, σb, σe)
  – wT = seal(σ, σb, σe)
  – r ∈ dom(W.heap)
  – W.heap(r) =ₙ ιcode,σret,σclos,code,(TA,stk base,σglob ret,σglob clos)
  – dom(code) ⊆ TA
  – [σb, σe] ⊆ (σret ∪ σclos)
  – σret ⊆ σglob ret
  – σclos ⊆ σglob clos
  By definition of reasonability, we get immediately that [σb, σe] # (σglob ret ∪ σglob clos), contradicting the last three facts above.
• – w = ((perm, normal), b, e, a)
  – wT = ((perm, normal), b, e, a)
  – perm ⊑ rx
  – gc = (TA, stk base, σglob ret, σglob clos)
  – (n, [b, e]) ∈ readXCondition,gc(W)
  If perm = 0, then (n, (w, wT)) ∈ V,gcuntrusted(Ww) follows directly.
  If perm ≠ 0, then by definition of reasonability, we get immediately that [b, e] # TA.
  By definition of V,gcuntrusted, it suffices to show that (n, [b, e]) ∈ readCondition,gc(normal, W) and (n, [b, e]) ∈ executeCondition,gc(normal, W). The former follows directly from Lemma 27. The latter follows by Theorem 2, Lemmas 30 and 47 and the definition of executeCondition,gc.
3.8 Fundamental Theorem of Logical Relations
Theorem 2 (FTLR). For all n, W, l, b, e, a, if
• (n, [b, e]) ∈ readXCondition,gc(W)
and one of the following sets of requirements holds:
• – [b, e] ⊆ TA
  – ((rx, normal), b, e, a) behaves reasonably up to n steps.
• – [b, e] # TA
then
  (n, (((rx, normal), b, e, a), ((rx, normal), b, e, a))) ∈ E,gc(W).

Note: we don't require the readCondition in the trusted case because trusted code pointers point to trusted code blocks which may require seals for trusted seals which are not in the untrusted value relation.
Lemma 21 (Untrusted environments produce safe closures). If
• (n, (w1, w′1)) ∈ E,gc(W1) or (nonExecutable(w1) and nonExecutable(w′1))
• w1 ≠ ret-ptr-code( )
• (n, (w2, w′2)) ∈ V,gcuntrusted(W2) or (executable(w2) and executable(w′2))
Then
• (n, ((w1, w2), (w′1, w′2))) ∈ E,gcxjmp(W1 ⊕ W2)

Proof. Take n′ ≤ n, regS, regT, msS, msT, msstk, stk, WR, WM and assume
• (n′, (regS, regT)) ∈ R,gcuntrusted({rdata})(WR)
• (msS, stk, msstk, msT) :gcn′ WM
• ΦS = (msS, regS, stk, msstk)
• ΦT = (msT, regT)
• W1 ⊕ W2 ⊕ WR ⊕ WM is defined
Then we need to prove that for Φ′S, Φ′T with
• Φ′S = xjumpResult(w1, w2, ΦS)
• Φ′T = xjumpResult(w′1, w′2, ΦT)
we have
• (n′, (Φ′S, Φ′T)) ∈ O,gc
Using the fact that w1 ≠ ret-ptr-code( ), we know by definition of xjumpResult(w1, w2, ΦS) that we must be in one of the following two cases:
• w1 ≠ ret-ptr-code( ), w2 ≠ ret-ptr-data( ), nonExecutable(w2) and Φ′S = ΦS[reg.pc ↦ w1][reg.rdata ↦ w2].
  From nonExecutable(w2) and ((n, (w2, w′2)) ∈ V,gcuntrusted(W2) or (executable(w2) and executable(w′2))), it follows that also nonExecutable(w′2) and Φ′T = ΦT[reg.pc ↦ w′1][reg.rdata ↦ w′2].
  We can now combine (n′, (regS, regT)) ∈ R,gcuntrusted({rdata})(WR) and (n, (w2, w′2)) ∈ V,gcuntrusted(W2) into (n′, (regS[rdata ↦ w2], regT[rdata ↦ w′2])) ∈ R,gcuntrusted(WR ⊕ W2), using Lemmas 47, 10, 2, and 44.
  With our other assumptions above, (n, (w1, w′1)) ∈ E,gc(W1) then gives us that (n′, (Φ′S, Φ′T)) ∈ O,gc, as required. On the other hand, if nonExecutable(w1) and nonExecutable(w′1), then Φ′S →gc failed and Φ′T → failed, and the result follows by definition of O,gc (with gc = (TA, stk base, σglob ret, σglob clos)).
• Otherwise: Φ′S = failed.
  From w1 ≠ ret-ptr-code( ) and ((n, (w2, w′2)) ∈ V,gcuntrusted(W2) or (executable(w2) and executable(w′2))), the only way we can get to this case is that executable(w2) and executable(w′2).
  It follows that Φ′T = failed.
  The result follows by definition of O,gc (with gc = (TA, stk base, σglob ret, σglob clos)).
Lemma 22 (Safe values are safe to execute). If
• (n, (w1, w′1)) ∈ V,gcuntrusted(W1)
• (n′, (w2, w′2)) ∈ V,gcuntrusted(W2) or (executable(w2) and executable(w′2))
• n′ < n
Then
• (n′, ((w1, w2), (w′1, w′2))) ∈ E,gcxjmp(W1 ⊕ W2)

Proof. By Lemma 21, it suffices to prove the following:
• (n′, (w1, w′1)) ∈ E,gc(W1) or (nonExecutable(w1) and nonExecutable(w′1))
• w1 ≠ ret-ptr-code( ).
The latter follows immediately from (n, (w1, w′1)) ∈ V,gcuntrusted(W1) by definition. It also follows that either (nonExecutable(w1) and nonExecutable(w′1)) or w1 = w′1 = ((perm, normal), b, e, a) and (n, [b, e]) ∈ executeCondition,gc(W1).
In the latter case, it follows by definition of executeCondition,gc that (n′, (w1, w′1)) ∈ E,gc(W1) as required.
3.9 Related components
C,gc(W ) =

(n, comp, comp) |
comp = (mscode,msdata, aimport ← [ simport, sexport 7→ wexport, σret, σclos) and
For all W ′ wW.
If (n′, (wimport, wimport)) ∈ V,gcuntrusted(purePart(W ′)) for all n′ < n
and ms ′data = msdata[aimport 7→ wimport]
then (n, (σret unionmulti σclos,mscode unionmultims ′data,mscode unionmultims ′data)) ∈ H(W.heap)(W ′) and
(n, (wexport, wexport)) ∈ V,gcuntrusted(purePart(W ′))

∪

(n, (comp0, cmain,c, cmain,d), (comp0, cmain,c, cmain,d)) |
(n, (comp0, comp0)) ∈ C,gc(W ) and
{( 7→ cmain,c), ( 7→ cmain,d)} ⊆ wexport

29
Lemma 23 (Compatibility lemma for linking). If
• (n, (comp1, comp1)) ∈ C,gc(W1)
• (n, (comp2, comp2)) ∈ C,gc(W2)
then
• (n, (comp1 ./ comp2, comp1 ./ comp2)) ∈ C,gc(W1 ⊎ W2).
Proof. First consider the case where one of the two pairs of components has a pair of "main" capabilities. By the definition of C,gc, these capabilities have to be part of that component's export list. It is then easy to see that the other component cannot have "main" capabilities (otherwise linking is not defined), and it is sufficient to prove the result for the underlying components (without the "main" capabilities). Therefore, we can restrict ourselves to the case where both pairs of components are of the form comp0, i.e. have no "main" capabilities.
By definition of ./, writing comp3 for comp1 ./ comp2, we have that the following hold:
• comp1 = (mscode,1, msdata,1, import1, export1, σret,1, σclos,1, Alinear,1)
• comp2 = (mscode,2, msdata,2, import2, export2, σret,2, σclos,2, Alinear,2)
• comp3 = (mscode,3, msdata,3, import3, export3, σret,3, σclos,3, Alinear,3)
• mscode,3 = mscode,1 ⊎ mscode,2
• msdata,3 = (msdata,1 ⊎ msdata,2)[a ↦ w | (a ↤ s) ∈ (import1 ∪ import2), (s ↦ w) ∈ export3]
• export3 = export1 ∪ export2
• import3 = {a ↤ s ∈ (import1 ∪ import2) | s ↦ ∉ export3}
• σret,3 = σret,1 ⊎ σret,2
• σclos,3 = σclos,1 ⊎ σclos,2
• Alinear,3 = Alinear,1 ⊎ Alinear,2
• dom(mscode,3) # dom(msdata,3)
• σret,3 # σclos,3
Now take W′ ⊒ (W1 ⊎ W2) and assume that (n′, (wimport,3, wimport,3)) ∈ V,gcuntrusted(purePart(W′)) for all n′ < n.
Take import3 = aimport,3 ↤ simport,3. Take ms′data,3 = msdata,3[aimport,3 ↦ wimport,3]. Then it remains to show that
  (n, (σret,3 ⊎ σclos,3, mscode,3 ⊎ ms′data,3, mscode,3 ⊎ ms′data,3)) ∈ H((W1 ⊎ W2).heap)(W′)
and
  (n, (cexport,3, cexport,3)) ∈ V,gcuntrusted(purePart(W′)).
We do this by complete induction on n, so that we can assume that (n′, (cexport,3, cexport,3)) ∈ V,gcuntrusted(purePart(W′)) for all n′ < n.
First, note that
  ms′data,3 = msdata,3[aimport,3 ↦ wimport,3]
           = (msdata,1 ⊎ msdata,2)[a ↦ w | (a ↤ s) ∈ (import1 ∪ import2), (s ↦ w) ∈ export3][aimport,3 ↦ wimport,3]
           = msdata,1[a ↦ w | (a ↤ s) ∈ import1, (s ↦ w) ∈ export2][aimport,3 ↦ wimport,3 | aimport,3 ↤ ∈ import1]
             ⊎ msdata,2[a ↦ w | (a ↤ s) ∈ import2, (s ↦ w) ∈ export1][aimport,3 ↦ wimport,3 | aimport,3 ↤ ∈ import2]
           = ms′data,1 ⊎ ms′data,2
Next, we prove that for all substituted values w in the equations above, we have that
  (n′, (w, w)) ∈ V,gcuntrusted(purePart(W′))
for all n′ < n. We know by assumption that this is true for the wimport,3 such that aimport,3 ↤ ∈ import1 or aimport,3 ↤ ∈ import2. On the other hand, we know by induction that this is true for the w such that (s ↦ w) ∈ export1 or (s ↦ w) ∈ export2.
Then, it follows from our assumptions ((n, (comp1, comp1)) ∈ C,gc(W1) and (n, (comp2, comp2)) ∈ C,gc(W2)), and using Lemma 11, that
  (n, (σret,1 ⊎ σclos,1, mscode,1 ⊎ ms′data,1, mscode,1 ⊎ ms′data,1)) ∈ H(W1.heap)(W′)
  (n, (σret,2 ⊎ σclos,2, mscode,2 ⊎ ms′data,2, mscode,2 ⊎ ms′data,2)) ∈ H(W2.heap)(W′)
It follows by Lemma 14 that
  (n, (σret,3 ⊎ σclos,3, mscode,3 ⊎ ms′data,3, mscode,3 ⊎ ms′data,3)) ∈ H((W1 ⊎ W2).heap)(W′)
Finally, for each
  (n, (cexport, cexport)) ∈ (n, (cexport,3, cexport,3))
we have that (n, (cexport, cexport)) is either in (n, (cexport,1, cexport,1)) or in (n, (cexport,2, cexport,2)). By unfolding (n, (comp1, comp1)) ∈ C,gc(W1) and (n, (comp2, comp2)) ∈ C,gc(W2) and using Lemma 11, this follows from the results above.
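As an added worked instance of the import-resolution step in the proof above (this example is not part of the original report; the component contents, the symbols $s_f, s_g, s_{ext}$, the addresses $a_1, a_2, a_3$ and the words $w_f, w_g, w_{ext}$ are hypothetical, and the report's import arrow is written $\leftarrow$ here), the following carries the definition of $./$ through two small components and checks the equality $ms'_{data,3} = ms'_{data,1} \uplus ms'_{data,2}$ on which the proof relies:

\[
\begin{aligned}
comp_1 &:\; ms_{data,1} = [a_1 \mapsto 0,\ a_2 \mapsto 0],\quad
  import_1 = \{a_1 \leftarrow s_f,\ a_2 \leftarrow s_{ext}\},\quad
  export_1 = \{s_g \mapsto w_g\} \\
comp_2 &:\; ms_{data,2} = [a_3 \mapsto 0],\quad
  import_2 = \{a_3 \leftarrow s_g\},\quad
  export_2 = \{s_f \mapsto w_f\} \\[4pt]
export_3 &= export_1 \cup export_2 = \{s_g \mapsto w_g,\ s_f \mapsto w_f\} \\
import_3 &= \{a \leftarrow s \in import_1 \cup import_2 \mid s \mapsto \_ \notin export_3\} = \{a_2 \leftarrow s_{ext}\} \\
ms_{data,3} &= (ms_{data,1} \uplus ms_{data,2})[a_1 \mapsto w_f,\ a_3 \mapsto w_g]
            = [a_1 \mapsto w_f,\ a_2 \mapsto 0,\ a_3 \mapsto w_g]
\end{aligned}
\]

The symbol $s_{ext}$ is exported by neither component, so it is the only import left in $import_3$. A context that supplies $w_{ext}$ for it gives

\[
\begin{aligned}
ms'_{data,3} &= ms_{data,3}[a_2 \mapsto w_{ext}] = [a_1 \mapsto w_f,\ a_2 \mapsto w_{ext},\ a_3 \mapsto w_g] \\
ms'_{data,1} &= ms_{data,1}[a_1 \mapsto w_f][a_2 \mapsto w_{ext}] = [a_1 \mapsto w_f,\ a_2 \mapsto w_{ext}] \\
ms'_{data,2} &= ms_{data,2}[a_3 \mapsto w_g] = [a_3 \mapsto w_g] \\
ms'_{data,3} &= ms'_{data,1} \uplus ms'_{data,2}
\end{aligned}
\]

This is exactly the split the proof makes: $w_f$ and $w_g$ are the other component's exports, whose safety at step indices $n' < n$ comes from the induction hypothesis, while $w_{ext}$ is the context's import, whose safety is assumed. Note that $a_1$ resolves against $export_2$ and $a_3$ against $export_1$; a component never resolves an import against its own exports in this instance, matching the two filled-in segments in the proof.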
3.10 FTLR for components
Lemma 24 (Untrusted code regions' seals specify value safety). If
• dom(code) # TA
• σ ∈ σclos
then
  Hcode,σ σret σclos code (TA, stk base) σ =ₙ V,gcuntrusted

Proof. Follows easily by definition.
Lemma 25 (Code region for untrusted components stronger than standard safe memory region). If
• dom(mscode) # TA
then ιcode,σret,σclos,mscode,gc.H ⊆ₙ ιstd,p,dom(mscode),gc.H
Proof. Take Ŵ, then we need to prove that
  Hcode σret σclos mscode gc Ŵ ⊆ₙ Hstd,dom(mscode) Ŵ
So take (n, msS, msT) ∈ Hcode σret σclos mscode gc Ŵ, then we know that
• msS = msT = mscode ⊎ mspad
• dom(mscode) = [b, e]
• [b − 1, e + 1] ⊆ TA ∨ ([b − 1, e + 1] # TA ∧ σret = ∅), but we know that dom(mscode) # TA, so we get that σret = ∅.
• For all a ∈ dom(code), (n, (code(a), code(a))) ∈ V,gcuntrusted(purePart(ξ(Ŵ)))
By definition of Hstd,dom(mscode) Ŵ, we need to prove that
• dom(mscode) = dom(mscode) = dom(mscode)
• there exists an S : dom(mscode) → World with ξ(Ŵ) = ⊕_{a ∈ dom(mscode)} S(a) and for all a ∈ dom(mscode), we have that (n, (msS(a), msT(a))) ∈ V,gcuntrusted(S(a))
We take S to map every address to purePart(Ŵ), except for a single one that we map to Ŵ. The result then follows by Lemmas 6, 10 and 47 and the above fact that for all a ∈ dom(code), (n, (code(a), code(a))) ∈ V,gcuntrusted(purePart(ξ(Ŵ))).
Lemma 26 (Code memory for untrusted components safely readable). If
• dom(mscode) # TA
• W.heap(rcode) = ιcode,σret,σclos,mscode,gc
• A ⊆ dom(mscode),
we have that (n, A) ∈ readCondition,gc(normal, W).
Proof. Follows by definition of readCondition,gc from Lemma 25.
Lemma 27 (Code memory for untrusted components safely readable). If
• A # TA
• (n, A) ∈ readXCondition,gc(W)
we have that (n, A) ∈ readCondition,gc(normal, W).
Proof. Follows by definition of readCondition,gc and readXCondition,gc from Lemma 25.
Lemma 28 (Code region sealing invariant for untrusted components implies untrusted safety). If
• ∅ ≠ dom(mscode) # TA
• σ ∈ σclos
then ιcode,σret,σclos,mscode,gc.Hσ σ =ₙ V,gcuntrusted for all n
Proof. The result follows easily by definition of ιcode and Hcode,σ.
Lemma 29 (non-linear words are pure).
• If (n, A) ∈ readCondition,gc(normal, W), then (n, A) ∈ readCondition,gc(normal, purePart(W)).
• If (n, A) ∈ writeCondition,gc(normal, W), then (n, A) ∈ writeCondition,gc(normal, purePart(W)).
• If (n, A) ∈ executeCondition,gc(W), then (n, A) ∈ executeCondition,gc(purePart(W)).
• If (n, A) ∈ readXCondition,gc(W), then (n, A) ∈ readXCondition,gc(purePart(W)).
• If (n, (w1, w2)) ∈ V,gcuntrusted(W) and (nonLinear(w1) or nonLinear(w2)), then (n, (w1, w2)) ∈ V,gcuntrusted(purePart(W)).
Proof. Follows easily by inspecting the definitions of V,gcuntrusted, readCondition, addressable, writeCondition, executeCondition and readXCondition and using Lemma 7.
Lemma 30 (permission-based conditions shrinkable).
• If (n, A) ∈ readCondition,gc(l, W) and ∅ ≠ A′ ⊆ A, then (n, A′) ∈ readCondition,gc(l, W).
• If (n, A) ∈ writeCondition,gc(l, W) and ∅ ≠ A′ ⊆ A, then (n, A′) ∈ writeCondition,gc(l, W).
• If (n, A) ∈ readXCondition,gc(W) and A′ ⊆ A, then (n, A′) ∈ readXCondition,gc(W).
• If (n, A) ∈ executeCondition,gc(W) and ∅ ≠ A′ ⊆ A, then (n, A′) ∈ executeCondition,gc(W).
Proof. Follows easily from the definitions. In the case for executeCondition,gc where l = linear, we have a partition of the world into W = ⊕_{a ∈ A} Wa(a) that we need to convert into a partition W = ⊕_{a ∈ A′} W′a(a). It suffices to construct the new W′a by taking Wa and adding ⊕_{a ∈ (A \ A′)} Wa(a) to Wa(a′) for an arbitrary a′ ∈ A′; since the summands for A \ A′ are simply folded into one remaining summand, the result is still a partition of W.
Lemma 31 (permission-based conditions splittable). If A = [b1, e1] ⊎ [b2, e2], then
• If (n, A) ∈ readCondition,gc(l, W), then there exist W1, W2 with W = W1 ⊕ W2 such that (n, [b1, e1]) ∈ readCondition,gc(l, W1) and (n, [b2, e2]) ∈ readCondition,gc(l, W2).
• If (n, A) ∈ writeCondition,gc(l, W), then there exist W1, W2 with W = W1 ⊕ W2 such that (n, [b1, e1]) ∈ writeCondition,gc(l, W1) and (n, [b2, e2]) ∈ writeCondition,gc(l, W2).
• If (n, A) ∈ executeCondition,gc(W), then there exist W1, W2 with W = W1 ⊕ W2 such that (n, [b1, e1]) ∈ executeCondition,gc(W1) and (n, [b2, e2]) ∈ executeCondition,gc(W2).
Proof. If l = normal, then Lemma 29 tells us that it suffices to consider pure worlds W = purePart(W ) and
Lemma 6 tells us that then W = W ⊕W . The results then follow from the previous Lemma 30.
As such, we can limit ourselves to the case where l = linear.
The read- and write-conditions then require separate islands for each individual address in A and we can
distribute ownership of those islands according to whether those addresses are in [b1, e1] or [b2, e2], i.e. make the
island W.heap(r) with R(r) = {a} spatial owned in W1 and spatial in W2 if a ∈ [b1, e1] and vice versa. It is then
easy to check that our results hold.
For the execute condition, we get a partition of the world into W = ⊕a∈AWa(a) and we can define W1 =
⊕a∈[b1,e1]Wa(a) and likewise for W2. The results then follow easily from the definitions.
Lemma 32 (permission-based conditions splicable). If
• [b, e] = [b1, e1] ⊎ [b2, e2]
• [b, e] # TA
• W1 ⊕ W2 is defined,
then
• If (n, [b1, e1]) ∈ readCondition,gc(l, W1) and (n, [b2, e2]) ∈ readCondition,gc(l, W2), then (n, [b, e]) ∈ readCondition,gc(l, W1 ⊕ W2).
• If (n, [b1, e1]) ∈ writeCondition,gc(l, W1) and (n, [b2, e2]) ∈ writeCondition,gc(l, W2), then (n, [b, e]) ∈ writeCondition,gc(l, W1 ⊕ W2).
• If (n, [b1, e1]) ∈ executeCondition,gc(W1) and (n, [b2, e2]) ∈ executeCondition,gc(W2), then (n, [b, e]) ∈ executeCondition,gc(W1 ⊕ W2).
If
• [b, e] = [b1, e1] ⊎ [b2, e2]
• W1 ⊕ W2 ⊕ WM is defined
• msS, stk, msstk, msT :gcn WM
then
• If (n, [b1, e1]) ∈ readXCondition,gc(W1) and (n, [b2, e2]) ∈ readXCondition,gc(W2), then (n, [b, e]) ∈ readXCondition,gc(W1 ⊕ W2).
If [b, e] = [b1, e1] ⊎ [b2, e2], then
• If (n, [b1, e1]) ∈ stackReadCondition,gc(W1) and (n, [b2, e2]) ∈ stackReadCondition,gc(W2), then (n, [b, e]) ∈ stackReadCondition,gc(W1 ⊕ W2).
• If (n, [b1, e1]) ∈ stackWriteCondition,gc(W1) and (n, [b2, e2]) ∈ stackWriteCondition,gc(W2), then (n, [b, e]) ∈ stackWriteCondition,gc(W1 ⊕ W2).
Proof. The results for readCondition,gc, writeCondition,gc, stackReadCondition,gc and stackWriteCondition,gc follow by taking the union of the two sets S, and the union of R for every r.
The result for executeCondition,gc follows easily by definition and using Lemmas 8 and 10.
For readXCondition,gc, we get ri ∈ addressable(normal, Wi) such that Wi.heap(ri) =ₙ ιcode, , ,codei,gc with dom(codei) ⊇ [bi, ei]. From msS, stk, msstk, msT :gcn WM, it follows that dom(codei) = [b′i, e′i] and that, if r1 ≠ r2, then [b′1 − 1, e′1 + 1] # [b′2 − 1, e′2 + 1]. Because [b, e] = [b1, e1] ⊎ [b2, e2] is contiguous and [b′i, e′i] = dom(codei) ⊇ [bi, ei], the two padded code regions would have to overlap, so we can derive that r1 = r2. The result then follows by definition of readXCondition,gc.
Lemma 33 (FTLR for component code capabilities). If
• (n, dom(mscode)) ∈ readXCondition,gc(W)
• (tst = untrusted and dom(mscode) # TA) or (tst = trusted and dom(mscode) ⊆ TA)
• w = ((rx, normal), b, e, a)
• [b, e] ⊆ dom(mscode)
then (n, (w, w)) ∈ V,gctst(W).
Proof. We distinguish two cases:
• tst = untrusted and dom(mscode) # TA: By definition of V,gcuntrusted(W), it suffices to show that:
  – [b, e] # TA: follows directly from [b, e] ⊆ dom(mscode) and dom(mscode) # TA.
  – (n, [b, e]) ∈ readXCondition,gc(W): by assumption and Lemma 30.
  – (n, [b, e]) ∈ readCondition,gc(normal, W): this follows from Lemma 27, using the two points above.
  – (n, [b, e]) ∈ executeCondition,gc(W): take n′ < n, W′ ⊒ purePart(W), a′ ∈ [b′, e′] ⊆ [b, e] and w′ = ((rx, normal), b′, e′, a′). Then we need to show that (n′, (w′, w′)) ∈ E,gc(W′). This now follows immediately from the (regular) FTLR (Theorem 2), using the points above, Lemma 44 and Lemma 30.
• tst = trusted and dom(mscode) ⊆ TA: By definition of V,gctrusted(W) and Lemma 30 with the assumption that (n, dom(mscode)) ∈ readXCondition,gc(W).
Lemma 34 (FTLR for component code-values). If
  σret, σret,owned, σclos, TA ⊢comp−code w
and
• σret ⊆ σglob ret and σclos ⊆ σglob clos
• W.heap(rcode) = ιcode,σret,σclos,mscode,gc
• (dom(mscode) # TA and tst = untrusted) or (dom(mscode) ⊆ TA and tst = trusted)
then (n, (w, w)) ∈ V,gctst(W)
Proof. By induction on
  σret, σret,owned, σclos, TA ⊢comp−code w
There are two cases to consider:
• mscode(a) = seal(σb , σe , σb) and [σb , σe ] ⊆ (σret ∪ σclos):
We distinguish two cases:
– tst = trusted:
By definition of V,gctrusted, it suffices to prove that W.heap(rcode) = ιcode,σret,σclos,mscode,gc , dom(code) ⊆ TA
and [σb , σe ] ⊆ (σret ∪ σclos), all of which follow by assumption.
– tst = untrusted:
In this case, we know that σret = ∅.
By definition of V,gcuntrusted, it suffices to prove that
∀σ′ ∈ [σb , σe ].∃r ∈ dom(W.heap).W.heap(r) = (pure, , Hσ) and Hσ σ′ n= V,gcuntrusted
We take r = rcode and the result then follows from Lemma 28.
• mscode(a) ∈ Z and
  ([a · · · a + call len − 1] ⊆ TA ∧ mscode([a · · · a + call len − 1]) = call off pc,off σ 0..call len−1 r1 r2) ⇒ (mscode(a + off pc) = seal(σb, σe, σb) ∧ σb + off σ ∈ σret,owned):
  Using mscode(a) ∈ Z, the result follows easily by definition.
Lemma 35 (FTLR for component data-values). If
  dom(mscode), Aown, Anon−linear, σret, σclos ⊢comp−value w
and
• (n, Anon−linear) ∈ readCondition,gc(normal, W)
• (n, Anon−linear) ∈ writeCondition,gc(normal, W)
• (n, Aown) ∈ readCondition,gc(linear, W)
• (n, Aown) ∈ writeCondition,gc(linear, W)
• W.heap(rcode) = ιcode,σret,σclos,mscode,gc
• dom(mscode) # TA or dom(mscode) ⊆ TA
• (Aown ∪ Anon−linear) # TA
then (n, (w, w)) ∈ V,gcuntrusted(W)
Proof. By induction on the judgement
  dom(mscode), Aown, Anon−linear, σret, σclos ⊢comp−value w
We have the following cases:
• w = z: the result follows trivially.
• w = ((perm, l), b, e, a), perm ⊑ rw, l = linear ⇒ ∅ ⊂ [b, e] ⊆ Aown and l = normal ⇒ [b, e] ⊆ Anon−linear:
  By definition of V,gcuntrusted, it suffices to prove that [b, e] # TA, (n, [b, e]) ∈ readCondition,gc(l, W) and (n, [b, e]) ∈ writeCondition,gc(l, W). The result then follows easily from the assumptions, with Lemma 30.
• w = sealed(σ, sc) and
  dom(mscode), Aown, Anon−linear, σret, σclos ⊢comp−value sc
  and σ ∈ σclos:
  First, we have by induction that (n, (sc, sc)) ∈ V,gcuntrusted(W).
  By definition of V,gcuntrusted and by choosing island r = rcode, it suffices to prove that
  – (n′, (sc, sc)) ∈ Hσ σ ξ⁻¹(W) for all n′ < n:
    By definition of ιcode,σret,σclos,mscode,gc and Hcode,σ and because we know that σ ∈ σclos, it suffices to prove that one of the following holds:
    ∗ dom(code) # TA and (n′, (sc, sc)) ∈ V,gcuntrusted ξ(ξ⁻¹(W))
    ∗ dom(code) ⊆ TA and (n′, (sc, sc)) ∈ V,gctrusted ξ(ξ⁻¹(W))
    Both follow since ξ(ξ⁻¹(W)) = W and V,gcuntrusted W ⊆ V,gctrusted W, dom(mscode) # TA or dom(mscode) ⊆ TA, and the above fact that (n, (sc, sc)) ∈ V,gcuntrusted(W) and Lemma 44.
  – (isLinear(sc) iff isLinear(sc)): trivially fine.
  – If isLinear(sc), then for all W′ ⊒ W, Wo, n′ < n and (n′, (sc′S, sc′T)) ∈ Hσ σ ξ⁻¹(Wo), we have that
      (n′, ((sc, sc′S), (sc, sc′T))) ∈ E,gcxjmp(W′ ⊕ Wo):
    By definition of ιcode,σret,σclos,mscode,gc and Hcode,σ and because we know that σ ∈ σclos, we know that one of the following holds:
    ∗ dom(code) # TA and (n′, (sc′S, sc′T)) ∈ V,gcuntrusted ξ(ξ⁻¹(Wo))
    ∗ dom(code) ⊆ TA and σclos ⊆ σglob clos and σret ⊆ σglob ret and (n′, (sc′S, sc′T)) ∈ V,gctst ξ(ξ⁻¹(Wo)) with tst = trusted iff executable(sc′S).
    Lemma 22 now allows us to conclude (using Lemma 47) that:
      (n′, ((sc, sc′S), (sc, sc′T))) ∈ E,gcxjmp(W′ ⊕ Wo)
  – If nonLinear(sc), then for all W′ ⊒ purePart(W), Wo, n′ < n, (n′, (sc′S, sc′T)) ∈ Hσ σ ξ⁻¹(Wo), we have that
      (n′, ((sc, sc′S), (sc, sc′T))) ∈ E,gcxjmp(W′ ⊕ Wo):
    By definition of ιcode,σret,σclos,mscode,gc and Hcode,σ and because we know that σ ∈ σclos, we know that one of the following holds:
    ∗ dom(code) # TA and (n′, (sc′S, sc′T)) ∈ V,gcuntrusted ξ(ξ⁻¹(Wo))
    ∗ dom(code) ⊆ TA and σclos ⊆ σglob clos and σret ⊆ σglob ret and (n′, (sc′S, sc′T)) ∈ V,gctst ξ(ξ⁻¹(Wo)) with tst = trusted iff executable(sc′S).
    First, Lemma 29 allows us to conclude that also (n, (sc, sc)) ∈ V,gcuntrusted(purePart(W)).
    Next, Lemma 22 allows us to conclude (using Lemma 47) that:
      (n′, ((sc, sc′S), (sc, sc′T))) ∈ E,gcxjmp(W′ ⊕ Wo)
Lemma 36 (FTLR for component exports). If
  dom(mscode), Anon−linear, σret, σclos ⊢comp−export w
and
• (n, Anon−linear) ∈ readCondition,gc(normal, W)
• (n, Anon−linear) ∈ writeCondition,gc(normal, W)
• W.heap(rcode) = ιcode,σret,σclos,mscode,gc
• dom(mscode) # TA or dom(mscode) ⊆ TA
• If w = sealed(σ, sc) with dom(mscode) ⊆ TA, σ ∈ σclos and executable(sc), then sc behaves reasonably up to n steps.
• Anon−linear # TA
then (n, (w, w)) ∈ V,gcuntrusted(W)
Proof. By induction on the judgement
  dom(mscode), Anon−linear, σret, σclos ⊢comp−export w
We have the following cases:
• w = sealed(σ, sc), sc = ((rx, normal), b, e, a), [b, e] ⊆ dom(mscode), σ ∈ σclos:
  By definition of V,gcuntrusted and by choosing island r = rcode, it suffices to prove that
  – (n′, (sc, sc)) ∈ Hcode,σ σret σclos code gc σ ξ⁻¹(W) for all n′ < n:
    By definition of ιcode,σret,σclos,mscode,gc and Hcode,σ and because we know that σ ∈ σclos, it suffices to prove that one of the following holds:
    ∗ dom(code) # TA and (n′, (sc, sc)) ∈ V,gcuntrusted ξ(ξ⁻¹(W))
    ∗ dom(code) ⊆ TA and (n′, (sc, sc)) ∈ V,gctrusted ξ(ξ⁻¹(W)) and executable(sc)
    Take tst = untrusted iff dom(mscode) # TA and tst = trusted iff dom(mscode) ⊆ TA. Since ξ(ξ⁻¹(W)) = W and because we know by assumption that dom(mscode) # TA or dom(mscode) ⊆ TA, it suffices to prove that (n′, (sc, sc)) ∈ V,gctst(W).
    This last fact follows from Lemma 33, using Lemma 44 and the definition of readXCondition,gc with the assumption that W.heap(rcode) = ιcode,σret,σclos,mscode,gc.
  – (isLinear(sc) iff isLinear(sc)): trivially fine.
  – For all W′ ⊒ purePart(W), Wo, n′ < n, (n′, (sc′S, sc′T)) ∈ Hcode,σ σret σclos code gc σ ξ⁻¹(Wo), we have that
      (n′, ((sc, sc′S), (sc, sc′T))) ∈ E,gcxjmp(W′ ⊕ Wo):
    From one of our assumptions, we know that sc behaves reasonably up to n steps if dom(mscode) ⊆ TA.
    Theorem 2 now tells us that (n, (sc, sc)) ∈ E,gc(purePart(W)), using the definition of readXCondition,gc and the assumption that W.heap(rcode) = ιcode,σret,σclos,mscode,gc.
    Since σ ∈ σclos, it follows from (n′, (sc′S, sc′T)) ∈ Hcode,σ σret σclos code gc σ ξ⁻¹(Wo) that
      (n′, (sc′S, sc′T)) ∈ V,gctst(Wo)
    with tst = untrusted iff (dom(code) # TA or nonExecutable(sc′S)) and tst = trusted iff (dom(code) ⊆ TA and executable(sc′S)).
    The result now follows from Lemma 21.
• dom(mscode), ∅, Anon−linear, σret, σclos ⊢comp−value w:
  In this case, the result follows from Lemma 35, using the fact that readCondition,gc and writeCondition,gc follow trivially for the empty Aown, and a similar observation about the empty imports.
Lemma 37 (FTLR for components). If
• gc = (TA, stk base, σglob ret, σglob clos)
• comp is a well-formed component, i.e. TA ⊢ comp
• One of the following holds:
  – dom(comp.mscode) ⊆ TA and comp is a reasonable component (see Section 3.7)
  – dom(comp.mscode) # TA
• σret ⊆ σglob ret and σclos ⊆ σglob clos
Then there exists a W such that
• (n, (comp, comp)) ∈ C,gc(W)
• dom(W.heap) can be chosen to not include any given finite set of region names
• dom(W.free) = dom(W.priv) = ∅
Proof. If comp is of the form (comp0, cmain,c, cmain,d), then we have (by definition of component well-formedness)
that cmain,c, cmain,d ⊆ comp0.cexport, as required by C,gc(W ). Hence, we can restrict our attention to components
of the form comp0.
Take
comp = (mscode unionmultimspad,msdata, import , export , σret, σclos, Alinear)
Note that confusingly, comp.mscode = mscode unionmulti mspad, so the assumption about dom(comp.mscode) should be
interpreted properly. We then know from TA ` comp that
• dom(mscode) = [b, e]
• [b − 1, e + 1] # dom(msdata)
• mspad = [b − 1 ↦ 0] ⊎ [e + 1 ↦ 0]
• σret, σclos, TA ⊢comp−code mscode
• ∃Aown : dom(msdata) → P(dom(msdata))
• dom(msdata) = Anon−linear ⊎ Alinear
• Alinear = ⊎_{a ∈ dom(msdata)} Aown(a)
• ∀a ∈ dom(msdata). dom(mscode), Aown(a), Anon−linear, σret, σclos ⊢comp−value msdata(a)
• dom(mscode), Anon−linear, σret, σclos ⊢comp−export cexport
• (dom(mscode) ⊆ TA) ∨ (dom(mscode) # TA ∧ σret = ∅)
• dom(msdata) # TA
Take import = aimport ↤ simport.
Now take W such that
• dom(W.free) = dom(W.priv) = ∅
• W.heap(rcode) = ιcode,σret,σclos,mscode,gc
• there exists raddr : dom(msdata) → dom(W.heap) such that
  – for all a ∈ dom(msdata), W.heap(raddr(a)) = ιstd,l,{a},gc with (l = pure if a ∉ Alinear) and (l = spatial owned if a ∈ Alinear)
with rcode and ra = raddr(a) chosen according to the given restriction on region names.
It now remains to prove that (n, (comp, comp)) ∈ C,gc(W). Take W′ ⊒ W and assume that
  (n′, (wimport, wimport)) ∈ V,gcuntrusted(purePart(W′)) for all n′ < n
and
  ms′data = msdata[aimport ↦ wimport]
We need to show that
• (n, (σret ⊎ σclos, mspad ⊎ mscode ⊎ ms′data, mspad ⊎ mscode ⊎ ms′data)) ∈ H(W.heap)(W′):
  Take Rms : dom(active(W.heap)) → MemorySegment × MemorySegment such that
  – Rms(ra) = (ms′data|{a}, ms′data|{a})
  – Rms(rcode) = (mspad ⊎ mscode, mspad ⊎ mscode)
  Take R′W : dom(active(W.heap)) → World such that
  – R′W(ra) = purePart(W)[heap.ra′ ↦ ιstd,spatial owned,{a′},gc]_{a′ ∈ Aown(a)}
  – R′W(rcode) = purePart(W)
  Since then W = ⊕_{r ∈ dom(active(W.heap))} R′W(r) (every spatial owned island of W is owned by exactly one R′W(ra), namely the one with a′ ∈ Aown(a), because Alinear = ⊎_{a} Aown(a)), we can use Lemma 3 to construct an RW with
    W′ = ⊕_{r ∈ dom(active(W.heap))} RW(r)
  and RW(r) ⊒ R′W(r) for all r. Finally, take Rseal : dom(active(W.heap)) → P(Seal) to satisfy
  – Rseal(ra) = ∅
  – Rseal(rcode) = σret ⊎ σclos.
  We then need to prove that
  – (n′, (ms′data|{a}, ms′data|{a})) ∈ ιstd,l,{a},gc.H ξ⁻¹(RW(ra)) for all n′ < n: Take n′ < n. By definition, it suffices to prove that (n′, (ms′data(a), ms′data(a))) ∈ V,gcuntrusted(RW(ra)).
    If (a ↤ ) ∈ import, then we know that ms′data(a) is the corresponding wimport and the result follows from the assumption that
      (n′, (wimport, wimport)) ∈ V,gcuntrusted(purePart(W′))
    together with Lemma 47 and the fact that RW(ra) ⊒ purePart(W′) (by Lemma 13).
    Otherwise, ms′data(a) = msdata(a) and we know from our assumptions that
      dom(mscode), Aown(a), Anon−linear, σret, σclos ⊢comp−value msdata(a)
    By Lemma 35, it then suffices to prove that
    ∗ (n′, Anon−linear) ∈ readCondition,gc(normal, RW(ra)): follows by Lemma 47 using the fact that RW(ra) ⊒ R′W(ra) and by definition, using the choice of W and R′W(ra) (the islands for Anon−linear are pure and so present in purePart(W))
    ∗ (n′, Anon−linear) ∈ writeCondition,gc(normal, RW(ra)): follows by Lemma 47 using the fact that RW(ra) ⊒ R′W(ra) and by definition, using the choice of W and R′W(ra)
    ∗ (n′, Aown(a)) ∈ readCondition,gc(linear, RW(ra)): follows by Lemma 47 using the fact that RW(ra) ⊒ R′W(ra) and by definition, using the choice of W and R′W(ra) (R′W(ra) owns the islands ιstd,spatial owned,{a′},gc for a′ ∈ Aown(a))
    ∗ (n′, Aown(a)) ∈ writeCondition,gc(linear, RW(ra)): follows by Lemma 47 using the fact that RW(ra) ⊒ R′W(ra) and by definition, using the choice of W and R′W(ra)
    ∗ RW(ra).heap(rcode) = ιcode,σret,σclos,mscode,gc: follows from the choice of W and R′W(ra) and the fact that RW(ra) ⊒ R′W(ra)
    ∗ dom(mscode) # TA or dom(mscode) ⊆ TA: by assumption.
    ∗ (Aown(a) ∪ Anon−linear) # TA: follows from Aown(a) ∪ Anon−linear ⊆ dom(msdata) # TA.
∗ dom(code) = [b, e]: by assumption.
∗ ([b−1, e +1] ⊆ TA∧ tst = trusted)∨([b−1, e +1] # TA∧σret = ∅∧ tst = untrusted): by assumption
and choice of tst .
∗ σret, σclos, TA `comp−code code: by assumption.
∗ mspad = [b − 1 7→ 0] unionmulti [e + 1 7→ 0]: by assumption
∗ ∀a ∈ dom(code). (n′, (code(a), code(a))) ∈ V,gctst (purePart(ξ(ξ−1(purePart(W ′))))): Note first that
purePart(ξ(ξ−1(purePart(W ′)))) = purePart(W ′).
By Lemma 34, it suffices to prove that:
· W ′.heap(rcode) = ιcode,σret,σclos,mscode,gc : follows by choice of W and the fact that W ′ wW .
· (dom(mscode) # TA and tst = untrusted) or (dom(mscode) ⊆ TA and tst = trusted): by
assumption and choice of tst
  – dom(ιcode,σret,σclos,mscode,gc.Hσ) = σret ⊎ σclos: this follows easily from the definition.
• (n, (wexport, wexport)) ∈ V,gcuntrusted(purePart(W′)):
  We know from our assumptions that
    dom(mscode), Anon−linear, σret, σclos ⊢comp−export wexport
  By Lemma 36, it then suffices to prove that
  – (n, Anon−linear) ∈ readCondition,gc(normal, purePart(W′)): follows by definition from the choice of W (the islands for Anon−linear are pure, so they survive in purePart(W)) and Lemma 47, using that W′ ⊒ W and hence purePart(W′) ⊒ purePart(W)
  – (n, Anon−linear) ∈ writeCondition,gc(normal, purePart(W′)): likewise, by definition from the choice of W and Lemma 47
  – purePart(W′).heap(rcode) = ιcode,σret,σclos,mscode,gc: follows from the choice of W and the fact that W′ ⊒ W
  – dom(mscode) # TA or dom(mscode) ⊆ TA: by assumption.
  – If wexport = sealed(σ, sc) with dom(mscode) ⊆ TA, σ ∈ σclos and executable(sc), then sc behaves reasonably up to n steps: this follows directly from the fact that comp is a reasonable component.
  – Anon−linear # TA: this follows from the facts that Anon−linear ⊆ dom(msdata) # TA.
Note: the trusted case of the above lemma can be considered as a compiler correctness result. The untrusted
case can be considered as a back-translation correctness result.
3.11 Related execution configurations
EC,gc(W ) =

(
n,
(
(msS , regS , stk ,msstk ),
(msT , regT )
))
∣∣∣∣∣∣∣∣∣∣∣∣∣∣
gc = (TA, stk base) and
∃WM ,WR,Wpc.W = WM ⊕WR ⊕Wpc and
(n, ((regS(pc), regS(rdata)), (regT (pc), regT (rdata)))) ∈ E,gcxjmp(Wpc) and
regS(pc) 6= ret-ptr-code( ) ∧ regS(rdata) 6= ret-ptr-data( )∧
nonExecutable(regS(rdata)) ∧ nonExecutable(regT (rdata))
msS ,msstk , stk ,msT :
gc
n WM and
(n, (regS , regT )) ∈ R,gcuntrusted({rdata})(WR)

Lemma 38 (Compatibility lemma for initial execution configuration construction). If
• (n, (comp, comp)) ∈ C,gc(W )
• dom(W.free) = dom(W.priv) = ∅
• comp  Φ,
then ∃W ′ wW such that for all n′ < n
• (n′, (Φ,Φ)) ∈ EC,gc(W ′)
Proof. Take comp = ((mscode,msdata, import , export , σret, σclos, Alinear), cmain,c, cmain,d). Then we know from comp  
Φ that
• cmain,c = sealed(σ1, c′main,c)
• cmain,d = sealed(σ2, c′main,d)
• σ1 = σ2
• reg(pc) = c′main,c
• reg(rdata) = c′main,d
• nonExecutable(c′main,d)
• reg(rstk) = stack-ptr(rw, bstk , estk , estk )
• reg(rstk) = ((rw, linear), bstk , estk , estk )
• reg(RegisterName \ {pc, rdata, rstk}) = 0
• range(msstk ) = {0}
• $mem = ms_{code} \uplus ms_{data} \uplus ms_{stk}$
• [bstk , estk ] = dom(msstk )
• [bstk − 1, estk + 1] # (dom(mscode) ∪ dom(msdata))
• import = ∅
• Φ = (mem, reg , ∅,msstk )
From (n, (comp, comp)) ∈ C,gc(W ), we know that
• {( 7→ cmain,c), ( 7→ cmain,d)} ⊆ export and
• (n, (comp0, comp0)) ∈ C,gc(W ) with
• $comp_0 = (ms_{code}, ms_{data}, a_{import} \mapsto s_{import}, s_{export} \mapsto w_{export}, \sigma_{ret}, \sigma_{clos}, A_{linear})$
From this, it follows that for all $W' \sqsupseteq W$, if $(n', (w_{import}, w_{import})) \in \mathcal{V}^{gc}_{untrusted}(purePart(W'))$ for all $n' < n$ and $ms'_{data} = ms_{data}[a_{import} \mapsto w_{import}]$, then
$$(n, (\sigma_{ret} \uplus \sigma_{clos}, ms_{code} \uplus ms'_{data}, ms_{code} \uplus ms'_{data})) \in \mathcal{H}(W.heap)(W')$$
and
$$(n, (w_{export}, w_{export})) \in \mathcal{V}^{gc}_{untrusted}(purePart(W'))$$
Since $w_{import} = \emptyset$, the former holds vacuously, $ms'_{data} = ms_{data}$ and the latter two results follow for every $W' \sqsupseteq W$.
Now take $r_a$ for $a \in [b_{stk}, e_{stk}]$ arbitrary and
$$\begin{array}{rcl}
W_{stk}.heap &=& \emptyset \\
W_{stk}.priv &=& \emptyset \\
dom(W_{stk}.free) &=& \{ r_a \mid a \in [b_{stk}, e_{stk}] \} \\
W_{stk}.free(r_a) &=& \iota^{std,spatial\_owned,\{a\},gc} \\
W' &=& W \uplus W_{stk} \\
W_{pc} &=& purePart(W') \\
W_R &=& purePart(W) \uplus W_{stk} \\
W_M &=& W \uplus purePart(W_{stk})
\end{array}$$
Then $W' = W_M \oplus W_R \oplus W_{pc}$ (by Lemmas 6, 5, 2 and 4), $W_M \sqsupseteq W$ (by Lemma 11) and $W_{pc} \sqsupseteq purePart(W)$ (by Lemmas 11 and 8).
By definition of EC,gc , it suffices to prove that
• $(n', ((reg(pc), reg(r_{data})), (reg(pc), reg(r_{data})))) \in \mathcal{E}^{gc}_{xjmp}(W_{pc})$: Since $W' \sqsupseteq W$, we know from above that $(n, (w_{export}, w_{export})) \in \mathcal{V}^{gc}_{untrusted}(purePart(W'))$, we have defined $W_{pc} = purePart(W')$ and we know that $\{c_{main,c}, c_{main,d}\} \subseteq c_{export}$. It follows that
$$(n, (c_{main,c}, c_{main,c})) \in \mathcal{V}^{gc}_{untrusted}(W_{pc}) \qquad (n, (c_{main,d}, c_{main,d})) \in \mathcal{V}^{gc}_{untrusted}(W_{pc})$$
Since $W_{pc} = purePart(W')$, Lemma 22 tells us that for $n' < n$,
$$(n', ((c_{main,c}, c_{main,d}), (c_{main,c}, c_{main,d}))) \in \mathcal{E}^{gc}_{xjmp}(W_{pc})$$
Since $reg(pc) = c'_{main,c}$ and $reg(r_{data}) = c'_{main,d}$, this is what we set out to prove.
• – $reg_S(pc) \neq \text{ret-ptr-code}(\_)$,
– $reg_S(r_{data}) \neq \text{ret-ptr-data}(\_)$,
– $nonExecutable(reg_S(r_{data}))$ and
– $nonExecutable(reg_T(r_{data}))$
This follows from the facts that $reg(pc) = c'_{main,c}$, $reg(r_{data}) = c'_{main,d}$, $nonExecutable(c'_{main,d})$, $\{c_{main,c}, c_{main,d}\} \subseteq c_{export}$ and the fact that $c_{export}$ are also valid.
• $ms_S, ms_{stk}, stk, ms_T \models^{gc}_{n'} W_M$: Since $W_M \sqsupseteq W$, we have seen above that
$$(n, (\sigma_{ret} \uplus \sigma_{clos}, ms_{code} \uplus ms_{data}, ms_{code} \uplus ms_{data})) \in \mathcal{H}(W_M.heap)(W_M)$$
and by Lemma 44 also
$$(n', (\sigma_{ret} \uplus \sigma_{clos}, ms_{code} \uplus ms_{data}, ms_{code} \uplus ms_{data})) \in \mathcal{H}(W_M.heap)(W_M)$$
It suffices to prove that also
– $(n', (\emptyset, \emptyset)) \in \mathcal{S}^{gc}(purePart(W_M))$
– $(n', (ms_{stk}, ms_{stk})) \in \mathcal{F}^{gc}(purePart(W_M))$
The former follows vacuously. The latter follows by taking $R_{ms}(r_a) = (ms_{stk}|_{\{a\}}, ms_{stk}|_{\{a\}})$, $R_W(r_a) = purePart(W_M)$ for $a \in [b_{stk}, e_{stk}]$ by Lemmas 6 and 7 if we can show that
$$(n'', (ms_{stk}|_{\{a\}}, ms_{stk}|_{\{a\}})) \in \iota^{std,spatial\_owned,\{a\},gc}.H\ \xi^{-1}(purePart(W_M))$$
for all $n'' < n'$. By definition, it suffices to show that for all $n'' < n'$, we have that
$$(n'', (ms_{stk}(a), ms_{stk}(a))) \in \mathcal{V}^{gc}_{untrusted}(purePart(W_M))$$
But $ms_{stk}(a) = 0$, so this follows easily by definition.
• $(n', (reg, reg)) \in \mathcal{R}^{gc}_{untrusted}(\{r_{data}\})(W_R)$:
We have that $reg(RegisterName \setminus \{pc, r_{data}, r_{stk}\}) = 0$, so by definition, it suffices to prove that
$$(n', (reg(r_{stk}), reg(r_{stk}))) \in \mathcal{V}^{gc}_{untrusted}(W_R)$$
Since $reg(r_{stk}) = \text{stack-ptr}(rw, b_{stk}, e_{stk}, e_{stk})$ and $reg(r_{stk}) = ((rw, linear), b_{stk}, e_{stk}, e_{stk})$, it suffices to prove (by definition) that
$$(n', [b_{stk}, e_{stk}]) \in stackReadCondition^{gc}(W_R) \qquad (n', [b_{stk}, e_{stk}]) \in stackWriteCondition^{gc}(W_R)$$
For both, we can take $S = dom(W_{stk}.free) = \{r_a \mid a \in [b_{stk}, e_{stk}]\}$, $R(r_a) = \{a\}$, and then it suffices to prove that for all $r_a$, $W_R.free(r_a).H \stackrel{n}{\subseteq} \iota^{std,spatial\_owned,\{a\},gc}$ resp. $W_R.free(r_a).H \stackrel{n}{\supseteq} \iota^{std,spatial\_owned,\{a\},gc}$. Both follow easily since $W_R.free(r_a) = W_{stk}.free(r_a) = \iota^{std,spatial\_owned,\{a\},gc}$.
Lemma 39 (Adequacy of execution configuration LR). If
• (n, (ΦS ,ΦT )) ∈ EC,gc(W )
• i ≤ n
• ΦS⇓gci
then ΦT⇓−.
Also, if
• (n, (ΦS ,ΦT )) ∈ EC,gc(W )
• i ≤ n
• ΦT⇓i,
then ΦS⇓gc−.
Proof. First, assume that
• (n, (ΦS ,ΦT )) ∈ EC(W )
• i ≤ n
• ΦS⇓gci
Assume w.l.o.g. that ΦS = (msS , regS , stk ,msstk ), ΦT = (msT , regT ) and gc = (TA, stk base). Then it follows
from (n, (ΦS ,ΦT )) ∈ EC(W ) that there exist WM ,WR,Wpc such that
• W = WM ⊕WR ⊕Wpc
• (n, ((regS(pc), regS(rdata)), (regT (pc), regT (rdata)))) ∈ E,gcxjmp(Wpc)
• – regS(pc) 6= ret-ptr-code( ),
– regS(rdata) 6= ret-ptr-data( ),
– nonExecutable(regS(rdata)) and
– nonExecutable(regT (rdata))
• msS ,msstk , stk ,msT :gcn WM
• (n, (regS , regT )) ∈ R,gcuntrusted({rdata})(WR)
We can then instantiate the conditions from E,gcxjmp with the other conditions from this list to obtain Φ′S ,Φ′T
such that
• Φ′S = xjumpResult(regS(pc), regS(rdata),ΦS)
• Φ′T = xjumpResult(regT (pc), regT (rdata),ΦT )
• (n, (Φ′S ,Φ′T )) ∈ O,(TA,stk base,σglob ret,σglob clos)
Using the facts that regS(pc) 6= ret-ptr-code( ), regS(rdata) 6= ret-ptr-data( ) and nonExecutable(regS(rdata)),
we know (by definition of xjumpResult( , , )) that
• Φ′S = xjumpResult(regS(pc), regS(rdata),ΦS) = ΦS [reg .pc 7→ regS(pc)][reg .rdata 7→ regS(rdata)] = ΦS
• Φ′T = xjumpResult(regT (pc), regT (rdata),ΦT ) = ΦT [reg .pc 7→ regT (pc)][reg .rdata 7→ regT (rdata)] = ΦT
From (n, (ΦS ,ΦT )) ∈ O,(TA,stk base,σglob ret,σglob clos), it follows immediately that if ΦS⇓TA,stk basei with i ≤ n,
then ΦT⇓− as required.
The proof in the other direction is directly analogous.
Lemma 40 (Compatibility lemma for context plugging). If $(n, (C_S, C_T)) \in \mathcal{C}^{gc}(W_1)$ and $(n, (P_S, P_T)) \in \mathcal{C}^{gc}(W_2)$, then $(n', (C_S[P_S], C_T[P_T])) \in \mathcal{EC}^{gc}(W_1 \uplus W_2)$, for all $n' < n$.
Proof. By definition, we have that CS ./ PS  CS [PS ] and CT ./ PT  CT [PT ].
The result follows directly from Lemmas 23 and 38.
4 Full Abstraction
Definition 12 (Source language contextual equivalence). In the source language, we define that $comp_1 \approx_{ctx} comp_2$ iff
$$\forall C.\ \emptyset \vdash C \Rightarrow C[comp_1]\Downarrow^{TA_1, stk\_base_1}_{-} \Leftrightarrow C[comp_2]\Downarrow^{TA_2, stk\_base_2}_{-}$$
with $TA_i = dom(comp_i.ms_{code})$.
Note that we define source language contextual equivalence with respect to contexts that are not in TA. This
means that they are unable to perform calls. We believe this fits with the goal of this work: allow programmers
(or better: authors of previous compiler passes) to reason about their target language programs under a special
perspective, where all calls can be interpreted as calls that actually behave in a well-bracketed way by the opera-
tional semantics. This special perspective is defined by overlaying a different operational semantics on the existing
code: the source language semantics. The fact that source contexts cannot make calls themselves is no problem:
authors of previous compiler passes should only be able to take the perspective that their own calls are guaranteed
to be well-bracketed. It does not matter for them whether calls in the rest of the system are guaranteed to be
well-bracketed. Note also that if the trusted code hands out closures, the context can still invoke them with an
xjmp, rather than a call. That xjmp can even be the one in the implementation of call if the context uses that
implementation. This works perfectly fine, except that the context does not get any well-bracketedness guarantees,
but that doesn’t matter.
Definition 13 (Target language contextual equivalence). In the target language, we define that $comp_1 \approx_{ctx} comp_2$ iff
$$\forall C.\ \emptyset \vdash C \Rightarrow C[comp_1]\Downarrow_{-} \Leftrightarrow C[comp_2]\Downarrow_{-}$$
Theorem 3. For reasonable, well-formed components $comp_1$ and $comp_2$ (with respect to $TA_i = dom(comp_i.ms_{code})$, respectively), we have
$$\begin{array}{c} comp_1 \approx_{ctx} comp_2 \\ \Updownarrow \\ comp_1 \approx_{ctx} comp_2 \end{array}$$
Proof. • Consider first the upward arrow. Assume comp1 ≈ctx comp2.
Take a C such that ∅ ` C , take TA,i = dom(compi.mscode), σglob reti = compi.σret and σglob closi =
compi.σclos, gci = (TA,i, stk basei, σglob reti, σglob closi) and we will prove that C [comp1]⇓gc1− ⇔ C [comp2]⇓gc2− .
By symmetry, we can assume w.l.o.g. that C [comp1]⇓gc1− and prove that C [comp2]⇓gc2− . Note that this
implies that C is a valid context for both comp1 and comp2.
First, we show that also C [comp1]⇓−. Take n the amount of steps in the termination of C [comp1]⇓gc1− .
It follows from Lemma 37 that $(n+1, (comp_1, comp_1)) \in \mathcal{C}^{gc_1}(W_1)$ for some $W_1$ with $dom(W.free) = dom(W.priv) = \emptyset$. It also follows from the same Lemma 37 and Lemma 1 that $(n+1, (C, C)) \in \mathcal{C}^{gc_1}(W'_1)$ for some $W'_1$ that we can choose such that $W_1 \uplus W'_1$ is defined. Lemma 40 then tells us that $(n, (C[comp_1], C[comp_1])) \in \mathcal{EC}^{gc_1}(W_1 \uplus W'_1)$. Together with $C[comp_1]\Downarrow^{gc_1}_{n}$, Lemma 39 then tells us that $C[comp_1]\Downarrow_{-}$.
It follows from comp1 ≈ctx comp2 that also C [comp2]⇓−.
It now remains to show that also $C[comp_2]\Downarrow^{gc_2}_{-}$. Take $n'$ the number of steps in the termination of $C[comp_2]\Downarrow_{-}$. It follows from Lemma 37 that $(n'+1, (comp_2, comp_2)) \in \mathcal{C}^{gc_2}(W_2)$ for some $W_2$ with $dom(W.free) = dom(W.priv) = \emptyset$. It also follows from the same Lemma 37 and Lemma 1 that $(n'+1, (C, C)) \in \mathcal{C}^{gc_2}(W'_2)$ for some $W'_2$ that we can choose such that $W_2 \uplus W'_2$ is defined. Lemma 40 then tells us that $(n', (C[comp_2], C[comp_2])) \in \mathcal{EC}^{gc_2}(W_2 \uplus W'_2)$. Together with $C[comp_2]\Downarrow_{n'}$, Lemma 39 then tells us that $C[comp_2]\Downarrow^{gc_2}_{-}$, concluding this direction of the proof.
• The downward arrow is similar.
Assume comp1 ≈ctx comp2. Take TA,i = dom(compi.mscode), σglob reti = compi.σret and σglob closi =
compi.σclos, gci = (TA,i, stk basei, σglob reti, σglob closi).
Take a C such that ∅ ` C and we will prove that C [comp1]⇓− ⇔ C [comp2]⇓−.
By symmetry, we can assume w.l.o.g. that C [comp1]⇓− and prove that C [comp2]⇓−. Note that this implies
that C is a valid context for both comp1 and comp2.
First, we show that also $C[comp_1]\Downarrow^{gc_1}_{-}$. Take $n$ the number of steps in the termination of $C[comp_1]\Downarrow_{-}$. It follows from Lemma 37 that $(n+1, (comp_1, comp_1)) \in \mathcal{C}^{gc_1}(W_1)$ for some $W_1$ with $dom(W.free) = dom(W.priv) = \emptyset$. It also follows from the same Lemma 37 and Lemma 1 that $(n+1, (C, C)) \in \mathcal{C}^{gc_1}(W'_1)$ for some $W'_1$ that we can choose such that $W_1 \uplus W'_1$ is defined. Lemma 40 then tells us that $(n, (C[comp_1], C[comp_1])) \in \mathcal{EC}^{gc_1}(W_1 \uplus W'_1)$. Together with $C[comp_1]\Downarrow_{n}$, Lemma 39 then tells us that $C[comp_1]\Downarrow^{gc_1}_{-}$.
It follows from comp1 ≈ctx comp2 that also C [comp2]⇓gc2− .
It now remains to show that also $C[comp_2]\Downarrow_{-}$. Take $n'$ the number of steps in the termination of $C[comp_2]\Downarrow^{gc_2}_{-}$. It follows from Lemma 37 that $(n'+1, (comp_2, comp_2)) \in \mathcal{C}^{gc_2}(W_2)$ for some $W_2$ with $dom(W.free) = dom(W.priv) = \emptyset$. It also follows from the same Lemma 37 and Lemma 1 that $(n'+1, (C, C)) \in \mathcal{C}^{gc_2}(W'_2)$ for some $W'_2$ that we can choose such that $W_2 \uplus W'_2$ is defined. Lemma 40 then tells us that
$$(n', (C[comp_2], C[comp_2])) \in \mathcal{EC}^{gc_2}(W_2 \uplus W'_2)$$
Together with $C[comp_2]\Downarrow_{n'}$, Lemma 39 then tells us that $C[comp_2]\Downarrow_{-}$, concluding the second direction of the proof.
5 Lemmas
Lemma 41. If $r, r' \in dom(W.heap)$ and $W.heap(r) = (pure, \_, H_\sigma)$ and $W.heap(r') = (pure, \_, H'_\sigma)$ and $\sigma \in dom(H_\sigma)$ and $\sigma \in dom(H'_\sigma)$ and $ms_S, stk, ms_{stk}, ms_T \models^{gc}_{n} W$, then
$$H_\sigma = H'_\sigma \text{ and } r = r'$$
Proof. This follows easily by definition of $ms_S, stk, ms_{stk}, ms_T \models^{gc}_{n} W$ and $\mathcal{H}$.
Lemma 42. If $(n, [b, e]) \in stackReadCondition^{gc}(W)$, and $(n, [b, e]) \in stackWriteCondition^{gc}(W)$, and $ms_S, stk, ms_{stk}, ms_T \models^{gc}_{n} W$, then
$$\exists S \subseteq addressable(linear, W.free).\ \exists R : S \to \mathcal{P}(\mathbb{N}).\ \biguplus_{r \in S} R(r) = [b, e] \wedge \forall r \in S.\ W.free(r).H \stackrel{n}{=} \iota^{std,p,R(r),gc}.H \wedge |R(r)| = 1 \wedge W.free(r) \text{ is address-stratified}$$
Proof. By assumption we get
1. SR ⊆ addressable(linear,W.free)
2. RR : SR → P(N)
3. SW ⊆ addressable(linear,W.free)
4. RW : SW → P(N)
such that
5. $\biguplus_{r \in S_R} R_R(r) = [b, e]$
6. $\forall r \in S_R.\ W.free(r).H \stackrel{n}{\subseteq} \iota^{std,p,R_R(r),gc}.H$ and $|R_R(r)| = 1$
7. $\biguplus_{r \in S_W} R_W(r) = [b, e]$
8. $\forall r \in S_W.\ W.free(r).H \stackrel{n}{\supseteq} \iota^{std,p,R_W(r),gc}.H$ and $|R_W(r)| = 1$ and $W.free(r)$ is address-stratified
Now pick S = SR ∪ SW and show
∀r ∈ S.RR(r) = RW (r)
Assuming for contradiction $\exists r \in S.\ R_R(r) \neq R_W(r)$, we have $W.free(r).H \stackrel{n}{\subseteq} \iota^{std,p,\ast,gc}.H$ and $W.free(r).H \stackrel{n}{\supseteq} \iota^{std,p,-,gc}.H$ for two distinct singleton sets $\ast$ and $-$. Due to the memory satisfaction assumption $W.free(r)$ is non-empty and it is trivial to show that so are the standard regions. From the above, we can conclude that $W.free(r)$ should contain some $ms$ with $dom(ms) = \ast$ and $dom(ms) = -$, which contradicts the address stratification assumption.
Now pick
$$R = R_R(r) \text{ for } r \in S$$
We first show $\biguplus R(r) \supseteq [b, e]$. For $a \in [b, e]$ we know that there exist $r_1$ and $r_2$ such that $R_W(r_1) = R_R(r_2) = \{a\}$.
It suffices to show r1 = r2. To this end assume the contrary. This, the address-stratification assumption on all
write regions, the n-subset of a standard region for read regions, and memory satisfaction lead to a contradiction
as any part of memory only can be governed by one region. Address-stratification and the singleton requirement
follows trivially from the assumptions from the write region. Finally the n-equality follows from Lemma 43.
Lemma 43. If $\iota.H \stackrel{n}{\subseteq} \iota^{std,v,A,gc}.H$ and $\iota.H \stackrel{n}{\supseteq} \iota^{std,v,A,gc}.H$, then $\iota.H \stackrel{n}{=} \iota^{std,v,A,gc}.H$.
Proof. By definition.
6 Proofs
6.1 Lemmas
In this section, I have listed lemmas that seem to be necessary for the FTLR proof.
Lemma 44 (Downwards closure of relations). If n′ ≤ n, then
• If (n,A) ∈ readCondition,gc(l ,W ), then (n′, A) ∈ readCondition,gc(l ,W ).
• If (n,A) ∈ stackReadCondition,gc(l ,W ), then (n′, A) ∈ stackReadCondition,gc(l ,W ).
• If (n,A) ∈ writeCondition,gc(l ,W ), then (n′, A) ∈ writeCondition,gc(l ,W ).
• If (n,A) ∈ stackWriteCondition,gc(l ,W ), then (n′, A) ∈ stackWriteCondition,gc(l ,W ).
• If (n,A) ∈ executeCondition,gc(l ,W ), then (n′, A) ∈ executeCondition,gc(l ,W ).
• If (n,A) ∈ readXCondition,gc(W ), then (n′, A) ∈ readXCondition,gc(W ).
• If (n, (w,w′)) ∈ V,gctst (W ), then (n′, (w,w′)) ∈ V,gctst (W ).
• If (n, (w,w′)) ∈ R,gctst (W ), then (n′, (w,w′)) ∈ R,gctst (W ).
• If (n, (msstk ,msT )) ∈ Fgc(W ), then (n′, (msstk ,msT )) ∈ Fgc(W ).
• If (n, (msstk ,msT )) ∈ Sgc(W ), then (n′, (msstk ,msT )) ∈ Sgc(W ).
• If (n, (σ,msS ,msT )) ∈ HW.heap(W ), then (n′, (σ,msS ,msT )) ∈ HW.heap(W ).
• (msS , stk ,msstk ,msT ) :gcn W , then also (msS , stk ,msstk ,msT ) :gcn′ W .
Proof. The properties for readCondition,gc , stackReadCondition,gc , writeCondition,gc , stackWriteCondition,gc ,
executeCondition,gc , readXCondition,gc follow easily by definition. The property for V,gcuntrusted follows from the
others and by definition. The property for R,gcuntrusted follows directly from the one for V,gcuntrusted.
The property for H, (n, ( , )) ∈ Fgc( ), (n, ( , )) ∈ Sgc( ) follows by their definition from the quantifications
over n′ < n, and the property for ( , , , ) :n W follows from those.
Lemma 45 (Properties of n-equality of worlds). If $W_1 \stackrel{n}{=} W_2$ then
• purePart(W1) n= purePart(W2)
• If W ′1 wW1 then there exists a W ′2 such that W ′2 n= W ′1 and W ′2 wW2.
• If W ′1 ⊕W1 is defined, then there exists a W ′2 n= W ′1 and W ′2 ⊕W2 is defined.
• If W1 = W ′1 ⊕W ′′1 then there exist W ′2 n= W ′1 and W ′′2 n= W ′′1 such that W2 = W ′2 ⊕W ′′2 .
• If W ′1 n= W ′2 then W1 ⊕W ′1 n= W2 ⊕W ′2.
• ξ−1(W1) n−1= ξ−1(W2)
Proof. Easy to prove by unfolding definitions and making unsurprising choices for existentially quantified worlds.
Lemma 46 (Non-expansiveness of relations). If $W \stackrel{n}{=} W'$, then
• $readCondition^{gc}(W) \stackrel{n}{=} readCondition^{gc}(W')$.
• $stackReadCondition^{gc}(l, W) \stackrel{n}{=} stackReadCondition^{gc}(l, W')$.
• $writeCondition^{gc}(l, W) \stackrel{n}{=} writeCondition^{gc}(l, W')$.
• $stackWriteCondition^{gc}(l, W) \stackrel{n}{=} stackWriteCondition^{gc}(l, W')$.
• $readXCondition^{gc}(W) \stackrel{n}{=} readXCondition^{gc}(W')$.
• $\mathcal{E}^{gc}(W) \stackrel{n}{=} \mathcal{E}^{gc}(W')$.
• $\mathcal{E}^{gc}_{xjmp}(W) \stackrel{n}{=} \mathcal{E}^{gc}_{xjmp}(W')$.
• $executeCondition^{gc}(l, W) \stackrel{n}{=} executeCondition^{gc}(l, W')$.
• $\mathcal{V}^{gc}_{tst}(W) \stackrel{n}{=} \mathcal{V}^{gc}_{tst}(W')$.
• $\mathcal{R}^{gc}_{tst}(W) \stackrel{n}{=} \mathcal{R}^{gc}_{tst}(W')$.
• If $(n, (ms_{stk}, ms_T)) \in \mathcal{F}^{gc}(W)$, then $(n, (ms_{stk}, ms_T)) \in \mathcal{F}^{gc}(W')$.
• If $(n, (ms_{stk}, ms_T)) \in \mathcal{S}^{gc}(W)$, then $(n, (ms_{stk}, ms_T)) \in \mathcal{S}^{gc}(W')$.
• If $(n, (\sigma, ms_S, ms_T)) \in \mathcal{H}_{W.heap}(W)$, then $(n, (\sigma, ms_S, ms_T)) \in \mathcal{H}_{W'.heap}(W')$.
• $(ms_S, stk, ms_{stk}, ms_T) \models^{gc}_{n} W$ iff $(ms_S, stk, ms_{stk}, ms_T) \models^{gc}_{n} W'$.
Proof. The properties for $readCondition^{gc}$, $stackReadCondition^{gc}$, $writeCondition^{gc}$, $stackWriteCondition^{gc}$, $readXCondition^{gc}$ follow from the fact that these are defined to use the world only for comparing regions using $\stackrel{n}{=}$, $\stackrel{n}{\subseteq}$ and $\stackrel{n}{\supseteq}$.
The property for E,gc and E,gcxjmp follow from Lemma 45.
The property for executeCondition,gc follows from Lemma 45 and the property for E,gc .
The property for V,gcuntrusted follows from the other properties, by definition, from Lemma 45, and non-expansiveness
of regions.
The property of R,gcuntrusted follows from the one for V,gcuntrusted.
The property forH, (n, ( , )) ∈ Fgc( ), (n, ( , )) ∈ Sgc( ) and ( , , , ) :n W follows from the non-expansiveness
of regions in the world and Lemma 45.
Lemma 47 (World monotonicity of relations). For all n, W ′ wW , we have that
• If (w1, w2) ∈ Hσ σ W , then (w1, w2) ∈ Hσ σ W ′.
• If (n, (w1, w2)) ∈ V,gcuntrusted(W ), then (n, (w1, w2)) ∈ V,gcuntrusted(W ′).
• If (n, (σ,msS ,msT )) ∈ H(W1.heap)(W ), then (n, (σ,msS ,msT )) ∈ H(W1.heap)(W ′).
Proof. Follows from the definitions. Note: the proof for H relies on Lemma 3.
Lemma 48 (O,(TA,stk base,σglob ret,σglob clos) closed under target language antireduction). For all ΦS, ΦT , Φ′T , j,
n, if
ΦT →j Φ′T and (n− j, (ΦS ,Φ′T )) ∈ O,(TA,stk base,σglob ret,σglob clos),
then
(n, (ΦS ,ΦT )) ∈ O,(TA,stk base,σglob ret,σglob clos)
Proof. Special case of Lemma 50.
Lemma 49 (O,(TA,stk base,σglob ret,σglob clos) closed under source language antireduction). For all ΦS, ΦT , Φ′T , j,
n, if
ΦS →gcj Φ′S and (n− j, (Φ′S ,ΦT )) ∈ O,(TA,stk base,σglob ret,σglob clos),
then
(n, (ΦS ,ΦT )) ∈ O,(TA,stk base,σglob ret,σglob clos)
Proof. Special case of Lemma 50.
Lemma 50 (O,gc closed under antireduction (generalised previous lemma)). For all ΦS, Φ′S, ΦT , Φ′T , jS , jT , n,
if
• ΦS →gcjS Φ′S
• ΦT →jT Φ′T
• (n, (Φ′S ,Φ′T )) ∈ O,gc
then
(n+ min(jS , jT ), (ΦS ,ΦT )) ∈ O,gc
Proof. Our two languages are deterministic, so we have that $\Phi_S\Downarrow^{TA,stk\_base}_{-}$ iff $\Phi'_S\Downarrow^{TA,stk\_base}_{-}$ and $\Phi_T\Downarrow_{-}$ iff $\Phi'_T\Downarrow_{-}$. It is also easy to show that if $\Phi_S\Downarrow^{TA,stk\_base}_{i+\min(j_S,j_T)}$, then $\Phi'_S\Downarrow^{TA,stk\_base}_{i}$, and if $\Phi_T\Downarrow_{i+\min(j_S,j_T)}$, then $\Phi'_T\Downarrow_{i}$. The result then follows easily by definition of O,gc and O,gc.
Lemma 51 (Capability safety doesn’t depend on address). If
(n, ((perm, l), b, e, a), ((perm, l), b, e, a)) ∈ V,gctst (W )
then
(n, ((perm, l), b, e, a ′), ((perm, l), b, e, a ′)) ∈ V,gctst (W )
Proof. Direct from the definition of V,gctst.
Lemma 52 (Stack capability safety doesn’t depend on address). If
(n, ((stack-ptr(perm, b, e, a), (perm, l), b, e, a))) ∈ V,gctst (W )
then
(n, (stack-ptr(perm, b, e, a ′), ((perm, l), b, e, a ′))) ∈ V,gctst (W )
Proof. Direct from the definition of V,gctst .
Lemma 53 (Seal safety doesn’t depend on current seal). If
(n, (seal(σb , σe , σ), seal(σb , σe , σ))) ∈ V,gctst (W )
then
$$(n, (seal(\sigma_b, \sigma_e, \sigma'), seal(\sigma_b, \sigma_e, \sigma'))) \in \mathcal{V}^{gc}_{tst}(W)$$
Proof. Direct from the definition of V,gctst .
Lemma 54 (Capability safety monotone w.r.t. permission). If
(n, ((perm, l), b, e, a), ((perm, l), b, e, a)) ∈ V,gctst (W )
and
perm ′ v perm
then
(n, ((perm ′, l), b, e, a), ((perm ′, l), b, e, a)) ∈ V,gctst (W )
Proof. Direct from the definition of v and V,gctst .
Lemma 55 (Capability splitting retains safety for normal capabilities). If
• (n, (c, c)) ∈ V,gctst (W )
• c = ((perm, l), b, e, a)
• b ≤ s < e
• c1 = ((perm, l), b, s, a)
• c2 = ((perm, l), s+ 1, e, a)
• c3 = linearityConstraint(c)
• msS , stk ,msstk ,msT :gcn W ⊕ purePart(W1 ⊕W2 ⊕W3)
then there exist W1,W2,W3 such that
• W = W1 ⊕W2 ⊕W3
• (n, (c1, c1)) ∈ V,gctst (W1)
• (n, (c2, c2)) ∈ V,gctst (W2)
• (n, (c3, c3)) ∈ V,gctst (W3)
Proof. If l = normal, then we pick W3 = W and W1 = W2 = purePart(W3) which easily satisfies W = W1⊕W2⊕
W3.
Assuming gc = (TA, gc, σglob ret, σglob clos), we know by assumption (n, (c, c)) ∈ V,gctst (W ) that either
• TA ⊆ [b, e]; or
• TA#[a, e]
In the former case, the result follows from Lemma 29 and Lemma 30.
In the latter case, we know that [b, s], [s + 1, e] 6= ∅ because b ≤ s < e, so the result follows from Lemma 29
and Lemma 30.
If l = linear, then we know from (n, (c, c)) ∈ V,gctst (W ) and w.l.o.g we can assume
• (n, [b, e]) ∈ readCondition,gc(linear,W )
• (n, [b, e]) ∈ writeCondition,gc(linear,W )
from this, we get Sread ⊆ addressable(linear,W.heapW ) and Rread : Sread →Worldprivate stack such that
• ⊎r∈Sread Rread(r) ⊇ A
• ∀r. |Rread(r)| = 1
• ∀r ∈ Sread .W.heap(r).H
n⊆ ιstd,p,Rread (r),gc .H
and Swrite ⊆ addressable(linear,W.heapW ) and Rwrite : Swrite →Worldprivate stack such that
• ⊎r∈Swrite Rwrite(r) ⊇ A
• ∀r. |Rwrite(r)| = 1
• ∀r ∈ Swrite .W.heap(r).H
n⊇ ιstd,p,Rwrite(r),gc .H ∧W.heap(r) is address-stratified
Now we would like to show $R^{-1}_{read}([b, e]) = R^{-1}_{write}([b, e])$. We know that the two sets are the same size as both
R’s map to singleton sets. This means that there exists r 6= r′ s.t. Rread(r) = Rwrite(r′) = {a ′} for a ′ ∈ [b, e].
By definition of the standard region, we know that for any Wˆ and any ms and ms ′ where (n− 1, (ms,ms ′)) ∈
W.heap(r) we have dom(ms) = dom(ms ′) = {a′}.
By assumption W.heap(r) is address-stratified which means that for any Wˆ and any ms and ms ′ where
$(n-1, (ms, ms')) \in W.heap(r)$ we have $dom(ms) = dom(ms') = \{a'\}$.
By the memory satisfaction, the memory must be split into disjointed parts that each satisfy a region. With
two regions that require a memory segment pair with the same domain, we cannot satisfy all the regions, so we
must have
Now pick $W_1$ as the world that owns $R^{-1}_{read}([b, s])$, $W_2$ the world that owns $R^{-1}_{read}([s+1, e])$, and $W_3$ as the world that owns the remaining regions of $W$.
It is clearly the case that W = W1 ⊕W2 ⊕W3.
In this case, we need to show
(n, (0, 0)) ∈ V,gctst (W3)
which is trivially the case.
For the remaining, it suffices to show
• (n, [b, s]) ∈ readCondition,gc(linear,W1)
• (n, [b, s]) ∈ writeCondition,gc(linear,W1)
• (n, [s+ 1, e]) ∈ readCondition,gc(linear,W2)
• (n, [s+ 1, e]) ∈ writeCondition,gc(linear,W2)
which follows by assumption.
Lemma 56 (Capability splitting retains safety for stack capabilities). If
• (n, (cS , cT )) ∈ V,gctst (W )
• cS = stack-ptr(perm, b, e, a)
• cT = ((perm, linear), b, e, a)
• b ≤ n ≤ e
• c1,S = stack-ptr(perm, b, n, a)
• c1,T = ((perm, linear), b, n, a)
• c2,S = stack-ptr(perm, n, e, a)
• c2,T = ((perm, linear), n, e, a)
• c3 = 0
then there exist W1,W2,W3 such that
• W = W1 ⊕W2 ⊕W3
• (n, (c1,S , c1,T )) ∈ V,gctst (W1)
• (n, (c2,S , c2,T )) ∈ V,gctst (W2)
• (n, (c3, c3)) ∈ V,gctst (W3)
Proof. Similar to the proof of Lemma 55.
Lemma 57 (Capability splicing retains safety for normal capabilities). If
• (n, (c1, c1)) ∈ V,gctst (W1)
• (n, (c2, c2)) ∈ V,gctst (W2)
• c1 = ((perm, l), b,m, a)
• c2 = ((perm, l),m+ 1, e, a)
• c = ((perm, l), b, e, a)
• b ≤ m ≤ e
• c′1 = linearityConstraint(c1)
• c′2 = linearityConstraint(c2)
• W1 ⊕W2 ⊕WM is defined
• msS , stk ,msstk ,msT :gcn WM
then there exist $W'_1, W'_2, W'_3$ such that
• W1 ⊕W2 = W ′1 ⊕W ′2 ⊕W ′3
• (n, (c, c)) ∈ V,gctst (W ′3)
• (n, (c′1, c′1)) ∈ V,gctst (W ′1)
• (n, (c′2, c′2)) ∈ V,gctst (W ′2)
Proof. From (n, (c1, c1)) ∈ V,gctst (W1) and (n, (c2, c2)) ∈ V,gctst (W2), it follows that either ([b,m] # TA or [b,m] ⊆
TA) and also either ([m+ 1, e] # TA or [m+ 1, e] ⊆ TA).
Consider first the case where either [b,m] ⊆ TA or [m+ 1, e] ⊆ TA. Then by definition of V,gctst , we have that
l = normal, tst = trusted and (n, [b,m]) ∈ readXCondition,gc(W1) or (n, [m+ 1, e]) ∈ readXCondition,gc(W2),
respectively. It follows by definition of readXCondition,gc and ιcode, that [b − 1,m + 1] or [m, e + 1] ⊆ TA,
respectively, so that it is impossible that [m + 1, e] # TA or [b,m] # TA respectively. In other words, we must
have that both [b,m] ⊆ TA and [m+ 1, e] ⊆ TA.
From Lemma 32, it follows that also $(n, [b, e]) \in readXCondition^{gc}(W_1 \oplus W_2)$ and from Lemma 29, it follows that $(n, [b, e]) \in readXCondition^{gc}(purePart(W_1 \oplus W_2))$. Finally, we have that $(n, (c, c)) \in \mathcal{V}^{gc}_{tst}(purePart(W_1 \oplus W_2))$. We can take $W'_3 = purePart(W_1 \oplus W_2)$, $W'_1 = W_1$ and $W'_2 = W_2$ and the remaining proof obligations follow by assumption and by Lemmas 6 and 2.
Now consider the case that both [b,m] # TA and [m + 1, e] # TA. The results now follow by definition of
V,gcuntrusted, using Lemma 32 and 29, taking W ′3 = W1 ⊕W2 and W ′1 = purePart(W1) and W ′2 = purePart(W2).
Lemma 58 (Capability splicing retains safety for stack capabilities). If
• (n, (c1,S , c1,T )) ∈ V,gctst (W1)
• (n, (c2,S , c2,T )) ∈ V,gctst (W2)
• b ≤ m ≤ e
• c1,S = stack-ptr(perm, b,m, a)
• c1,T = ((perm, linear), b,m, a)
• c2,S = stack-ptr(perm,m+ 1, e, a)
• c2,T = ((perm, linear),m+ 1, e, a)
• cS = stack-ptr(perm, b, e, a)
• cT = ((perm, linear), b, e, a)
then we have that
• (n, (cS , cT )) ∈ V,gctst (W1 ⊕W2)
Proof. This follows easily by definition of V,gcuntrusted and using Lemma 32.
Lemma 59 (Stack capability safety monotone w.r.t. permission). If
(n, (stack-ptr(perm, b, e, a), ((perm, l), b, e, a))) ∈ V,gctst (W )
and
perm ′ v perm
then
(n, (stack-ptr(perm ′, b, e, a), ((perm ′, l), b, e, a))) ∈ V,gctst (W )
Proof. Follows directly from the definition.
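As an added, executable illustration (not the report's own code) of the side conditions that Lemmas 54 to 59 attach to restricting, splitting and splicing capabilities, the following Python model checks those conditions on words of the report's shapes ((perm, l), b, e, a) and stack-ptr(perm, b, e, a). It assumes that permissions are subsets of {r, w, x} ordered by inclusion and that stack pointers split into [b, s] and [s+1, e], the adjacent form Lemma 58 splices back together.

```python
# Added model (not from the report): side conditions of Lemmas 54-59 on
# capability restriction, splitting and splicing, plus linearityConstraint.
# Assumptions: permissions are subsets of {r, w, x} ordered by inclusion;
# stack pointers split into [b, s] and [s+1, e] like normal capabilities.
from dataclasses import dataclass, replace
from typing import FrozenSet, Optional, Tuple, Union

Perm = FrozenSet[str]

@dataclass(frozen=True)
class Cap:
    """Target-level capability ((perm, l), b, e, a); linear=True means l = linear."""
    perm: Perm
    linear: bool
    b: int
    e: int
    a: int

@dataclass(frozen=True)
class StackPtr:
    """Source-level stack-ptr(perm, b, e, a); its target counterpart is always linear."""
    perm: Perm
    b: int
    e: int
    a: int

Word = Union[Cap, StackPtr, int]  # the integer 0 stands for a non-capability word

def perm_leq(lower: Perm, upper: Perm) -> bool:
    """perm' ⊑ perm, modelled as subset inclusion (assumption)."""
    return lower <= upper

def restrict(c: Word, perm: Perm) -> Optional[Word]:
    """Lemmas 54/59: lowering the permission of a safe capability keeps it safe;
    raising it is refused (None)."""
    if isinstance(c, int) or not perm_leq(perm, c.perm):
        return None
    return replace(c, perm=perm)

def linearity_constraint(c: Word) -> Word:
    """linearityConstraint(c): a linear capability (or stack pointer) is consumed,
    so the slot it came from becomes 0; a normal capability stays usable."""
    if isinstance(c, StackPtr) or (isinstance(c, Cap) and c.linear):
        return 0
    return c

def split(c: Word, s: int) -> Optional[Tuple[Word, Word, Word]]:
    """Lemmas 55/56: split [b, e] at s with b <= s < e into [b, s] and [s+1, e].
    Returns (c1, c2, c3) where c3 = linearityConstraint(c)."""
    if isinstance(c, int) or not (c.b <= s < c.e):
        return None
    return replace(c, e=s), replace(c, b=s + 1), linearity_constraint(c)

def splice(c1: Word, c2: Word) -> Optional[Tuple[Word, Word, Word]]:
    """Lemmas 57/58: splice adjacent [b, m] and [m+1, e] of the same kind,
    permission and linearity into [b, e]. Returns (c, c1', c2') with
    ci' = linearityConstraint(ci); any violated side condition yields None."""
    if isinstance(c1, int) or isinstance(c2, int) or type(c1) is not type(c2):
        return None
    if c1.perm != c2.perm or c2.b != c1.e + 1 or c1.b > c2.e:
        return None
    if isinstance(c1, Cap) and c1.linear != c2.linear:
        return None
    merged = replace(c1, e=c2.e)
    return merged, linearity_constraint(c1), linearity_constraint(c2)

def roundtrip(c: Word, s: int) -> Optional[Tuple[Word, Word, Word, Word]]:
    """Split at s, then splice the halves back. Returns every word the two
    operations leave behind: (c3, c1', c2', c) in the lemmas' notation."""
    parts = split(c, s)
    if parts is None:
        return None
    c1, c2, c3 = parts
    merged = splice(c1, c2)
    if merged is None:
        return None
    c_back, c1p, c2p = merged
    return c3, c1p, c2p, c_back

def live_count(words) -> int:
    """Number of capability words (anything other than 0) among the results."""
    return sum(1 for w in words if not isinstance(w, int))
```

For a linear capability `roundtrip` leaves exactly one live word, while a normal one leaves four (the original, both halves and the spliced copy); that difference is the duplication the linear case rules out.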
Lemma 60 (readCondition works). If
• (msS , stk ,msstk ,msT ) :gcn WM
• (n, (b, e)) ∈ readCondition,gc(l,W )
• a ∈ [b, e]
• W ⊕WM is defined
• n′ < n
Then (n′, (msS(a),msT (a))) ∈ V,gcuntrusted(W ′) for some W ′ such that WM = W ′ ⊕W ′M . Additionally, if
• (n, (b, e)) ∈ writeCondition,gc(l,W )
Then $(ms_S[a \mapsto 0], stk, ms_{stk}, ms_T[a \mapsto 0]) \models^{gc}_{n} W'_M$.
Proof. From $(n, (b, e)) \in readCondition^{gc}(l, W)$, we get an $S \subseteq addressable(l, W.heap)$, an $R : S \to \mathcal{P}(\mathbb{N})$ with $\biguplus_{r \in S} R(r) \supseteq [b, e]$ and $W.heap(r).H \stackrel{n}{\subseteq} \iota^{std,p,R(r),gc}.H$ for all $r \in S$.
Since a ∈ [b, e], there is a unique r ∈ S such that a ∈ R(r).
Since W ⊕WM is defined, we have that r ∈ dom(W.heap) = dom(WM .heap) and W.heap(r)⊕WM .heap(r) is
defined.
From $(ms_S, stk, ms_{stk}, ms_T) \models^{gc}_{n} W_M$, we get that $stk = (opc_0, ms_0) :: \cdots :: (opc_m, ms_m)$, $ms_S \uplus ms_{stk} \uplus ms_0 \uplus \cdots \uplus ms_m$ is defined, $W_M = W_{stack} \oplus W_{free\_stack} \oplus W_{heap}$ and $\exists ms_{T,stack}, ms_{T,free\_stack}, ms_{T,heap}, ms_{T,f}, ms_{S,f}, ms'_S$ such that
• msS = msS,f unionmultims ′S
• msT = msT ,stack unionmultimsT ,free stack unionmultimsT ,heap unionmultimsT,f
• (n, (stk ,msT ,stack )) ∈ Sgc(Wstack )
• (n, (msstk ,msT ,free stack )) ∈ Fgc(Wfree stack )
• (n, (σ,ms ′S ,msT ,heap)) ∈ H(WM )(Wheap).
From $(n, (\sigma, ms'_S, ms_{T,heap})) \in \mathcal{H}(W_M)(W_{heap})$, we get an $R_{ms} : dom(active(W_{heap}.heap)) \to MemorySegment \times MemorySegment$ with $ms_{T,heap} = \biguplus_{r \in dom(active(W_{heap}.heap))} \pi_2(R_{ms}(r))$ and $ms_S = \biguplus_{r \in dom(active(W_{heap}.heap))} \pi_1(R_{ms}(r))$, and $\exists R_W : dom(active(W_{heap}.heap)) \to World$ with $W_{heap} = \bigoplus_{r \in dom(active(W_{heap}.heap))} R_W(r)$ such that for all $r \in active(W_M.heap)$ we have $(n', R_{ms}(r)) \in W_{heap}.heap(r).H\ \xi^{-1}(R_W(r))$ for all $n' < n$. We also get an $R_{seal} : dom(active(W.heap)) \to \mathcal{P}(Seal)$ such that $\biguplus_{r \in dom(active(W.heap))} R_{seal}(r) \subseteq \sigma$ and $dom(W.heap(r).H_\sigma) = R_{seal}(r)$.
We have that r ∈ addressable(l ,W.heap) ⊆ active(Wheap .heap), so (n′, Rms(r)) ∈WM .heap(r).H ξ−1(RW (r)).
Because $W.heap(r).H \stackrel{n}{\subseteq} \iota^{std,p,R(r),gc}.H$ and $W \oplus W_M$ is defined, it follows that also $W_M.heap(r).H \stackrel{n}{\subseteq} \iota^{std,p,R(r),gc}.H$. This means that also $(n', R_{ms}(r)) \in H^{std}_{R(r)}\ \xi^{-1}(R_W(r))$.
From this, it follows that dom(Rms(r).1) = dom(Rms(r).2) = R(r) and we get a S : R(r) → World with
ξ(ξ−1(RW (r))) = ⊕a∈R(r)S(a) and ∀a ∈ R(r). (n′, (msS(a),msT (a))) ∈ V,gcuntrusted(S(a)).
Since a ∈ R(r), we have that (n′, (msS(a),msT (a))) ∈ V,gcuntrusted(S(a)) and we can take W ′M = W ′r ⊕W ′heap ⊕
(Wstack ⊕Wfree stack ) with W ′r = ⊕a∈(R(r)\{a})S(a) and W ′heap = ⊕r′∈(dom(active(Wheap .heap))\{r})RW (r′), and get
S(a)⊕W ′M = S(a)⊕ (W ′r ⊕W ′heap ⊕ (Wstack ⊕Wfree stack ))
= ⊕a∈R(r)S(a)⊕W ′heap ⊕ (Wstack ⊕Wfree stack )
= ξ(ξ−1(RW (r)))⊕W ′heap ⊕ (Wstack ⊕Wfree stack )
= RW (r)⊕W ′heap ⊕ (Wstack ⊕Wfree stack )
= ⊕r∈dom(active(Wheap .heap))RW (r)⊕ (Wstack ⊕Wfree stack )
= Wheap ⊕ (Wstack ⊕Wfree stack )
= WM
Additionally, if (n, (b, e)) ∈ writeCondition,gc(l,W ), then we get an S′ ⊆ addressable(l ,W.heap) ⊆ active(WM .heap),
an R′ : S′ → P(N) such that ⊎r∈S′ R′(r) ⊇ [b, e] and for all r ∈ S′, W.heap(r).H n⊇ ιstd,p,R′(r),gc .H and W.heap(r) is
address-stratified.
Since a ∈ [b, e], there is an r′ ∈ S′ such that a ∈ R′(r′) .
Because $W \oplus W_M$ is defined, it follows that also $W_M.heap(r').H \stackrel{n}{\supseteq} \iota^{std,p,R'(r'),gc}.H$ and $W_M.heap(r')$ is address-stratified.
It follows that r = r′ because dom(Rms(r).1) = dom(Rms(r).2) = R(r) 3 a and dom(Rms(r′).2) = dom(Rms(r′).1) =
R′(r′) 3 a and all the Rms(r).1 and Rms(r).2 are disjoint.
We have that $(n', (R_{ms}(r).1[a \mapsto 0], R_{ms}(r).2[a \mapsto 0])) \in W_{heap}.heap(r).H\ \xi^{-1}(W'_r)$ for all $n' < n$ because $W_M.heap(r)$ is address-stratified and $W_M.heap(r).H \stackrel{n}{\supseteq} \iota^{std,p,R'(r),gc}.H$.
From this, it follows that (n, (σ,msS [a 7→ 0],msT ,heap [a 7→ 0])) ∈ H(WM )(W ′r ⊕W ′heap) and finally
(n, (σ,msS [a 7→ 0], stk ,msstk ,msT [a 7→ 0])) ∈ H(W ′M )(W ′r ⊕W ′heap)
Lemma 61 (stackReadCondition works). If
• (msS , stk ,msstk ,msT ) :gcn WM
• (n, (b, e)) ∈ stackReadCondition,gc(W )
• a ∈ [b, e]
• W ⊕WM is defined
• n′ < n
Then (n′, (msstk (a),msT (a))) ∈ V,gcuntrusted(W ′) for some W ′ such that WM = W ′ ⊕W ′M . Additionally, if
• (n, (b, e)) ∈ stackWriteCondition,gc(W )
Then $(ms_S, stk, ms_{stk}[a \mapsto 0], ms_T[a \mapsto 0]) \models^{gc}_{n} W'_M$.
Proof. From $(n, (b, e)) \in stackReadCondition^{gc}(W)$, we get an $S \subseteq addressable(l, W.free)$, an $R : S \to \mathcal{P}(\mathbb{N})$ with $\biguplus_{r \in S} R(r) \supseteq [b, e]$ and $W.free(r).H \stackrel{n}{\subseteq} \iota^{std,p,R(r),gc}.H$ for all $r \in S$.
Since a ∈ [b, e], there is a unique r ∈ S such that a ∈ R(r).
Since W ⊕ WM is defined, we have that r ∈ dom(W.free) = dom(WM .free) and W.free(r) ⊕ WM .free(r) is
defined.
From $(ms_S, stk, ms_{stk}, ms_T) \models^{gc}_{n} W_M$, we get that $stk = (opc_0, ms_0) :: \cdots :: (opc_m, ms_m)$, $ms_S \uplus ms_{stk} \uplus ms_0 \uplus \cdots \uplus ms_m$ is defined, $W_M = W_{stack} \oplus W_{free\_stack} \oplus W_{heap}$ and $\exists ms_{T,stack}, ms_{T,free\_stack}, ms_{T,heap}, ms_{T,f}, ms_{S,f}, ms'_S$ such that
• msS = msS,f unionmultims ′S
• msT = msT ,stack unionmultimsT ,free stack unionmultimsT ,heap unionmultimsT,f
• (n, (stk ,msT ,stack )) ∈ Sgc(Wstack )
• (n, (msstk ,msT ,free stack )) ∈ Fgc(Wfree stack )
• (n, (σ,ms ′S ,msT ,heap)) ∈ H(WM .heap)(Wheap).
From $(n, (ms_{stk}, ms_{T,free\_stack})) \in \mathcal{F}^{gc}(W_{free\_stack})$, we get an
• $R_{ms} : dom(active(W_{free\_stack}.free)) \to MemorySegment \times MemorySegment$,
• $ms_{T,free\_stack} = \biguplus_{r \in dom(active(W_{free\_stack}.free))} \pi_2(R_{ms}(r))$,
• $ms_{stk} = \biguplus_{r \in dom(active(W_{free\_stack}.free))} \pi_1(R_{ms}(r))$,
• $stk\_base \in dom(ms_{T,free\_stack}) \wedge stk\_base \in dom(ms_{stk})$,
• $\exists R_W : dom(active(W_{free\_stack}.free)) \to World.$
• $W_{free\_stack} = \bigoplus_{r \in dom(active(W_{free\_stack}.free))} R_W(r)$
and for all r ∈ active(Wfree stack .free), we have that (n′, Rms(r)) ∈Wfree stack .free(r).H ξ−1(RW (r)) for all n′ < n.
We have that r ∈ addressable(l ,W.free) ⊆ active(Wfree stack .free), so (n′, Rms(r)) ∈Wfree stack .free(r).H ξ−1(RW (r)).
Because W.free(r).H
n⊆ ιstd,p,R(r),gc .H and W ⊕WM = W ⊕ (Wfree stack ⊕Wfree stack ⊕Wstack ) is defined, it follows
that also Wfree stack .free(r).H
n⊆ ιstd,p,R(r),gc .H. This means that also (n′, Rms(r)) ∈ HstdR(r) ξ−1(RW (r)).
From this, it follows that dom(Rms(r).1) = dom(Rms(r).2) = R(r) and we get a S : R(r) → World with
ξ(ξ−1(RW (r))) = ⊕a∈R(r)S(a) and ∀a ∈ R(r). (n′, (msstk (a),msT (a))) ∈ V,gcuntrusted(S(a)).
Since a ∈ R(r), we have that (n′, (msstk (a),msT (a))) ∈ V,gcuntrusted(S(a)) and we can take W ′M = W ′r⊕Wheap ⊕
(Wstack ⊕W ′free stack ) with W ′r = ⊕a∈(R(r)\{a})S(a) and W ′free stack = ⊕r′∈(dom(active(Wheap .heap))\{r})RW (r′), and
get
S(a)⊕W ′M = S(a)⊕ (W ′r ⊕W ′free stack ⊕ (Wstack ⊕Wheap))
= ⊕a∈R(r)S(a)⊕W ′free stack ⊕ (Wstack ⊕Wheap)
= ξ(ξ−1(RW (r)))⊕W ′free stack ⊕ (Wstack ⊕Wheap)
= RW (r)⊕W ′free stack ⊕ (Wstack ⊕Wheap)
= ⊕r∈dom(active(Wfree stack .heap))RW (r)⊕ (Wstack ⊕Wheap)
= Wfree stack ⊕ (Wstack ⊕Wheap)
= WM
Additionally, if (n, (b, e)) ∈ stackWriteCondition,gc(W ), then we get an
S′ ⊆ addressable(l ,W.free) ⊆ active(Wfree stack .heap),
and an R′ : S′ → P(N) such that ⊎r∈S′ R′(r) ⊇ [b, e] and for all r ∈ S′, W.free(r).H n⊇ ιstd,p,R′(r),gc .H and W.free(r)
is address-stratified.
Since a ∈ [b, e], there is an r′ ∈ S′ such that a ∈ R′(r′) .
Because W ⊕WM is defined, it follows that also Wfree stack .free(r′).H
n⊇ ιstd,p,R′(r′),gc .H and Wfree stack .free(r′) is
address-stratified.
It follows that r = r′ because dom(Rms(r).1) = dom(Rms(r).2) = R(r) 3 a and dom(Rms(r′).2) = dom(Rms(r′).1) =
R′(r′) 3 a and all the Rms(r).1 and Rms(r).2 are disjoint.
We have that (n′, (Rms(r).1[a 7→ 0], Rms(r).2[a 7→ 0])) ∈ Wfree stack .free(r).H ξ−1(W ′r) for all n′ < n because
Wfree stack .free(r) is address-stratified and Wfree stack .free(r).H
n⊇ ιstd,p,R′(r),gc .H.
From this, it follows that (n, (msstk [a 7→ 0],msT ,heap [a 7→ 0])) ∈ Fgc(W ′r⊕W ′free stack ) and finally (msS , stk ,msstk [a 7→
0],msT [a 7→ 0]) :gcn W ′M .
Lemma 62 (load from regular capability works). If
• $(ms_S, stk, ms_{stk}, ms_T) :^{gc}_n W_M$
• $c = ((perm, l), b, e, a)$
• $c' = ((perm', l'), b', e', a')$
• $perm \in readAllowed$, $perm' \in readAllowed$
• $(n, (c, c')) \in \mathcal{V}^{\_,gc}_{tst}(H_\sigma, W)$
• $W \oplus W_M$ is defined
• $n' < n$
• $w_S = linearityConstraint(ms_S(a))$, $w_T = linearityConstraint(ms_T(a'))$
• $linearityConstraintPerm(perm, ms_S(a))$, $linearityConstraintPerm(perm', ms_T(a'))$
• $a \in [b, e]$
• $a' \in [b', e']$
Then $\exists W', W'_M$.
• $W_M = W' \oplus W'_M$
• $(ms_S[a \mapsto w_S], stk, ms_{stk}, ms_T[a' \mapsto w_T]) :^{gc}_{n'} W'_M$
• $(n', (ms_S(a), ms_T(a'))) \in \mathcal{V}^{\_,gc}_{tst}(W')$
Proof. Consider first the case that $(n, (c, c')) \in \mathcal{V}^{\_,gc}_{untrusted}(H_\sigma, W)$.
From $(n, (c, c')) \in \mathcal{V}^{\_,gc}_{untrusted}(H_\sigma, W)$ with $c = ((perm, l), b, e, a)$, $c' = ((perm', l'), b', e', a')$, $perm \in readAllowed$ and $perm' \in readAllowed$, we get that $b = b'$, $e = e'$ and $a = a'$ and $(n, (b, e)) \in readCondition^{\_,gc}(l, W)$.
Lemma 60 then gives us a $W'$ and $W'_M$ such that $W_M = W' \oplus W'_M$ and $(n', (ms_S(a), ms_T(a'))) \in \mathcal{V}^{\_,gc}_{untrusted}(W')$.
It remains to prove that $(ms_S[a \mapsto w_S], stk, ms_{stk}, ms_T[a' \mapsto w_T]) :^{gc}_{n'} W'_M$. We have to distinguish the case that $isLinear(ms_S(a))$ and the opposite case.
• Case $isLinear(ms_S(a))$: then $linearityConstraint(ms_S(a)) = 0$ and it follows from $(n', (ms_S(a), ms_T(a'))) \in \mathcal{V}^{\_,gc}_{untrusted}(W')$ that also $isLinear(ms_T(a'))$ and $linearityConstraint(ms_T(a')) = 0$. From $linearityConstraintPerm(perm, ms_S(a))$ and $linearityConstraintPerm(perm', ms_T(a'))$, we then also get that $perm, perm' \in writeAllowed$, and from $(n, (c, c')) \in \mathcal{V}^{\_,gc}_{untrusted}(W)$ it then follows that $(n, (b, e)) \in writeCondition^{\_,gc}(l, W)$. From the "Additionally, if ..." case of Lemma 60 together with Lemma 44, we then get that $(ms_S[a \mapsto w_S], stk, ms_{stk}, ms_T[a' \mapsto w_T]) :^{gc}_{n'} W'_M$.
• Case $\neg isLinear(ms_S(a))$: then $linearityConstraint(ms_S(a)) = ms_S(a)$ and it follows from $(n', (ms_S(a), ms_T(a'))) \in \mathcal{V}^{\_,gc}_{untrusted}(W')$ that also $\neg isLinear(ms_T(a'))$ and $linearityConstraint(ms_T(a')) = ms_T(a')$. The memory updates are therefore the identity, and $(ms_S[a \mapsto w_S], stk, ms_{stk}, ms_T[a' \mapsto w_T]) :^{gc}_{n'} W'_M$ follows simply by downwards closure of memory satisfaction, i.e. Lemma 44.
Now consider the case that $(n, (c, c')) \in \mathcal{V}^{\_,gc}_{trusted}(W) \setminus \mathcal{V}^{\_,gc}_{untrusted}(W)$. Then we have that $[b, e] \subseteq TA$ and $(n, [b, e]) \in readXCondition^{\_,gc}(W)$. By definition of $readXCondition^{\_,gc}$, there are an $r$ and a $code$ such that $W.heap(r) =_n \iota_{code,\_,\_,code,gc}$ and $a \in dom(code)$. By definition of $\iota_{code,\ldots}$ and using the fact that $dom(code) \ni a \in [b, e] \subseteq TA$, we know that $dom(code) \subseteq TA$ and $\_, \_ \vdash_{comp\text{-}code} code$. From the fact that $(ms_S, stk, ms_{stk}, ms_T) :^{gc}_n W_M$, together with the definition of $\iota_{code,\ldots}$, we know that $(n', (ms_S(a), ms_T(a'))) \in \mathcal{V}^{\_,gc}_{trusted}(purePart(W_M))$, and we have that $purePart(W_M) = purePart(W)$ by Lemma 8. From the fact that $\_, \_ \vdash_{comp\text{-}code} code$, we get that $\neg isLinear(code(a))$, so the loaded value is left in memory unchanged.
We can then take $W'_M = W_M$ and $W' = purePart(W)$ and get the required results from what we have proven above, using Lemma 44.
Lemma 63 (load from stack capability works). If
• $(ms_S, stk, ms_{stk}, ms_T) :^{gc}_n W_M$
• $c = \text{stack-ptr}(perm, b, e, a)$
• $c' = ((perm', l'), b', e', a')$
• $perm \in readAllowed$ or $perm' \in readAllowed$
• $(n, (c, c')) \in \mathcal{V}^{\_,gc}_{tst}(H_\sigma, W)$
• $W \oplus W_M$ is defined
• $n' < n$
• $a \in [b, e]$ or $a' \in [b', e']$
• $w_S = linearityConstraint(ms_{stk}(a))$, $w_T = linearityConstraint(ms_T(a'))$
• $linearityConstraintPerm(perm, ms_{stk}(a))$, $linearityConstraintPerm(perm', ms_T(a'))$
Then $\exists W', W'_M$.
• $W_M = W' \oplus W'_M$
• $(ms_S, stk, ms_{stk}[a \mapsto w_S], ms_T[a' \mapsto w_T]) :^{gc}_{n'} W'_M$
• $(n', (ms_{stk}(a), ms_T(a'))) \in \mathcal{V}^{\_,gc}_{untrusted}(W')$
Proof. From $(n, (c, c')) \in \mathcal{V}^{\_,gc}_{tst}(H_\sigma, W)$ with $c = \text{stack-ptr}(perm, b, e, a)$, $c' = ((perm', l'), b', e', a')$ and ($perm \in readAllowed$ or $perm' \in readAllowed$), we get that $perm = perm'$, $l' = linear$, $b = b'$, $e = e'$ and $a = a'$ and $(n, (b, e)) \in stackReadCondition^{\_,gc}(W)$.
From Lemma 61, we then get that $(n', (ms_{stk}(a), ms_T(a'))) \in \mathcal{V}^{\_,gc}_{untrusted}(W')$ for some $W'$ such that $W_M = W' \oplus W'_M$.
It remains to prove that $(ms_S, stk, ms_{stk}[a \mapsto w_S], ms_T[a' \mapsto w_T]) :^{gc}_{n'} W'_M$. We have to distinguish the case that $isLinear(ms_{stk}(a))$ and the opposite case.
• Case $isLinear(ms_{stk}(a))$: then $linearityConstraint(ms_{stk}(a)) = 0$ and it follows from $(n', (ms_{stk}(a), ms_T(a'))) \in \mathcal{V}^{\_,gc}_{untrusted}(W')$ that also $isLinear(ms_T(a'))$ and $linearityConstraint(ms_T(a')) = 0$. From $linearityConstraintPerm(perm, ms_{stk}(a))$ and $linearityConstraintPerm(perm', ms_T(a'))$, we then also get that $perm = perm' \in writeAllowed$, and from $(n, (c, c')) \in \mathcal{V}^{\_,gc}_{tst}(H_\sigma, W)$ it then follows that $(n, (b, e)) \in stackWriteCondition^{\_,gc}(W)$. From the "Additionally, if ..." case of Lemma 61 together with Lemma 44, we then get that $(ms_S, stk, ms_{stk}[a \mapsto 0], ms_T[a' \mapsto 0]) :^{gc}_{n'} W'_M$.
• Case $\neg isLinear(ms_{stk}(a))$: then $linearityConstraint(ms_{stk}(a)) = ms_{stk}(a)$ and it follows from $(n', (ms_{stk}(a), ms_T(a'))) \in \mathcal{V}^{\_,gc}_{untrusted}(W')$ that also $\neg isLinear(ms_T(a'))$ and $linearityConstraint(ms_T(a')) = ms_T(a')$. The fact that $(ms_S, stk, ms_{stk}[a \mapsto w_S], ms_T[a' \mapsto w_T]) :^{gc}_{n'} W'_M$ then follows simply by downwards closure of memory satisfaction, i.e. Lemma 44.
Lemma 64 (store to regular capability works). If
• $(ms_S, stk, ms_{stk}, ms_T) :^{gc}_n W_M$
• $c_1 = ((perm, l), b, e, a)$
• $c'_1 = ((perm', l'), b', e', a')$
• $perm \in writeAllowed$, $perm' \in writeAllowed$
• $a \in [b, e]$
• $a' \in [b', e']$
• $(n, (c_1, c'_1)) \in \mathcal{V}^{\_,gc}_{trusted}(H_\sigma, W_1)$
• $(n, (c_2, c'_2)) \in \mathcal{V}^{\_,gc}_{untrusted}(H_\sigma, W_2)$
• $W_1 \oplus W_2 \oplus W_M$ is defined
• $n' < n$
• $c_3 = linearityConstraint(c_2)$, $c'_3 = linearityConstraint(c'_2)$
Then $\exists W'_2, W'_M$.
• $W_2 \oplus W_M = W'_2 \oplus W'_M$
• $(ms_S[a \mapsto c_2], stk, ms_{stk}, ms_T[a' \mapsto c'_2]) :^{gc}_{n'} W'_M$
• $(n', (c_3, c'_3)) \in \mathcal{V}^{\_,gc}_{untrusted}(W'_2)$
Proof. From $(n, (c_1, c'_1)) \in \mathcal{V}^{\_,gc}_{trusted}(W_1)$ and $perm \in writeAllowed$, it follows that $c_1 = c'_1$ and $(n, [b, e]) \in writeCondition^{\_,gc}(l, W_1)$.
We then get an $r$ and an $A$ such that $a \in A$, $W_1.heap(r).H \supseteq_n \iota_{std,v,A,gc}.H$ and $W_1.heap(r)$ is address-stratified.
If we decompose the judgement $(ms_S, stk, ms_{stk}, ms_T) :^{gc}_n W_M$, then we get some $(n - 1, (ms_S|_A, ms_T|_A)) \in \iota_{std,v,A,gc}.H\ W_{M,A}$ for some $W_M = W_{M,A} \oplus W_{M,R}$. If we define $W'_M$ as $W_M \oplus W_2$ and $W'_2 = purePart(W_2)$, then we can use the properties of $W_1.heap(r)$ above to show that $(ms_S[a \mapsto c_2], stk, ms_{stk}, ms_T[a' \mapsto c'_2]) :^{gc}_{n'} W'_M$.
The fact that $(n', (c_3, c'_3)) \in \mathcal{V}^{\_,gc}_{untrusted}(W'_2)$ follows from Lemma 29.
Lemma 65 (store to stack capability works). If
• $(ms_S, stk, ms_{stk}, ms_T) :^{gc}_n W_M$
• $c_1 = \text{stack-ptr}(perm, b, e, a)$
• $c'_1 = ((perm', linear), b', e', a')$
• $perm \in writeAllowed$, $perm' \in writeAllowed$
• $a \in [b, e]$
• $a' \in [b', e']$
• $(n, (c_1, c'_1)) \in \mathcal{V}^{\_,gc}_{trusted}(H_\sigma, W_1)$
• $(n, (c_2, c'_2)) \in \mathcal{V}^{\_,gc}_{untrusted}(H_\sigma, W_2)$
• $W_1 \oplus W_2 \oplus W_M$ is defined
• $n' < n$
• $c_3 = linearityConstraint(c_2)$, $c'_3 = linearityConstraint(c'_2)$
Then $\exists W'_2, W'_M$.
• $W_2 \oplus W_M = W'_2 \oplus W'_M$
• $(ms_S, stk, ms_{stk}[a \mapsto c_2], ms_T[a' \mapsto c'_2]) :^{gc}_{n'} W'_M$
• $(n', (c_3, c'_3)) \in \mathcal{V}^{\_,gc}_{untrusted}(W'_2)$
Proof. From $(n, (c_1, c'_1)) \in \mathcal{V}^{\_,gc}_{trusted}(W_1)$ and $perm \in writeAllowed$, it follows that $perm = perm'$, $b = b'$, $e = e'$, $a = a'$ and $(n, [b, e]) \in stackWriteCondition^{\_,gc}(W_1)$.
We then get an $r$ and an $A$ such that $a \in A$, $W_1.free(r).H \supseteq_n \iota_{std,v,A,gc}.H$ and $W_1.free(r)$ is address-stratified.
If we decompose the judgement $(ms_S, stk, ms_{stk}, ms_T) :^{gc}_n W_M$, then we get some $(n - 1, (ms_{stk}|_A, ms_T|_A)) \in \iota_{std,v,A,gc}.H\ W_{M,A}$ for some $W_M = W_{M,A} \oplus W_{M,R}$. If we define $W'_M$ as $W_M \oplus W_2$ and $W'_2 = purePart(W_2)$, then we can use the properties of $W_1.free(r)$ above to show that $(ms_S, stk, ms_{stk}[a \mapsto c_2], ms_T[a' \mapsto c'_2]) :^{gc}_{n'} W'_M$.
The fact that $(n', (c_3, c'_3)) \in \mathcal{V}^{\_,gc}_{untrusted}(W'_2)$ follows from Lemma 29.
Lemma 66. If
• $(n, (sealed(\sigma, sc_1), sealed(\sigma, sc'_1))) \in \mathcal{V}^{\_,gc}_{tst}(W_{R,1})$
• $(n, (sealed(\sigma, sc_2), sealed(\sigma, sc'_2))) \in \mathcal{V}^{\_,gc}_{tst}(W_{R,2})$
• $nonExecutable(sc'_1)$ and $nonExecutable(sc'_2)$
• $W_{R,1} \oplus W_{R,2} \oplus W_M$ is defined
• $(ms_S, stk, ms_{stk}, ms_T) :^{gc}_n W_M$
Then
• $(n - 1, (sc_1, sc_2, sc'_1, sc'_2)) \in \mathcal{E}^{\_,gc}_{xjmp}(W_{R,1} \oplus W_{R,2})$
Proof. From $(n, (sealed(\sigma, sc_1), sealed(\sigma, sc'_1))) \in \mathcal{V}^{\_,gc}_{tst}(W_{R,1})$, we know that
• $isLinear(sc_1)$ iff $isLinear(sc'_1)$
• $\exists r \in dom(W_{R,1}.heap), \sigma_{ret}, \sigma_{clos}, ms_{code}.$
  – $W_{R,1}.heap(r) = (pure, \_, H_\sigma)$
  – $H_\sigma =_n H_{code,\sigma}\ \sigma_{ret}\ \sigma_{clos}\ ms_{code}\ gc$
  – $(n', (sc_1, sc'_1)) \in H_\sigma\ \sigma\ \xi^{-1}(W_{R,1})$ for all $n' < n$
  – If $isLinear(sc_1)$, then for all $W' \sqsupseteq W_{R,1}$, $W_o$ and $n' < n$ with $(n', (sc_2, sc'_2)) \in H_\sigma\ \sigma\ \xi^{-1}(W_o)$, we have that $(n', sc_1, sc_2, sc'_1, sc'_2) \in \mathcal{E}^{\_,gc}_{xjmp}(W' \oplus W_o)$
  – If $nonLinear(sc_1)$, then for all $W' \sqsupseteq purePart(W_{R,1})$, $W_o$ and $n' < n$ with $(n', (sc_2, sc'_2)) \in H_\sigma\ \sigma\ \xi^{-1}(W_o)$, we have that $(n', sc_1, sc_2, sc'_1, sc'_2) \in \mathcal{E}^{\_,gc}_{xjmp}(W' \oplus W_o)$
From $(n, (sealed(\sigma, sc_2), sealed(\sigma, sc'_2))) \in \mathcal{V}^{\_,gc}_{tst}(W_{R,2})$, we know that
• $isLinear(sc_2)$ iff $isLinear(sc'_2)$
• $\exists r' \in dom(W_{R,2}.heap), \sigma_{ret}, \sigma_{clos}, ms_{code}.$
  – $W_{R,2}.heap(r') = (pure, \_, H_\sigma)$
  – $H_\sigma =_n H_{code,\sigma}\ \sigma_{ret}\ \sigma_{clos}\ ms_{code}\ gc$
  – $(n', (sc_2, sc'_2)) \in H_\sigma\ \sigma\ \xi^{-1}(W_{R,2})$ for all $n' < n$
From $(ms_S, stk, ms_{stk}, ms_T) :^{gc}_n W_M$, we know that two different regions cannot have $H_\sigma$ defined for the same $\sigma$, so that $r = r'$. Both when $isLinear(sc_1)$ and when $nonLinear(sc_1)$ (using Lemma 12 in the latter case), we know that for all $W' \sqsupseteq W_{R,1}$, $W_o$, $n' < n$, $sc_2$, $sc'_2$ with $(n', (sc_2, sc'_2)) \in H_\sigma\ \sigma\ \xi^{-1}(W_o)$, we have that $(n', sc_1, sc_2, sc'_1, sc'_2) \in \mathcal{E}^{\_,gc}_{xjmp}(W' \oplus W_o)$.
We can now instantiate this fact with $W' = W_{R,1}$, $W_o = W_{R,2}$, $n' = n - 1$, and the fact that $(n - 1, (sc_2, sc'_2)) \in H_\sigma\ \sigma\ \xi^{-1}(W_{R,2})$ (see above) to conclude $(n - 1, sc_1, sc_2, sc'_1, sc'_2) \in \mathcal{E}^{\_,gc}_{xjmp}(W_{R,1} \oplus W_{R,2})$.
6.2 FTLR proof
Lemma 67. If
• One of the following sets of requirements holds:
  – $tst = trusted$, $\Phi_S$ is reasonable up to $n$ steps and $[b, e] \subseteq TA$
  – $tst = untrusted$, $[b, e] \mathbin{\#} TA$ and $(n, [b, e]) \in readCondition^{\_,gc}(normal, W_{pc})$
• $\Phi_S(pc) = \Phi_T(pc) = ((rx, normal), b, e, a)$
• $(n, [b, e]) \in readXCondition^{\_,gc}(W_{pc})$
• $(n, (\Phi_S.reg, \Phi_T.reg)) \in \mathcal{R}^{\_,gc}_{tst}(W_R)$
• $(\Phi_S.mem, \Phi_S.stk, \Phi_S.ms_{stk}, \Phi_T.mem) :^{gc}_n W_M$
• $W_{pc} \oplus W_R \oplus W_M$ is defined
• Theorem 2 holds for all $n' < n$
Then $(n, (\Phi_S, \Phi_T)) \in \mathcal{O}^{\_,gc}$.

Proof. In the following we write $reg_S = \Phi_S.reg$, $reg_T = \Phi_T.reg$, $ms_S = \Phi_S.mem$, $ms_{stk} = \Phi_S.ms_{stk}$ and $stk = \Phi_S.stk$.
The proof is by complete induction on $n$, i.e. we may assume that the lemma already holds for all $n' < n$.
We first prove that one of the following holds:
1. $\Phi_S \to^j_{gc} failed$ and $\Phi_T \to^i failed$ for some $i, j$.
2. $\Phi_S \to_{gc} halted$ and $\Phi_T \to halted$.
3. All of the following hold (this includes the simple cases gettype, geta, getb, gete, getp, getl, lt, plus, minus, and the one case of move that can be handled uniformly):
• $\Phi_S \to_{gc} \Phi'_S$
• $\Phi_T \to \Phi'_T$
• $\Phi_S$ does not point to $call_{off_{pc},off_\sigma}\ r_1\ r_2$ or $xjmp\ r_1\ r_2$
• $\Phi'_S = updatePc(\Phi_S[reg.r \mapsto z]) \neq failed$
• $\Phi'_T = updatePc(\Phi_T[reg.r \mapsto z]) \neq failed$
• $r \neq pc$
• $z \in \mathbb{Z}$
4. All of the following hold (the call case):
• $callCondition(\Phi_S, r_1, r_2, off_{pc}, off_\sigma, a)$
• $r_1 \neq r_{t1}$ and $r_2 \neq r_{t1}$
• $b \leq a$ and $a + call\_len - 1 \leq e$
• $executable(\Phi_S(pc))$
• for all $i = 0..call\_len - 1$, $ms_T(a + i) = ms_S(a + i) \in \mathbb{Z}$
• $[b, e] \subseteq TA$
• $\Phi_S \to_{gc} \Phi'_S \neq failed$
• $\Phi_T \to \Phi'_T \neq failed$
• $\Phi_S(r_1) = sealed(\sigma, c_1)$
• $\Phi_S(r_2) = sealed(\sigma, c_2)$
• $nonExecutable(c_2)$
• $\Phi_S(r_{stk}) = \text{stack-ptr}(rw, b_{stk}, e_{stk}, a_{stk})$
• $b_{stk} < a_{stk} \leq e_{stk}$
• $\Phi_S(pc) = ((perm, normal), b, e, a)$
• $w_1 = linearityConstraint(c_1)$ and $w_2 = linearityConstraint(c_2)$
• $\Phi''_S.reg = \Phi_S.reg[r_{stk} \mapsto \text{stack-ptr}(rw, b_{stk}, a_{stk} - 1, a_{stk} - 1)]$
  $[r_{retcode} \mapsto sealed(\sigma', \text{ret-ptr-code}(b, e, a + call\_len))]$
  $[r_{retdata} \mapsto sealed(\sigma', \text{ret-ptr-data}(a_{stk}, e_{stk}))]$
  $[r_1, r_2 \mapsto w_1, w_2]$
  $[r_{t1} \mapsto 0]$
• $\Phi''_S.mem = \Phi_S.mem$
• $ms_{stk\ priv,S} = \Phi_S.ms_{stk}|_{[a_{stk}, e_{stk}]}[a_{stk} \mapsto 42]$
• $\Phi''_S.stk = ((a + call\_len), ms_{stk\ priv,S}) :: \Phi_S.stk$
• $\Phi''_S.ms_{stk} = \Phi_S.ms_{stk} - \Phi_S.ms_{stk}|_{[a_{stk}, e_{stk}]}$
• $b \leq a + off_{pc} \leq e$
• $mem(a + off_{pc}) = seal(\sigma_b, \sigma_e, \sigma_a)$
• $\sigma' = \sigma_a + off_\sigma$
• $\sigma_a \leq \sigma' \leq \sigma_e$
• $\Phi'_S = xjumpResult(c_1, c_2, \Phi''_S)$
5. All of the following hold (this includes the capability-manipulation cases move, cca, restrict, seta2b, cseal, split and splice, which can be handled mostly uniformly):
• $\Phi_S \to_{gc} \Phi'_S$
• $\Phi_T \to \Phi'_T$
• $\Phi_S$ does not point to $call_{off_{pc},off_\sigma}\ r_1\ r_2$ or $xjmp\ r_1\ r_2$
• $\Phi'_S = updatePc(\Phi_S[reg.r_1 \cdots r_k \mapsto w_1 \cdots w_k]) \neq failed$
• $\Phi'_T = updatePc(\Phi_T[reg.r_1 \cdots r_k \mapsto w'_1 \cdots w'_k]) \neq failed$
• $r_i \neq pc$ for all $i$
• One of the following holds:
  5.1. (restrict, cca, seta2b) $w_1 = w'_1 = ((perm', l), b, e, a')$, $\Phi_S(r_1) = \Phi_T(r_1) = ((perm, l), b, e, a)$, $perm' \sqsubseteq perm$, $k = 1$
  5.2. (restrict, cca, seta2b) $w_1 = \text{stack-ptr}(perm', b, e, a')$, $w'_1 = ((perm', linear), b, e, a')$, $\Phi_S(r_1) = \text{stack-ptr}(perm, b, e, a)$, $\Phi_T(r_1) = ((perm, linear), b, e, a)$, $perm' \sqsubseteq perm$, $k = 1$
  5.3. (cca, seta2b) $w_1 = w'_1 = seal(\sigma_b, \sigma_e, \sigma')$, $\Phi_S(r_1) = \Phi_T(r_1) = seal(\sigma_b, \sigma_e, \sigma)$, $k = 1$
  5.4. (move) $w_1 = \Phi_S(r_2)$, $w'_1 = \Phi_T(r_2)$, $w_2 = linearityConstraint(w_1)$, $w'_2 = linearityConstraint(w'_1)$, $r_1 \neq r_2$, $k = 2$
  5.5. (cseal) $w_1 = sealed(\sigma, \Phi_S(r_1))$, $w'_1 = sealed(\sigma, \Phi_T(r_1))$, $\Phi_S(r_2) = \Phi_T(r_2) = seal(\sigma_b, \sigma_e, \sigma)$, $\sigma_b \leq \sigma \leq \sigma_e$, $k = 1$, and $\Phi_S$ points to $cseal\ r_1\ r_2$
  5.6. (split) $\Phi_T(r_3) = \Phi_S(r_3) = ((perm, l), b, e, a)$, $b \leq s < e$, $w_1 = w'_1 = ((perm, l), b, s, a)$, $w_2 = w'_2 = ((perm, l), s + 1, e, a)$, $w_3 = w'_3 = linearityConstraint(\Phi_S(r_3))$, $k = 3$
  5.7. (split) $\Phi_T(r_3) = \Phi_S(r_3) = seal(\sigma_b, \sigma_e, \sigma)$, $\sigma_b \leq s < \sigma_e$, $w_1 = w'_1 = seal(\sigma_b, s, \sigma)$, $w_2 = w'_2 = seal(s + 1, \sigma_e, \sigma)$, $k = 2$
  5.8. (split) $\Phi_S(r_3) = \text{stack-ptr}(perm, b, e, a)$, $\Phi_T(r_3) = ((perm, linear), b, e, a)$, $b \leq s < e$, $w_1 = \text{stack-ptr}(perm, b, s, a)$, $w'_1 = ((perm, linear), b, s, a)$, $w_2 = \text{stack-ptr}(perm, s + 1, e, a)$, $w'_2 = ((perm, linear), s + 1, e, a)$, $k = 2$
  5.9. (splice) $\Phi_S(r_2) = \text{stack-ptr}(perm, b_2, e_2, \_)$, $\Phi_T(r_2) = ((perm, linear), b_2, e_2, \_)$, $\Phi_S(r_3) = \text{stack-ptr}(perm, e_2 + 1, e_3, a_3)$, $\Phi_T(r_3) = ((perm, linear), e_2 + 1, e_3, a_3)$, $b_2 \leq e_2$, $e_2 + 1 \leq e_3$, $w_1 = \text{stack-ptr}(perm, b_2, e_3, a_3)$, $w'_1 = ((perm, linear), b_2, e_3, a_3)$, $w_2 = w'_2 = w_3 = w'_3 = 0$, $k = 3$
  5.10. (splice) $\Phi_T(r_2) = \Phi_S(r_2) = ((perm, l), b_2, e_2, \_)$, $\Phi_T(r_3) = \Phi_S(r_3) = ((perm, l), e_2 + 1, e_3, a_3)$, $b_2 \leq e_2$, $e_2 + 1 \leq e_3$, $w_1 = w'_1 = ((perm, l), b_2, e_3, a_3)$, $w_2 = w'_2 = linearityConstraint(\Phi_S(r_2))$, $w_3 = w'_3 = linearityConstraint(\Phi_S(r_3))$, $k = 3$
  5.11. (splice) $\Phi_T(r_2) = \Phi_S(r_2) = seal(\sigma_{b,2}, \sigma_{e,2}, \_)$, $\Phi_T(r_3) = \Phi_S(r_3) = seal(\sigma_{e,2} + 1, \sigma_{e,3}, \sigma_{a,3})$, $\sigma_{b,2} \leq \sigma_{e,2}$, $\sigma_{e,2} + 1 \leq \sigma_{e,3}$, and $w_1 = w'_1 = seal(\sigma_{b,2}, \sigma_{e,3}, \sigma)$
  5.12. (jnz zero case, no-op move) $k = 0$
6. All of the following hold (this includes the memory-manipulation cases store and load through regular capabilities, which can be handled mostly uniformly):
• $\Phi_S \to_{gc} \Phi'_S$
• $\Phi_T \to \Phi'_T$
• $\Phi_S$ does not point to $call_{off_{pc},off_\sigma}\ r_1\ r_2$ or $xjmp\ r_1\ r_2$
• $\Phi'_S = updatePc(\Phi_S[reg.r_1, r_2 \mapsto w_1, w_2][mem.a \mapsto w])$
• $\Phi'_T = updatePc(\Phi_T[reg.r_1, r_2 \mapsto w'_1, w'_2][mem.a \mapsto w'])$
• $r_i \neq pc$ for all $i$
• One of the following holds:
  6.1. (store) $w_1 = w'_1 = \Phi_S(r_1) = \Phi_T(r_1) = ((perm, l), b, e, a)$, $perm \in writeAllowed$, $withinBounds(w_1)$, $w = \Phi_S(r_2)$, $w' = \Phi_T(r_2)$, $w_2 = linearityConstraint(\Phi_S(r_2))$, $w'_2 = linearityConstraint(\Phi_T(r_2))$
  6.2. (load) $w_2 = w'_2 = \Phi_T(r_2) = \Phi_S(r_2) = ((perm, l), b, e, a)$, $perm \in readAllowed$, $withinBounds(w_2)$, $w_1 = \Phi_S.mem(a)$, $w'_1 = \Phi_T.mem(a)$, $w = linearityConstraint(w_1)$, $w' = linearityConstraint(w'_1)$, $linearityConstraintPerm(perm, w_1)$ and $linearityConstraintPerm(perm, w'_1)$
7. All of the following hold (the store and load c
ases through stack capabilities, again handled mostly uniformly; the target machine has no separate free stack, so its update is to $mem$):
• $\Phi_S \to_{gc} \Phi'_S$
• $\Phi_T \to \Phi'_T$
• $\Phi_S$ does not point to $call_{off_{pc},off_\sigma}\ r_1\ r_2$ or $xjmp\ r_1\ r_2$
• $\Phi'_S = updatePc(\Phi_S[reg.r_1, r_2 \mapsto w_1, w_2][ms_{stk}.a \mapsto w])$
• $\Phi'_T = updatePc(\Phi_T[reg.r_1, r_2 \mapsto w'_1, w'_2][mem.a \mapsto w'])$
• $r_i \neq pc$ for all $i$
• One of the following holds:
  7.1. (store) $w_1 = \Phi_S(r_1) = \text{stack-ptr}(perm, b, e, a)$, $w'_1 = \Phi_T(r_1) = ((perm, linear), b, e, a)$, $perm \in writeAllowed$, $withinBounds(w_1)$, $w = \Phi_S(r_2)$, $w' = \Phi_T(r_2)$, $w_2 = linearityConstraint(\Phi_S(r_2))$, $w'_2 = linearityConstraint(\Phi_T(r_2))$
  7.2. (load) $w_2 = \Phi_S(r_2) = \text{stack-ptr}(perm, b, e, a)$, $w'_2 = \Phi_T(r_2) = ((perm, linear), b, e, a)$, $perm \in readAllowed$, $withinBounds(w_2)$, $a \in dom(\Phi_S.ms_{stk})$, $w_1 = \Phi_S.ms_{stk}(a)$, $w'_1 = \Phi_T.mem(a)$, $w = linearityConstraint(w_1)$, $w' = linearityConstraint(w'_1)$, $linearityConstraintPerm(perm, w_1)$ and $linearityConstraintPerm(perm, w'_1)$
8. All of the following hold (this includes the control-flow cases jmp, jnz and xjmp, which can be handled mostly uniformly):
• $\Phi_S \to_{gc} \Phi'_S$
• $\Phi_T \to \Phi'_T$
• $\Phi_S$ does not point to $call_{off_{pc},off_\sigma}\ r_1\ r_2$
• One of the following holds:
  8.1. (jmp, jnz)
    – $\Phi'_S = \Phi_S[reg.pc, r_1 \mapsto \Phi_S(r_1), w_1]$ and
    – $\Phi'_T = \Phi_T[reg.pc, r_1 \mapsto \Phi_T(r_1), w'_1]$ and
    – $\Phi_S(r_1) = \Phi_T(r_1) = ((perm_1, l_1), b_1, e_1, a_1)$,
    – $executable(\Phi_S(r_1))$,
    – $withinBounds(\Phi_S(r_1))$,
    – $w_1 = linearityConstraint(\Phi_S(r_1))$ and
    – $w'_1 = linearityConstraint(\Phi_T(r_1))$
  8.2. (xjmp)
    – $\Phi_S(r_1) = sealed(\sigma, c_1)$ and
    – $\Phi_S(r_2) = sealed(\sigma, c_2)$ and
    – $\Phi_T(r_1) = sealed(\sigma, c'_1)$ and
    – $\Phi_T(r_2) = sealed(\sigma, c'_2)$ and
    – $c_1 \neq \text{ret-ptr-code}(\_)$ and
    – $c_2 \neq \text{ret-ptr-data}(\_)$ and
    – $nonExecutable(\Phi_S(r_2))$ and
    – $nonExecutable(\Phi_T(r_2))$ and
    – $\Phi''_S = \Phi_S[reg.r_1, r_2 \mapsto linearityConstraint(c_1), linearityConstraint(c_2)]$ and
    – $\Phi'_S = xjumpResult(c_1, c_2, \Phi''_S)$ and
    – $\Phi''_T = \Phi_T[reg.r_1, r_2 \mapsto linearityConstraint(c'_1), linearityConstraint(c'_2)]$ and
    – $\Phi'_T = xjumpResult(c'_1, c'_2, \Phi''_T)$
The above follows from a careful analysis of the cases of the operational semantics, using the following facts:
• $[b, e] \subseteq TA$ or $[b, e] \mathbin{\#} TA$ (by assumption of this lemma)
• $\Phi_S.reg(pc) = \Phi_T.reg(pc)$ (by assumption of this lemma)
• $\Phi_S.mem(a) = \Phi_T.mem(a)$ if $a \in [b, e]$: follows from $(n, [b, e]) \in readXCondition^{\_,gc}(W_{pc})$, the fact that $W_{pc} \oplus W_R \oplus W_M$ is defined and $(\Phi_S.mem, \Phi_S.stk, \Phi_S.ms_{stk}, \Phi_T.mem) :^{gc}_n W_M$
• $\Phi_S.mem(a \cdots a + call\_len - 1) = \Phi_T.mem(a \cdots a + call\_len - 1)$ if $[a, a + call\_len - 1] \subseteq [b, e]$ (follows similarly)
• $\Phi_S.reg(r) = ((perm_1, l_1), b_1, e_1, a_1)$ implies that $\Phi_S.reg(r) = \Phi_T.reg(r)$ and $a_1 \in dom(\Phi_S.mem)$ (follows from $(n, (\Phi_S.reg, \Phi_T.reg)) \in \mathcal{R}^{\_,gc}_{tst}(W_R)$)
• $\Phi_S.reg(r) = z$ implies that $\Phi_S.reg(r) = \Phi_T.reg(r)$ (follows from $(n, (\Phi_S.reg, \Phi_T.reg)) \in \mathcal{R}^{\_,gc}_{tst}(W_R)$)
• $\Phi_S.reg(r) = seal(\sigma_b, \sigma_e, \sigma)$ implies that $\Phi_S.reg(r) = \Phi_T.reg(r)$ (follows from $(n, (\Phi_S.reg, \Phi_T.reg)) \in \mathcal{R}^{\_,gc}_{tst}(W_R)$)
• $\Phi_S.reg(r) = sealed(\sigma, sc)$ implies that $\Phi_T.reg(r) = sealed(\sigma, sc')$ (follows from $(n, (\Phi_S.reg, \Phi_T.reg)) \in \mathcal{R}^{\_,gc}_{tst}(W_R)$)
• $\Phi_S.reg(r) \neq \text{ret-ptr-data}(\_, \_)$ (follows from $(n, (\Phi_S.reg, \Phi_T.reg)) \in \mathcal{R}^{\_,gc}_{tst}(W_R)$)
• $\Phi_S.reg(r) \neq \text{ret-ptr-code}(\_, \_, \_)$ (follows from $(n, (\Phi_S.reg, \Phi_T.reg)) \in \mathcal{R}^{\_,gc}_{tst}(W_R)$)
• $\Phi_S.reg(r) = \text{stack-ptr}(perm_1, b_1, e_1, a_1)$ implies that $\Phi_T.reg(r) = ((perm_1, linear), b_1, e_1, a_1)$ and $a_1 \in dom(\Phi_S.ms_{stk})$ (follows from $(n, (\Phi_S.reg, \Phi_T.reg)) \in \mathcal{R}^{\_,gc}_{tst}(W_R)$)
• Similar facts about the current address, base and end pointer, permissions and linearity of all register capabilities being equal (follows from $(n, (\Phi_S.reg, \Phi_T.reg)) \in \mathcal{R}^{\_,gc}_{tst}(W_R)$)
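To make the capability-manipulation cases 5.4 and 5.6-5.11 of the case analysis concrete, the following is an added executable model of what those cases state about move, split and splice, including how linearityConstraint consumes a linear capability in the register it came from. This is example code written for this report page, not code from the StkTokens report or its authors; the Python value types, the permission strings, the dictionary register file and the Fail exception are modelling assumptions, and registers passed to split and splice are assumed distinct.

```python
# Added example (not code from the StkTokens report): an executable model of
# the register-level semantics that cases 5.4 and 5.6-5.11 describe for
# move, split and splice.  Value types, permission names, the dict register
# file and Fail are assumptions of this model.
from dataclasses import dataclass, replace
from typing import Dict, Union


@dataclass(frozen=True)
class Cap:
    """Regular capability ((perm, l), b, e, a); linear=True models l = linear."""
    perm: str
    linear: bool
    b: int
    e: int
    a: int


@dataclass(frozen=True)
class StackPtr:
    """Source-machine stack-ptr(perm, b, e, a); stack pointers are always linear."""
    perm: str
    b: int
    e: int
    a: int


@dataclass(frozen=True)
class Seal:
    """seal(sigma_b, sigma_e, sigma): a range of seals, never linear."""
    sb: int
    se: int
    s: int


Word = Union[int, Cap, StackPtr, Seal]
RegFile = Dict[str, Word]


class Fail(Exception):
    """The instruction faults (the machine steps to 'failed')."""


def is_linear(w: Word) -> bool:
    return isinstance(w, StackPtr) or (isinstance(w, Cap) and w.linear)


def linearity_constraint(w: Word) -> Word:
    """linearityConstraint(w): a linear word is consumed (replaced by 0),
    a non-linear word is left as it is."""
    return 0 if is_linear(w) else w


def move(reg: RegFile, r1: str, r2: str) -> RegFile:
    """Case 5.4: r1 := reg[r2]; r2 := linearityConstraint(reg[r2]); r1 != r2."""
    if r1 == r2:
        raise Fail("move with r1 = r2 is the no-op case 5.12, not modelled here")
    w = reg[r2]
    return {**reg, r1: w, r2: linearity_constraint(w)}


def split(reg: RegFile, r1: str, r2: str, r3: str, s: int) -> RegFile:
    """Cases 5.6-5.8: split reg[r3] at s into [b, s] and [s+1, e]
    (assumption: r1, r2, r3 are distinct registers)."""
    w = reg[r3]
    if isinstance(w, (Cap, StackPtr)):
        if not (w.b <= s < w.e):
            raise Fail("split point outside [b, e)")
        lo, hi = replace(w, e=s), replace(w, b=s + 1)
    elif isinstance(w, Seal):
        if not (w.sb <= s < w.se):
            raise Fail("split point outside [sigma_b, sigma_e)")
        lo, hi = replace(w, se=s), replace(w, sb=s + 1)
    else:
        raise Fail("split of a non-capability")
    # The source register receives linearityConstraint(old value): a linear
    # capability must not survive in r3 once its two halves exist.
    return {**reg, r1: lo, r2: hi, r3: linearity_constraint(w)}


def splice(reg: RegFile, r1: str, r2: str, r3: str) -> RegFile:
    """Cases 5.9-5.11: join reg[r2] = [b2, e2] and reg[r3] = [e2+1, e3] into
    [b2, e3], keeping r3's current address; inputs must be adjacent and of
    the same kind, permission and linearity."""
    lo, hi = reg[r2], reg[r3]
    if type(lo) is not type(hi):
        raise Fail("splice of different capability kinds")
    if isinstance(lo, (Cap, StackPtr)):
        if lo.perm != hi.perm or (isinstance(lo, Cap) and lo.linear != hi.linear):
            raise Fail("splice with mismatched permission or linearity")
        if not (lo.b <= lo.e and lo.e + 1 == hi.b and hi.b <= hi.e):
            raise Fail("splice of non-adjacent ranges")
        joined = replace(hi, b=lo.b)
    elif isinstance(lo, Seal):
        if not (lo.sb <= lo.se and lo.se + 1 == hi.sb and hi.sb <= hi.se):
            raise Fail("splice of non-adjacent seal ranges")
        joined = replace(hi, sb=lo.sb)
    else:
        raise Fail("splice of a non-capability")
    return {**reg, r1: joined, r2: linearity_constraint(lo), r3: linearity_constraint(hi)}


def round_trip(w: Word, s: int) -> RegFile:
    """Split w at s, then splice the halves back into r4; the result shows
    which registers still hold a copy afterwards."""
    reg = split({"r1": 0, "r2": 0, "r3": w}, "r1", "r2", "r3", s)
    return splice(reg, "r4", "r1", "r2")
```

Running round_trip on a stack pointer leaves exactly one copy (in r4) and zeros in r1, r2 and r3, which is the invariant the linear treatment of the stack relies on; running it on a non-linear capability leaves the original and both halves alive, as cases 5.6 and 5.10 permit.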
By the above observation, we know that $\Phi_S \to_{gc} \Phi'_S$ and $\Phi_T \to \Phi'_T$ for some $\Phi'_S$ and $\Phi'_T$. According to Lemma 50, it suffices to show $(n - 1, (\Phi'_S, \Phi'_T)) \in \mathcal{O}^{\_,gc}$.
Consider each of the possible cases:
In case 1, both executions go to $failed$. In this case, the result follows vacuously by definition of $\mathcal{O}^{\_,gc}$.
In case 2, both the source and the target configuration halt in 0 steps, so both directions of $\mathcal{O}^{\_,gc}$ are trivially satisfied.
In case 3, we use the induction hypothesis to conclude $(n - 1, (\Phi'_S, \Phi'_T)) \in \mathcal{O}^{\_,gc}$ from the following facts:
• One of the following sets of requirements holds:
  – $tst = trusted$, $\Phi'_S$ is reasonable up to $n - 1$ steps and $[b, e] \subseteq TA$
  – $tst = untrusted$, $[b, e] \mathbin{\#} TA$ and $(n - 1, [b, e]) \in readCondition^{\_,gc}(normal, W_{pc})$
  This follows from the corresponding assumption of this lemma, the fact that $\Phi_S \to_{gc} \Phi'_S$ where $\Phi_S$ does not point to $call_{off_{pc},off_\sigma}\ r_1\ r_2$ or $xjmp\ r_1\ r_2$, and Lemma 44.
• $\Phi'_S(pc) = \Phi'_T(pc) = ((rx, normal), b, e, \_)$: follows from the definition of $updatePc$ and the assumptions of this case.
• $(n - 1, [b, e]) \in readXCondition^{\_,gc}(W_{pc})$: follows from the corresponding assumption of this lemma using Lemma 44.
• $(n - 1, (\Phi'_S.reg, \Phi'_T.reg)) \in \mathcal{R}^{\_,gc}_{tst}(W_R)$: follows from the corresponding assumption of this lemma using Lemma 44, the definition of $\mathcal{R}^{\_,gc}_{untrusted}$ and the fact that integers are always in $\mathcal{V}^{\_,gc}_{tst}$ by definition (the only register that changes, $r \neq pc$, receives the same integer $z$ in both machines).
• $(\Phi'_S.mem, \Phi'_S.stk, \Phi'_S.ms_{stk}, \Phi'_T.mem) :^{gc}_{n-1} W_M$: follows from the corresponding assumption of this lemma using Lemma 44, since the memories are unchanged in this case.
• Theorem 2 holds for all $n'' < n - 1$: follows from the corresponding assumption of this lemma, since $n - 1 < n$.
In case 4, we may assume $r_1 \neq r_2$ [3] and $r_i \neq pc$ for $i \in \{1, 2\}$ [4], as otherwise the execution fails. We need to let the target execution catch up, that is, $\Phi'_T \to^{15} \Phi''_T$ for
$\Phi''_T = \Phi_T[mem.a_{stk} \mapsto 42]$
  $[reg.r_{stk} \mapsto ((rw, linear), b_{stk}, a_{stk} - 1, a_{stk} - 1)]$
  $[reg.r_{retdata} \mapsto sealed(\sigma', ((rw, linear), a_{stk}, e_{stk}, a_{stk} - 1))]$
  $[reg.r_{retcode} \mapsto sealed(\sigma', ((perm, normal), b, e, a + ret\_pt\_offset))]$
  $[reg.r_{t1} \mapsto 0]$
  $[reg.r_1, r_2 \mapsto linearityConstraint(\Phi_T(r_1)), linearityConstraint(\Phi_T(r_2))]$
  $[reg.pc \mapsto c'_1]$
  $[reg.r_{data} \mapsto c'_2]$
where $\Phi_T(r_i) = sealed(\sigma, c'_i)$ for $i \in \{1, 2\}$ and $ret\_pt\_offset = 15$ is the offset to the return code. Now, using Lemma 50 again, it suffices to show $(n - 1, (\Phi'_S, \Phi''_T)) \in \mathcal{O}^{\_,gc}$.
[3] If the register contains a data capability, then the execution fails in the step after the jump. If it is an executable capability, then the xjump fails as it does not permit executable capabilities for the data part.
[4] The pc is executable, which causes the xjump to fail.
By assumption, we have $(n, (reg_S(r_i), reg_T(r_i))) \in \mathcal{V}^{\_,gc}_{tst}(W_{R,i})$ for some $W_{R,i}$ with $i \in \{1, 2\}$. We know the capabilities in $r_1$ and $r_2$ are sealed capabilities, and by Lemma 41 and the definition of $\mathcal{V}^{\_,gc}_{tst}$ we get $(n - 1, (c_2, c'_2)) \in H_\sigma\ \sigma\ \xi^{-1}(W_{R,2})$ and, w.l.o.g.,
$\forall W' \sqsupseteq W_{R,1}, W_o, n' < n.\ (n', (c_2, c'_2)) \in H_\sigma\ \sigma\ \xi^{-1}(W_o) \Rightarrow (n', c_1, c_2, c'_1, c'_2) \in \mathcal{E}^{\_,gc}_{xjmp}(W' \oplus W_o)$   (1)
Now take $n' = n - 1$ and construct $W'_{R,1}$ and $W'_{R,2}$ as follows:
By Lemma 43 and the safety assumption on the register file, there exists an $S$ such that for some $R : S \to \mathcal{P}(\mathbb{N})$ we have $\biguplus_{r \in S} R(r) \supseteq [b_{stk}, e_{stk}]$ and, for all $r \in S$, $W_{R,1}.free(r).H =_n \iota_{std,p,R(r),gc}.H$, $|R(r)| = 1$ and $W_{R,1}.free(r)$ is address-stratified. Now take $r_{priv\ stk}$ fresh and define
$W'_{R,1} = W_{R,1}[free.R^{-1}([a_{stk}, e_{stk}]) \mapsto revoked][priv.r_{priv\ stk} \mapsto (\iota_{sta,s,(ms_{stk\ priv,S},\ \Phi''_T.mem|_{[a_{stk}, e_{stk}]}),gc},\ a + call\_len)]$
We know $W'_{R,1} \sqsupseteq W_{R,1}$, as the revoked regions must have been spatial in $W_{R,1}$ (they are owned by the part of the world assigned to the stack register in the register-file relation), and adding the static region for the private stack is an extension of the old world.
Pick this world as $W'$ in Eq. (1). Let $W'_{R,2}$ be the same world but with the ownership of $W_{R,2}$, and pick it for $W_o$. Now observe that also $W'_{R,2} \sqsupseteq W_{R,2}$, and use monotonicity of $H_\sigma$ with the above facts to get
$(n - 1, c_1, c_2, c'_1, c'_2) \in \mathcal{E}^{\_,gc}_{xjmp}(W'_{R,1} \oplus W'_{R,2})$
Now pick register files and memories such that they form $\Phi''_S$ (defined in the assumptions) and $\Phi''_T$, and for $W'_R$ and $W'_M$ (defined below) show
i. $W'_{R,1} \oplus W'_{R,2} \oplus W'_R \oplus W'_M$ is defined.
ii. $(n - 1, (\Phi''_S.reg, \Phi''_T.reg)) \in \mathcal{R}^{\_,gc}_{untrusted}(\{r_{data}\})(W'_R)$
iii. $(\Phi''_S.mem, \Phi''_S.stk, \Phi''_S.ms_{stk}, \Phi''_T.mem) :^{gc}_{n-1} W'_M$
to get $(n - 1, (\Phi'_S, \Phi''_T)) \in \mathcal{O}^{\_,gc}$ as desired.
It remains to show i.-iii., but first we note that we can deduce the following. From the assumption $(n, [b, e]) \in readXCondition^{\_,gc}(W_{pc})$ we get $r \in addressable(normal, W_{pc}.heap)$ and $ms_{code}$ such that $dom(ms_{code}) \supseteq [b, e]$ and $W_{pc}.heap(r) =_n \iota_{code,\sigma_{ret}',\_,ms_{code},gc}$. Further, by $(ms_S, stk, ms_{stk}, ms_T) :^{gc}_n W_M$, we know that
$(n, (ms_{code} \uplus ms_{pad}, ms_{code} \uplus ms_{pad})) \in H_{code}\ \sigma_{ret}'\ \sigma_{clos}'\ ms_{code}\ (TA, \_, \sigma_{glob\ ret}, \sigma_{glob\ clos})\ W_r$   (2)
where $\sigma' \in \sigma_{ret}'$, $dom(ms_{code}) \supseteq [b, e]$, $a + off_{pc} \in dom(ms_{code})$ and $W_M = W_r \oplus \_$. That is, $ms_{code}$ contains the call we are considering. This also entails
$\sigma_{ret}', \sigma_{clos}' \vdash_{comp\text{-}code} ms_{code}$   (3)
From (2) we also get
• $dom(ms_{code} \uplus ms_{pad}) \subseteq TA$: otherwise we would have $dom(ms_{code} \uplus ms_{pad}) \mathbin{\#} TA$, which would contradict $TA \supseteq [b, e] \subseteq dom(ms_{code} \uplus ms_{pad})$.
• $\sigma_{ret}' \subseteq \sigma_{glob\ ret}$: follows from the above.
Case i.: Pick $W'_R$ and $W'_M$ to have the regions of $W'_{R,1}$, where $W'_R$ owns $r_{priv\ stk}$ and otherwise has the ownership of $W_R$ and $W_{pc}$ with the exception of the regions owned by $W'_{R,1}$ and $W'_{R,2}$, and $W'_M$ has the ownership of $W_M$. Case i. then follows from the assumption that $W_{pc} \oplus W_R \oplus W_M$ is defined: the only changes to the worlds are that some ownership has been shifted from $W_R$ to $W'_{R,1}$ and $W'_{R,2}$, and that the ownership of $W_{pc}$ now belongs to $W'_R$. In other words, no ownership has been duplicated.
Case ii.: First, from reasonability of $\Phi_S$, we get that $\Phi_S.reg(r)$ is reasonable in memory $\Phi_S.mem$ and free stack $\Phi_S.ms_{stk}$ up to $n - 1$ steps for all $r \neq pc$. Lemma 20 then tells us that $(n - 1, (\Phi_S.reg, \Phi_T.reg)) \in \mathcal{R}^{\_,gc}_{untrusted}(W_R)$.
We then need to split the ownership of $W'_R$. From the assumption $(n, (\Phi_S.reg, \Phi_T.reg)) \in \mathcal{R}^{\_,gc}_{untrusted}(W_R)$, we get a way to split the ownership of $W_R$. We take this as the starting point, but with the following changes: registers $r_1$ and $r_2$ map to worlds with no ownership (i.e. $purePart(W'_{R,1})$); register $r_{stk}$ maps to a world with the same ownership as before, but of course without the now revoked regions; register $r_{retdata}$ maps to a world that owns the private region $r_{priv\ stk}$; finally, $r_{retcode}$ maps to a world with the ownership of $W_{pc}$.
We split the world in the same way for the registers that remain unchanged, and we get from Lemmas 44 and 47 that $(n - 1, (\Phi''_S.reg, \Phi''_T.reg)) \in \mathcal{R}^{\_,gc}_{tst}(\{r_{data}, r_{stk}, r_{t1}, r_1, r_2, r_{retdata}, r_{retcode}\})(W''_R)$ for the appropriate $W''_R$.
To obtain $(n - 1, (\Phi''_S.reg, \Phi''_T.reg)) \in \mathcal{R}^{\_,gc}_{untrusted}(\{r_{data}\})(W'_R)$, it remains to prove the following cases:
Case $r_{stk}$: Show
$(n - 1, (\text{stack-ptr}(rw, b_{stk}, a_{stk} - 1, a_{stk} - 1), ((rw, linear), b_{stk}, a_{stk} - 1, a_{stk} - 1))) \in \mathcal{V}^{\_,gc}_{untrusted}(W'_{R,r_{stk}})$
By the assumption $(n, (\Phi_S.reg, \Phi_T.reg)) \in \mathcal{R}^{\_,gc}_{tst}(W_R)$, we know
$(n, (\text{stack-ptr}(rw, b_{stk}, e_{stk}, a_{stk}), ((rw, linear), b_{stk}, e_{stk}, a_{stk}))) \in \mathcal{V}^{\_,gc}_{tst}(W_{R,stk})$
which by the $stackReadCondition$ gives an $S \subseteq addressable(linear, W_{R,stk}.free)$ and an $R : S \to \mathcal{P}(\mathbb{N})$. We need to pick an $S'$ to argue
$(n - 1, [b_{stk}, a_{stk} - 1]) \in stackReadCondition^{\_,gc}(W'_{R,r_{stk}})$
To this end, pick $S' = R^{-1}((\bigcup_{r \in S} R(r)) \setminus [a_{stk}, e_{stk}])$ and $R'$ to be $R$ restricted to $S'$. As we exclude all the revoked regions and the ownership otherwise remains the same in $W'_{R,r_{stk}}$ as in $W_{R,r_{stk}}$, the regions in $S'$ are exactly the same in the new world as they were in $W_{R,r_{stk}}$. So what we need to show follows immediately from
$(n, [b_{stk}, e_{stk}]) \in stackReadCondition^{\_,gc}(W_{R,r_{stk}})$
and Lemma 44. We show
$(n - 1, [b_{stk}, a_{stk} - 1]) \in stackWriteCondition^{\_,gc}(W'_{R,r_{stk}})$
in the same way.
Case $r_{t1}$: Show $(n - 1, (0, 0)) \in \mathcal{V}^{\_,gc}_{untrusted}(W'_{R,r_{t1}})$. Follows immediately from the definition.
Case $r_1$, $r_2$: The two cases are symmetric, so we just show the $r_1$ case:
$(n - 1, (linearityConstraint(c_1), linearityConstraint(\Phi_T(r_1)))) \in \mathcal{V}^{\_,gc}_{untrusted}(W'_{R,r_1})$
Follows from the related-register-files assumption, Lemma 73, and the fact that sealed capabilities that are in $\mathcal{V}^{\_,gc}_{trusted}$ are also in the $\mathcal{V}^{\_,gc}_{untrusted}$ part.
Case $r_{retdata}$: We have to show
$(n - 1, (sealed(\sigma', \text{ret-ptr-data}(a_{stk}, e_{stk})), sealed(\sigma', ((rw, linear), a_{stk}, e_{stk}, a_{stk} - 1)))) \in \mathcal{V}^{\_,gc}_{untrusted}(W'_{R,r_{retdata}})$
where $W'_{R,r_{retdata}}$ is the part of $W'_R$ with ownership over $r_{priv\ stk}$.
Use $r = r_{ms_{code}}$ as the witness. The $readXCondition^{\_,gc}$ gives us $W_{pc}.heap(r) =_n \iota_{code,\_,\_,ms_{code},gc}$. As it is a pure region, it is also present in the future world we consider. We now have to show:
a) For $n'' < n - 1$ we have
$(n'', (\text{ret-ptr-data}(a_{stk}, e_{stk}), ((rw, linear), a_{stk}, e_{stk}, a_{stk} - 1))) \in H_{code,\sigma}\ \sigma_{ret}'\ \sigma_{clos}'\ ms'_{code}\ (TA, stk\_base)\ \sigma'\ \xi^{-1}(W'_{R,r_{retdata}})$
First, we already know $dom(ms_{code}) \subseteq TA$ and $\sigma_{ret}' \subseteq \sigma_{glob\ ret}$. Now pick $r_{priv\ stk}$ as the witness. We immediately get $dom(ms_{stk\ priv,S}) = dom(\Phi''_T.mem|_{[a_{stk}, e_{stk}]}) = [a_{stk}, e_{stk}]$. Next, $decodeInstruction(ms'_{code}(a, a + call\_len - 1)) = call_{off_{pc},off_\sigma}\ r_1\ r_2$ follows from $callCondition(\Phi_S, r_1, r_2, off_{pc}, off_\sigma, a)$. Finally, $ms_{code}(a + off_{pc}) = seal(\sigma_b, \sigma_e, \sigma_b)$ with $\sigma' = \sigma_b + off_\sigma \in \sigma_{ret}'$, which follows from $\sigma_{ret}', \sigma_{clos}' \vdash_{comp\text{-}code} ms_{code}$ and the fact that the call is there.
b) $isLinear(sealed(\sigma', \text{ret-ptr-data}(a_{stk}, e_{stk})))$ iff $isLinear(sealed(\sigma', ((rw, linear), a_{stk}, e_{stk}, a_{stk} - 1)))$: trivial, both are linear.
c) $\forall W'' \sqsupseteq purePart(W'_{R,r_{retdata}}), W_o, n'' < n - 1.\ (n'', (sc'_S, sc'_T)) \in H_{code,\sigma}\ \sigma_{ret}'\ \sigma_{clos}'\ ms'_{code}\ (TA, stk\_base)\ \sigma'\ \xi^{-1}(W_o) \Rightarrow (n'', \text{ret-ptr-data}(a_{stk}, e_{stk}), sc'_S, ((rw, linear), a_{stk}, e_{stk}, a_{stk} - 1), sc'_T) \in \mathcal{E}^{\_,gc}_{xjmp}(W'' \oplus W_o)$
Trivial, as both configurations fail.
Case $r_{retcode}$: We have to show
$(n - 1, (sealed(\sigma', \text{ret-ptr-code}(b, e, a + call\_len)), sealed(\sigma', ((rx, normal), b, e, a + ret\_pt\_offset)))) \in \mathcal{V}^{\_,gc}_{untrusted}(W'_{R,r_{retcode}})$
where $W'_{R,r_{retcode}}$ has the ownership of $W_{pc}$. Just as in the previous case, we know that for some region $r$ there exists an $ms_{code}$ such that $W_{pc}.heap(r) =_n \iota_{code,\sigma_{ret}',\_,ms_{code},gc}$, where $\sigma' \in \sigma_{ret}'$, $dom(ms_{code}) \supseteq [b, e]$, $a + off_{pc} \in dom(ms_{code})$ and $\sigma_{ret}' \subseteq \sigma_{glob\ ret}$. It follows easily from the definition of $H_{code,\sigma}$ that
$(n'', (\text{ret-ptr-code}(b, e, a + call\_len), ((rx, normal), b, e, a + ret\_pt\_offset))) \in H_{code,\sigma}\ \sigma_{ret}'\ \sigma_{clos}'\ ms_{code}\ (TA, stk\_base)\ \sigma'\ \xi^{-1}(W'_{R,r_{retcode}})$   (4)
for $n'' < n - 1$. Both capabilities are non-linear, so
$isLinear(\text{ret-ptr-code}(b, e, a + call\_len))$ iff $isLinear(((rx, normal), b, e, a + ret\_pt\_offset))$
is indeed the case.
Finally we need to show:
$\forall W'' \sqsupseteq purePart(W'_{R,r_{retcode}}), W_o, n'' < n - 1.\ (n'', (sc'_S, sc'_T)) \in H_{code,\sigma}\ \sigma_{ret}'\ \sigma_{clos}'\ ms_{code}\ (TA, stk\_base)\ \sigma'\ \xi^{-1}(W_o) \Rightarrow (n'', \text{ret-ptr-code}(b, e, a + call\_len), sc'_S, ((rx, normal), b, e, a + ret\_pt\_offset), sc'_T) \in \mathcal{E}^{\_,gc}_{xjmp}(W'' \oplus W_o)$
To this end, let $W'' \sqsupseteq purePart(W'_{R,r_{retcode}})$ and $W_o$ be given such that $W'' \oplus W_o$ is defined. Further, let $(n'', (sc'_S, sc'_T)) \in H_{code,\sigma}\ \sigma_{ret}'\ \sigma_{clos}'\ ms_{code}\ (TA, stk\_base)\ \sigma'\ \xi^{-1}(W_o)$ be given, and show
$(n'', \text{ret-ptr-code}(b, e, a + call\_len), sc'_S, ((rx, normal), b, e, a + ret\_pt\_offset), sc'_T) \in \mathcal{E}^{\_,gc}_{xjmp}(W'' \oplus W_o)$
Now let n′′′ ≤ n′′ be given along with reg(3)S , reg(3)T , ms(3)S , ms(3)T ,ms(3)stk , stk (3), W ′′R, and W ′′M such that
• W ′′ ⊕Wo ⊕W ′′R ⊕W ′′M is defined
• ms(3)S ,ms(3)stk , stk (3),ms(3)T :gcn′′′ W ′′M
•
(
n′′′, (reg(3)S , reg
(3)
T )
)
∈ R,gcuntrusted(W ′′R)
Based on Hcodeσ , there are three possible values for sc
′
S and sc
′
T . In the first case, sc
′
S is a ret-ptr-code and
sc′T is a capability with permission rx. In this case, xjumpResult will produce failed configurations which
are trivially in the observation relation. In the next case, it is required that σ′ ∈ σclos′, but this cannot be
the case as σ′ ∈ σret′ and we have σret′, σclos′ `comp−code mscode, which implies that σclos′ # σret′.
This leaves us with one final case, namely $sc'_S = \text{ret-ptr-data}(b'_{stk}, e'_{stk})$ and $sc'_T = ((\mathrm{rw},\mathrm{linear}), b'_{stk}, e'_{stk}, b'_{stk} - 1)$. Further we know
\[
\exists r \in \mathrm{addressable}(\mathrm{linear}, W_o.\mathit{priv}).\ W_o.\mathit{priv}(r).H =_n (\iota^{\mathit{sta},so,(ms^{(3)}_{\mathit{priv},S},\, ms^{(3)}_{\mathit{priv},T}),gc},\ a' + \mathit{call\_len})
\]
and $\mathrm{dom}(ms^{(3)}_{\mathit{priv},S}) = \mathrm{dom}(ms^{(3)}_{\mathit{priv},T}) = [b'_{stk}, e'_{stk}]$ and $\mathrm{decodeInstruction}(\mathit{code}([a', a' + \mathit{call\_len} - 1])) = \mathrm{call}_{\mathit{off}_{pc},\mathit{off}_\sigma}\ r_1\ r_2$ and $\mathit{code}(a' + \mathit{off}_{pc}) = \mathrm{seal}(\sigma_b, \sigma_e, \sigma_b)$ and $\sigma = \sigma_b + \mathit{off}_\sigma \in \sigma_{\mathit{ret}}$.
Call this region $r'$. By the above, the fact that the code capability pair is in $\mathcal{H}^{\mathit{code},\sigma}$ (4) and Lemma 71, we get $a' = a$. This means that $W''_M$ and $W''_R$ have this region.
We know that the two register-files are related, which in particular means that the values in register $r_{stk}$ are related. Now consider the following cases:
• $reg^{(3)}_S(r_{stk}) \ne \text{stack-ptr}(\_, \_, \_, \_)$
In this case, due to $reg^{(3)}_S$ being related to $reg^{(3)}_T$, there are three cases we need to consider. In all cases, the source configuration will fail because the value in the stack register is not a stack capability. If we can argue that the target configuration will also fail, then the two are in the observation relation. First, if $reg^{(3)}_T = \mathrm{sealed}(\sigma_{\mathit{ret\,stk}}, sc''_T)$, then the return code will fail when the base address (a sealed capability has no base address, so the instruction returns $-1$) is compared to $\mathit{stk\_base}$. Second, if $reg^{(3)}_T = \mathrm{seal}(\_, \_, \_)$, then the target execution fails when it attempts to splice this seal with $sc'_T$ (which we know is not a seal() capability). Finally, $reg^{(3)}_T = ((\mathit{perm}_{\mathit{ret\,stk}}, l_{\mathit{ret\,stk}}), b_{\mathit{ret\,stk}}, e_{\mathit{ret\,stk}}, \_)$ and $(n''', [b_{\mathit{ret\,stk}}, e_{\mathit{ret\,stk}}]) \in \mathrm{readCondition}^{gc}(l_{\mathit{ret\,stk}}, W''_{R,r_{stk}})$ is satisfied. This means that it is satisfied by some heap region, but by the memory satisfaction assumption $\mathit{stk\_base}$ must be in the free stack part of the world. This means that the execution will fail the $\mathit{stk\_base}$ check.
• $reg^{(3)}_S(r_{stk}) = \text{stack-ptr}(\mathit{perm}_{\mathit{ret\,stk}}, b_{\mathit{ret\,stk}}, \_, \_)$ and $b_{\mathit{ret\,stk}} \ne \mathit{stk\_base}$
Here the source side will fail the xjmp as the base address is not $\mathit{stk\_base}$. Similarly, on the target side the return code will fail the $\mathit{stk\_base}$ check.
• $reg^{(3)}_S(r_{stk}) = \text{stack-ptr}(\_, b_{\mathit{ret\,stk}}, e_{\mathit{ret\,stk}}, \_)$ and $b_{\mathit{ret\,stk}} = \mathit{stk\_base}$ and either $e_{\mathit{ret\,stk}} + 1 \ne b'_{stk}$ or $\mathit{perm}_{\mathit{ret\,stk}} \ne \mathrm{rw}$ or $b_{\mathit{ret\,stk}} > e_{\mathit{ret\,stk}}$.
In this case, the source configuration will fail as one of the conditions in xjumpResult will not be met. On the target side, the splice will fail as either the two capabilities being spliced don't line up, the permissions don't match, or the range of authority is empty, respectively.
• $reg^{(3)}_S(r_{stk}) = \text{stack-ptr}(\mathit{perm}_{\mathit{ret\,stk}}, b_{\mathit{ret\,stk}}, e_{\mathit{ret\,stk}}, \_)$ and $b_{\mathit{ret\,stk}} = \mathit{stk\_base}$ and $e_{\mathit{ret\,stk}} + 1 = b'_{stk}$ and $\mathit{perm}_{\mathit{ret\,stk}} = \mathrm{rw}$ and $b_{\mathit{ret\,stk}} \le e_{\mathit{ret\,stk}}$.
We would like to show that $ms^{(3)}_{\mathit{priv},S}$ is the topmost stack frame and that $r'$ governs it. By the memory satisfaction assumption and the presence of $r'$ in $W''_M$ we know that $stk^{(3)}$ is non-empty. By the memory satisfaction on the private stack, the following must be the case:
\[
stk^{(3)} = (\mathit{opc}_0, ms_0), \dots, (\mathit{opc}_m, ms_m) \wedge \forall i \in \{0, \dots, m\}.\ (\mathrm{dom}(ms_i) \ne \emptyset \wedge \forall i < j.\ \forall a \in \mathrm{dom}(ms_i).\ \forall a' \in \mathrm{dom}(ms_j).\ \mathit{stk\_base} < a < a')
\]
Assume for contradiction that $ms^{(3)}_{\mathit{priv},S}$ is not the top frame. In that case $\mathrm{dom}(ms_0) \ne \emptyset$ and $\forall a \in \mathrm{dom}(ms_0).\ \mathit{stk\_base} < a < b_{stk}$. At the same time, we know
\[
(n'', (\text{stack-ptr}(\mathrm{rw}, \mathit{stk\_base}, e_{\mathit{ret\,stk}}, \_),\ ((\mathrm{rw},\mathrm{linear}), \mathit{stk\_base}, e_{\mathit{ret\,stk}}, \_))) \in \mathcal{V}^{gc}_{\mathit{untrusted}}(W''_{R,r_{stk}})
\]
which means that the free stack part of the world contains a region that at least governs $[\mathit{stk\_base}, e_{\mathit{ret\,stk}}]$. Combining this with $e_{\mathit{ret\,stk}} + 1 = b'_{stk}$, we can conclude that no such address can exist in $ms_0$, so it must be empty, but this cannot be the case either. Therefore, the top stack frame must contain $ms^{(3)}_{\mathit{priv},S}$. Further, due to the disjointness required by memory satisfaction, it must be $r'$ that governs this stack frame. This also means that we have $\mathit{opc}_0 = a + \mathit{call\_len}$. With this, we have all the requirements for xjumpResult satisfied on both sides, which allows us to pick the necessary configurations:
\[
\begin{aligned}
\Phi^{(4)}_S &= \mathrm{xjumpResult}(r_1, r_2, (ms^{(3)}_S, reg^{(3)}_S, (ms^{(3)}_{\mathit{priv},S}, a + \mathit{call\_len}) :: stk^{(3)}_{\mathit{rest}}, ms^{(3)}_{stk})) \\
&= (ms^{(3)}_S,\ reg^{(3)}_S[\mathit{pc} \mapsto ((\mathrm{rx},\mathrm{normal}), b, e, a + \mathit{call\_len})] \\
&\qquad\qquad [r_{\mathit{data}} \mapsto 0] \\
&\qquad\qquad [r_{stk} \mapsto \text{stack-ptr}(\mathrm{rw}, \mathit{stk\_base}, e'_{stk}, e_{\mathit{ret\,stk}} + 1)] \\
&\qquad\qquad [r_{t1} \mapsto 0] \\
&\qquad\qquad [r_{t2} \mapsto 0], \\
&\qquad stk^{(3)}_{\mathit{rest}},\ ms^{(3)}_{\mathit{priv},S} \uplus ms^{(3)}_{stk})
\end{aligned}
\]
and
\[
\begin{aligned}
\Phi^{(4)}_T &= \mathrm{xjumpResult}(r_1, r_2, (ms^{(3)}_T, reg^{(3)}_T)) \\
&= (ms^{(3)}_T,\ reg^{(3)}_S[\mathit{pc} \mapsto ((\mathrm{rx},\mathrm{normal}), b, e, a + \mathit{ret\_pt\_offset})] \\
&\qquad\qquad [r_{\mathit{data}} \mapsto ((\mathrm{rw},\mathrm{linear}), \mathit{stk\_base}, e_{\mathit{ret\,stk}})])
\end{aligned}
\]
It now remains to show
\[
(n''', (\Phi^{(4)}_S, \Phi^{(4)}_T)) \in \mathcal{O}^{gc}
\]
Use Lemma 50, by which it suffices to show the following two things:
–
\[
\begin{aligned}
\Phi^{(4)}_T \to_l \Phi^{(5)}_T &= (ms^{(3)}_T,\ reg^{(3)}_S[\mathit{pc} \mapsto ((\mathrm{rx},\mathrm{normal}), b, e, a + \mathit{call\_len})] \\
&\qquad\qquad [r_{\mathit{data}} \mapsto 0] \\
&\qquad\qquad [r_{stk} \mapsto ((\mathrm{rw},\mathrm{linear}), \mathit{stk\_base}, e'_{stk}, e_{\mathit{ret\,stk}} + 1)] \\
&\qquad\qquad [r_{t1} \mapsto 0] \\
&\qquad\qquad [r_{t2} \mapsto 0])
\end{aligned}
\]
for some number of steps $l$. This follows immediately from the operational semantics.
– $(n''', (\Phi^{(4)}_S, \Phi^{(5)}_T)) \in \mathcal{O}^{gc}$
For fresh $r_{b'_{stk}}, \dots, r_{e'_{stk}}$ and $W'''$ defined as
\[
W''' = W''[\mathit{priv}.r' \mapsto \mathrm{revoked},\ \mathit{free}.r_{b'_{stk}} \dots r_{e'_{stk}} \mapsto \iota^{\mathit{std},s,\{b'_{stk}\},gc} \dots \iota^{\mathit{std},s,\{e'_{stk}\},gc}]
\]
and $W'''_R$ the same as $W'''$ but with the ownership of $W''_R$ as well as of the regions $r_{b'_{stk}}, \dots, r_{e'_{stk}}$, and $W'''_M$ the same as $W'''$ but with the ownership of $W''_M$, we show the following:
1. $(n''', (\Phi^{(4)}_S.\mathit{reg}, \Phi^{(5)}_T.\mathit{reg})) \in \mathcal{R}^{gc}_{\mathit{untrusted}}(W'''_R)$
2. $\Phi^{(4)}_S.\mathit{mem}, \Phi^{(4)}_S.\mathit{stk}, \Phi^{(4)}_S.ms_{stk}, \Phi^{(5)}_T.\mathit{mem} :^{gc}_{n'''} W'''_M$
3. $W''' \oplus W'''_R \oplus W'''_M$ is defined
Assuming the above, we use our assumption that Theorem 2 holds for all $n' < n$ to get
\[
(n''', (((\mathrm{rx},\mathrm{normal}), b, e, a + \mathit{call\_len}),\ ((\mathrm{rx},\mathrm{normal}), b, e, a + \mathit{call\_len}))) \in \mathcal{E}^{gc}(W''')
\]
Note that from the assumption "$\Phi_S$ reasonable up to $n$ steps", Lemma 16 and $n''' \le n'' < n-1$ we get "$\Phi_S$ reasonable up to $n'''+1$ steps", from which it follows that "$\Phi_S(\mathit{pc}) + \mathit{call\_len}$ reasonable up to $n'''$ steps". Using this along with the register-file safety and memory satisfaction, we get
\[
(n''', (\Phi^{(4)}_S, \Phi^{(5)}_T)) \in \mathcal{O}^{gc}
\]
as desired. We need to show the three things we skipped:
Show: $(n''', (\Phi^{(4)}_S.\mathit{reg}, \Phi^{(5)}_T.\mathit{reg})) \in \mathcal{R}^{gc}_{\mathit{untrusted}}(W'''_R)$
We will split the world like in $(n''', (reg^{(3)}_S, reg^{(3)}_T)) \in \mathcal{R}^{gc}_{\mathit{untrusted}}(W)$, but where $r_{stk}$ also gets the ownership of $r_{b'_{stk}}, \dots, r_{e'_{stk}}$. We need to show the following:
∗ Case $r_{\mathit{data}}, r_{t1}, r_{t2}$:
Trivial.
∗ Case $r \notin \{r_{\mathit{data}}, r_{t1}, r_{t2}, \mathit{pc}, r_{stk}\}$:
We have $\Phi^{(4)}_S.\mathit{reg}(r) = reg^{(3)}_S(r)$ and $\Phi^{(5)}_T.\mathit{reg}(r) = reg^{(3)}_T(r)$. We already know
\[
(n''', (reg^{(3)}_S(r), reg^{(3)}_T(r))) \in \mathcal{R}^{gc}_{\mathit{untrusted}}(W''_{R,r})
\]
This is true for some $W''_{R,r}$ which does not have the ownership of the regions that are revoked in $W'''_R$, so we can take the corresponding $W'''_{R,r}$ and have $W'''_{R,r} \sqsupseteq W''_{R,r}$. From Lemma 47, we then get
\[
(n''', (reg^{(3)}_S(r), reg^{(3)}_T(r))) \in \mathcal{R}^{gc}_{\mathit{untrusted}}(W'''_{R,r})
\]
as desired.
∗ Case $r_{stk}$:
For this case, we need to show
\[
(n''', [\mathit{stk\_base}, e'_{stk}]) \in \mathrm{stackReadCondition}^{gc}(W'''_{R,r_{stk}})
\]
and
\[
(n''', [\mathit{stk\_base}, e'_{stk}]) \in \mathrm{stackWriteCondition}^{gc}(W'''_{R,r_{stk}})
\]
for $W'''_{R,r_{stk}}$ that owns the same as $W''_{R,r_{stk}}$ as well as $r_{b'_{stk}}, \dots, r_{e'_{stk}}$.
For the first part, we use $(n''', (reg^{(3)}_S(r_{stk}), reg^{(3)}_T(r_{stk}))) \in \mathcal{V}^{gc}_{\mathit{untrusted}}(W''_{R,r_{stk}})$ and the fact that the stack capability must have rw permission, from which it follows that
\[
(n''', [\mathit{stk\_base}, e_{\mathit{ret\,stk}}]) \in \mathrm{stackReadCondition}^{gc}(W''_{R,r_{stk}})
\]
which gives us $S_{\mathit{free}} \subseteq \mathrm{addressable}(\mathrm{linear}, W.\mathit{free})$ and $R_{\mathit{free}} : S_{\mathit{free}} \to \mathcal{P}(\mathbb{N})$ such that
· $\forall r \in S_{\mathit{free}}.\ |R(r)| = 1$
· $\biguplus_{r \in S_{\mathit{free}}} R(r) \subseteq [\mathit{stk\_base}, e_{\mathit{ret\,stk}}]$
· $\forall r \in S_{\mathit{free}}.\ W.\mathit{free}(r) \supseteq_n \iota^{\mathit{std},so,R(r),gc}$
Now pick $S_{\mathit{read}} = S_{\mathit{free}} \cup \{r_{b'_{stk}}, \dots, r_{e'_{stk}}\}$ and
\[
R_{\mathit{read}}(r) = \begin{cases} R_{\mathit{read}}(r) & r \in S_{\mathit{read}} \\ \{a\} & r \in \{r_{b'_{stk}}, \dots, r_{e'_{stk}}\} \wedge r = r_a \end{cases}
\]
It is clearly the case that $\forall r \in S_{\mathit{read}}.\ |R_{\mathit{read}}(r)| = 1$ and $\biguplus_{r \in S_{\mathit{read}}} R(r) \subseteq [\mathit{stk\_base}, e_{\mathit{ret\,stk}}]$. The condition $\forall r \in S_{\mathit{free}}.\ W.\mathit{free}(r) \supseteq_n \iota^{\mathit{std},so,R(r),gc}$ follows from $\forall r \in S_{\mathit{free}}.\ W.\mathit{free}(r) \supseteq_n \iota^{\mathit{std},so,R(r),gc}$ and $W.\mathit{free}(r) = \iota^{\mathit{std},so,R(r),gc}$ for $r \in \{r_{b'_{stk}}, \dots, r_{e'_{stk}}\}$.
The stackReadCondition is shown in the same way, but we also use Lemma 70 to argue that the new regions are address-stratified.
Show:
\[
ms^{(3)}_S,\ \Phi^{(4)}_S.\mathit{stk},\ ms^{(3)}_{stk} \uplus ms^{(3)}_{\mathit{priv},S},\ ms^{(3)}_T :^{gc}_{n'''} W'''_M \tag{5}
\]
From the assumption $ms^{(3)}_S, ms^{(3)}_{stk}, stk^{(3)}, ms^{(3)}_T :^{gc}_{n'''} W''_M$, we know
∗ $stk = (a + \mathit{call\_len}, ms^{(3)}_{\mathit{priv},S}) :: (\mathit{opc}_1, ms_1) :: \dots :: (\mathit{opc}_m, ms_m)$
∗ $ms^{(3)}_S \uplus ms^{(3)}_{stk} \uplus ms^{(3)}_{\mathit{priv},S} \uplus ms_1 \uplus \dots \uplus ms_m$ is defined
∗ $W''_M = W''_{\mathit{stack}} \oplus W''_{\mathit{free\,stack}} \oplus W''_{\mathit{heap}}$
∗ $ms_{T,\mathit{stack}}, ms_{T,\mathit{free\,stack}}, ms_{T,\mathit{heap}}, ms_{T,f}, ms_{S,f}, ms'_S, \sigma$ such that
· $ms^{(3)}_S = ms_{f,S} \uplus ms'_S$
· $ms^{(3)}_T = ms_{T,\mathit{stack}} \uplus ms_{T,\mathit{free\,stack}} \uplus ms_{T,\mathit{heap}} \uplus ms_{T,f}$
· $(n''', (stk, ms_{T,\mathit{stack}})) \in \mathcal{S}^{gc}(W''_{\mathit{stack}})$
· $(n''', (ms^{(3)}_{stk}, ms_{T,\mathit{free\,stack}})) \in \mathcal{F}^{gc}(W''_{\mathit{free\,stack}})$
· $(n''', (\sigma, ms'_S, ms_{T,\mathit{heap}})) \in \mathcal{H}(W.\mathit{heap})(W''_{\mathit{heap}})$
We will pick the same things to show (5) with a few changes. We have to show
∗ $\Phi^{(4)}_S.\mathit{stk} = (\mathit{opc}_1, ms_1) :: \dots :: (\mathit{opc}_m, ms_m)$
By the memory satisfaction assumption and the change to the stack.
∗ $ms^{(3)}_S \uplus ms^{(3)}_{stk} \uplus ms^{(3)}_{\mathit{priv},S} \uplus ms_1 \uplus \dots \uplus ms_m$ is defined
By the memory satisfaction assumption.
∗ $W'''_M = W'''_{\mathit{stack}} \oplus W'''_{\mathit{free\,stack}} \oplus W'''_{\mathit{heap}}$
Define the new worlds to have the ownership of their $W''_M$ counterparts, except that $W'''_{\mathit{stack}}$ does not take ownership of the regions used for the safety of addresses $b'_{stk}, \dots, e'_{stk}$. This ownership goes to $W'''_{\mathit{free\,stack}}$ instead.
∗ We need to pick partitions of $ms^{(3)}_T$ and a frame for $ms^{(3)}_S$. We pick the same as we get from the memory satisfaction assumption, except we pick the free stack partition of the target memory to be $ms_{T,\mathit{free\,stack}} \uplus ms^{(3)}_{\mathit{priv},S}$ and the stack partition to be $ms_{T,\mathit{stack}} \setminus ms_{T,\mathit{stack}}|_{\mathrm{dom}(ms^{(3)}_{\mathit{priv},S})}$.
∗ $ms^{(3)}_S = ms_{f,S} \uplus ms'_S$
By assumption.
∗ $ms^{(3)}_T = ms_{T,\mathit{stack}} \uplus ms_{T,\mathit{free\,stack}} \uplus ms_{T,\mathit{heap}} \uplus ms_{T,f}$
By assumption and the fact that the only change is that we moved part of the stack to the free stack.
∗ $(n''', ((\mathit{opc}_1, ms_1) :: \dots :: (\mathit{opc}_m, ms_m),\ ms_{T,\mathit{stack}} \setminus ms_{T,\mathit{stack}}|_{\mathrm{dom}(ms^{(3)}_{\mathit{priv},S})})) \in \mathcal{S}^{gc}(W'''_{\mathit{stack}})$
Follows easily from the private stack satisfaction assumption. The distribution functions from the assumption are simply restricted to forget about the now revoked region and extend the world partition to be on $W'''_M$, but with the same ownership as in the one we had in the assumption. All the new partitions are future worlds of the old ones as none of them owned the revoked region (it was owned by $W''_R$).
∗ $(n''', (ms^{(3)}_{stk} \uplus ms^{(3)}_{\mathit{priv},S},\ ms_{T,\mathit{free\,stack}} \uplus ms_{T,\mathit{stack}}|_{\mathrm{dom}(ms^{(3)}_{\mathit{priv},S})})) \in \mathcal{F}^{gc}(W'''_{\mathit{free\,stack}})$
From the $(n''', (ms^{(3)}_{stk}, ms_{T,\mathit{free\,stack}})) \in \mathcal{F}^{gc}(W''_{\mathit{free\,stack}})$ assumption we get
· $R_{ms} : \mathrm{dom}(\mathrm{active}(W''_{\mathit{free\,stack}})) \to \mathrm{MemorySegment} \times \mathrm{MemorySegment}$ and
· $R_W : \mathrm{dom}(\mathrm{active}(W''_{\mathit{free\,stack}}).\mathit{free}) \to \mathrm{World}_{\mathit{private\,stack}}$
for which
· $ms^{(3)}_{stk} = \biguplus_{r \in \mathrm{dom}(\mathrm{active}(W''_{\mathit{free\,stack}}.\mathit{free}))} \pi_1(R_{ms}(r))$
· $ms_{T,\mathit{free\,stack}} = \biguplus_{r \in \mathrm{dom}(\mathrm{active}(W''_{\mathit{free\,stack}}.\mathit{free}))} \pi_2(R_{ms}(r))$
· $\mathit{stk\_base} \in \mathrm{dom}(ms^{(3)}_{stk})$ and $\mathit{stk\_base} \in \mathrm{dom}(ms_{T,\mathit{free\,stack}})$
· $W''_{\mathit{free\,stack}} = \bigoplus_{r \in \mathrm{dom}(\mathrm{active}(W''_{\mathit{free\,stack}}.\mathit{free}))} R_W(r)$
· $\forall r \in \mathrm{dom}(\mathrm{active}(W''_{\mathit{free\,stack}}.\mathit{free})),\ n'''' < n'''.\ (n'''', R_{ms}(r)) \in W''_{\mathit{free\,stack}}.\mathit{free}(r).H\ \xi^{-1}(R_W(r))$
Now pick
\[
R'_{ms}(r) = \begin{cases} (ms^{(3)}_{\mathit{priv},S}|_{\{a'\}},\ ms_{T,\mathit{stack}}|_{\{a'\}}) & r = r_{a'} \in \{r_{b'_{stk}}, \dots, r_{e'_{stk}}\} \\ R_{ms}(r) & \text{otherwise} \end{cases}
\]
and
\[
R'_W(r) = \begin{cases} W'''_{a'} & r = r_{a'} \in \{r_{b'_{stk}}, \dots, r_{e'_{stk}}\} \\ R_W(r)[\mathit{priv}.r' \mapsto \mathrm{revoked},\ \mathit{free}.r_{b'_{stk}} \dots r_{e'_{stk}} \mapsto \iota^{\mathit{std},s,\{b'_{stk}\},gc} \dots \iota^{\mathit{std},s,\{e'_{stk}\},gc}] & \text{otherwise} \end{cases}
\]
for $W'''_{a'}$ constructed as follows: $W''_{\mathit{stack}}$ is the part of the world given to the stack judgement in the assumption. This world is split into a number of parts to satisfy the memory interpretation of each frame. Say $W''_{\mathit{top},\mathit{stack}}$ is used for the top stack frame in the assumption. The top stack frame is governed by a static region, so by definition it is split into parts that satisfy each of the addresses. That is, for $a' \in \{b'_{stk}, \dots, e'_{stk}\}$, $W''_{a'}$ is the part that makes the value in memory satisfy the value relation. Now let $W'''_{a'}$ be $W'''$ but with the ownership of $W''_{a'}$.
It is easy to see that $R'_{ms}$ constructs the two memories, and from the assumption we also get that the base stack address is in there.
It remains to show
\[
\forall r \in \mathrm{dom}(\mathrm{active}(W'''_{\mathit{free\,stack}}.\mathit{free})),\ n'''' < n'''.\ (n'''', R_{ms}(r)) \in W'''_{\mathit{free\,stack}}.\mathit{free}(r).H\ \xi^{-1}(R_W(r))
\]
For $r \in \mathrm{dom}(\mathrm{active}(W'''_{\mathit{free\,stack}}.\mathit{free})) \setminus \{r_{b'_{stk}}, \dots, r_{e'_{stk}}\}$, it follows from monotonicity of the $H$ (memory interpretation) function. For $r_{a'} \in \{r_{b'_{stk}}, \dots, r_{e'_{stk}}\}$ and $n'''' < n'''$, we need to show
\[
(n'''', (ms^{(3)}_{\mathit{priv},S}(a'), ms_{T,\mathit{stack}}|(a'))) \in \iota^{\mathit{std},s,\{a\},gc}.H(\xi^{-1} R_W(r_{a'}))
\]
which amounts to showing $\mathrm{dom}(ms^{(3)}_{\mathit{priv},S}|_{\{a'\}}) = \mathrm{dom}(ms_{T,\mathit{stack}}|_{\{a'\}}) = \{a'\}$, which is the case, and
\[
(n'''', (ms^{(3)}_{\mathit{priv},S}(a'), ms_{T,\mathit{stack}}|(a'))) \in \mathcal{V}^{gc}_{\mathit{untrusted}}(W'''_{a'})
\]
which follows from Lemma 47 and the fact that we have a memory satisfaction assumption in which $ms^{(3)}_{\mathit{priv},S}$ is governed by a standard static region.
∗ $(n''', (\sigma, ms'_S, ms_{T,\mathit{heap}})) \in \mathcal{H}(W.\mathit{heap})(W'''_{\mathit{heap}})$
Follows by Lemma 47 and the heap satisfaction assumption.
Argue: $W''' \oplus W'''_R \oplus W'''_M$ is defined.
This follows from the assumption that $W'' \oplus W''_R \oplus W''_M$ is defined and the fact that each of the new worlds is constructed from one of the past worlds and only one of them claims the ownership of the new regions.
This concludes case ii.
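The four $r_{stk}$ cases of case ii above compare the source xjumpResult conditions with the target return code's $\mathit{stk\_base}$ check and splice. Below is a constructed Python model of those checks, added here as an illustration; it is not the report's or the StkTokens machines' definitions, and the class names, the $-1$ base for sealed words and treating a seal's base as the start of its seal range are assumptions of the model.

```python
from dataclasses import dataclass
from typing import Optional, Union

# Constructed model (not the report's own definitions) of the return checks
# compared in the r_stk case analysis: the source xjump conditions and the
# target return code's stk_base check followed by a splice. Class and function
# names are ours; the seal base used below is a modelling assumption.


@dataclass(frozen=True)
class Cap:
    """Target capability ((perm, linearity), b, e, a)."""
    perm: str        # e.g. "rw", "rx"
    linear: bool
    b: int
    e: int
    a: int


@dataclass(frozen=True)
class Seal:
    """Target seal capability seal(sb, se, s)."""
    sb: int
    se: int
    s: int


@dataclass(frozen=True)
class Sealed:
    """Target sealed word sealed(sigma, inner)."""
    sigma: int
    inner: object


@dataclass(frozen=True)
class StackPtr:
    """Source stack capability stack-ptr(perm, b, e, a)."""
    perm: str
    b: int
    e: int
    a: int


TargetWord = Union[Cap, Seal, Sealed, int]


def get_base(w: TargetWord) -> int:
    """Base address of a target word; a sealed word or integer yields -1."""
    if isinstance(w, Cap):
        return w.b
    if isinstance(w, Seal):
        return w.sb          # assumption: a seal's base is the start of its range
    return -1


def splice(c1: TargetWord, c2: TargetWord) -> Optional[Cap]:
    """Join two adjacent capabilities into one; None models a failing splice."""
    if not (isinstance(c1, Cap) and isinstance(c2, Cap)):
        return None                      # a seal or sealed word cannot be spliced
    if c1.perm != c2.perm or c1.linear != c2.linear:
        return None                      # permissions do not match
    if c1.e + 1 != c2.b:
        return None                      # ranges do not line up
    if c1.b > c1.e or c2.b > c2.e:
        return None                      # empty range of authority
    return Cap(c1.perm, c1.linear, c1.b, c2.e, c2.b)


def target_return(reg_stk: TargetWord, sc_T: Cap, stk_base: int) -> Optional[Cap]:
    """Target return code: compare the base with stk_base, then splice with sc'_T."""
    if get_base(reg_stk) != stk_base:
        return None
    return splice(reg_stk, sc_T)


def source_xjump(reg_stk, b_stk: int, e_stk: int, stk_base: int) -> Optional[StackPtr]:
    """Source xjumpResult conditions on r_stk for a ret-ptr-data(b_stk, e_stk)."""
    if not isinstance(reg_stk, StackPtr):
        return None                      # not a stack capability at all
    if reg_stk.b != stk_base or reg_stk.e + 1 != b_stk:
        return None                      # wrong base, or frame does not line up
    if reg_stk.perm != "rw" or reg_stk.b > reg_stk.e:
        return None                      # wrong permission or empty range
    return StackPtr("rw", stk_base, e_stk, reg_stk.e + 1)


def outcomes_agree(reg_S, reg_T, b_stk: int, e_stk: int, stk_base: int) -> bool:
    """True iff source and target both fail or both succeed on related registers."""
    sc_T = Cap("rw", True, b_stk, e_stk, b_stk - 1)    # sc'_T as in the proof
    src = source_xjump(reg_S, b_stk, e_stk, stk_base)
    tgt = target_return(reg_T, sc_T, stk_base)
    return (src is None) == (tgt is None)
```

Each assertion in the accompanying check corresponds to one of the bullets above: a non-stack-pointer source register, a wrong base, a frame that does not line up, a wrong permission, an empty range, and finally the successful return.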
Case iii.: we need to show
\[
\Phi''_S.\mathit{mem},\ \Phi''_S.\mathit{stk},\ \Phi''_S.ms_{stk},\ \Phi''_T.\mathit{mem} :^{gc}_{n-1} W'_M
\]
which amounts to
\[
\Phi_S.\mathit{mem},\ ((a + \mathit{call\_len}), ms_{\mathit{stk\,priv},S}) :: \Phi_S,\ \Phi_S.ms_{stk} - \Phi_S.ms_{stk}|_{[a_{stk},e_{stk}]},\ \Phi''_T.\mathit{mem} :^{gc}_{n-1} W'_M
\]
for $ms_{\mathit{stk\,priv},S} = \Phi_S.ms_{stk}|_{[a_{stk},e_{stk}]}[a_{stk} \mapsto 42]$.
In order to show this, we will first show the following:
• $b_{stk} = \mathit{stk\_base}$
We know $\Phi_S$ is reasonable up to $n$ steps. Further, from $\mathrm{callCondition}(\Phi_S, r_1, r_2, \mathit{off}_{pc}, \mathit{off}_\sigma, a)$ and $b \le a$ and $a + \mathit{call\_len} - 1 \le e$ and $[b, e] \subseteq TA$ we can conclude that $\Phi_S$ points to $\mathrm{call}_{\mathit{off}_{pc},\mathit{off}_\sigma}\ r_1\ r_2$ in $TA$. By the Guarantee stack base address before call we then know $\Phi_S(r_{stk}) = \text{stack-ptr}(\_, \mathit{stk\_base}, \_, \_)$.
By assumption we have $\Phi_S.\mathit{mem}, \Phi_S.\mathit{stk}, \Phi_S.ms_{stk}, \Phi_T.\mathit{mem} :^{gc}_n W_M$, which gives us $ms_{T,\mathit{stack}}, ms_{T,\mathit{free\,stack}}, ms_{T,\mathit{heap}}, ms_{T,f}, ms_{S,f}, ms'_S, W_{M,\mathit{stack}}, W_{M,\mathit{free\,stack}}, W_{M,\mathit{heap}}$ such that:
• $\Phi_S.\mathit{stk} = (\mathit{opc}_0, ms_0) \dots (\mathit{opc}_m, ms_m)$
• $ms_0 \uplus \dots \uplus ms_m \uplus \Phi_S.\mathit{mem} \uplus \Phi_S.ms_{stk}$ is defined
• $W_M = W_{M,\mathit{stack}} \oplus W_{M,\mathit{free\,stack}} \oplus W_{M,\mathit{heap}}$
• $\Phi_S.\mathit{mem} = ms_{f,S} \uplus ms'_S$
• $\Phi_T.\mathit{mem} = ms_{T,\mathit{stack}} \uplus ms_{T,\mathit{free\,stack}} \uplus ms_{T,\mathit{heap}} \uplus ms_{T,f}$
• $(n, (\Phi_S.\mathit{stk}, ms_{T,\mathit{stack}})) \in \mathcal{S}^{gc}(W_{M,\mathit{stack}})$
• $(n, (\Phi_S.ms_{stk}, ms_{T,\mathit{free\,stack}})) \in \mathcal{F}^{gc}(W_{M,\mathit{free\,stack}})$
• $(n, (\sigma, ms'_S, ms_{T,\mathit{heap}})) \in \mathcal{H}(W_M.\mathit{heap})(W_{M,\mathit{heap}})$
In order to prove the memory satisfaction, we pick the same memories except for the following changes:
• The target free stack partition: $ms_{T,\mathit{free\,stack}} \setminus ms_{T,\mathit{free\,stack}}|_{[a_{stk},e_{stk}]}$
• The target private stack partition: $ms_{T,\mathit{stack}} \uplus ms_{T,\mathit{free\,stack}}|_{[a_{stk},e_{stk}]}[a_{stk} \mapsto 42]$
and the worlds
• Free stack world: $W'_{M,\mathit{free\,stack}}$ is $W'_{R,1}$ with the ownership of $W_{M,\mathit{free\,stack}}$, except that it gives up any ownership that we used for the safety of the addresses $[a_{stk}, e_{stk}]$.
• Private stack world: $W'_{M,\mathit{stack}}$ is $W'_{R,1}$ with the ownership of $W_{M,\mathit{stack}}$, except that it takes the ownership that $W_{M,\mathit{free\,stack}}$ used for the safety of the addresses $[a_{stk}, e_{stk}]$.
• Heap world: $W'_{M,\mathit{heap}}$ is $W'_{R,1}$ with the ownership of $W_{M,\mathit{heap}}$, which gives us $W'_{M,\mathit{heap}} \sqsupseteq W_{M,\mathit{heap}}$.
We now need to show:
• $stk = ((a + \mathit{call\_len}), ms_{\mathit{stk\,priv},S}) :: (\mathit{opc}_0, ms_0) \dots (\mathit{opc}_m, ms_m)$
Trivial.
• $ms_{\mathit{stk\,priv},S} \uplus ms_0 \uplus \dots \uplus ms_m \uplus \Phi_S.\mathit{mem} \uplus \Phi_S.ms_{stk} - \Phi_S.ms_{stk}|_{[a_{stk},e_{stk}]}$
Follows by assumption and the fact that we have shuffled around some memory⁵.
• $W'_M = W'_{M,\mathit{stack}} \oplus W'_{M,\mathit{free\,stack}} \oplus W'_{M,\mathit{heap}}$
This follows by assumption and the fact that all ownership we have added to a world has been removed from another.
• $\Phi_S.\mathit{mem} = ms_{f,S} \uplus ms'_S$
By assumption.
⁵ Thanks to the register-file safety assumption we know for sure that the memory we remove from the free stack is actually there.
• $\Phi_T.\mathit{mem} = ms_{T,\mathit{stack}} \uplus ms_{T,\mathit{free\,stack}}|_{[a_{stk},e_{stk}]}[a_{stk} \mapsto 42] \uplus ms_{T,\mathit{free\,stack}} \setminus ms_{T,\mathit{free\,stack}}|_{[a_{stk},e_{stk}]} \uplus ms_{T,\mathit{heap}} \uplus ms_{T,f}$
Follows by assumption and the fact that we have shuffled around some memory⁶.
• $(n-1, (((a + \mathit{call\_len}), ms_{\mathit{stk\,priv},S}) :: \Phi_S,\ ms_{T,\mathit{stack}} \uplus ms_{T,\mathit{free\,stack}}|_{[a_{stk},e_{stk}]}[a_{stk} \mapsto 42])) \in \mathcal{S}^{gc}(W'_{M,\mathit{stack}})$:
Most of the conditions follow from the previous stack satisfaction assumption. The only challenge is to argue that the new stack frame satisfies the conditions. First of all, we know $ms_{\mathit{stk\,priv},S}$ is non-empty as it at least contains address $a_{stk}$. Next, we need to argue that
\[
\forall j \in \{0, \dots, m\}.\ \forall a \in \mathrm{dom}(ms_{\mathit{stk\,priv},S}).\ \forall a' \in \mathrm{dom}(ms_j).\ \mathit{stk\_base} < a < a'
\]
The first bit, $\mathit{stk\_base} < a$ for $a \in \mathrm{dom}(ms_{\mathit{stk\,priv},S})$, follows from the fact that $a_{stk}$ is the smallest address in $\mathrm{dom}(ms_{\mathit{stk\,priv},S})$ and by assumption $\mathit{stk\_base} < a_{stk}$.
Now assume for contradiction that there exists $a' \in \mathrm{dom}(ms_j)$ for some $j$ such that $a' \le a$ for some $a \in \mathrm{dom}(ms_{\mathit{stk\,priv},S})$. By assumption we have $\mathit{stk\_base} < a'$, so $a' \in [\mathit{stk\_base} + 1, a] \subseteq [\mathit{stk\_base} + 1, a_{stk}] \subseteq [\mathit{stk\_base}, e_{stk}]$, which means that $a'$ is an address governed by a stack pointer. By the register-safety assumption this must mean that it is an address of the free part of the stack. At the same time, it must be an address of the private stack because $ms_j$ is part of the stack from the original configuration. This contradicts the initial memory satisfaction assumption, as the different parts must be disjoint.
From the stack satisfaction assumption, we get $R_{ms}$ and $R_W$. Pick
\[
R'_{ms}(r) = \begin{cases} (ms_{\mathit{stk\,priv},S},\ (a + \mathit{call\_len}),\ ms_{T,\mathit{free\,stack}}|_{[a_{stk},e_{stk}]}[a_{stk} \mapsto 42]) & \text{for } r = r_{\mathit{priv\,stk}} \\ R_{ms}(r) & \text{otherwise} \end{cases}
\]
and for $R'_W$ pick
\[
R'_W(r) = \begin{cases} W_{M,\mathit{free\,stack},[a_{stk},e_{stk}]}[\mathit{free}.R^{-1}([a_{stk}, e_{stk}]) \mapsto \mathrm{revoked}][\mathit{priv}.r_{\mathit{priv\,stk}} \mapsto (\iota^{\mathit{sta},s,(ms_{\mathit{stk\,priv},S},\,\Phi''_T.\mathit{mem}|_{[a_{stk},e_{stk}]}),gc},\ a + \mathit{call\_len})] & \text{for } r = r_{\mathit{priv\,stk}} \\ R_W(r)[\mathit{free}.R^{-1}([a_{stk}, e_{stk}]) \mapsto \mathrm{revoked}][\mathit{priv}.r_{\mathit{priv\,stk}} \mapsto (\iota^{\mathit{sta},s,(ms_{\mathit{stk\,priv},S},\,\Phi''_T.\mathit{mem}|_{[a_{stk},e_{stk}]}),gc},\ a + \mathit{call\_len})] & \text{otherwise} \end{cases}
\]
where $W_{M,\mathit{free\,stack},[a_{stk},e_{stk}]}$ is the world that the free stack assumption uses to satisfy that range of addresses.
Most of the conditions hold trivially. The only one that requires some argumentation is
\[
(n', (ms_{\mathit{stk\,priv},S},\ ms_{T,\mathit{free\,stack}}|_{[a_{stk},e_{stk}]}[a_{stk} \mapsto 42])) \in \iota^{\mathit{sta},s,(ms_{\mathit{stk\,priv},S},\,\Phi''_T.\mathit{mem}|_{[a_{stk},e_{stk}]}),gc}.H\ \xi^{-1}(R'_W(r_{\mathit{priv\,stk}}))
\]
for all $n' < n-1$, where $R'_W(r_{\mathit{priv\,stk}})$ is the part of $W'_{M,\mathit{stack}}$ with the ownership used for addresses $[a_{stk}, e_{stk}]$ in the memory satisfaction assumption.
As we have the safe register-file assumption, we know that the stack capability is safe. This means that the addresses $[a_{stk}, e_{stk}]$ must be part of the free stack. Further, $\Phi''_T.\mathit{mem} = \Phi_T.\mathit{mem}[a_{stk} \mapsto 42]$ and $ms_{T,\mathit{free\,stack}} \subseteq \Phi_T.\mathit{mem}$ and $\mathrm{dom}(ms_{T,\mathit{free\,stack}}) \supseteq [a_{stk}, e_{stk}]$, from which it follows that the memories are equal to the ones of the static region.
It remains to show
\[
\forall a \in [a_{stk}, e_{stk}].\ (n', (ms_{\mathit{stk\,priv},S}(a),\ ms_{T,\mathit{free\,stack}}|_{[a_{stk},e_{stk}]}[a_{stk} \mapsto 42](a))) \in \mathcal{V}^{gc}_{\mathit{untrusted}}(W'_{R,a})
\]
for $n' < n-1$. For $a = a_{stk}$ it is trivial, as we have to show
\[
(n-1, (42, 42)) \in \mathcal{V}^{gc}_{\mathit{untrusted}}(W'_{R,a_{stk}})
\]
For $a \in [a_{stk} + 1, e_{stk}]$ we need to show
\[
(n', (ms_{\mathit{stk\,priv},S}(a),\ ms_{T,\mathit{free\,stack}}|_{[a_{stk},e_{stk}]}[a_{stk} \mapsto 42](a))) \in \mathcal{V}^{gc}_{\mathit{untrusted}}(W'_{R,a})
\]
for $n' < n-1$. If we can show
\[
(n', (\Phi_S.ms_{stk}(a), ms_{T,\mathit{free\,stack}}(a))) \in \mathcal{V}^{gc}_{\mathit{untrusted}}(W_{R,a})
\]
for $n' < n-1$, then we are done by monotonicity of $\mathcal{V}^{gc}_{\mathit{untrusted}}$.
⁶ Thanks to the register-file safety assumption we know for sure that the memory we remove from the free stack is actually there.
By assumption we know $(n, (\Phi_S.\mathit{reg}, \Phi_T.\mathit{reg})) \in \mathcal{R}^{gc}_{\mathit{untrusted}}(W_R)$, which entails $(n, (\Phi_S.\mathit{reg}(r_{stk}), \Phi_T.\mathit{reg}(r_{stk}))) \in \mathcal{R}^{gc}_{\mathit{untrusted}}(W_{R,r_{stk}})$. We know $\Phi_S.\mathit{reg}(r_{stk}) = \text{stack-ptr}(\mathrm{rw}, \mathit{stk\_base}, e_{stk}, a_{stk})$, so by the definition of $\mathcal{V}^{gc}_{\mathit{untrusted}}$ we get
\[
(n, [\mathit{stk\_base}, e_{stk}]) \in \mathrm{stackReadCondition}^{gc}(W_{R,r_{stk}})
\]
which in turn gives us $S_{r_{stk}} \subseteq \mathrm{addressable}(\mathrm{linear}, W.\mathit{free})$ and $R_{r_{stk}} : S_{r_{stk}} \to \mathcal{P}(\mathbb{N})$ for which
– $\forall r \in S_{r_{stk}}.\ |R_{r_{stk}}(r)| = 1$
– $\biguplus_{r \in S_{r_{stk}}} R_{r_{stk}}(r) \supseteq [\mathit{stk\_base}, e_{stk}]$
– $\forall r \in S_{r_{stk}}.\ W_{R,r_{stk}}(r).H \subseteq_n \iota^{\mathit{std},so,R_{r_{stk}}(r),gc}$
Further, we know $(n, (\Phi_S.ms_{stk}, ms_{T,\mathit{free\,stack}})) \in \mathcal{F}^{gc}(W_{M,\mathit{free\,stack}}.\mathit{free})$, which means that we have $R_{ms} : \mathrm{dom}(\mathrm{active}(W_{M,\mathit{free\,stack}})) \to \mathrm{MemorySegment} \times \mathrm{MemorySegment}$ and $R_W : \mathrm{dom}(W_{M,\mathit{free\,stack}}.\mathit{free}) \to \mathrm{World}_{\mathit{private\,stack}}$. $R_W$ distributes the ownership of $W_{M,\mathit{free\,stack}}$ and $R_{ms}$ partitions the memories.
We know that all regions in $S_{r_{stk}}$ govern singleton memory segments, so $R_{ms}$ must map to singleton memory segment pairs for $r \in S_{r_{stk}}$. Further, by definition of the free stack satisfaction, for $r \in S_{r_{stk}}$ we have
\[
(n', R_{ms}(r)) \in W_{R,r_{stk}}(r).H\ \xi^{-1}(R_W(r))
\]
for $n' < n$, which entails
\[
(n-1, R_{ms}(r)) \in \iota^{\mathit{std},so,R_{r_{stk}}(r),gc}.H\ \xi^{-1}(R_W(r))
\]
which entails
\[
(n-1, R_{ms}(r)(a)) \in \mathcal{V}^{gc}_{\mathit{untrusted}}(R_W(r))
\]
for $a \in R_{r_{stk}}(r)$.
Now, using Lemma 44, this is exactly what we wanted to show, because $R_W(r)$ is what we picked as $W_{R,a}$.
• $(n-1, (\Phi_S.ms_{stk} - \Phi_S.ms_{stk}|_{[a_{stk},e_{stk}]},\ ms_{T,\mathit{free\,stack}} \setminus ms_{T,\mathit{free\,stack}}|_{[a_{stk},e_{stk}]})) \in \mathcal{F}^{gc}(W'_{M,\mathit{free\,stack}})$:
From the safety assumption on the stack capability, we can deduce a number of things:
– $[a_{stk}, e_{stk}]$ must have been part of the free stack
– for every address in $[a_{stk}, e_{stk}]$ there is a region for that singleton memory segment.
The first part means that we do indeed remove all of the memory we try to subtract. The latter means that we can reuse the same split of the remaining memory and the world ownership as we get from the assumption $(n, (\Phi_S.ms_{stk}, ms_{T,\mathit{free\,stack}})) \in \mathcal{F}^{gc}(W_{M,\mathit{free\,stack}})$. Using this, the result follows from monotonicity of the $H$ function.
• $(n-1, (\sigma, ms'_S, ms_{T,\mathit{heap}})) \in \mathcal{H}(W'_M.\mathit{heap})(W'_{M,\mathit{heap}})$:
Follows from Lemma 69, Lemma 44, the fact that the heap part of the world remains unchanged, and $W'_{M,\mathit{heap}} \sqsupseteq W_{M,\mathit{heap}}$.
Case 5.:
First show that
\[
(n-1, (((\mathrm{rx},\mathrm{normal}), b, e, a), ((\mathrm{rx},\mathrm{normal}), b, e, a))) \in \mathcal{V}^{gc}_{\mathit{tst}}(\mathrm{purePart}(W_R))
\]
First observe that by Lemma 8, $\mathrm{purePart}(W_R) = \mathrm{purePart}(W_{pc})$. Further, by assumption, Lemma 44, Lemma 8, and Lemma 29, we have
\[
(n-1, [b, e]) \in \mathrm{readXCondition}^{gc}(\mathrm{purePart}(W_R))
\]
If $\mathit{tst} = \mathit{trusted}$, then by assumption we have $[b, e] \subseteq TA$, which means that all the conditions are met for the capability pair to be in the trusted part of the value relation.
If $\mathit{tst} = \mathit{untrusted}$, then we need to show that the capability pair is in the untrusted part of the value relation, which means that we need to show:
• $(n-1, [b, e]) \in \mathrm{readCondition}^{gc}(\mathrm{normal}, \mathrm{purePart}(W_R))$
This follows by assumption, Lemma 29, Lemma 8, and Lemma 44.
• $(n-1, [b, e]) \in \mathrm{readXCondition}^{gc}(\mathrm{purePart}(W_R))$
We already showed this.
• $(n-1, [b, e]) \in \mathrm{executeCondition}^{gc}(\mathrm{purePart}(W_R))$
To this end let $W' \sqsupseteq \mathrm{purePart}(W_R)$, $n' < n-1$ and $a' \in [b', e']$ be given, and show
\[
(n', (((\mathrm{rx},\mathrm{normal}), b', e', a'), ((\mathrm{rx},\mathrm{normal}), b', e', a'))) \in \mathcal{E}^{gc}(W')
\]
This follows immediately from the FTLR: we know that $[b, e] \mathrel{\#} TA$ since $\mathit{tst} = \mathit{untrusted}$, and we know that $n' < n-1 < n$.
Now show
\[
(n-1, (\Phi'_S.\mathit{reg}, \Phi'_T.\mathit{reg})) \in \mathcal{R}^{gc}_{\mathit{tst}}(W_R)
\]
Note that we know that $\Phi_S.\mathit{reg}(\mathit{pc})$ is not linear (which will sometimes help to eliminate some cases).
By assumption we have
\[
(n, (\Phi_S.\mathit{reg}, \Phi_T.\mathit{reg})) \in \mathcal{R}^{gc}_{\mathit{tst}}(W_R)
\]
which gives us $R_R : (\mathrm{RegisterName} \setminus \{\mathit{pc}\}) \to \mathrm{World}$ such that $W_R = \bigoplus_{r \in \mathrm{RegisterName} \setminus \{\mathit{pc}\}} R_R(r)$ and for all $r$ in $\mathrm{RegisterName} \setminus \{\mathit{pc}\}$ we have $(n, (\Phi_S.\mathit{reg}(r), \Phi_T.\mathit{reg}(r))) \in \mathcal{R}^{gc}_{\mathit{tst}}(R_R(r))$. To this end, we need to consider each of the cases 5.1.–5.11.:
• Case 5.1.:
Pick $R_R$ as the ownership distribution. For $r \ne r_1$ it follows by assumption and Lemma 44. For $r = r_1$ it also follows by assumption and Lemmas 44, 51, and 54.
• Case 5.2.:
Pick $R_R$ as the ownership distribution. For $r \ne r_1$ it follows by assumption and Lemma 44. For $r = r_1$ it also follows by assumption and Lemmas 44, 52, and 59.
• Case 5.3.:
Pick $R_R$ as the ownership distribution. For $r \ne r_1$ it follows by assumption and Lemma 44. For $r = r_1$ it also follows by assumption and Lemmas 44 and 53.
• Case 5.4.: Pick the ownership distribution based on the linearity of $w_2$: If $\mathrm{isLinear}(w_2)$, then pick
\[
R'_R(r) = \begin{cases} R_R(r_2) \oplus R_R(r_1) & r = r_1 \\ \mathrm{purePart}(W_R) & r = r_2 \\ R_R(r) & \text{otherwise} \end{cases}
\]
If $\neg\mathrm{isLinear}(w_2)$, then pick
\[
R'_R(r) = R_R(r)
\]
In the case where $\mathrm{isLinear}(w_2)$, we may assume $r_2 \ne \mathit{pc}$. We need to show (assuming $r_1 \ne \mathit{pc}$)
\[
(n-1, (\Phi'_S(r_1), \Phi'_T(r_1))) \in \mathcal{V}^{gc}_{\mathit{tst}}(R_R(r_2) \oplus R_R(r_1))
\]
which is
\[
(n-1, (\Phi_S(r_2), \Phi_T(r_2))) \in \mathcal{V}^{gc}_{\mathit{tst}}(R_R(r_2) \oplus R_R(r_1))
\]
This follows by assumption and Lemmas 47 and 10.
We also need to show
\[
(n-1, (\Phi'_S(r_2), \Phi'_T(r_2))) \in \mathcal{V}^{gc}_{\mathit{tst}}(\mathrm{purePart}(W_R))
\]
which is trivial as $\Phi'_S(r_2) = \Phi'_T(r_2) = 0$.
Finally, for $r \ne r_1, r_2, \mathit{pc}$
\[
(n-1, (\Phi'_S(r), \Phi'_T(r))) \in \mathcal{V}^{gc}_{\mathit{tst}}(R_R(r))
\]
follows by assumption and Lemma 44.
In the case where $\neg\mathrm{isLinear}(w_2)$:
If $r_2 \ne \mathit{pc}$, then for $r \ne r_1$
\[
(n-1, (\Phi'_S(r), \Phi'_T(r))) \in \mathcal{V}^{gc}_{\mathit{tst}}(R_R(r))
\]
follows by assumption and Lemma 44.
For $r \ne r_1, r_2$
\[
(n-1, (\Phi'_S(r_1), \Phi'_T(r_1))) \in \mathcal{V}^{gc}_{\mathit{tst}}(R_R(r_1))
\]
amounts to
\[
(n-1, (\Phi_S(r_2), \Phi_T(r_2))) \in \mathcal{V}^{gc}_{\mathit{tst}}(R_R(r_1))
\]
by assumption and Lemmas 8 and 29.
If $r_2 = \mathit{pc}$, show
\[
(n-1, (\Phi_S(\mathit{pc}), \Phi_T(\mathit{pc}))) \in \mathcal{V}^{gc}_{\mathit{tst}}(R_R(r_1))
\]
which follows from Lemmas 47 and 12 and what we have proven about the pc.
• Case 5.5.:
Pick $R'_R = R_R$. For $r \ne r_1, r_2$, we have
\[
(n-1, (\Phi_S(r), \Phi_T(r))) \in \mathcal{V}^{gc}_{\mathit{untrusted}}(R_R(r))
\]
by assumption and Lemma 44.
For $r_1$ use Lemma 72 and consider the following two cases:
– $TA \mathrel{\#} [b, e]$: by assumption this entails $\mathit{tst} = \mathit{untrusted}$.
By assumption we have $(n, (\Phi_S(r_2), \Phi_T(r_2))) \in \mathcal{V}^{gc}_{\mathit{untrusted}}(R_R(r_2))$, which gives us the following facts:
∗ $[\sigma_b, \sigma_e] \mathrel{\#} (\sigma_{\mathit{glob\,ret}} \uplus \sigma_{\mathit{glob\,clos}})$
∗ $\forall \sigma' \in [\sigma_b, \sigma_e].\ \exists r \in R_R(r_2).\mathit{heap}.\ R_R(r_2).\mathit{heap}(r) = (\mathrm{pure}, \_, H_\sigma) \wedge H_\sigma\ \sigma' =_n (\mathcal{V}^{gc}_{\mathit{untrusted}} \circ \xi)$
This means that for $\sigma$ there is a region $r$ for which $R_R(r_2).\mathit{heap}(r) = (\mathrm{pure}, \_, H_\sigma)$ and $H_\sigma\ \sigma' =_n (\mathcal{V}^{gc}_{\mathit{untrusted}} \circ \xi)$. Pick this as the region in the sealed case and $\sigma_{\mathit{ret}}' = \emptyset$, $\sigma_{\mathit{clos}} = [\sigma_b, \sigma_e]$, and $ms_{\mathit{code}} = [b, e] \mapsto 0$. We now need to show the following:
∗ $H_\sigma\ \sigma =_n \mathcal{H}^{\mathit{code},\sigma}\ \sigma_{\mathit{ret}}\ \sigma_{\mathit{clos}}\ ms_{\mathit{code}}\ gc\ \sigma$
To this end let $\hat{W}$ be given and show
\[
H_\sigma\ \sigma\ \hat{W} =_n \mathcal{H}^{\mathit{code},\sigma}\ \sigma_{\mathit{ret}}\ \sigma_{\mathit{clos}}\ ms_{\mathit{code}}\ gc\ \sigma\ \hat{W}
\]
By transitivity of $n$-equality it suffices to show $H_\sigma\ \sigma'\ \hat{W} =_n \mathcal{V}^{gc}_{\mathit{untrusted}} \circ \xi(\hat{W})$, which follows by assumption, and $\mathcal{H}^{\mathit{code},\sigma}\ \sigma_{\mathit{ret}}\ \sigma_{\mathit{clos}}\ ms_{\mathit{code}}\ gc\ \sigma\ \hat{W} =_n \mathcal{V}^{gc}_{\mathit{untrusted}} \circ \xi(\hat{W})$, which follows by definition of $\mathcal{H}^{\mathit{code},\sigma}$ and the fact that $\sigma \in \sigma_{\mathit{clos}}$ and $TA \mathrel{\#} [b, e]$.
∗ $(n', (\Phi_S(r_1), \Phi_T(r_1))) \in H_\sigma\ \sigma\ \xi^{-1}(R_R(r_1))$ for all $n' < n$,
which corresponds to showing $(n', (\Phi_S(r_1), \Phi_T(r_1))) \in \mathcal{V}^{gc}_{\mathit{untrusted}}(R_R(r_1))$, which is true by assumption and Lemma 44.
∗ $(\mathrm{isLinear}(sc_S) \Rightarrow \forall W' \sqsupseteq R_R(r_1), W_o, n' < n-1, (n', (sc'_S, sc'_T)) \in H_\sigma\ \sigma\ \xi^{-1}(W_o).\ (n', sc_S, sc'_S, sc_T, sc'_T) \in \mathcal{E}^{gc}_{\mathit{xjmp}}(W' \oplus W_o))$
Let $W' \sqsupseteq R_R(r_1)$, $W_o$, $n' < n$, $(n', (sc'_S, sc'_T)) \in \iota^{\mathit{code},\sigma_{\mathit{ret}},\sigma_{\mathit{clos}},ms_{\mathit{code}},gc}.H_\sigma\ \sigma\ \xi^{-1}(W_o)$. Further let $n'' \le n'$ be given and assume $(n'', (reg_S, reg_T)) \in \mathcal{R}^{gc}_{\mathit{untrusted}}(\{r_{\mathit{data}}\})(W_R)$ and $ms_S, stk, ms_{stk}, ms_T :^{gc}_n W_M$.
Now consider the following cases:
· $\mathrm{executable}(sc'_S)$:
In this case, pick $\Phi'_S = \Phi'_T = \mathit{failed}$ (as xjump fails). It is trivial to show $(n, \Phi'_S, \Phi'_T) \in \mathcal{O}^{gc}$.
· $\mathrm{nonExecutable}(sc'_S)$:
In this case consider what $\Phi_S(r_1)$ is:
If $\Phi_S(r_1) = ((\mathit{perm}, l), b, e, a)$ and $\mathit{perm} \in \{\mathrm{rwx}, \mathrm{rx}\}$:
If $\mathit{perm} = \mathrm{rwx}$, then we have a contradiction with $(n, (\Phi_S(r_1), \Phi_T(r_1))) \in \mathcal{V}^{gc}_{\mathit{untrusted}}(R_R(r_1))$.
If $\mathit{perm} = \mathrm{rx}$, then by Lemma 74 we have a contradiction with $\mathrm{isLinear}(\Phi_S(r_1))$.
Otherwise (not $\Phi_S(r_1) = ((\mathit{perm}, l), b, e, a)$ and $\mathit{perm} \in \{\mathrm{rwx}, \mathrm{rx}\}$):
In this case, pick $\Phi'_S = (ms_S, reg_S[\mathit{pc} \mapsto \Phi_S(r_1)][r_{\mathit{data}} \mapsto sc'_S], stk, ms_{stk})$ and $\Phi'_T = (ms_T, reg_T[\mathit{pc} \mapsto \Phi_T(r_1)][r_{\mathit{data}} \mapsto sc'_T])$. In this case, the next step of execution fails, which makes it trivial to show $(n, \Phi'_S, \Phi'_T) \in \mathcal{O}^{gc}$.
∗ If $\mathrm{nonLinear}(sc_S)$, then for all $W' \sqsupseteq \mathrm{purePart}(R_R(r_2))$, $W_o$, $n' < n-1$, $(n', (sc'_S, sc'_T)) \in H_\sigma\ \sigma\ \xi^{-1}(W_o)$ we have that $(n', sc_S, sc'_S, sc_T, sc'_T) \in \mathcal{E}^{gc}_{\mathit{xjmp}}(W' \oplus W_o)$.
Let $W' \sqsupseteq \mathrm{purePart}(R_R(r_1))$, $W_o$, $n' < n$, $(n', (sc'_S, sc'_T)) \in \iota^{\mathit{code},\sigma_{\mathit{ret}},\sigma_{\mathit{clos}},ms_{\mathit{code}},gc}.H_\sigma\ \sigma\ \xi^{-1}(W_o)$. Further let $n'' \le n'$ be given and assume that
· $(n'', (reg_S, reg_T)) \in \mathcal{R}^{gc}_{\mathit{untrusted}}(\{r_{\mathit{data}}\})(W_R)$
· $ms_S, stk, ms_{stk}, ms_T :^{gc}_n W_M$
Now consider the following cases:
· executable(sc′S):
In this case, pick Φ′S = Φ
′
T = failed (as xjump fails). It is trivial to show (n,Φ
′
S ,Φ
′
T ) ∈ O,gc .
· nonExecutable(sc′S):
In this case consider what ΦS(r1) is.
If ΦS(r1) = ((perm
′, l ′), b′, e ′, a ′) and perm ′ ∈ {rwx,rx}:
If perm ′ = rwx, then we have a contradiction with (n, (ΦS(r1),ΦT (r1))) ∈ V,gcuntrusted(RR(r1)).
If perm ′ = rx, then the result follows from 75.
– TA ⊆ [b, e]: by assumption this entails tst = trusted.
Further, we know ΦS points to cseal r1 r2 in TA, so by the reasonability assumption on ΦS , we know
σ ∈ σglob clos and one of the following holds:
∗ executable(Φ(r1)) and Φ(r1) behaves reasonably up to n− 1 steps.
∗ nonExecutable(Φ(r1)) and Φ(r1) is reasonable up to n − 1 steps in memory Φ.ms and free stack
Φ.msstk
By σ ∈ σglob clos we can conclude that (n, (ΦS(r2),ΦT (r2))) 6∈ V,gcuntrusted(W ) which means that the
assumption (n, (ΦS(r2),ΦT (r2))) ∈ V,gctrusted(W ) gives us r ∈ dom(W.heap) such that W.heap(r)
n
=
ιcode,σret,σclos,mscode,gc , [σb , σe ] ⊆ (σret ∪ σclos) and σret ⊆ σglob ret and σclos ⊆ σglob clos, dom(mscode) ⊆ TA.
Now pick r and show
∗ (n′, (ΦS(r1),ΦT (r1))) ∈ ιcode,σret,σclos,mscode,gc .Hσ σ ξ−1(RR(r1)) for all n′ < n− 1
This amounts to showing (1) assuming executable(ΦS(r1)) show (n
′, (ΦS(r1),ΦT (r1))) ∈ V,gctrusted(RR(r1)),
which is true by assumption and Lemma 44.
(2) Assuming nonExecutable(ΦS(r1)) show (n
′, (ΦS(r1),ΦT (r1))) ∈ V,gcuntrusted(RR(r1)), which fol-
lows by assumption, Lemma 20 and Lemma 44.
∗
(isLinear(ΦS(r1))⇒
∀W ′ w RR(r1),Wo, n′ < n, (n′, (sc′S , sc′T )) ∈ ιcode,σret,σclos,mscode,gc .Hσ σ ξ−1(Wo).
(n′,ΦS(r1), sc′S ,ΦT (r1), sc
′
T ) ∈ E,gcxjmp(W ′ ⊕Wo))
Let W ′ w RR(r1), Wo, n′ < n, (n′, (sc′S , sc′T )) ∈ ιcode,σret,σclos,mscode,gc .Hσ σ ξ−1(Wo). Further let n′′ ≤
n′ be given and assume (n′′, (regS , regT )) ∈ R,gcuntrusted({rdata})(WR), msS , stk ,msstk ,msT :gcn WM .
Now consider the following cases:
· executable(sc′S):
In this case, pick Φ′S = Φ
′
T = failed (as xjump fails). It is trivial to show (n,Φ
′
S ,Φ
′
T ) ∈ O,gc .
· nonExecutable(sc′S):
In this case consider what ΦS(r1) is:
If ΦS(r1) = ((perm, l), b, e, a) and perm ∈ {rwx,rx}:
If perm = rwx, then we have a contradiction with (n, (ΦS(r1),ΦT (r1))) ∈ V,gctrusted(RR(r1)).
If perm = rx, then by Lemma 74 we have a contradiction with isLinear(ΦS(r1)).
Otherwise (not ΦS(r1) = ((perm, l), b, e, a) and perm ∈ {rwx,rx}):
In this case, pick Φ′S = (msS , regS [pc 7→ ΦS(r1)][rdata 7→ sc′S ], stk ,msstk ) and Φ′T = (msT , regT [pc 7→
ΦT (r1)][rdata 7→ sc′T ]). In this case, the next step of execution fails which makes it trivial to
show (n,Φ′S ,Φ
′
T ) ∈ O,gc .
∗ $\mathit{nonLinear}(\Phi_S(r_1)) \Rightarrow \forall W' \sqsupseteq \mathit{purePart}(R_R(r_1)),\, W_o,\, n' < n,\, (n', (sc'_S, sc'_T)) \in \iota^{code,\sigma_{ret},\sigma_{clos},ms_{code},gc}.H_\sigma\,\sigma\,\xi^{-1}(W_o).\ (n', \Phi_S(r_1), sc'_S, \Phi_T(r_1), sc'_T) \in \mathcal{E}^{gc}_{xjmp}(W' \oplus W_o)$
Let $W' \sqsupseteq \mathit{purePart}(R_R(r_1))$, $W_o$, $n' < n$ and $(n', (sc'_S, sc'_T)) \in \iota^{code,\sigma_{ret},\sigma_{clos},ms_{code},gc}.H_\sigma\,\sigma\,\xi^{-1}(W_o)$ be given. Further let $n'' \le n'$ be given and assume $(n'', (reg_S, reg_T)) \in \mathcal{R}^{gc}_{untrusted}(\{r_{data}\})(W_R)$ and $ms_S, stk, ms_{stk}, ms_T :^{gc}_n W_M$.
Now consider the following cases:
· $\mathit{executable}(sc'_S)$:
In this case, pick $\Phi'_S = \Phi'_T = \mathit{failed}$ (as xjump fails). It is trivial to show $(n, \Phi'_S, \Phi'_T) \in \mathcal{O}^{gc}$.
· $\mathit{nonExecutable}(sc'_S)$:
In this case consider what $\Phi_S(r_1)$ is.
If $\Phi_S(r_1) = ((perm', l'), b', e', a')$ and $perm' \in \{rwx, rx\}$:
If $perm' = rwx$, then we have a contradiction with $(n, (\Phi_S(r_1), \Phi_T(r_1))) \in \mathcal{V}^{gc}_{trusted}(R_R(r_1))$.
If $perm' = rx$, then in the case where $(n, (\Phi_S(r_1), \Phi_T(r_1))) \in \mathcal{V}^{gc}_{untrusted}(R_R(r_1))$, the result follows from Lemma 75.
In the case where $(n, (\Phi_S(r_1), \Phi_T(r_1))) \notin \mathcal{V}^{gc}_{untrusted}(R_R(r_1))$, we want to show that $(ms_S, reg_S[pc \mapsto \Phi_S(r_1)][r_{data} \mapsto sc'_S], stk, ms_{stk})$ behaves reasonably up to $n-1$ steps.
By assumption $\Phi_S(r_1)$ behaves reasonably up to $n-1$ steps, so it suffices to show that $reg_S(r)$ is reasonable up to $n-1$ steps in memory $ms_S$ and free stack $ms_{stk}$ for $r \neq pc$, which follows from Lemma 18.
By assumption we have $(n, [b', e']) \in \mathit{readXCondition}^{gc}(R_R(r_1))$. Using this, Lemma 46 and Lemma 47, $[b', e'] \subseteq TA$, the other assumptions and the IH, we get
$$(n-1, ((ms_S, reg_S[pc \mapsto \Phi_S(r_1)][r_{data} \mapsto sc'_S], stk, ms_{stk}),\ (ms_T, reg_T[pc \mapsto \Phi_T(r_1)][r_{data} \mapsto sc'_T]))) \in \mathcal{O}^{gc}$$
Otherwise (not $\Phi_S(r_1) = ((perm', l'), b', e', a')$ with $perm' \in \{rwx, rx\}$):
In this case, pick $\Phi'_S = (ms_S, reg_S[pc \mapsto \Phi_S(r_1)][r_{data} \mapsto sc'_S], stk, ms_{stk})$ and $\Phi'_T = (ms_T, reg_T[pc \mapsto \Phi_T(r_1)][r_{data} \mapsto sc'_T])$. The next step of execution fails, which makes it trivial to show $(n, \Phi'_S, \Phi'_T) \in \mathcal{O}^{gc}$.
• Case 5.6.: From $(n, (\Phi_S(r_3), \Phi_T(r_3))) \in \mathcal{V}^{gc}_{tst}(R_R(r_3))$, Lemma 55 gives us $W_1$, $W_2$ and $W_3$ such that $R_R(r_3) = W_1 \oplus W_2 \oplus W_3$ and $(n, (w_1, w_1)) \in \mathcal{V}^{gc}_{tst}(W_1)$, $(n, (w_2, w_2)) \in \mathcal{V}^{gc}_{tst}(W_2)$ and $(n, (w_3, w_3)) \in \mathcal{V}^{gc}_{tst}(W_3)$.
We take $R'_R(r_1) = W_1$, $R'_R(r_2) = W_2$, $R'_R(r_3) = W_3 \oplus R_R(r_1) \oplus R_R(r_2)$ and $R'_R(r) = R_R(r)$ elsewhere.
By the above points, by assumption and using Lemma 44, we then have for all $r$ that
$$(n-1, (\Phi'_S(r), \Phi'_T(r))) \in \mathcal{V}^{gc}_{tst}(R'_R(r))$$
• Case 5.7.: In this case, we can take $R'_R = R_R$ and use Lemma 8 to give us that all $\mathit{purePart}(R_R(r))$ are equal. For $r = r_1, r_2, r_3$, we then get easily by definition that
$$(n-1, (\Phi'_S(r), \Phi'_T(r))) \in \mathcal{V}^{gc}_{tst}(R'_R(r))$$
and for other registers, it follows by Lemma 44.
• Case 5.8.: First we only consider registers $r_1, r_2, r_3$.
From $(n, (\Phi_S(r_3), \Phi_T(r_3))) \in \mathcal{V}^{gc}_{tst}(R_R(r_3))$, Lemma 56 gives us $W_1$, $W_2$ and $W_3$ such that $R_R(r_3) = W_1 \oplus W_2 \oplus W_3$ and $(n, (w_1, w_1)) \in \mathcal{V}^{gc}_{tst}(W_1)$, $(n, (w_2, w_2)) \in \mathcal{V}^{gc}_{tst}(W_2)$ and $(n, (w_3, w_3)) \in \mathcal{V}^{gc}_{tst}(W_3)$.
We take $R'_R(r_1) = W_1$, $R'_R(r_2) = W_2$, $R'_R(r_3) = W_3 \oplus R_R(r_1) \oplus R_R(r_2)$ and $R'_R(r) = R_R(r)$ elsewhere.
By the above points, by assumption and using Lemma 44, we then have for all $r$ that
$$(n-1, (\Phi'_S(r), \Phi'_T(r))) \in \mathcal{V}^{gc}_{tst}(R'_R(r))$$
• Case 5.9.:
From $(n, (\Phi_S(r_2), \Phi_T(r_2))) \in \mathcal{V}^{gc}_{tst}(R_R(r_2))$ and $(n, (\Phi_S(r_3), \Phi_T(r_3))) \in \mathcal{V}^{gc}_{tst}(R_R(r_3))$, Lemma 58 tells us that $(n, (w_1, w_1)) \in \mathcal{V}^{gc}_{tst}(R_R(r_2) \oplus R_R(r_3))$. Since $w_2 = w'_2 = w_3 = w'_3 = 0$, it is clear that
– $(n, (w_2, w'_2)) \in \mathcal{V}^{gc}_{tst}(R_R(r_1))$ and
– $(n, (w_3, w'_3)) \in \mathcal{V}^{gc}_{tst}(\mathit{purePart}(R_R(r_3)))$
We take $R'_R(r_1) = R_R(r_2) \oplus R_R(r_3)$, $R'_R(r_2) = R_R(r_1)$, $R'_R(r_3) = \mathit{purePart}(R_R(r_3))$ and $R'_R(r) = R_R(r)$ elsewhere.
By the above points, by assumption and using Lemma 44, we then have for all $r$ that
$$(n-1, (\Phi'_S(r), \Phi'_T(r))) \in \mathcal{V}^{gc}_{tst}(R'_R(r))$$
• Case 5.10.:
We start by arguing the safety of $r_1$:
From $(n, (\Phi_S(r_2), \Phi_T(r_2))) \in \mathcal{V}^{gc}_{tst}(R_R(r_2))$ and $(n, (\Phi_S(r_3), \Phi_T(r_3))) \in \mathcal{V}^{gc}_{tst}(R_R(r_3))$, Lemma 57 gives us $W'_1, W'_2, W'_3$ such that $R_R(r_2) \oplus R_R(r_3) = W'_1 \oplus W'_2 \oplus W'_3$ and $(n, (w_i, w_i)) \in \mathcal{V}^{gc}_{tst}(W'_i)$ for $i = 1, 2, 3$. We take $R'_R(r_1) = W'_1 \oplus R_R(r_1)$ (which is defined because $R_R(r_1) \oplus (R_R(r_2) \oplus R_R(r_3))$ is defined), $R'_R(r_2) = W'_2$, $R'_R(r_3) = W'_3$ and $R'_R(r) = R_R(r)$ elsewhere.
By the above points, by assumption and using Lemma 44, we then have for all $r$ that
$$(n-1, (\Phi'_S(r), \Phi'_T(r))) \in \mathcal{V}^{gc}_{tst}(R'_R(r))$$
• Case 5.11.:
In this case, we can take $R'_R = R_R$ and use Lemma 8 to give us that all $\mathit{purePart}(R_R(r))$ are equal. For $r = r_1, r_2, r_3$, we then get easily by definition that
$$(n-1, (\Phi'_S(r), \Phi'_T(r))) \in \mathcal{V}^{gc}_{tst}(R'_R(r))$$
and for other registers, it follows by Lemma 44.
• Case 5.12.:
In this case, we can take $R'_R = R_R$ and for all registers, the result follows by Lemma 44.
By Lemma 50 it suffices to show $(n-1, \Phi'_S, \Phi'_T) \in \mathcal{O}^{gc}$, which follows from the induction hypothesis. In this case, the IH is applicable because we have the following:
• One of the following sets of requirements holds:
– $tst = trusted$, $\Phi'_S$ is reasonable up to $n-1$ steps and $[b, e] \subseteq \mathrm{dom}(ms_{code}) = TA$
– $tst = untrusted$, $[b, e] \# TA$ and $(n-1, [b, e]) \in \mathit{readCondition}^{gc}(normal, W_{pc})$
We know one of the following holds:
– $tst = trusted$, $\Phi_S$ is reasonable up to $n$ steps and $[b, e] \subseteq \mathrm{dom}(ms_{code}) = TA$
– $tst = untrusted$, $[b, e] \# TA$ and $(n, [b, e]) \in \mathit{readCondition}^{gc}(normal, W_{pc})$
If the latter is the case, then the result follows by Lemma 44. If the former holds, then it follows by definition of execution configuration reasonability, using the fact that $\Phi_S$ does not point to $\mathit{call}_{off_{pc}, off_\sigma}\ r_1\ r_2$ or $\mathit{xjmp}\ r_1\ r_2$.
• $\Phi'_S(pc) = \Phi'_T(pc) = ((rx, normal), b, e, \_)$: Follows by definition of $\mathit{updatePc}$, using the fact that $r_i \neq pc$ for all $i$ and the corresponding assumption of this lemma.
• $(n-1, [b, e]) \in \mathit{readXCondition}^{gc}(W_{pc})$: Follows by Lemma 44 from the corresponding assumption of this lemma.
• $(n-1, (\Phi'_S.reg, \Phi'_T.reg)) \in \mathcal{R}^{gc}_{tst}(W_R)$: See above.
• $\Phi'_S.mem, \Phi'_S.stk, \Phi'_S.ms_{stk}, \Phi'_T.mem :^{gc}_{n-1} W_M$: These components are all unchanged from $\Phi_S$ and $\Phi_T$, so the result follows by Lemma 44 from the corresponding assumption of this lemma.
• $W_{pc} \oplus W_R \oplus W_M$ is defined: Follows from the corresponding assumption of this lemma.
• Theorem 2 holds for all $n' < n-1$: Follows from the corresponding assumption of this lemma.
Case 6.:
By Lemma 50 it suffices to show $(n-1, \Phi'_S, \Phi'_T) \in \mathcal{O}^{gc}$.
First, we show that for some $W'_R$ and $W'_M$ such that $W_R \oplus W_M = W'_R \oplus W'_M$, we have that $(n-1, (\Phi'_S.reg, \Phi'_T.reg)) \in \mathcal{R}^{gc}_{tst}(W'_R)$ and $\Phi'_S.mem, \Phi'_S.stk, \Phi'_S.ms_{stk}, \Phi'_T.mem :^{gc}_{n-1} W'_M$. We have that $\Phi'_S = \mathit{updatePc}(\Phi_S[reg.r_1, r_2 \mapsto w_1, w_2][mem.a \mapsto w])$ and $\Phi'_T = \mathit{updatePc}(\Phi_T[reg.r'_1, r'_2 \mapsto w'_1, w'_2][mem.a \mapsto w'])$, and we distinguish the following two cases:
• (store) $w_1 = w'_1 = \Phi_S(r_1) = \Phi_T(r_1) = ((perm, l), b, e, a)$, $perm \in \mathit{writeAllowed}$, $\mathit{withinBounds}(w_1)$, $w = \Phi_S(r_2)$, $w' = \Phi_T(r_2)$, $w_2 = \mathit{linearityConstraint}(\Phi_S(r_2))$, $w'_2 = \mathit{linearityConstraint}(\Phi_T(r_2))$ and $r_2 \neq pc$:
From $(n, (\Phi_S.reg, \Phi_T.reg)) \in \mathcal{R}^{gc}_{tst}(W_R)$, we know that
– $(n, (w, w')) \in \mathcal{V}^{gc}_{tst}(W_{R,2})$
– $(n, (w_2, w'_2)) \in \mathcal{V}^{gc}_{tst}(\mathit{purePart}(W_{R,2}))$ and
– $(n, (\Phi_S.reg[r_2 \mapsto w_2], \Phi_T.reg[r_2 \mapsto w'_2])) \in \mathcal{R}^{gc}_{tst}(W'_R)$
with $W_R = W'_R \oplus W_{R,2}$ (using Lemma 8 and Lemma 6).
From reasonability of $\Phi_S$, we know that $\Phi.reg(r_2)$ is reasonable in memory $\Phi.mem$ up to $n-1$ steps. Lemma 20 then tells us that $(n, (w, w')) \in \mathcal{V}^{gc}_{untrusted}(W_{R,2})$.
The result then follows from Lemma 64, redistributing ownership in the obvious way.
• (load) $w_2 = w'_2 = \Phi_T(r_2) = \Phi_S(r_2) = ((perm, l), b, e, a)$, $perm \in \mathit{readAllowed}$, $\mathit{withinBounds}(((perm, l), b, e, a))$, $w_1 = \Phi_S.mem(a)$, $w'_1 = \Phi_T.mem(a)$, $w = \mathit{linearityConstraint}(w_1)$, $w' = \mathit{linearityConstraint}(w'_1)$, $\mathit{linearityConstraintPerm}(perm, w_1)$, $\mathit{linearityConstraintPerm}(perm, w'_1)$ and $r_1 \neq pc$:
Follows from Lemma 62, redistributing ownership in the obvious way.
By the induction hypothesis, it suffices to prove that:
• One of the following sets of requirements holds:
– $tst = trusted$, $\Phi'_S$ is reasonable up to $n$ steps and $[b, e] \subseteq \mathrm{dom}(ms_{code}) = TA$
– $tst = untrusted$, $[b, e] \# TA$ and $(n, [b, e]) \in \mathit{readCondition}^{gc}(normal, W_{pc})$
Follows by the same assumption of this lemma, in the first case using the definition of execution configuration reasonability and the fact that $\Phi_S$ does not point to $\mathit{call}_{off_{pc}, off_\sigma}\ r_1\ r_2$ or $\mathit{xjmp}\ r_1\ r_2$.
• $\Phi'_S(pc) = \Phi'_T(pc) = ((rx, normal), b, e, \_)$:
Follows by definition of $\mathit{updatePc}$ and the fact that stores from $pc$ into memory and loads into $pc$ are not allowed.
• $(n-1, [b, e]) \in \mathit{readXCondition}^{gc}(W_{pc})$:
Follows by the same assumption of this lemma, using Lemma 44.
• $(n-1, (\Phi'_S.reg, \Phi'_T.reg)) \in \mathcal{R}^{gc}_{tst}(W'_R)$:
See above.
• $\Phi'_S.mem, \Phi'_S.stk, \Phi'_S.ms_{stk}, \Phi'_T.mem :^{gc}_{n-1} W'_M$:
See above.
• $W_{pc} \oplus W'_R \oplus W'_M$ is defined.
• Theorem 2 holds for all $n' < n-1$:
Follows by the same assumption of this lemma.
Case 7.
By Lemma 50 it suffices to show $(n-1, \Phi'_S, \Phi'_T) \in \mathcal{O}^{gc}$.
First, we show that for some $W'_R$ and $W'_M$ such that $W_R \oplus W_M = W'_R \oplus W'_M$, we have that $(n-1, (\Phi'_S.reg, \Phi'_T.reg)) \in \mathcal{R}^{gc}_{tst}(W'_R)$ and $\Phi'_S.mem, \Phi'_S.stk, \Phi'_S.ms_{stk}, \Phi'_T.mem :^{gc}_{n-1} W'_M$. We have that $\Phi'_S = \mathit{updatePc}(\Phi_S[reg.r_1, r_2 \mapsto w_1, w_2][ms_{stk}.a \mapsto w])$ and $\Phi'_T = \mathit{updatePc}(\Phi_T[reg.r'_1, r'_2 \mapsto w'_1, w'_2][ms_{stk}.a \mapsto w'])$, and we distinguish the following two cases:
• (store) $w_1 = \Phi_S(r_1) = \mathit{stack\text{-}ptr}(perm, b, e, a)$, $w'_1 = \Phi_T(r_1) = ((perm, linear), b, e, a)$, $perm \in \mathit{writeAllowed}$, $\mathit{withinBounds}(w_1)$, $w = \Phi_S(r_2)$, $w' = \Phi_T(r_2)$, $w_2 = \mathit{linearityConstraint}(\Phi_S(r_2))$ and $w'_2 = \mathit{linearityConstraint}(\Phi_T(r_2))$:
Follows from Lemma 65, redistributing ownership in the obvious way.
• (load) $w'_2 = \Phi_T(r_2) = ((perm, linear), b, e, a)$, $w_2 = \Phi_S(r_2) = \mathit{stack\text{-}ptr}(perm, b, e, a)$, $perm \in \mathit{readAllowed}$, $\mathit{withinBounds}(((perm, l), b, e, a))$, $a \in \mathrm{dom}(\Phi.ms_{stk})$, $w_1 = \Phi_S.ms_{stk}(a)$, $w'_1 = \Phi_T.ms_{stk}(a)$, $w = \mathit{linearityConstraint}(w_1)$, $w' = \mathit{linearityConstraint}(w'_1)$, $\mathit{linearityConstraintPerm}(perm, w_1)$, $\mathit{linearityConstraintPerm}(perm, w'_1)$ and $r_1 \neq pc$:
Follows from Lemma 63, redistributing ownership in the obvious way.
By the induction hypothesis, it suffices to prove that:
• One of the following sets of requirements holds:
– $tst = trusted$, $\Phi'_S$ is reasonable up to $n$ steps and $[b, e] \subseteq \mathrm{dom}(ms_{code}) = TA$
– $tst = untrusted$, $[b, e] \# TA$ and $(n, [b, e]) \in \mathit{readCondition}^{gc}(normal, W_{pc})$
Follows by the same assumption of this lemma, in the first case using the definition of execution configuration reasonability and the fact that $\Phi_S$ does not point to $\mathit{call}_{off_{pc}, off_\sigma}\ r_1\ r_2$ or $\mathit{xjmp}\ r_1\ r_2$.
• $\Phi'_S(pc) = \Phi'_T(pc) = ((rx, normal), b, e, \_)$:
Follows by definition of $\mathit{updatePc}$ and the fact that stores from $pc$ into memory and loads into $pc$ are not allowed.
• $(n-1, [b, e]) \in \mathit{readXCondition}^{gc}(W_{pc})$:
Follows by the same assumption of this lemma, using Lemma 44.
• $(n-1, (\Phi'_S.reg, \Phi'_T.reg)) \in \mathcal{R}^{gc}_{tst}(W'_R)$:
See above.
• $\Phi'_S.mem, \Phi'_S.stk, \Phi'_S.ms_{stk}, \Phi'_T.mem :^{gc}_{n-1} W'_M$:
See above.
• $W_{pc} \oplus W'_R \oplus W'_M$ is defined.
• Theorem 2 holds for all $n' < n-1$:
Follows by the same assumption of this lemma.
Case 8.
We have that
• $\Phi_S \to_{gc} \Phi'_S$
• $\Phi_T \to \Phi'_T$
• $\Phi_S$ does not point to $\mathit{call}_{off_{pc}, off_\sigma}\ r_1\ r_2$ or $\mathit{xjmp}\ r_1\ r_2$
• One of the following holds
1. (jmp, jnz) $\Phi'_S = \Phi_S[reg.pc, r_1 \mapsto \Phi_S(r_1), w_1]$ and $\Phi'_T = \Phi_T[reg.pc, r'_1 \mapsto \Phi_T(r_1), w'_1]$ and $\Phi_S(r_1) = \Phi_T(r_1) = ((perm_1, l_1), b_1, e_1, a_1)$, $\mathit{executable}(\Phi_S(r_1))$, $\mathit{withinBounds}(\Phi_S(r_1))$, $w_1 = \mathit{linearityConstraint}(\Phi_S(r_1))$ and $w'_1 = \mathit{linearityConstraint}(\Phi_T(r_1))$
2. (xjmp)
– $\Phi_S(r_1) = \mathit{sealed}(\sigma, c_1)$ and
– $\Phi_S(r_2) = \mathit{sealed}(\sigma, c_2)$ and
– $\Phi_T(r_1) = \mathit{sealed}(\sigma, c'_1)$ and
– $\Phi_T(r_2) = \mathit{sealed}(\sigma, c'_2)$ and
– $c'_1 \neq \mathit{ret\text{-}ptr\text{-}code}(\_)$ and
– $c'_2 \neq \mathit{ret\text{-}ptr\text{-}data}(\_)$ and
– $\mathit{nonExecutable}(\Phi_S(r_2))$ and
– $\mathit{nonExecutable}(\Phi_T(r_2))$ and
– $\Phi''_S = \Phi_S[reg.r_1, r_2 \mapsto \mathit{linearityConstraint}(c_1), \mathit{linearityConstraint}(c_2)]$ and
– $\Phi'_S = \mathit{xjumpResult}(c_1, c_2, \Phi''_S)$ and
– $\Phi''_T = \Phi_T[reg.r_1, r_2 \mapsto \mathit{linearityConstraint}(c'_1), \mathit{linearityConstraint}(c'_2)]$ and
– $\Phi'_T = \mathit{xjumpResult}(c'_1, c'_2, \Phi''_T)$
According to Lemma 50, it suffices to show:
$$(n-1, (\Phi'_S, \Phi'_T)) \in \mathcal{O}^{gc}$$
If $n-1 = 0$, then this holds vacuously (by definition of $\mathcal{O}^{gc}$), so we assume that $n-1 > 0$.
In the first case (jmp, jnz), the fact that $\Phi_S$ is reasonable, with $\Phi_S \to_{gc} \Phi'_S$ and $\Phi_S$ not pointing to $\mathit{call}_{off_{pc}, off_\sigma}\ r_1\ r_2$ or $\mathit{xjmp}\ r_1\ r_2$, gives us that $perm_1 = perm$, $l_1 = normal$, $b_1 = b$ and $e_1 = e$. The fact that $l_1 = normal$ implies that $w_1 = \Phi_S(r_1)$ and $w'_1 = \Phi_T(r_1)$.
The induction hypothesis tells us that it suffices to prove the following:
• One of the following sets of requirements holds:
– $tst = trusted$, $\Phi'_S$ is reasonable up to $n-1$ steps and $[b, e] \subseteq TA$
– $tst = untrusted$, $[b, e] \# TA$ and $(n-1, [b, e]) \in \mathit{readCondition}^{gc}(normal, W_{pc})$
This follows from the corresponding assumption of this lemma, the fact that $\Phi_S \to_{gc} \Phi'_S$ and $\Phi_S$ does not point to $\mathit{call}_{off_{pc}, off_\sigma}\ r_1\ r_2$ or $\mathit{xjmp}\ r_1\ r_2$, and Lemma 44.
• $\Phi'_S(pc) = \Phi'_T(pc) = ((rx, normal), b, e, \_)$: See above.
• $(n-1, [b, e]) \in \mathit{readXCondition}^{gc}(W_{pc})$: Follows by Lemma 44 from the fact that $(n, [b, e]) \in \mathit{readXCondition}^{gc}(W_{pc})$.
• $(n-1, (\Phi'_S.reg, \Phi'_T.reg)) \in \mathcal{R}^{gc}_{tst}(W_R)$:
We have that $\Phi'_S.reg(r) = \Phi_S.reg(r)$ for all $r \neq pc$, so the result follows by Lemma 44 from the corresponding assumption of this lemma.
• $\Phi'_S.mem, \Phi'_S.stk, \Phi'_S.ms_{stk}, \Phi'_T.mem :^{gc}_{n-1} W_M$:
These components of $\Phi'_S$ and $\Phi'_T$ are all unmodified from $\Phi_S$ and $\Phi_T$, so the result follows by Lemma 44 from the corresponding assumption of this lemma.
• $W_{pc} \oplus W_R \oplus W_M$ is defined: by assumption.
• Theorem 2 holds for all $n' < n-1$: Follows by the same assumption of this lemma.
In the second case (xjmp), we have that $(n, (\Phi_S(r_1), \Phi_T(r_1))) \in \mathcal{V}^{gc}_{tst}(W_{R,1})$, $(n, (\Phi_S(r_2), \Phi_T(r_2))) \in \mathcal{V}^{gc}_{tst}(W_{R,2})$ and $(n, (\Phi''_S, \Phi''_T)) \in \mathcal{R}^{gc}_{tst}(\{r_1, r_2\})(W'_R)$ for some $W_{R,1}, W_{R,2}, W'_R$ with $W_R = W_{R,1} \oplus W_{R,2} \oplus W'_R$.
Using the facts that $\Phi_S(r_1) = \mathit{sealed}(\sigma, c_1)$, $\Phi_S(r_2) = \mathit{sealed}(\sigma, c_2)$, $\Phi_T(r_1) = \mathit{sealed}(\sigma, c'_1)$, $\Phi_T(r_2) = \mathit{sealed}(\sigma, c'_2)$, $\mathit{nonExecutable}(\Phi_S(r_2))$ and $\mathit{nonExecutable}(\Phi_T(r_2))$, together with the above points, Lemma 66 tells us that $(n-1, (c_1, c_2, c'_1, c'_2)) \in \mathcal{E}^{gc}_{xjmp}(W_{R,1} \oplus W_{R,2})$.
By definition of $\mathcal{E}^{gc}_{xjmp}$, it suffices to prove that
• $(n-1, (\Phi_S.reg[r_1, r_2 \mapsto \mathit{linearityConstraint}(c_1), \mathit{linearityConstraint}(c_2)],\ \Phi_T.reg[r_1, r_2 \mapsto \mathit{linearityConstraint}(c'_1), \mathit{linearityConstraint}(c'_2)])) \in \mathcal{R}^{gc}_{untrusted}(\{r_{data}\})(W'_R)$
It is easy to show that $(n, (\mathit{linearityConstraint}(c_1), \mathit{linearityConstraint}(c'_1))) \in \mathcal{V}^{gc}_{tst}(\mathit{purePart}(W_{R,1}))$ and $(n, (\mathit{linearityConstraint}(c_2), \mathit{linearityConstraint}(c'_2))) \in \mathcal{V}^{gc}_{tst}(\mathit{purePart}(W_{R,2}))$, by using Lemma 29 in the non-linear case and the fact that $0$ is always related to itself by definition of $\mathcal{V}^{gc}_{tst}$ in the linear case. We also have that $\mathit{purePart}(W'_R) = \mathit{purePart}(W_{R,1}) = \mathit{purePart}(W_{R,2})$ by Lemma 8 and the fact that $W_R = W_{R,1} \oplus W_{R,2} \oplus W'_R$, so it follows that $(n, (\mathit{linearityConstraint}(c_1), \mathit{linearityConstraint}(c'_1))) \in \mathcal{V}^{gc}_{tst}(\mathit{purePart}(W'_R))$ and $(n, (\mathit{linearityConstraint}(c_2), \mathit{linearityConstraint}(c'_2))) \in \mathcal{V}^{gc}_{tst}(\mathit{purePart}(W'_R))$. From this and the fact that $(n, (\Phi''_S, \Phi''_T)) \in \mathcal{R}^{gc}_{tst}(\{r_1, r_2\})(W'_R)$, it follows easily that
$$(n-1, (\Phi_S.reg[r_1, r_2 \mapsto \mathit{linearityConstraint}(c_1), \mathit{linearityConstraint}(c_2)],\ \Phi_T.reg[r_1, r_2 \mapsto \mathit{linearityConstraint}(c'_1), \mathit{linearityConstraint}(c'_2)])) \in \mathcal{R}^{gc}_{tst}(\{r_{data}\})(W'_R)$$
The fact that $\Phi_S$ is reasonable up to $n$ steps tells us that $\Phi.reg(r)$ is reasonable in memory $\Phi.mem$ and free stack $\Phi.ms_{stk}$ up to $n-1$ steps for all $r \neq pc$. Lemma 20 then tells us that
$$(n-1, (\Phi_S.reg[r_1, r_2 \mapsto \mathit{linearityConstraint}(c_1), \mathit{linearityConstraint}(c_2)],\ \Phi_T.reg[r_1, r_2 \mapsto \mathit{linearityConstraint}(c'_1), \mathit{linearityConstraint}(c'_2)])) \in \mathcal{R}^{gc}_{untrusted}(\{r_{data}\})(W'_R)$$
using the fact that $n-1 > 0$ (by assumption above) and that Theorem 2 holds up to $n-1$ steps (by assumption).
• $ms_S, stk, ms_{stk}, ms_T :^{gc}_{n-1} W_M$: Follows by Lemma 44 from the corresponding assumption of this lemma.
• $W_M \oplus W'_R \oplus W_{R,1} \oplus W_{R,2}$ is defined:
This follows easily from the facts that $W_R = W_{R,1} \oplus W_{R,2} \oplus W'_R$ (see above) and the assumption that $W_{pc} \oplus W'_R \oplus W'_M$ is defined.
Proof of Theorem 2. By complete induction over $n$ (if $n = 0$, then we have a contradiction with $\Phi_S \Downarrow_i$ and $\Phi_T \Downarrow_i$ when we get to $\mathcal{O}^{gc}$). Assume
• $(n, [b, e]) \in \mathit{readXCondition}^{gc}(W)$
and one of the following sets of requirements holds:
i) • $[b, e] \subseteq TA$
   • $((rx, normal), b, e, a)$ behaves reasonably up to $n$ steps.
ii) • $[b, e] \# TA$
and show
$$(n, (c, c)) \in \mathcal{E}^{gc}(W)$$
for $c = ((rx, normal), b, e, a)$.
Let $n' \le n$ be given and assume
1. $(n', (reg_S, reg_T)) \in \mathcal{R}^{gc}_{untrusted}(W_R)$
2. $ms_S, stk, ms_{stk}, ms_T :^{gc}_{n'} W_M$
3. $W \oplus W_R \oplus W_M$ is defined
Further let
• $\Phi_S = (ms_S, reg_S[pc \mapsto c], stk, ms_{stk})$
• $\Phi_T = (ms_T, reg_T[pc \mapsto c])$
and show
$$(n', (\Phi_S, \Phi_T)) \in \mathcal{O}^{gc}$$
By Lemma 67, taking $tst = trusted$ iff $[b, e] \subseteq TA$ and $tst = untrusted$ otherwise, it suffices to show that:
• If $tst = trusted$ then $\Phi_S$ is reasonable up to $n'$ steps.
We know by assumption that $c$ behaves reasonably up to $n$ steps. By definition, it suffices to show that $reg_S(r)$ is reasonable up to $n$ steps in memory $ms_S$ and free stack $ms_{stk}$ for $r \neq pc$ and that $ms_S$, $ms_{stk}$ and $stk$ are all disjoint.
Take an $r \neq pc$ and $gc = (TA, stk_{base}, \sigma_{glob\_ret}, \sigma_{glob\_clos})$. By Lemma 18, it suffices to prove the following:
– $(n, (w, \_)) \in \mathcal{V}^{gc}_{untrusted}(W_w)$: follows from $(n', (reg_S, reg_T)) \in \mathcal{R}^{gc}_{untrusted}(W_R)$.
– $ms_S, stk, ms_{stk}, \_ :^{gc}_n W_M$: by assumption.
– $\mathit{purePart}(W_w) \oplus \mathit{purePart}(W_M)$ is defined: by Lemma 8.
• $tst = trusted \lor (n', [b, e]) \in \mathit{readCondition}^{gc}(l, W)$: If $tst = untrusted$ then we know that $[b, e] \# TA$, so $(n, [b, e]) \in \mathit{readCondition}^{gc}(l, W)$ follows by Lemma 27.
• $\Phi_S(pc) = \Phi_T(pc) = ((rx, l), b, e, a)$: We know that $\Phi_S(pc) = \Phi_T(pc) = c = ((rx, l), b, e, a)$.
• $(n', [b, e]) \in \mathit{readXCondition}^{gc}(W)$: Follows from $(n, [b, e]) \in \mathit{readXCondition}^{gc}(W)$ using Lemma 44.
• $(n', (\Phi_S.reg, \Phi_T.reg)) \in \mathcal{R}^{gc}_{tst}(W_R)$: Follows directly from $(n', (reg_S, reg_T)) \in \mathcal{R}^{gc}_{untrusted}(W_R)$ since $\mathcal{R}^{gc}_{untrusted}(W_R) \subseteq \mathcal{R}^{gc}_{tst}(W_R)$.
• $\Phi_S.mem, \Phi_S.ms_{stk}, \Phi_S.stk, \Phi_T.mem :^{gc}_{n'} W_M$: By assumption.
• $W \oplus W_R \oplus W_M$ is defined: By assumption.
• Theorem 2 holds for all $n'' < n'$: Follows from our induction hypothesis since $n' \le n$.
Lemma 68. If $W.\mathit{free} = W'.\mathit{free}$, $W' \sqsupseteq W$ and $(n, (ms_{stk}, ms_T)) \in \mathcal{F}^{gc}(W)$, then $(n, (ms_{stk}, ms_T)) \in \mathcal{F}^{gc}(W')$.
Proof. Follows by inspecting the definition of $(n, (ms_{stk}, ms_T)) \in \mathcal{F}^{gc}(W)$ and by the monotonicity of memory relations in the world.
Lemma 69. If $\mathit{purePart}(W).\mathit{heap} = \mathit{purePart}(W').\mathit{heap}$, $W'_h \sqsupseteq W_h$ and $(n, (\sigma, ms_S, ms_T)) \in \mathcal{H}(W.\mathit{heap})(W_h)$, then $(n, (\sigma, ms_S, ms_T)) \in \mathcal{H}(W'.\mathit{heap})(W'_h)$.
Proof. Follows by inspecting the definition of $\mathcal{H}$ and $\mathit{purePart}$ and using the monotonicity of memory relations in the world.
Lemma 70. $\iota^{std, v, \{*\}, gc}$ is address-stratified.
Proof. Trivial.
Lemma 71 (Unique return seals). If
• $ms_{code}([a..a + \mathit{call\_len} - 1]) = \mathit{call}_{off_{pc}, off_\sigma}\ r_1\ r_2$
• $ms_{code}([a'..a' + \mathit{call\_len} - 1]) = \mathit{call}_{off'_{pc}, off'_\sigma}\ r'_1\ r'_2$
• $ms_{code}(a + off_{pc}) = \mathit{seal}(\sigma_b, \sigma_e, \sigma_b)$ and $\sigma = \sigma_b + off_\sigma$
• $ms_{code}(a' + off'_{pc}) = \mathit{seal}(\sigma'_b, \sigma'_e, \sigma'_b)$ and $\sigma = \sigma'_b + off'_\sigma$
• $\sigma_{ret}, \sigma_{clos} \vdash_{comp\text{-}code} ms_{code}$
then $a = a'$, $off_{pc} = off'_{pc}$, $off_\sigma = off'_\sigma$, $r_1 = r'_1$, $r_2 = r'_2$, $\sigma_b = \sigma'_b$ and $\sigma_e = \sigma'_e$.
Proof. From $\sigma_{ret}, \sigma_{clos} \vdash_{comp\text{-}code} ms_{code}$, we get a $d_\sigma : \mathrm{dom}(ms_{code}) \to \mathcal{P}(\mathit{Seal})$ such that the following holds:
• $ms_{code}$ has no hidden calls
• $\sigma_{ret} \# \sigma_{clos}$
• $\sigma_{ret} = \biguplus_{a \in \mathrm{dom}(ms_{code})} d_\sigma(a)$
• $\forall a \in \mathrm{dom}(ms_{code}).\ \sigma_{ret}, d_\sigma(a), \sigma_{clos} \vdash_{comp\text{-}code} ms_{code}, a$
• $\exists a.\ ms_{code}(a) = \mathit{seal}(\sigma_b, \sigma_e, \_) \land [\sigma_b, \sigma_e] \neq \emptyset$
Particularly, we have $\sigma_{ret}, d_\sigma(a), \sigma_{clos} \vdash_{comp\text{-}code} ms_{code}, a$ and $\sigma_{ret}, d_\sigma(a'), \sigma_{clos} \vdash_{comp\text{-}code} ms_{code}, a'$. From these, and the facts that $ms_{code}([a..a + \mathit{call\_len} - 1]) = \mathit{call}_{off_{pc}, off_\sigma}\ r_1\ r_2$ and $ms_{code}([a'..a' + \mathit{call\_len} - 1]) = \mathit{call}_{off'_{pc}, off'_\sigma}\ r'_1\ r'_2$, it follows that
• $ms_{code}(a + off_{pc}) = \mathit{seal}(\sigma_b, \sigma_e, \sigma_b)$ and $\sigma_b + off_\sigma \in d_\sigma(a)$
• $ms_{code}(a' + off'_{pc}) = \mathit{seal}(\sigma'_b, \sigma'_e, \sigma'_b)$ and $\sigma'_b + off'_\sigma \in d_\sigma(a')$
From the facts that $\sigma = \sigma_b + off_\sigma = \sigma'_b + off'_\sigma$, $\sigma_b + off_\sigma \in d_\sigma(a)$, $\sigma'_b + off'_\sigma \in d_\sigma(a')$ and the disjointness of the $d_\sigma(a)$, we get that $a = a'$. With this fact, the rest of the proof obligations follow directly from the other assumed equations.
Lemma 72. For all $W$, $n$, $w_1$, $w_2$, if
• $(n, (w_1, w_2)) \in \mathcal{V}^{gc}_{tst}(W)$
then $\mathit{isLinear}(w_1)$ iff $\mathit{isLinear}(w_2)$.
Proof. (Trivial) We consider the possible cases for $w_1$ and $w_2$:
• Case $w_1, w_2 \in \mathbb{Z}$: By definition of $\mathit{isLinear}$.
• Case $w_1 = \mathit{sealed}(\sigma, sc_1)$ and $w_2 = \mathit{sealed}(\sigma, sc_2)$: From the assumption $(n, (w_1, w_2)) \in \mathcal{V}^{gc}_{untrusted}(W)$ we get the desired result.
• Case $w_1 = \mathit{seal}(\_, \_, \_)$ and $w_2 = \mathit{seal}(\_, \_, \_)$: By definition of $\mathit{isLinear}$.
• Case $w_1 = \mathit{stack\text{-}ptr}(\_, \_, \_, \_)$ and $w_2 = ((\_, linear), \_, \_, \_)$: By definition of $\mathit{isLinear}$, stack pointers are linear.
• Case $w_1 = ((\_, l), \_, \_, \_)$ and $w_2 = ((\_, l), \_, \_, \_)$: By definition of $\mathit{isLinear}$.
If $tst = trusted$, then there are two more cases to consider, but like the above cases, they are trivial.
Lemma 73. For all $W' \sqsupseteq W$, $n$, $w_1$, $w_2$, if
• $\mathit{isLinear}(w_1)$ or $\mathit{isLinear}(w_2)$
or
• $(n, (w_1, w_2)) \in \mathcal{V}^{gc}_{untrusted}(W)$ and
• $\mathit{nonLinear}(w_1)$ or $\mathit{nonLinear}(w_2)$
then
$$(n, (\mathit{linearityConstraint}(w_1), \mathit{linearityConstraint}(w_2))) \in \mathcal{V}^{gc}_{untrusted}(\mathit{purePart}(W'))$$
Proof. For the first set of assumptions, we can conclude $\mathit{isLinear}(w_1)$ and $\mathit{isLinear}(w_2)$ by Lemma 72, which means that we need to argue
$$(n, (0, 0)) \in \mathcal{V}^{gc}_{untrusted}(\mathit{purePart}(W'))$$
which is trivially true.
For the second set of assumptions, we can conclude $\mathit{nonLinear}(w_1)$ and $\mathit{nonLinear}(w_2)$ by Lemma 72, which means that we need to show $(n, (w_1, w_2)) \in \mathcal{V}^{gc}_{untrusted}(\mathit{purePart}(W'))$, which is true by assumption and Lemmas 47 and 29.
Lemma 74. If
• $c = ((perm, l), b, e, a)$
• $perm \in \{rx, rwx\}$
• $(n, (c, \_)) \in \mathcal{V}^{gc}_{tst}(W)$
then $l = normal$.
Proof. Follows from the definition.
Lemma 75. If
• $c_c = ((rx, normal), b, e, a)$
• $a \in [b, e]$
• $(n, [b, e]) \in \mathit{executeCondition}^{gc}(W)$
• $\mathit{nonExecutable}(c_d)$
• $(n, (c_d, c'_d)) \in \mathcal{V}^{gc}_{untrusted}(W_o)$
• $(n, (reg_S, reg_T)) \in \mathcal{R}^{gc}_{untrusted}(\{r_{data}\})(W_R)$
• $ms_S, stk, ms_{stk}, ms_T :^{gc}_n W_M$
• $\Phi_S = (ms_S, reg_S[pc \mapsto c_c][r_{data} \mapsto c_d], stk, ms_{stk})$
• $\Phi_T = (ms_T, reg_T[pc \mapsto c'_c][r_{data} \mapsto c'_d])$
• $W' \sqsupseteq \mathit{purePart}(W)$
• $W' \oplus W_o \oplus W_R \oplus W_M$ is defined
then
$$(n-1, (\Phi_S, \Phi_T)) \in \mathcal{O}^{gc}$$
Proof. From Lemma 47 and Lemma 29 we get
$$(n, [b, e]) \in \mathit{executeCondition}^{gc}(W)$$
from which we get
$$(n-1, (c_c, c'_c)) \in \mathcal{E}^{gc}(W')$$
From $(n, (reg_S, reg_T)) \in \mathcal{R}^{gc}_{untrusted}(\{r_{data}\})(W_R)$, $(n, (c_d, c'_d)) \in \mathcal{V}^{gc}_{untrusted}(W_o)$ and the fact that $W' \oplus W_o \oplus W_R \oplus W_M$ is defined, we conclude
$$(n, (reg_S[r_{data} \mapsto c_d], reg_T[r_{data} \mapsto c'_d])) \in \mathcal{R}^{gc}_{untrusted}(W_R \oplus W_o)$$
Together with $ms_S, stk, ms_{stk}, ms_T :^{gc}_n W_M$ and Lemma 46, we can now conclude
$$(n-1, (\Phi_S, \Phi_T)) \in \mathcal{O}^{gc}$$
7 Notes
7.1 Notes on linear capabilities
It seems reasonable to have enough instructions to let any program make sufficient checks to verify that its execution won't fail. With our current instruction set, a load may fail if a linear capability happens to be located at a memory address that one attempts to load from with a capability without write permission. To make up for this, one could add an instruction that checks the linearity of a capability in memory without loading it. It may not be practical to make such an instruction if linearity is kept track of as a field on each capability, but it may be tractable if linearity tags are kept track of in a table.
7.2 Calling convention design decisions
7.2.1 Returning the full stack
When a callee returns from a call, it must return all of the stack it was passed. If we omit this requirement, then we cannot guarantee well-bracketedness. The following is an example of circumventing well-bracketedness by keeping part of the stack:
• An adversary calls our trusted code with a callback.
• Our code uses part of the stack and calls the callback with the rest of the stack.
• The adversary splits that stack in two and saves the part of the stack adjacent to our stack in some persistent memory. The adversary calls us anew with a callback and the part of the stack they did not save.
• We use part of the stack we receive and call the callback with the rest of the stack. The adversary can now use the saved stack to return from the first call to the callback, breaking well-bracketedness. This is possible because we do not check the size of the stack.
Figure 2 illustrates the above example. In the figure, f is the function belonging to “us” and g is the callback passed to “us”. In the end, the part of the stack marked kept by adv can be used to return from the first callback (the call with the *). The stack that is used to return lines up with Uspriv, so the return is successful.
7.2.2 Restriction on stack allocation
We need to somehow make sure that it is always the same stack that is used. If we don’t, then an adversary can
simply split the stack in two, use one part for one call and the other for another call. At this point, they can return
to either of the two calls - in other words, well-bracketedness is not enforced.
• An adversary starts the execution. They split the stack in two and call us with one part (say the top part)
along with a callback.
• We use part of the stack and call the adversary with the rest of the stack.
Figure 2: Illustration of the stack in the example that illustrates why the entire stack must be returned.
Figure 3: Illustration of the potential stack allocation issue.
• The adversary calls us again this time using the other part of the stack (here the bottom part of the stack).
• Again, we use part of the stack and call the adversary with the rest of this part of the stack.
At this point, the adversary can return from either of the two calls. Swapping around the order in which the
adversary uses the two parts of the stack changes nothing.
The example is illustrated in Figure 3.
One way to solve this problem is to make the “top address” of the stack known. There are many ways to do this, but we have chosen to do the following:
• The stack grows downwards, so the “last address” of the stack is the base address of the initial stack capability.
• The base address of the stack capability is a fixed address, so in the semantics, it will be expressed as a
constant that is publicly known.
• At some point before a call, it must be checked whether the stack we are using actually has the globally
known base address (if not we must fail because we cannot trust this stack).
• To ensure that the check is made, we require it in the semantic condition (at this moment of time not defined,
so we are yet to see what it looks like).
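To make the two requirements of Sections 7.2.1 and 7.2.2 concrete, the following is an added example that is not code from the report or its authors. It models a linear stack capability as an address range that only its holder can split, the base-address check made before a call (7.2.2), and the check on return that the callback handed back exactly the stack it was passed (7.2.1), and then runs both checks over the two scenarios described above. The constants STK_BASE and STK_TOP, the 16-word frame, the callback functions and the verdict strings are all constructed for the illustration.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

# Constructed constants for the illustration: the stack grows downwards, so
# its "last address" is STK_BASE, which the semantics treats as publicly known.
STK_BASE = 0x1000
STK_TOP = 0x10FF


@dataclass(frozen=True)
class StackCap:
    """A linear capability over the stack addresses [base, end] (both inclusive)."""
    base: int
    end: int

    def split(self, at: int) -> Tuple["StackCap", "StackCap"]:
        """Split into [base, at-1] and [at, end]; only the holder of the
        capability can do this, and it gets back exactly the two pieces."""
        if not self.base < at <= self.end:
            raise ValueError("split point outside the capability")
        return StackCap(self.base, at - 1), StackCap(at, self.end)


def check_call_stack(stk: StackCap) -> bool:
    """Section 7.2.2: before a call, the stack in use must have the globally
    known base address; a piece that was split off higher up is rejected."""
    return stk.base == STK_BASE


def check_returned_stack(passed: StackCap, returned: Optional[StackCap]) -> bool:
    """Section 7.2.1: on return, the callee must hand back exactly the stack it
    was passed (same base and same end, hence the same size)."""
    return returned == passed


Callback = Callable[[StackCap], Optional[StackCap]]


def trusted_call(stk: StackCap, callback: Callback, frame: int = 16) -> str:
    """Our trusted code: reserve `frame` words at the top of the stack for its
    own use, pass the rest to the callback and check what comes back."""
    if not check_call_stack(stk):
        return "fail: stack does not start at the globally known base"
    rest, _own_frame = stk.split(stk.end - frame + 1)
    returned = callback(rest)
    if not check_returned_stack(rest, returned):
        return "fail: callback did not return the whole stack"
    return "ok"


def honest_callback(stk: StackCap) -> StackCap:
    """Well-behaved callee: returns the whole stack it was given."""
    return stk


def make_keeping_callback(saved: List[StackCap]) -> Callback:
    """Callee modelling Section 7.2.1: keeps the part adjacent to our frame in
    persistent storage (`saved`) and returns only the remainder."""
    def callback(stk: StackCap) -> StackCap:
        remainder, kept = stk.split(stk.end - 7)
        saved.append(kept)
        return remainder
    return callback


def run_scenarios() -> Dict[str, str]:
    """Exercise both checks on the constructed scenarios of Sections 7.2.1 and 7.2.2."""
    full = StackCap(STK_BASE, STK_TOP)
    saved: List[StackCap] = []
    results = {
        "honest": trusted_call(full, honest_callback),
        "kept_part": trusted_call(full, make_keeping_callback(saved)),
    }
    # Section 7.2.2: the caller splits the stack and tries to use each half for
    # a separate call.  Only the half that still starts at STK_BASE passes, so
    # the two calls can never both be live at the same time.
    bottom, top = full.split(STK_BASE + 128)
    results["top_half"] = trusted_call(top, honest_callback)
    results["bottom_half"] = trusted_call(bottom, honest_callback)
    results["kept_pieces"] = str(len(saved))
    return results


if __name__ == "__main__":
    for name, verdict in run_scenarios().items():
        print(f"{name}: {verdict}")
```

Because the capability is linear, the only way for the callback to end up with a piece of the stack is to split it off, and the equality check on return detects exactly that: the returned range is shorter than the one handed over. The base-address check is the caller-side half of the same discipline and rejects any stack piece whose base is not the publicly known one.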
8 Related Work
8.1 Conditional Full-Abstraction
The idea of conditional full-abstraction was used by Juglaret et al. [2016] to define full abstraction for unsafe
languages. Their definition requires both the programs and the context to be fully defined (i.e. not cause undefined
behavior). If the programs are not required to be fully defined, then anything can happen, which makes it impossible to reason about. In our work, undefined behavior marks cases that we do not want to consider because they should be excluded further up in the compilation chain. Further, if we had to take these cases into account, then we would need to add checks which protect the trusted code against itself, but properly compiled code should not have to protect itself against itself.
Update: a follow-up paper to the above was presented at PriSC 2018, perhaps published elsewhere? https://popl18.sigplan.org/event/prisc-2018-formally-secure-compilation-of-unsafe-low-level-components
References
Yannis Juglaret, Catalin Hritcu, Arthur Azevedo de Amorim, and Benjamin C. Pierce. Beyond full abstraction: Formalizing the security guarantees of low-level compartmentalization. CoRR, abs/1602.04503, 2016. URL http://arxiv.org/abs/1602.04503.