Reasoning About a Machine with Local Capabilities: Provably Safe Stack
  and Return Pointer Management - Technical Appendix Including Proofs and
  Details by Skorstengaard, Lau et al.
arXiv:1902.05283v1 [cs.PL] 14 Feb 2019
Reasoning About a Machine with Local Capabilities
Provably Safe Stack and Return Pointer Management
Technical Appendix Including Proofs and Details
Lau Skorstengaard
Aarhus University
lau@cs.au.dk
Dominique Devriese
Vrije Universiteit Brussel
dominique.devriese@vub.be
Lars Birkedal
Aarhus University
birkedal@cs.au.dk
February 15, 2019
Contents
1 Capability Machine Definition and Operational Semantics 2
1.1 Domains and Notation 2
1.2 Operational Semantics 4
2 Malloc specification 9
3 Macros 9
3.1 Linking and ABI 9
3.2 Flag table 10
3.3 Macro definitions 10
3.4 Stack 15
3.5 Labels 21
4 Examples 25
4.1 Encapsulation of Local State 25
4.2 Encapsulation of Local State Using Local Capabilities and scall 28
4.3 Well-Bracketedness Using Local Capabilities and scall 32
4.4 Inverted Control and Return From Closure 38
4.5 Variant of the “awkward” example 38
5 Logical Relation 48
5.1 Worlds 48
5.2 The logical relation 51
5.3 Useful regions 54
5.4 Lemmas 54
5.4.1 Anti-reduction for the observation relation 54
5.4.2 Standard regions 55
5.4.3 Observation relation 59
5.4.4 Register-file relation 60
5.4.5 Expression relation 60
5.4.6 Permission based conditions 60
5.4.7 LR Sanity lemmas 65
5.4.8 Malloc safe to pass to adversary 66
5.4.9 Fundamental theorem of logical relations 68
5.4.10 Scall macro-instruction correctness 75
5.4.11 Malloc macro-instruction correctness 79
5.4.12 Create closure macro-instruction correctness 80
5.4.13 Stack helper lemmas 81
5.4.14 Memory Segment Satisfaction 82
5.4.15 Future worlds 84
5.4.16 Value relation 85
6 Other examples and applications 87
6.1 Stack and return pointer handling without OS involvement using local capabilities 87
6.2 A result to prove... 89
7 Related reading 89
7.1 Capability machines 89
7.1.1 M-Machine 89
7.1.2 CHERI 89
7.2 Logical Relations 90
1 Capability Machine Definition and Operational Semantics
1.1 Domains and Notation
$$\begin{array}{rcl}
\mathrm{Addr} &\stackrel{\text{def}}{=}& \mathbb{N}\\
\mathrm{Word} &\stackrel{\text{def}}{=}& \mathrm{Cap} + \mathbb{Z}\\
\mathrm{Reg} &\stackrel{\text{def}}{=}& \mathrm{RegisterName} \to \mathrm{Word}\\
\mathrm{Mem} &\stackrel{\text{def}}{=}& \mathrm{Addr} \to \mathrm{Word}\\
\mathrm{Perm} &::=& \mathsf{o} \mid \mathsf{ro} \mid \mathsf{rw} \mid \mathsf{rwl} \mid \mathsf{rx} \mid \mathsf{e} \mid \mathsf{rwx} \mid \mathsf{rwlx}\\
\mathrm{ExecConf} &\stackrel{\text{def}}{=}& \mathrm{Reg} \times \mathrm{Mem}\\
\mathrm{Global} &::=& \mathsf{global} \mid \mathsf{local}\\
\mathrm{Cap} &\stackrel{\text{def}}{=}& (\mathrm{Perm} \times \mathrm{Global}) \times \mathrm{Addr} \times (\mathrm{Addr} + \{\infty\}) \times \mathrm{Addr}\\
\mathrm{Conf} &\stackrel{\text{def}}{=}& \mathrm{ExecConf} + \{\mathrm{failed}\} + \{\mathrm{halted}\} \times \mathrm{Mem}\\
\mathrm{MemSegment} &\stackrel{\text{def}}{=}& \mathrm{Addr} \rightharpoonup \mathrm{Word}
\end{array}$$
Local capabilities have been added by introducing a new domain Global, which records whether a capability is local or global. There are two new permissions, rwl and rwlx, that permit writing local capabilities; they are otherwise the same as their counterparts without “permit write local”.
Since ∞ is a possible end address but our words cannot express ∞, we pick −42 as the representative of ∞ when it is stored in memory (any negative number would have done). Note that −42 is not an address, so for address operations −42 only represents ∞. It is the responsibility of the programmer to keep track of what represents addresses (and to take the necessary precautions).
Define the following predicate:
Definition 1. We say that a word w is non-local iff either
• w = ((perm, global), base, end, a) for some perm, base, end, and a; or
• w ∈ Z.

Figure 1: Locality hierarchy (the ordering on Global, with global above local).
Things to note:
• RegisterName contains pc, but is otherwise a sufficiently large finite set.
• Table 1 describes what all the permissions grant access to.
• Figure 2 shows the ordering of the permissions, i.e., the elements of Perm.
• Figure 1 shows the ordering of local and global, i.e., the elements of Global.
• The ordering of Perm×Global is pointwise.
o      No permissions. Grants no permissions.
ro     Read only. Grants read permission.
rw     Read-write. Grants read and write permission. Storage of local capabilities prohibited.
rwl    Read-write, permit write local. Grants read and write permission. Storage of local capabilities possible.
rx     Execute permission. Grants execute and read permissions.
e      Enter permission. This permission grants no access, but when jumped to, it will turn into an rx permission.
rwx    Read-write-execute permission. Grants read, write, and execute permissions. Storage of local capabilities prohibited.
rwlx   Read-write-execute, permit write local. Grants read, write, and execute permissions. Storage of local capabilities possible.
Table 1: The permissions in this capability system

Figure 2: Permission hierarchy (the ordering on Perm, with rwlx as the top element and o as the bottom element; rwl, rwx, rx, e, rw, and ro lie in between).
Notation:
i ∈ Instructions
r ∈ RegisterName
pc ∈ Cap
pc ∈ RegisterName
Φ ∈ ExecConf
m,Φ.mem ∈ Mem
Φ.reg ∈ Reg
a ∈ Addr
perm ∈ Perm
((perm , g), base, end , a) ∈ Cap
n ∈ Z
ms ∈ MemSegment
Words and instructions:
lv ::= ⌊r⌋
hv ::= 〈r〉m
rv ::= n | lv
i ::= jmp lv | jnz lv lv | move lv rv | load lv hv | store hv rv |
plus lv rv rv | minus lv rv rv | lt lv rv rv | lea lv rv | restrict lv rv | subseg lv rv rv |
isptr lv rv | getp lv lv | getl lv lv | getb lv lv | gete lv lv | geta lv lv |
fail | halt
Further define reg0 ∈ Reg such that
∀r ∈ RegisterName. reg0(r) = 0
1.2 Operational Semantics
Assume a decode function that decodes words to instructions:
decode : Word→ Instructions
Assume functions encodePerm, encodeLoc, and encodePermPair that encode a permission, a locality, and a permission pair, respectively, as an integer:
encodePerm : Perm → Z
encodeLoc : Global → Z
encodePermPair : (Perm × Global) → Z
Further, assume a left inverse function decodePermPair that decodes permission pairs:
decodePermPair : Z → (Perm × Global)
We define the operational semantics as follows:
$$\Phi \to \begin{cases}
[\![\mathrm{decode}(\Phi.\mathrm{mem}(a))]\!](\Phi) & \text{if } \Phi.\mathrm{reg}(\mathrm{pc}) = ((perm, g), base, end, a)\\
& \quad\text{and } base \le a \le end\\
& \quad\text{and } perm \in \{\mathsf{rx}, \mathsf{rwx}, \mathsf{rwlx}\}\\
\mathrm{failed} & \text{otherwise}
\end{cases}$$

The definition of $[\![-]\!]$ (given below) uses a number of auxiliary functions and predicates. Note that all of them are total.

$$\mathrm{readAllowed}(perm) = \begin{cases}\mathrm{true} & \text{if } perm \in \{\mathsf{rwx}, \mathsf{rwlx}, \mathsf{rx}, \mathsf{rw}, \mathsf{rwl}, \mathsf{ro}\}\\ \mathrm{false} & \text{otherwise}\end{cases}$$

$$\mathrm{writeAllowed}(perm) = \begin{cases}\mathrm{true} & \text{if } perm \in \{\mathsf{rwx}, \mathsf{rwlx}, \mathsf{rw}, \mathsf{rwl}\}\\ \mathrm{false} & \text{otherwise}\end{cases}$$

$$\mathrm{updatePcPerm}(w) = \begin{cases}((\mathsf{rx}, g), base, end, a) & \text{if } w = ((\mathsf{e}, g), base, end, a)\\ w & \text{otherwise}\end{cases}$$

$$\mathrm{nonZero}(w) = \begin{cases}\mathrm{true} & \text{if } w \in \mathrm{Cap}\text{, or } w \in \mathbb{Z} \text{ and } w \neq 0\\ \mathrm{false} & \text{otherwise}\end{cases}$$

$$\mathrm{withinBounds}((\_, base, end, a)) = \begin{cases}\mathrm{true} & \text{if } base \le a \le end\\ \mathrm{false} & \text{otherwise}\end{cases}$$

$$\mathrm{updatePc}(\Phi) = \begin{cases}\Phi[\mathrm{reg}.\mathrm{pc} \mapsto newPc] & \text{if } \Phi.\mathrm{reg}(\mathrm{pc}) = ((perm, g), base, end, a)\\ & \quad\text{and } newPc = ((perm, g), base, end, a + 1)\\ \mathrm{failed} & \text{otherwise}\end{cases}$$

$$[\![\mathsf{fail}]\!](\Phi) = \mathrm{failed}$$

$$[\![\mathsf{halt}]\!](\Phi) = (\mathrm{halted}, \Phi.\mathrm{mem})$$

$$[\![\mathsf{jmp}\ lv]\!](\Phi) = \Phi[\mathrm{reg}.\mathrm{pc} \mapsto \mathrm{updatePcPerm}(\Phi.\mathrm{reg}(lv))]$$

$$[\![\mathsf{jnz}\ lv\ rv]\!](\Phi) = \begin{cases}\Phi[\mathrm{reg}.\mathrm{pc} \mapsto \mathrm{updatePcPerm}(\Phi.\mathrm{reg}(lv))] & \text{if } \mathrm{nonZero}(\Phi.\mathrm{reg}(rv))\\ \mathrm{updatePc}(\Phi) & \text{if not } \mathrm{nonZero}(\Phi.\mathrm{reg}(rv))\\ \mathrm{failed} & \text{otherwise}\end{cases}$$

$$[\![\mathsf{load}\ \lfloor r_1 \rfloor\ \langle r_2 \rangle_m]\!](\Phi) = \begin{cases}\mathrm{updatePc}(\Phi[\mathrm{reg}.r_1 \mapsto w]) & \text{if } \Phi.\mathrm{reg}(r_2) = ((perm, g), base, end, a) = c\\ & \quad\text{and } \mathrm{readAllowed}(perm) \text{ and } \mathrm{withinBounds}(c)\\ & \quad\text{and } w = \Phi.\mathrm{mem}(a)\\ \mathrm{failed} & \text{otherwise}\end{cases}$$

$$[\![\mathsf{store}\ \langle r_1 \rangle_m\ \lfloor r_2 \rfloor]\!](\Phi) = \begin{cases}\mathrm{updatePc}(\Phi[\mathrm{mem}.a \mapsto w]) & \text{if } \Phi.\mathrm{reg}(r_1) = ((perm, g), base, end, a) = c\\ & \quad\text{and } \mathrm{writeAllowed}(perm) \text{ and } \mathrm{withinBounds}(c)\\ & \quad\text{and } w = \Phi.\mathrm{reg}(r_2)\\ & \quad\text{and if } w = ((\_, \mathsf{local}), \_, \_, \_) \text{ then } perm \in \{\mathsf{rwlx}, \mathsf{rwl}\}\\ \mathrm{failed} & \text{otherwise}\end{cases}$$

$$[\![\mathsf{move}\ \lfloor r_1 \rfloor\ rv]\!](\Phi) = \begin{cases}\mathrm{updatePc}(\Phi[\mathrm{reg}.r_1 \mapsto rv]) & \text{if } rv \in \mathbb{Z}\\ \mathrm{updatePc}(\Phi[\mathrm{reg}.r_1 \mapsto \Phi.\mathrm{reg}(rv)]) & \text{otherwise}\end{cases}$$

$$[\![\mathsf{lea}\ \lfloor r_1 \rfloor\ rv]\!](\Phi) = \begin{cases}\mathrm{updatePc}(\Phi[\mathrm{reg}.r_1 \mapsto c]) & \text{if either } n = rv\text{, or } rv = \lfloor r_2 \rfloor \text{ and } n = \Phi.\mathrm{reg}(r_2),\\ & \quad\text{and in either case } n \in \mathbb{Z}\\ & \quad\text{and } \Phi.\mathrm{reg}(r_1) = ((perm, g), base, end, a)\\ & \quad\text{and } perm \neq \mathsf{e}\\ & \quad\text{and } c = ((perm, g), base, end, a + n)\\ \mathrm{failed} & \text{otherwise}\end{cases}$$

$$[\![\mathsf{restrict}\ \lfloor r \rfloor\ rv]\!](\Phi) = \begin{cases}\mathrm{updatePc}(\Phi[\mathrm{reg}.r \mapsto c]) & \text{if } \Phi.\mathrm{reg}(r) = (permPair, base, end, a)\\ & \quad\text{and either } rv = n \text{ or } \Phi.\mathrm{reg}(rv) = n,\\ & \quad\text{and in either case } n \in \mathbb{Z}\\ & \quad\text{and } \mathrm{decodePermPair}(n) \sqsubseteq permPair\\ & \quad\text{and } c = (\mathrm{decodePermPair}(n), base, end, a)\\ \mathrm{failed} & \text{otherwise}\end{cases}$$

$$[\![\mathsf{plus}\ \lfloor r_1 \rfloor\ rv_1\ rv_2]\!](\Phi) = \begin{cases}\mathrm{updatePc}(\Phi[\mathrm{reg}.r_1 \mapsto n_1 + n_2]) & \text{if for } i \in \{1, 2\}\text{: } n_i = rv_i \text{ or } n_i = \Phi.\mathrm{reg}(rv_i),\\ & \quad\text{and in either case } n_i \in \mathbb{Z}\\ \mathrm{failed} & \text{otherwise}\end{cases}$$

$$[\![\mathsf{minus}\ \lfloor r_1 \rfloor\ rv_1\ rv_2]\!](\Phi) = \begin{cases}\mathrm{updatePc}(\Phi[\mathrm{reg}.r_1 \mapsto n_1 - n_2]) & \text{if for } i \in \{1, 2\}\text{: } n_i = rv_i \text{ or } n_i = \Phi.\mathrm{reg}(rv_i),\\ & \quad\text{and in either case } n_i \in \mathbb{Z}\\ \mathrm{failed} & \text{otherwise}\end{cases}$$

$$[\![\mathsf{lt}\ \lfloor r_1 \rfloor\ rv_1\ rv_2]\!](\Phi) = \begin{cases}\mathrm{updatePc}(\Phi[\mathrm{reg}.r_1 \mapsto 1]) & \text{if for } i \in \{1, 2\}\text{: } n_i = rv_i \text{ or } n_i = \Phi.\mathrm{reg}(rv_i),\\ & \quad\text{and in either case } n_i \in \mathbb{Z}\text{, and } n_1 < n_2\\ \mathrm{updatePc}(\Phi[\mathrm{reg}.r_1 \mapsto 0]) & \text{if for } i \in \{1, 2\}\text{: } n_i = rv_i \text{ or } n_i = \Phi.\mathrm{reg}(rv_i),\\ & \quad\text{and in either case } n_i \in \mathbb{Z}\text{, and } n_1 \not< n_2\\ \mathrm{failed} & \text{otherwise}\end{cases}$$

$$[\![\mathsf{subseg}\ \lfloor r \rfloor\ rv_1\ rv_2]\!](\Phi) = \begin{cases}\mathrm{updatePc}(\Phi[\mathrm{reg}.r \mapsto c]) & \text{if } \Phi.\mathrm{reg}(r) = ((perm, g), base, end, a)\\ & \quad\text{and for } i \in \{1, 2\}\text{: } n_i = rv_i \text{ or } n_i = \Phi.\mathrm{reg}(rv_i),\\ & \quad\text{and in either case } n_1 \in \mathbb{N} \text{ and } base \le n_1\\ & \quad\text{and } (n_2 \in \mathbb{N} \text{ and } n_2 \le end\text{, or } n_2 = -42 \text{ and } end = \infty)\\ & \quad\text{and } perm \neq \mathsf{e}\\ & \quad\text{and } c = ((perm, g), n_1, n_2, a)\\ \mathrm{failed} & \text{otherwise}\end{cases}$$

$$[\![\mathsf{geta}\ \lfloor r_1 \rfloor\ \lfloor r_2 \rfloor]\!](\Phi)= \begin{cases}\mathrm{updatePc}(\Phi[\mathrm{reg}.r_1 \mapsto a]) & \text{if } \Phi.\mathrm{reg}(r_2) = ((\_, \_), \_, \_, a)\\ \mathrm{failed} & \text{otherwise}\end{cases}$$

$$[\![\mathsf{getb}\ \lfloor r_1 \rfloor\ \lfloor r_2 \rfloor]\!](\Phi) = \begin{cases}\mathrm{updatePc}(\Phi[\mathrm{reg}.r_1 \mapsto base]) & \text{if } \Phi.\mathrm{reg}(r_2) = ((\_, \_), base, \_, \_)\\ \mathrm{failed} & \text{otherwise}\end{cases}$$

$$[\![\mathsf{gete}\ \lfloor r_1 \rfloor\ \lfloor r_2 \rfloor]\!](\Phi) = \begin{cases}\mathrm{updatePc}(\Phi[\mathrm{reg}.r_1 \mapsto end]) & \text{if } \Phi.\mathrm{reg}(r_2) = ((\_, \_), \_, end, \_) \text{ and } end \neq \infty\\ \mathrm{updatePc}(\Phi[\mathrm{reg}.r_1 \mapsto -42]) & \text{if } \Phi.\mathrm{reg}(r_2) = ((\_, \_), \_, \infty, \_)\\ \mathrm{failed} & \text{otherwise}\end{cases}$$

$$[\![\mathsf{getp}\ \lfloor r_1 \rfloor\ \lfloor r_2 \rfloor]\!](\Phi) = \begin{cases}\mathrm{updatePc}(\Phi[\mathrm{reg}.r_1 \mapsto \mathrm{encodePerm}(perm)]) & \text{if } \Phi.\mathrm{reg}(r_2) = ((perm, \_), \_, \_, \_)\\ \mathrm{failed} & \text{otherwise}\end{cases}$$

$$[\![\mathsf{getl}\ \lfloor r_1 \rfloor\ \lfloor r_2 \rfloor]\!](\Phi) = \begin{cases}\mathrm{updatePc}(\Phi[\mathrm{reg}.r_1 \mapsto \mathrm{encodeLoc}(g)]) & \text{if } \Phi.\mathrm{reg}(r_2) = ((\_, g), \_, \_, \_)\\ \mathrm{failed} & \text{otherwise}\end{cases}$$

$$[\![\mathsf{isptr}\ \lfloor r_1 \rfloor\ rv]\!](\Phi) = \begin{cases}\mathrm{updatePc}(\Phi[\mathrm{reg}.r_1 \mapsto 1]) & \text{if } \Phi.\mathrm{reg}(rv) \in \mathrm{Cap}\\ \mathrm{updatePc}(\Phi[\mathrm{reg}.r_1 \mapsto 0]) & \text{otherwise}\end{cases}$$
Define the following macros: variants of restrict, subseg, and lea that do not overwrite the source register, and a store that allows an integer to be stored directly. The latter requires a register rt for temporary values to be available.
restrict r1 r2 r3 r4 ≝ move r1 r2; restrict r1 r3 r4
subseg r1 r2 r3 r4 ≝ move r1 r2; subseg r1 r3 r4
lea r1 r2 r3 ≝ move r1 r2; lea r1 r3
store r n ≝ move rt n; store r rt
Lemma 1 (Determinacy). If $\Phi \to \Phi'$ and $\Phi \to \Phi''$, then $\Phi' = \Phi''$. If $\Phi \to^{n} \Phi'$ and $\Phi \to^{n} \Phi''$, then $\Phi' = \Phi''$. If $\Phi \to^{n} \Phi'$ and $\Phi \to^{n'} (\mathrm{halted}, mem'')$, then $n \le n'$ and $\Phi' \to^{n' - n} (\mathrm{halted}, mem'')$.
Proof. By easy inspection of the definition of the operational semantics.
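To make the semantics above concrete, here is a small executable model of the core instructions (an added example written for this appendix, not code from the paper), with the checks that carry the safety argument: store refuses to write a local capability through anything but rwl/rwlx, restrict only lets the permission pair shrink, lea refuses to retarget an enter capability, and jmp turns an enter capability into rx. Instructions are already decoded tuples, encodePermPair(n) is stood in for by a (perm, locality) tuple, the permission ordering is an assumption derived from Table 1 (with e placed between o and rx), and the register files and programs are constructed for the demonstration.

```python
# Added example: executable model of the core of the capability machine in
# Section 1 (jmp, move, store, lea, restrict, fail, halt); see the lead-in.
from collections import namedtuple

Cap = namedtuple("Cap", "perm glob base end addr")   # ((perm, g), base, end, a)
FAILED, HALTED = "failed", "halted"

# Rights granted by each permission (Table 1). The ordering below is an
# assumption standing in for Figure 2: p <= q iff q grants every right of p,
# with the enter permission e placed between o and rx.
RIGHTS = {"o": set(), "ro": {"r"}, "rw": {"r", "w"}, "rwl": {"r", "w", "l"},
          "rx": {"r", "x"}, "rwx": {"r", "w", "x"}, "rwlx": {"r", "w", "l", "x"}}

def perm_leq(p, q):
    if p == "e":
        return q in ("e", "rx", "rwx", "rwlx")
    if q == "e":
        return p == "o"
    return RIGHTS[p] <= RIGHTS[q]

def glob_leq(g, h):                 # local is below global
    return g == h or (g == "local" and h == "global")
def within_bounds(c):
    return c.base <= c.addr <= c.end

def update_pc_perm(w):              # jumping to an enter capability yields rx
    return w._replace(perm="rx") if isinstance(w, Cap) and w.perm == "e" else w

def val(reg, rv):                   # rv is a literal or a register name
    return reg[rv] if isinstance(rv, str) else rv

def step(ins, reg, mem):            # [[i]](Phi): None to continue, or FAILED / HALTED
    op, a = ins[0], ins[1:]
    if op == "fail":
        return FAILED
    if op == "halt":
        return HALTED
    if op == "jmp":
        reg["pc"] = update_pc_perm(reg[a[0]])
        return None
    if op == "move":
        reg[a[0]] = val(reg, a[1])
    elif op == "store":
        c, w = reg[a[0]], val(reg, a[1])
        if not (isinstance(c, Cap) and "w" in RIGHTS.get(c.perm, ()) and within_bounds(c)):
            return FAILED
        # permit-write-local: a local capability may only be written via rwl / rwlx
        if isinstance(w, Cap) and w.glob == "local" and c.perm not in ("rwl", "rwlx"):
            return FAILED
        mem[c.addr] = w
    elif op == "lea":
        c, n = reg[a[0]], val(reg, a[1])
        if not (isinstance(c, Cap) and isinstance(n, int) and c.perm != "e"):
            return FAILED
        reg[a[0]] = c._replace(addr=c.addr + n)
    elif op == "restrict":
        c, (p, g) = reg[a[0]], val(reg, a[1])
        if not (isinstance(c, Cap) and perm_leq(p, c.perm) and glob_leq(g, c.glob)):
            return FAILED
        reg[a[0]] = c._replace(perm=p, glob=g)
    else:
        return FAILED
    reg["pc"] = reg["pc"]._replace(addr=reg["pc"].addr + 1)   # updatePc
    return None

def run(reg, mem, code, fuel=100):  # Phi -> ... until failed or halted
    for _ in range(fuel):
        pc = reg["pc"]
        if not (isinstance(pc, Cap) and within_bounds(pc) and pc.perm in ("rx", "rwx", "rwlx")):
            return FAILED
        res = step(code.get(pc.addr, ("fail",)), reg, mem)   # code stands in for decode(mem(a))
        if res is not None:
            return res
    raise RuntimeError("out of fuel")

PC0 = Cap("rx", "global", 0, 1, 0)   # code capability for the constructed test programs
def store_local_via(perm):
    """Store a local capability through a capability with permission `perm`."""
    reg = {"pc": PC0, "r1": Cap(perm, "local", 10, 20, 10),    # where we write
           "r2": Cap("rw", "local", 30, 40, 30)}               # the local word written
    return run(reg, {}, {0: ("store", "r1", "r2"), 1: ("halt",)})

def restrict_to(pair):
    """Restrict an (rwx, global) capability to `pair`; returns (outcome, new pair)."""
    reg = {"pc": PC0, "r1": Cap("rwx", "global", 10, 20, 10)}
    out = run(reg, {}, {0: ("restrict", "r1", pair), 1: ("halt",)})
    return out, (reg["r1"].perm, reg["r1"].glob)

def enter_call():
    """Jump through a local enter capability: the callee runs with rx."""
    reg = {"pc": PC0, "r0": Cap("e", "local", 5, 5, 5)}
    out = run(reg, {}, {0: ("jmp", "r0"), 5: ("halt",)})
    return out, reg["pc"].perm

def lea_enter():
    """lea on an enter capability fails: its address cannot be retargeted."""
    reg = {"pc": PC0, "r0": Cap("e", "local", 5, 9, 5)}
    return run(reg, {}, {0: ("lea", "r0", 2), 1: ("halt",)})
```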
2 Malloc specification
Specification 1 (Malloc Specification). $c_{malloc}$ satisfies the specification for malloc iff

$$\begin{array}{l}
c_{malloc} = ((\mathsf{e}, \mathsf{global}), \_, \_, \_)\ \wedge\\
\exists \iota_{malloc,0}.\\
\quad (\forall \iota' \sqsupseteq^{priv} \iota_{malloc,0}.\ \forall W, i.\ W(i) = \iota' \Rightarrow \iota'.H(\iota'.s)(\xi^{-1}(W)) = \iota'.H(\iota'.s)(\xi^{-1}([i \mapsto W(i)])))\ \wedge\\
\quad \iota_{malloc,0}.v = \mathrm{perm}\ \wedge\\
\quad (\forall \Phi \in \mathrm{ExecConf}.\ \forall ms_{footprint}, ms_{frame} \in \mathrm{MemSegment}.\ \forall i, n, size \in \mathbb{N}.\ \forall w_{ret} \in \mathrm{Word}.\ \forall \iota_{malloc} \sqsupseteq^{priv} \iota_{malloc,0}.\\
\qquad \Phi.\mathrm{mem} = ms_{footprint} \uplus ms_{frame}\ \wedge\ ms_{footprint} :_{n} [i \mapsto \iota_{malloc}]\ \wedge\\
\qquad \Phi.\mathrm{reg}(r_1) = size\ \wedge\ size \ge 0\ \wedge\ \Phi.\mathrm{reg}(r_0) = w_{ret}\ \wedge\ \Phi.\mathrm{reg}(\mathrm{pc}) = \mathrm{updatePcPerm}(c_{malloc})\\
\qquad \Rightarrow\\
\qquad \exists \Phi' \in \mathrm{ExecConf}.\ \exists ms'_{footprint}, ms_{alloc} \in \mathrm{MemSegment}.\ \exists j \in \mathbb{N}.\ j > 0\ \wedge\ \exists b', e' \in \mathrm{Addr}.\ \exists \iota'_{malloc} \in \mathrm{Region}.\\
\qquad\quad \Phi \to^{j} \Phi'\ \wedge\ \Phi'.\mathrm{mem} = ms'_{footprint} \uplus ms_{alloc} \uplus ms_{frame}\ \wedge\ \iota'_{malloc} \sqsupseteq^{pub} \iota_{malloc}\ \wedge\\
\qquad\quad ms'_{footprint} :_{n-j} [i \mapsto \iota'_{malloc}]\ \wedge\ \mathrm{dom}(ms_{alloc}) = [b', e']\ \wedge\ \forall a \in [b', e'].\ ms_{alloc}(a) = 0\ \wedge\\
\qquad\quad \Phi'.\mathrm{reg} = \Phi.\mathrm{reg}[\mathrm{pc} \mapsto \mathrm{updatePcPerm}(w_{ret})][r_1 \mapsto ((\mathsf{rwx}, \mathsf{global}), b', e', b')]\ \wedge\ size - 1 = e' - b')\ \wedge\\
\quad (\forall \Phi \in \mathrm{ExecConf}.\ (\Phi.\mathrm{reg}(r_1) \notin \mathbb{Z} \vee \Phi.\mathrm{reg}(r_1) < 0)\ \wedge\ \Phi.\mathrm{reg}(\mathrm{pc}) = \mathrm{updatePcPerm}(c_{malloc}) \Rightarrow \exists j \in \mathbb{N}.\ \Phi \to^{j} \mathrm{failed})
\end{array}$$

In the specification above, $\iota'_{malloc}$ is a future region of the initial region that governs malloc.
3 Macros
In order to write readable example programs, we provide macros (macro-instructions) that can
be implemented in terms of the instruction set given in the formalisation.
In order to compute offsets and the like, the macros need registers in which to keep temporary computations. We assume that a small set of such registers RegisterName_t ⊆ RegisterName is available and that RegisterName_t contains neither the registers explicitly named in a program nor r0, rstk, or pc (but clearing all registers still clears the temporary registers).
3.1 Linking and ABI
In order to make capabilities to trusted code (and possibly untrusted code) available, we assume
that some sort of linker has made these available. This is done in the following way: For every
function, the first memory cell the capability for that function governs contains a capability for
the linking table. Each function name in a program corresponds to an offset in the table, e.g.,
malloc could be at offset 0. When a name is used in a program, it indicates what entry from the
linking table to pick. The table should always be accessible by taking a copy of the capability in
the pc-register and adjusting it to point to the first cell it governs.
The capability linking table can be shared between multiple functions that are linked to the
same capabilities as it is accessed through read-only capabilities.
3.2 Flag table
A function may use flags to signal failure. We use the convention that a flag table is available in the second memory cell of a function's code (so just after the linking table). The flag table is accessed through a read-write capability and initially contains all zeros. Like the linking table, each entry is associated with a name which may appear in the macros.
The flag table should never be shared between distrusting parties.
We will often want to make room in memory for a linking-table capability and a flag-table capability. We therefore define a constant that represents the offset of the actual code of a function caused by these two capabilities:
offsetLinkFlag ≝ 2
3.3 Macro definitions
In the following, we describe each of the macros. The descriptions are detailed enough that implementing the macros should be a simple matter. We also provide a proposed implementation for each macro to give some confidence that each of them can in fact be implemented.
fetch r f Loads the entry of the linking table corresponding to f into register r.
One possible fetch implementation (r_t1 and r_t2 are registers in RegisterName_t):
move r pc
getb r_t1 r
geta r_t2 r
minus r_t1 r_t1 r_t2 // Offset to first address, i.e., linking table (b-a)
lea r r_t1
load r r
lea r ... // ... replaced with offset to f in the linking table
move r_t1 0
move r_t2 0
load r r // f capability loaded to register r
call r(r̄args, r̄priv)
r̄args and r̄priv are lists of registers. An overview of this call:
• Set up activation record
• Create local enter capability for activation (protected return pointer)
• Clear unused registers
• Jump
• Upon return: Run activation code
A more detailed description of each of the above steps:
Set up activation record
• Run malloc to get a piece of memory with space for:
– Words in r¯priv
– Code return capability (opc)
– Activation code
• Store the words in r¯priv to the activation record.
• Adjust a copy of the current pc to point to the return address in code and save
it to the activation record.
• Write the activation code to the activation record.
Create local enter capability for activation Adjust the capability for the activation
record to point to the beginning of the activation record and restrict it to a local
enter-capability. Place this capability in r0.
Clear unused registers Clear all the registers that are not pc, r, r0, or in r̄args.
Jump Jump to register r
Activation code The activation code does the following:
• Move the stored “private” words into their respective r̄priv registers.
• Load the return capability to pc
Possible implementation. We will use malloc r n and rclear r̄ (defined below). Assume r̄priv = rpriv,1, . . . , rpriv,n and let i1, . . . , im be the activation code (given below). The register r_t holds the capability for the activation record throughout; the record contains the private words, then the return address, then the activation code.
malloc r_t ... // ... is the size of the activation record
// store private state in activation record
store r_t r_priv,1
lea r_t 1
store r_t r_priv,2
lea r_t 1
...
lea r_t 1
store r_t r_priv,n
lea r_t 1
// store old pc (the return address in the caller)
move r_t1 pc
lea r_t1 ... // ... is the offset to the return address
store r_t r_t1
lea r_t 1
// store activation code
store r_t encode(i_1)
lea r_t 1
...
lea r_t 1
store r_t encode(i_m)
lea r_t -(m-1) // back to the first instruction of the activation code
restrict r_t encodePermPair((Local,e))
move r_0 r_t
rclear R // R = RegisterName - {r,pc,r_0,r_args}; this also clears r_t and r_t1
jmp r
Activation code. The instructions correspond to i1, . . . , im in the above.
move r_t pc
getb r_t1 r_t
geta r_t2 r_t
minus r_t1 r_t1 r_t2
// load private state
lea r_t r_t1
load r_priv,1 r_t
lea r_t 1
load r_priv,2 r_t
lea r_t 1
...
lea r_t 1
load r_priv,n r_t
lea r_t 1
// load old pc
load pc r_t
malloc r n Calls malloc to allocate a piece of memory of size n. The capability will be stored in register r. One possible malloc implementation (r_t1 is a register in RegisterName_t, and r_1 is the register from the malloc specification):
fetch r malloc
move r_1 n
// save return pointer
move r_t1 r_0
// setup new return pointer
move r_0 pc
lea r_0 4 // 4 is the offset to just after jmp r
restrict r_0 encodePerm(e)
jmp r
move r r_1
move r_0 r_t1 // restore return pointer
move r_1 0
move r_t1 0
assertflag r1 r2 Compares the words in register r1 and r2 (if one of them is an integer, then use
that in the comparison). If they are equal, then execution continues. If they are unequal,
then the assertion flag named flag in the flag list is set to 1 and execution halts (if no flag
is specified, then the first flag in the list is set to 1).
There are four different asserts based on whether r1 and r2 are registers or numbers. If r1
and r2 are registers:
// setup pointer to fail.
move r_t3 pc
lea r_t3 ... // ... is the offset to fail
// make sure both registers contain either capability or integer
isptr r_t1 r_1
isptr r_t2 r_2
minus r_t1 r_t1 r_t2
jnz r_t3 r_t1 // one is a capability and the other an integer: fail
// set up capability for cap case:
move r_t4 pc
lea r_t4 ... // ... is the offset to caps
jnz r_t4 r_t2 // jump to caps if r_t2 contains a capability
// the two registers contain an integer
minus r_t1 r_1 r_2
jnz r_t3 r_t1
// the two integers in the registers are equal
move r_t4 pc
lea r_t4 ... // ... is the offset to success
jmp r_t4
caps:
geta r_t1 r_1
geta r_t2 r_2
minus r_t1 r_t1 r_t2
jnz r_t3 r_t1
getb r_t1 r_1
getb r_t2 r_2
minus r_t1 r_t1 r_t2
jnz r_t3 r_t1
gete r_t1 r_1
gete r_t2 r_2
minus r_t1 r_t1 r_t2
jnz r_t3 r_t1
getp r_t1 r_1
getp r_t2 r_2
minus r_t1 r_t1 r_t2
jnz r_t3 r_t1
getl r_t1 r_1
getl r_t2 r_2
minus r_t1 r_t1 r_t2
jnz r_t3 r_t1
// the two capabilities in the registers are equal
move r_t4 pc
lea r_t4 ... // ... is the offset to success
jmp r_t4
fail:
// get the flag capability
move r_t3 pc
getb r_t1 pc
geta r_t2 pc
minus r_t1 r_t1 r_t2
lea r_t3 r_t1
lea r_t3 1 // the flag table capability is at the second address of cap.
load r_t1 r_t3
lea r_t1 ... // ... is the offset of flag in the table
store r_t1 1
halt
success:
// clean up
move r_t1 0
move r_t2 0
move r_t3 0
move r_t4 0
If r1 is a register, but r2 is a constant:
// setup pointer to fail.
move r_t3 pc
lea r_t3 ... // ... is the offset to fail
// make sure the register contains an integer
isptr r_t1 r_1
jnz r_t3 r_t1
minus r_t1 r_1 r_2
jnz r_t3 r_t1
// the integer in the register equals the constant
move r_t3 pc
lea r_t3 ... // ... is the offset to success
jmp r_t3
fail:
// get the flag capability
move r_t3 pc
getb r_t1 pc
geta r_t2 pc
minus r_t1 r_t1 r_t2
lea r_t3 r_t1
lea r_t3 1 // the flag table capability is at the second address of cap.
load r_t1 r_t3
lea r_t1 ... // ... is the offset of flag in the table
store r_t1 1
halt
success:
// clean up
move r_t1 0
move r_t2 0
move r_t3 0
The case where r1 is a constant and r2 is a register is omitted. The case where both are constants is also omitted: if the constants are the same, then the macro is empty; if they are different, then it corresponds to the fail part of both of the above implementations.
mclear r Stores 0 to all the memory cells the capability in r governs.¹
Possible implementation:
move r_t r
getb r_t1 r_t
geta r_t2 r_t
minus r_t2 r_t1 r_t2 // base - a
lea r_t r_t2 // r_t now points to the first governed cell (base)
gete r_t2 r_t
minus r_t1 r_t2 r_t1 // end - base
plus r_t1 r_t1 1 // r_t1 is the number of cells left to clear
move r_t2 pc
lea r_t2 ... // ... is the offset to end
move r_t3 pc
lea r_t3 ... // ... is the offset to iter
iter:
lt r_t4 0 r_t1 // r_t4 = 1 while cells remain
minus r_t4 1 r_t4 // r_t4 = 1 when no cells remain
jnz r_t2 r_t4 // done: jump to end
store r_t 0
lea r_t 1
minus r_t1 r_t1 1
jmp r_t3
end:
move r_t 0
move r_t1 0
move r_t2 0
move r_t3 0
move r_t4 0
¹This may in some cases seem like an unreasonably slow instruction. In a real system it would probably be implemented as a vector operation, which allows modification of contiguous segments of memory rather fast.
rclear r̄ Moves 0 to all the registers in the list r̄.
Possible implementation: Say r̄ = r1, . . . , rn
move r_1 0
move r_2 0
// ...
move r_n 0
Note:
• call will fail if one of the registers in the “private” register list holds a local capability, as it relies on a capability returned by malloc, which will not be permit-write-local. This severely limits how call can be used, and it provides very little in terms of control-flow integrity when nested. Below, we introduce scall, which can handle local capabilities in the “private” state.
3.4 Stack
Some programs will assume access to a stack which will be in part indicated by the program
macros but also in the correctness lemma. The stack is accessed through a local rwlx-capability.
Programs will assume that the stack resides in some register, say rstk .
The stack resides entirely in memory. There is no separation between the memory and the
stack, so when we talk about the stack it is as a conceptual thing.
Even though the memory is infinite, we will only use a finite part for the stack. If we
have allocated too little memory for the stack, and we try to push something anyway, then the
execution will fail. As we consider failing admissible, we are okay with this.
When not in the middle of a push or a pop, the stack capability points to the top word of the stack. For an empty stack, the stack capability points to the address just below the range of authority of the stack capability.
The stack grows upwards.
push r Pushes the word in register r to the stack by incrementing the address of the stack
capability by one and storing the word through the stack capability.
Possible implementation:
lea r_stk 1
store r_stk r
pop r Pops the top word of the stack by loading it into register r and decrementing the address of the stack capability.
Possible implementation:
load r r_stk
minus r_t1 0 1
lea r_stk r_t1
scall r(r̄args, r̄priv)
r̄args and r̄priv are lists of registers. This call assumes rstk contains a stack capability. An overview of this call:
• Push “private” registers to the stack.
• Push the restore code to the stack.
• Push return address capability
• Push stack capability
• Create protected return pointer
• Restrict stack capability to unused part
• Clear the part of the stack we release control over
• Clear unused registers
• Jump
• Upon return: Run the on stack restore code
• Return address in caller-code: Restore “private” state
A more detailed description of the above steps:
Push “private” registers to the stack Push all the words in the registers in r¯priv to
the stack.
Push the restore code to the stack Push the restore code to the stack (described later).
This code needs to be on the stack to make sure the stack capability can be restored.
We keep the restore code on the stack minimal. The caller code does the rest of the
restoration.
Push return address capability Push a capability for the return address (in the mem-
ory) to the stack.
Push stack capability Push the full stack capability to the stack.
Create protected return pointer Make a new version of the stack pointer that points
to the beginning of the restoration code. Restrict it to a local enter-capability and
put it in r0.
Restrict stack capability to unused part Make the stack capability only govern the unused part.
Clear the part of the stack we release control over Store 0 to all the memory cells the restricted stack pointer has authority over.
Clear unused registers Clear all registers but pc, r, r0, rstk, and r̄args.
Jump Jump to register r.
Run the on-stack restore code Load the stack capability into rstk. Pop the old program counter (the return address in caller code) from the stack into pc.
Return address in caller code: Restore “private” state
• Pop the return address and the restore code off the stack.
• Pop the private state on the stack into their respective r̄priv registers.
Possible implementation, say r̄args = rargs,1, . . . , rargs,m and r̄priv = rpriv,1, . . . , rpriv,n. The restore code consists of the five instructions i_1, . . . , i_5 given after the listing; the stack layout it relies on is, from bottom to top: the private words, the five restore instructions, the old pc, and the old stack capability.
// push private state
push r_priv,1
...
push r_priv,n
// push restore code
push encode(i_1)
...
push encode(i_5)
// push old pc
move r_t1 pc
lea r_t1 ... // ... is the offset to after
push r_t1
// push stack pointer
push r_stk
// set up protected return pointer
move r_0 r_stk
lea r_0 -6 // -6 is the offset to the first instruction of the restore code
restrict r_0 encodePermPair((Local,e))
// restrict stack capability to the unused part
geta r_t1 r_stk
plus r_t1 r_t1 1
gete r_t2 r_stk
subseg r_stk r_t1 r_t2
// clear unused part of the stack
mclear r_stk
// clear non-argument registers
rclear R // where R = RegisterName - {pc,r_stk,r_0,r,r_args}
jmp r
after:
// pop the return address and the restore code (six words)
pop r_t1
pop r_t1
pop r_t1
pop r_t1
pop r_t1
pop r_t1
// pop the private state into the appropriate registers
pop r_priv,1
...
pop r_priv,n
where the restore code is as follows:
i_1 = move r_t1 pc
i_2 = lea r_t1 6 // 6 is the offset to the address where the old stack pointer is located
i_3 = load r_stk r_t1
i_4 = lea r_stk -1 // the old stack pointer points at its own cell; step down to the old pc
i_5 = load pc r_stk // return to the caller (a pop into pc, whose decrement would never run)
Note:
• If we want to have local capabilities as part of our private state, then we need to have a
stack and use scall. If we do not have any local capabilities we want to keep around, then
we can use call, but it will incur a small memory leak as the activation records cannot
be recycled! It is also possible to use a combination of scall and call, but when call is
used, then we have no way to store the stack, so we cannot use scall after that.
• As a rule of thumb: If you have provided an untrusted entity access to part of the stack,
then it needs to be cleared before it is passed to an untrusted party.
• As a rule of thumb: If you receive a stack from an untrusted source, then you need to check
that it is a local rwlx-capability and clear it! If any callbacks are provided, then they
need to be global.
crtcls [(x1, r1), . . . , (xn, rn)] rcode
[(x1, r1), . . . , (xn, rn)] is a list of variable bindings. If an instruction refers to a variable, then it assumes that an environment is available in a designated register (say renv). The register rcode should contain a capability that governs the code of the closure and that is executable when jumped to.
Allocate memory for variable environment
Store register contents to environment
Allocate memory for record with environment capability, code capability, and activation code
Store capabilities and activation code to record
Restrict the capability for the “closure pair” to an enter capability
Activation code:
• Load the environment capability to a designated register
• Load the code capability.
• Jump to the code.
A more detailed description of each step:
Allocate memory for variable environment Have malloc allocate a piece of memory
of size n (the size of the variable environment).
Store register contents to environment Store the contents of each of the registers
r1, . . . , rn to the newly allocated memory.
Allocate memory for record with environment capability, code capability, and activation code
Allocate a new piece of memory with room for a capability for the environment.
Store capabilities and activation code to record Store the environment capability
and code capability in the record followed by the activation code.
Restrict the capability for the “closure pair” to an enter capability Adjust the ca-
pability to point to the start of the activation code and restrict it to a global enter-
capability.
Activation code:
• Load the environment capability to a designated register.
• Load the code capability.
• Jump to the code.
Possible implementation of crtcls [(x1, rv,1), . . . , (xn, rv,n)] rcode (the activation code i1, . . . , i6 is defined after the listing). As described above, the record holds the environment capability first, then the code capability, then the activation code:
malloc r_t1 n
store r_t1 r_v1
lea r_t1 1
store r_t1 r_v2
lea r_t1 1
...
lea r_t1 1
store r_t1 r_vn
lea r_t1 -(n-1) // back to the first cell of the environment
restrict r_t1 encodePermPair((Global,rw))
malloc r_1 8 // length of the closure record: two capabilities and six instructions
store r_1 r_t1 // environment capability
move r_t1 0
lea r_1 1
store r_1 r_code // code capability
lea r_1 1
store r_1 encode(i_1)
lea r_1 1
store r_1 encode(i_2)
lea r_1 1
...
lea r_1 1
store r_1 encode(i_6)
lea r_1 -5 // offset to the first instruction
restrict r_1 encodePerm(e)
Activation code (i1,...,i6):
i_1 = move r_t1 pc
i_2 = lea r_t1 -2 // the environment capability is the first word of the record
i_3 = load r_env r_t1
i_4 = lea r_t1 1 // the code capability is the second word
i_5 = load r_t1 r_t1
i_6 = jmp r_t1
load r x Assumes environment capability available in register renv . Loads the word at the
index associated with x in the environment list. Loads from this capability into r.
Possible implementation:
move r_t1 r_env
lea r_t1 ... // ... corresponds to offset of x in environment
load r r_t1
move r_t1 0
store x r Assumes environment capability available in register renv. Computes the address at the index associated with x in the environment list and stores the contents of register r through this capability.
move r_t1 r_env
lea r_t1 ... // ... corresponds to offset of x in environment
store r_t1 r
move r_t1 0
reqglob r Tests if register r contains a global capability. If not, fail; otherwise continue execution.
Possible implementation:
getl r_t1 r
minus r_t1 r_t1 encodeLoc(Global) // 0 iff r holds a global capability
move r_t2 pc
lea r_t2 5 // 5 is the offset to fail
jnz r_t2 r_t1 // not global: jump to fail
lea r_t2 1 // just after fail
jmp r_t2
fail
move r_t1 0
move r_t2 0
reqperm r n Tests if register r contains a capability with permission decodePerm(n). If not, fail; otherwise continue execution.
Possible implementation:
getp r_t1 r
minus r_t1 r_t1 n // 0 iff the permission of r is decodePerm(n)
move r_t2 pc
lea r_t2 5 // 5 is the offset to fail
jnz r_t2 r_t1 // wrong permission: jump to fail
lea r_t2 1 // just after fail
jmp r_t2
fail
move r_t1 0
move r_t2 0
prepstack r Tests if register r contains a capability with permission rwlx. If not, fail; otherwise, assuming r contains ((rwlx, g), base, end, a), adjust it to ((rwlx, g), base, end, base − 1).
Possible implementation:
reqperm r encodePerm(rwlx)
getb r_t1 r
geta r_t2 r
minus r_t1 r_t1 r_t2
lea r r_t1
minus r_t1 0 1
lea r r_t1
move r_t1 0
move r_t2 0

Figure 3: This is the first figure of 6 that illustrates how scall works. In this example, the call is scall r([rargs,1, . . . , rargs,n], [r0, rpriv,1, . . . , rpriv,m]); the two lists of registers are disjoint even though that does not have to be the case. Stack (top to bottom): . . . ; 0; cstk → local stack; . . . . Register file: pc = cpc, r0 = c0, rstk = cstk, rargs,1 = wa,1, . . . , rargs,n = wa,n, rpriv,1 = wp,1, . . . , rpriv,m = wp,m.
Note:
• In a real setting, due to the limited number of registers, some of the arguments might be spilled to the stack. It would be possible to do something similar here, but to keep matters simple, we opt not to do so.
• reqperm can be used to test whether something can pass as a stack.
• reqglob can be used to test whether a callback is admissible in the presence of a stack.
• The code of a closure will often be found in conjunction with the code that creates it.
• prepstack is short for “prepare stack”. This ensures that the register contains something that looks like a stack and that it is prepared for our stack convention.
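As an added illustration (not code from the paper), the following Python model implements the permission, locality and bounds tests that the reqglob, reqperm and prepstack macros perform, built on the getl/getp/getb/geta and lea instructions used above. The numeric encodings behind encodePerm/encodeLoc are constructed for this example (the paper does not fix them), and a non-capability operand is modelled as failing the check.

```python
# Added example (not from the paper): a model of the checks made by the
# reqglob, reqperm and prepstack macros on a capability machine.
from dataclasses import dataclass, replace

# Permission and locality names follow the paper; the numeric encodings used
# by encodePerm/encodeLoc are constructed for this example.
PERMS = ["o", "ro", "rx", "rw", "rwx", "rwl", "rwlx", "e"]
LOCALITIES = ["local", "global"]


@dataclass(frozen=True)
class Cap:
    perm: str   # one of PERMS
    loc: str    # "local" or "global"
    base: int   # first address the capability gives authority over
    end: int    # last address the capability gives authority over
    addr: int   # current address


class MachineFail(Exception):
    """Raised where the macro would execute the `fail` instruction."""


def encode_perm(p: str) -> int:
    return PERMS.index(p)


def encode_loc(l: str) -> int:
    return LOCALITIES.index(l)


# getl/getp copy one field of a capability into an integer register.
def getl(c: Cap) -> int:
    return encode_loc(c.loc)


def getp(c: Cap) -> int:
    return encode_perm(c.perm)


def lea(c: Cap, off: int) -> Cap:
    """lea r off: add an offset to the address (enter capabilities cannot be moved)."""
    if c.perm == "e":
        raise MachineFail("lea on an enter capability")
    return replace(c, addr=c.addr + off)


def reqglob(c) -> Cap:
    """reqglob r: getl r_t1 r; minus r_t1 r_t1 encodeLoc(Global); jnz past fail; fail."""
    if not isinstance(c, Cap) or getl(c) - encode_loc("global") != 0:
        raise MachineFail("reqglob: register does not hold a global capability")
    return c


def reqperm(c, n: int) -> Cap:
    """reqperm r n: getp r_t1 r; minus r_t1 r_t1 n; jnz past fail; fail."""
    if not isinstance(c, Cap) or getp(c) - n != 0:
        raise MachineFail(f"reqperm: permission is not {PERMS[n]}")
    return c


def prepstack(c) -> Cap:
    """prepstack r: require rwlx, then move the address to base - 1 (empty stack)."""
    c = reqperm(c, encode_perm("rwlx"))
    c = lea(c, c.base - c.addr)   # getb/geta/minus: r_t1 := base - addr; lea r r_t1
    return lea(c, -1)             # minus r_t1 0 1; lea r r_t1  -> addr = base - 1


def passes(check, *args) -> bool:
    """True if the macro continues execution, False if the machine fails."""
    try:
        check(*args)
        return True
    except MachineFail:
        return False
```

A caller uses `passes(reqglob, cb)` before handing a stack to a callback and `prepstack` on whatever it was given as a stack; both reject integers and capabilities of the wrong kind rather than silently continuing.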
3.5 Labels
l: is a meta level label that can be used to refer to a specific address. When placed on the line
of a macro, it refers to the first instruction of this macro.
[Figure 4 layout. Stack, top to bottom: ...; $c'_{stk} \to c'_{stk}$; $c'_{pc}$; $c_0$; $w_{p,1}, \ldots, w_{p,m}$; restore code; local stack; .... Register file: $pc \mapsto c''_{pc}$, $r_0 \mapsto c_0$, $r_{stk} \mapsto c'_{stk}$, $r_{args,1} \mapsto w_{a,1}, \ldots, r_{args,n} \mapsto w_{a,n}$, $r_{priv,1} \mapsto w_{p,1}, \ldots, r_{priv,m} \mapsto w_{p,m}$.]
Figure 4: Stack and register-file after the restore code, “private” registers (remember that $r_0$ is private here), return address ($c'_{pc}$), and stack capability ($c'_{stk}$) have been pushed to the stack.
[Figure 5 layout. Stack, top to bottom: ...; ?; $c''_{stk} \to c'_{stk}$; $c'_{pc}$; $c_0$; $w_{p,1}, \ldots, w_{p,m}$; $c'_0 \to$ restore code; ...; local stack; .... Register file: $pc \mapsto c^{(3)}_{pc}$, $r_0 \mapsto c'_0$, $r_{stk} \mapsto c''_{stk}$, $r_{args,1} \mapsto w_{a,1}, \ldots, r_{args,n} \mapsto w_{a,n}$, $r_{priv,1} \mapsto 0, \ldots, r_{priv,m} \mapsto 0$.]
Figure 5: Stack and register-file after $c'_{stk}$ has been limited to only give authority over the empty part of the stack (the new capability is $c''_{stk}$). The empty part of the stack has been cleared. $c'_0$ is made from $c'_{stk}$ by setting it to point to the restore code and restricting it to a local enter-capability. The “private” registers have been cleared.
[Figure 6 layout. Stack, top to bottom: ...; ?; $c'_{stk} \to c'_{stk}$; $c'_{pc}$; $c_0$; $w_{p,1}, \ldots, w_{p,m}$; $c'_0 \to$ restore code; ...; local stack; .... Register file: $pc \mapsto c'_0$, $r_0 \mapsto ?$, $r_{stk} \mapsto ?$, $r_1 \mapsto w_1$, $r_{priv,1} \mapsto ?, \ldots, r_{priv,m} \mapsto ?$.]
Figure 6: Stack and register-file upon return from f. At this point we have no idea what is in the register-file apart from the pc, which we know points to the restore code. The contents of the stack we released access to is also unknown. (Notice that we have changed the order of the registers as we are no longer interested in the argument registers. By convention we expect a return value to be in $r_1$, which is why we have named that word, but the words in the remaining non-special-purpose registers could also be considered return values.)
[Figure 7 layout. Stack, top to bottom: ...; ?; $c^{(3)}_{stk} \to c_0$; $w_{p,1}, \ldots, w_{p,m}$; restore code; ...; local stack; .... Register file: $pc \mapsto c'_{pc}$, $r_0 \mapsto ?$, $r_{stk} \mapsto c^{(3)}_{stk}$, $r_1 \mapsto w_1$, $r_{priv,1} \mapsto ?, \ldots, r_{priv,m} \mapsto ?$.]
Figure 7: Stack and register-file after executing the restore code. The old stack capability has been restored and the pc-register now points to the return address in memory.
[Figure 8 layout. Stack, top to bottom: ...; ?; $\to c_0$; $w_{p,1}, \ldots, w_{p,m}$; restore code; ...; $c_{stk} \to$ local stack; .... Register file: $pc \mapsto c^{(3)}_{pc}$, $r_0 \mapsto c_0$, $r_{stk} \mapsto c_{stk}$, $r_1 \mapsto w_1$, $r_{priv,1} \mapsto w_{p,1}, \ldots, r_{priv,m} \mapsto w_{p,m}$, ?, ....]
Figure 8: Stack and register-file after the clean up code has been run. The “private” words have been popped to their respective registers. The restore code has been popped off the stack.
4 Examples
4.1 Encapsulation of Local State
Assembly program not using the stack. Assume that $r_l \notin \{pc, r_0\}$ is a register.
f1: malloc r_l 1
store r_l 1
fetch r_adv adv
call r_adv([],[r_l])
assert r_l 1
1f: halt
For f1 to work, its local state needs to be encapsulated.
Lemma 2 (Correctness lemma for f1). For all $n \in \mathbb{N}$ let
$c_{adv} \stackrel{\mathrm{def}}{=} ((e, global), base_{adv}, end_{adv}, base_{adv} + offsetLinkFlag)$
$c_{f1} \stackrel{\mathrm{def}}{=} ((rwx, global), f1 - offsetLinkFlag, 1f, f1)$
$c_{malloc} \stackrel{\mathrm{def}}{=} ((e, global), base_{malloc}, end_{malloc}, base_{malloc} + offsetLinkFlag)$
$m \stackrel{\mathrm{def}}{=} ms_{f1} \uplus ms_{flag} \uplus ms_{link} \uplus ms_{adv} \uplus ms_{malloc} \uplus ms_{frame}$
and
• $c_{malloc}$ satisfies the specification for malloc and $\iota_{malloc,0}$ is the region from the specification.
where
$dom(ms_{f1}) = [f1 - offsetLinkFlag, 1f]$
$dom(ms_{flag}) = [flag, flag]$
$dom(ms_{link}) = [link, link + 1]$
$dom(ms_{adv}) = [base_{adv}, end_{adv}]$
$ms_{malloc} :_n [0 \mapsto \iota_{malloc,0}]$
and
• $ms_{f1}(f1 - offsetLinkFlag) = ((ro, global), link, link + 1, link)$, $ms_{f1}(f1 - offsetLinkFlag + 1) = ((rw, global), flag, flag, flag)$, the rest of $ms_{f1}$ contains the code of f1.
• $ms_{flag} = [flag \mapsto 0]$
• $ms_{link} = [link \mapsto c_{malloc}, link + 1 \mapsto c_{adv}]$
• $ms_{adv}$ contains a global read-only capability for $ms_{link}$ on its first address. The remaining cells of the memory segment only contain instructions.
if
$(reg[pc \mapsto c_{f1}], m) \to_n (halted, m')$,
then
$m'(flag) = 0$.
Proof of Lemma 2. Let n be given and assume the premises in the lemma. Consider the following part of the execution:
$(reg[pc \mapsto c_{f1}], m) \to_i (reg_0[pc \mapsto c_{malloc}][r_0 \mapsto c'_{f1}][r_1 \mapsto 1], m)$
where $c'_{f1}$ is the return address. Use the malloc specification with
$\iota_{malloc} = \iota_{malloc,0}$
$ms_{footprint} = ms_{malloc}$
$\Phi.reg(r_1) = size = 1$
to get
$(reg_0[pc \mapsto c_{malloc}][r_0 \mapsto c'_{f1}][r_1 \mapsto 1], m) \to_j (reg_0[pc \mapsto c'_{f1}][r_0 \mapsto c'_{f1}][r_1 \mapsto c_l], m')$
for some j where for some $\iota'_{malloc} \sqsupseteq_{pub} \iota_{malloc,0}$
1. $m' = ms_{f1} \uplus ms_{flag} \uplus ms_{link} \uplus ms_{adv} \uplus ms_l \uplus ms'_{malloc} \uplus ms_{frame}$
2. $ms'_{malloc} :_{n-j} [0 \mapsto \iota_{malloc}]$
3. $dom(ms_l) = [l, l]$
4. $c_l = ((rwx, global), l, l, l)$
5. $ms_l(l) = 0$
Continue the execution to the next malloc hidden in call.
$(reg_0[pc \mapsto c'_{f1}][r_0 \mapsto c'_{f1}][r_1 \mapsto c_l], m') \to_k (reg_0[pc \mapsto c_{malloc}][r_0 \mapsto c''_{f1}][r_1 \mapsto len_{ar}][r_l \mapsto c_l], m'')$
where
6. $m'' = m'[l \mapsto 1]$
Use the malloc specification and notice:
• $len_{ar}$ is the needed size for the activation record.
• 8. and (downwards closure) gives us the needed memory segment satisfaction.
• $ms_{footprint} = ms'_{malloc}$
Get:
$(reg_0[pc \mapsto c_{malloc}][r_0 \mapsto c''_{f1}][r_1 \mapsto len_{ar}][r_l \mapsto c_l], m'') \to_{j'} (reg_0[pc \mapsto c''_{f1}][r_0 \mapsto c''_{f1}][r_1 \mapsto c_{ar}][r_l \mapsto c_l], m^{(3)})$
for some j′ where for some $[0 \mapsto \iota'_{malloc}] \sqsupseteq_{pub} [0 \mapsto \iota_{malloc}]$
7. $m'' = ms_{f1} \uplus ms_{flag} \uplus ms_{link} \uplus ms_{adv} \uplus ms_l \uplus ms_{ar} \uplus ms''_{malloc} \uplus ms_{frame}$
8. $ms''_{malloc} :_{n-j-j'} [0 \mapsto \iota'_{malloc}]$
9. $dom(ms_{ar}) = [b, e]$, and $e - b = len_{ar}$
10. $c_l = ((rwx, global), b, e, b)$
11. $\forall a \in [b, e].\ ms_{ar}(a) = 0$
Continue execution until just after the jump to adv.
$(reg_0[pc \mapsto c''_{f1}][r_0 \mapsto c''_{f1}][r_1 \mapsto c_{ar}][r_l \mapsto c_l], m^{(3)}) \to_{k'} (reg_0[pc \mapsto updatePcPerm(c_{adv})][r_1 \mapsto c_{adv}][r_0 \mapsto c'_{ar}], m^{(3)})$
for some k′ where
• $m^{(3)} = ms_{f1} \uplus ms_{flag} \uplus ms_{link} \uplus ms_{adv} \uplus ms_l \uplus ms'_{ar} \uplus ms''_{malloc} \uplus ms_{frame}$
• $ms'_{ar}$ contains the activation record, i.e., $c_l$, $c^{(3)}_{f1}$ (the return address in f1), and activation code.
• $c'_{ar} = ((e, local), b, e, b + offset)$ where $b + offset$ is the first address of the activation code.
Define
• $W = [0 \mapsto \iota'_{malloc}][1 \mapsto \iota^{nwl,p}_{base_{adv},end_{adv}}][2 \mapsto \iota^{sta}(perm, ms_{f1} \uplus ms_{ar} \uplus ms_l \uplus ms_{flag})][3 \mapsto \iota^{sta,u}(perm, ms_{link})]$
and define
1. $ms = ms_{f1} \uplus ms_{flag} \uplus ms_{link} \uplus ms_{adv} \uplus ms_l \uplus ms'_{ar} \uplus ms''_{malloc}$
Use the FTLR on $updatePcPerm(c_{adv})$ using world W, so show
• $(n, (base_{adv}, end_{adv})) \in readCondition(global)(W)$
  – Show: $\iota^{nwl,p}_{base_{adv},end_{adv}} \subset\!\!\sim^{n} \iota^{pwl}_{base_{adv},end_{adv}}$: Follows from Lemma 22.
Have
2. $(n, updatePcPerm(c_{adv})) \in \mathcal{E}(W)$
Let $n' = n - j - j' - k - k'$ and show
1. $ms :_{n'} W$
  1.1. Split the memory into the disjoint unions of 1 and show:
    1.1.1. case: $(n', ms_{malloc}) \in \iota'_{malloc}.H(\iota'_{malloc}.s)(W)$
      1.1.1.1. Use $ms_{malloc} :_{n'} [0 \mapsto \iota'_{malloc}]$ with the malloc specification context independence property.
    1.1.2. case: $(n', ms_{adv}) \in H^{nwl}_{base_{adv},end_{adv}}\ 1\ W$
      1.1.2.1. Show $\forall a \in [base_{adv}, end_{adv}].\ ((n' - 1, ms(a)) \in \mathcal{V}(W) \wedge ms(a)$ is non-local$)$
      1.1.2.1. $a \neq base_{adv}$: trivial, contains instructions only and they are non-local.
      1.1.2.2. $a = base_{adv}$: show $((ro, global), link, link + 1, link) \in \mathcal{V}(W)$. Global capabilities are non-local. SFTS $\iota^{sta,u}(perm, ms_{link}) \subset\!\!\sim^{n'} \iota^{pwl}_{link,link+1}$, which follows from Lemma 23.
    1.1.3. $(n', ms_{link}) \in H^{sta,u}(1)(W)$: This boils down to showing:
      1.1.3.1. $(n' - 1, c_{malloc}) \in \mathcal{V}(W)$: Follows from Lemma 50.
      1.1.3.2. $(n' - 1, c_{adv}) \in \mathcal{V}(W)$: for $n'' < n' - 1$ and $W' \sqsupseteq_{priv} W$ show: $(n'', updatePcPerm(c_{adv})) \in \mathcal{E}(W')$. Follows from Lemma 49, together with Lemma 79 and the fact that $c_{adv}$ is non-local.
    1.1.4. The last case follows from Lemma 67.
2. $(n', reg_0[pc \mapsto updatePcPerm(c_{adv})][r_1 \mapsto c_{adv}][r_0 \mapsto c'_{ar}]) \in \mathcal{R}(W)$
  2.1. case: $(n', c_{adv}) \in \mathcal{V}(W)$
    2.1.1. Similar to 1.1.3.2.
  2.2. case: $(n', c'_{ar}) \in \mathcal{V}(W)$.
    2.2.1. Let $n'' < n'$ and $W' \sqsupseteq_{pub} W$ be given and show $(n'', updatePcPerm(c'_{ar})) \in \mathcal{E}(W')$.
      Let $n^{(3)} \le n''$, $ms' :_{n^{(3)}} W'$, and $(n^{(3)}, reg)$ be given.
      Show: $(n^{(3)}, (reg[pc \mapsto updatePcPerm(c'_{ar})], ms')) \in \mathcal{O}(W')$
      Assume $(reg[pc \mapsto updatePcPerm(c'_{ar})], ms' \uplus ms_{frame}) \to_{k''} (halted, m')$, for some $k'' \le n^{(3)}$, $m'$ and $ms_{frame}$. Due to $ms' :_{n^{(3)}} W'$, $ms_{f1}$, $ms_{flag}$, $ms'_{ar}$, and $ms_l$ are unchanged.
      The execution loads $c_l$ to $r_l$ and jumps to $c^{(3)}_{f1}$ (the point just before the assertion). As $ms_l = 1$, the assertion is successful and the execution halts. In other words, there were no changes to the memory.
      Use $W'$, $ms_r = \emptyset$, and $ms'$ to get the desired result, i.e., $m' = ms' \uplus ms_{frame}$ and $ms' :_{n^{(3)} - k''} W'$ (using downwards closure of memory satisfaction).
  2.3. case: $(n', 0) \in \mathcal{V}(W)$ (the contents of the remaining registers). Trivial to show.
Get $(n', (reg_0[pc \mapsto updatePcPerm(c_{adv})][r_1 \mapsto c_{adv}][r_0 \mapsto c'_{ar}], m^{(3)})) \in \mathcal{O}(W)$.
By the initial assumption of the lemma, the execution halts. Use $ms_{frame}$, $m'$ and the number of steps it takes to halt to get: $W' \sqsupseteq_{priv} W$, $ms_r$ and $ms'$ s.t. $m' = ms_r \uplus ms' \uplus ms_{frame}$ and $ms' :_n W'$. As $\iota_{flag}$ is a permanent region, we know it is still in $W'$, so $m'(flag) = 0$.
4.2 Encapsulation of Local State Using Local Capabilities and scall
Assembly program using the stack. This program assumes a register $r_{stk} \notin \{pc, r_0\}$ that contains a stack capability (a local rwlx-capability):
f2: push 1
fetch r1 adv
scall r1([],[])
pop r1
assert r1 1
2f: halt
Lemma 3 (Correctness lemma for f2). Let
$c_{adv} \stackrel{\mathrm{def}}{=} ((e, global), base_{adv}, end_{adv}, base_{adv} + offsetLinkFlag)$
$c_{f2} \stackrel{\mathrm{def}}{=} ((rwx, global), f2 - offsetLinkFlag, 2f, f2)$
$c_{malloc} \stackrel{\mathrm{def}}{=} ((e, global), base_{malloc}, end_{malloc}, base_{malloc} + offsetLinkFlag)$
$c_{stk} \stackrel{\mathrm{def}}{=} ((rwlx, local), base_{stk}, end_{stk}, base_{stk} - 1)$
$c_{link} \stackrel{\mathrm{def}}{=} ((ro, global), link, link + 1, link)$
$reg \in Reg$
$m \stackrel{\mathrm{def}}{=} ms_{f2} \uplus ms_{flag} \uplus ms_{link} \uplus ms_{adv} \uplus ms_{malloc} \uplus ms_{stk} \uplus ms_{frame}$
and
• $c_{malloc}$ satisfies the specification for malloc and $\iota_{malloc,0}$ is the region from the specification.
where
$dom(ms_{f2}) = [f2 - offsetLinkFlag, 2f]$
$dom(ms_{flag}) = [flag, flag]$
$dom(ms_{link}) = [link, link + 1]$
$dom(ms_{stk}) = [base_{stk}, end_{stk}]$
$dom(ms_{adv}) = [base_{adv}, end_{adv}]$
$ms_{malloc} :_n [0 \mapsto \iota_{malloc,0}]$ for all $n \in \mathbb{N}$
and
• $ms_{f2}(f2 - offsetLinkFlag) = ((ro, global), link, link + 1, link)$, $ms_{f2}(f2 - offsetLinkFlag + 1) = ((rw, global), flag, flag, flag)$, the rest of $ms_{f2}$ contains the code of f2.
• $ms_{flag} = [flag \mapsto 0]$
• $ms_{link} = [link \mapsto c_{malloc}, link + 1 \mapsto c_{adv}]$
• $ms_{adv}(base_{adv}) = c_{link}$ and $\forall a \in [base_{adv} + 1, end].\ ms_{adv}(a) \in \mathbb{Z}$
if
$(reg[pc \mapsto c_{f2}][r_{stk} \mapsto c_{stk}], m) \to_n (halted, m')$,
then
$m'(flag) = 0$.
Proof of Lemma 3 (using scall lemma). Let n be given and make the assumptions of the lemma. If we can show
$(n, (reg[pc \mapsto c_{f2}][r_{stk} \mapsto c_{stk}], ms \uplus ms_{stk})) \in \mathcal{O}(W)$ (1)
for
$ms = ms_{f2} \uplus ms_{flag} \uplus ms_{link} \uplus ms_{adv} \uplus ms_{malloc}$
and
$W = [0 \mapsto \iota_{malloc,0}][1 \mapsto \iota^{sta}(perm, ms_{f2} \uplus ms_{flag})][2 \mapsto \iota^{sta,u}(perm, ms_{link})][3 \mapsto \iota^{nwl,p}_{base_{adv},end_{adv}}]$
then we are done, as by assumption we have
$(reg[pc \mapsto c_{f2}][r_{stk} \mapsto c_{stk}], m) \to_n (halted, m')$
so (1) gives us a $W' \sqsupseteq_{priv} W$ where $W'$ satisfies part of $m'$. As $ms_{flag}$ is governed by a perm region, it is unchanged. In other words
$m'(flag) = 0$
So it suffices to show (1). To this end use Lemma 8. Let $ms_f$ be given, then
$(reg[pc \mapsto c_{f2}][r_{stk} \mapsto c_{stk}], ms \uplus ms_{stk} \uplus ms_f) \to_k (reg', ms \uplus ms'_{stk} \uplus ms_f)$
where
• $(reg', ms)$ is looking at scall $r_{adv}([], [r_l])$ followed by $c_{next}$
• $c_{next}$ is $c_{f2}$ that points to the instruction after the scall.
• $reg'$ points to stack with $[base_{stk} \mapsto 1]$ used and $ms_{unused}$ unused
  – for some $ms_{unused}$ where $ms'_{stk} = [base_{stk} \mapsto 1] \uplus ms_{unused}$.
• $reg'(r_{adv}) = c_{adv}$
In order to show the observation part necessary for Lemma 8, we use the ”scall works”-Lemma (Lemma 58). Show the following
1. $ms :_{n-k} W$
  Use Lemma 66 with
  1.1. $ms_{f2} \uplus ms_{flag} :_{n-k} [1 \mapsto \iota^{sta}(perm, ms_{f2} \uplus ms_{flag})]$: Lemma 67.
  1.2. $ms_{adv} \uplus ms_{malloc} \uplus ms_{link} :_{n-k} W_{part}$ where
    $W_{part} = [0 \mapsto \iota_{malloc,0}][2 \mapsto \iota^{sta,u}(perm, ms_{link})][3 \mapsto \iota^{nwl,p}_{base_{adv},end_{adv}}]$
    This amounts to
    1.2.1. $(n - k - 1, ms_{malloc}) \in H\ 1\ W_{part}$ where H is the interpretation of the $\iota_{malloc,0}$ region. Follows from the malloc specification.
    1.2.2. $(n - k - 1, ms_{adv}) \in H^{nwl}\ 1\ W_{part}$. Can be shown using Lemma 23.
    1.2.3. $(n - k - 1, ms_{link}) \in H^{sta,u}(ms_{link})\ 1\ W_{part}$. This amounts to showing
      1.2.3.1. $(n - k - 2, c_{malloc}) \in \mathcal{V}(W_{part})$: Follows from Lemma 50.
      1.2.3.2. $(n - k - 2, c_{adv}) \in \mathcal{V}(W_{part})$: Follows from Theorem 2 using Lemma 22.
2. Hyp-Callee
  Assume
  • $dom(ms_{unused}) = dom(ms_{act} \uplus ms'_{unused})$,
  • $W' = revokeTemp(W)[\iota^{sta}(temp, ms_{stk} \uplus ms_{act}), \iota^{pwl}(dom(ms'_{unused}))]$,
  • $ms'' :_{n-k-1} W'$
  • $reg'$ points to stack with $\emptyset$ used and $ms'_{unused}$ unused
  • $reg' = reg_0[pc \mapsto updatePcPerm(c_{adv}), r_0 \mapsto c_{ret}, r_{stk} \mapsto c'_{stk}, r_{adv} \mapsto c_{adv}]$
  • $(n - k - 1, c_{ret}) \in \mathcal{V}(W')$
  • $(n - k - 1, c'_{stk}) \in \mathcal{V}(W')$
  Show
  $(n - k - 1, (reg', ms'')) \in \mathcal{O}(W')$
  By Theorem 2 we get
  $(n - k - 1, updatePcPerm(c_{adv})) \in \mathcal{E}(W')$
  and getting the desired result amounts to (see footnote 2)
  2.1. $(n - k - 1, c_{adv}) \in \mathcal{V}(W)$
    To this end let $n' < n - k - 1$ and $W'' \sqsupseteq_{priv} W'$ be given and show
    $(n', updatePcPerm(c_{adv})) \in \mathcal{E}(W'')$
    Follows from Theorem 2 and Lemma 22.
3. Hyp-Cont
  Assume
  • $n' \le n - 2$
  • $W'' \sqsupseteq_{pub} revokeTemp(W)$
  • $ms'' :_{n'} revokeTemp(W'')$
  • $reg''(pc) = c_{next}$
  • $reg''$ points to stack with $ms_{stk}$ used and $ms''_{unused}$ unused for some $ms''_{unused}$
  and show
  $(n', (reg'', ms'' \uplus [base_{stk} \mapsto 1] \uplus ms''_{unused})) \in \mathcal{O}(W'')$
  From $ms'' :_{n'} revokeTemp(W'')$, we get that $ms_{f2}$ is unchanged. Given a frame $ms'_f$ and assuming $n'$ is sufficiently large, the execution continues as follows:
  $(reg'', ms'' \uplus [base_{stk} \mapsto 1] \uplus ms''_{unused} \uplus ms_f) \to_k (halted, ms'' \uplus [base_{stk} \mapsto 1] \uplus ms''_{unused} \uplus ms_f)$
  because 1 is popped off the stack to a register, then it is compared with 1 in the assertion, so the assertion succeeds and the program halts immediately after.
  By assumption we had $ms'' :_{n'} revokeTemp(W'')$ which gives us exactly the memory satisfaction required by $\mathcal{O}(W'')$.
Footnote 2: We have memory satisfaction by assumption and the above entails that the register-file is in the register-file relation.
ML-like program:
let f = fun adv =>
let l = 1 in
adv(l);
l := 1;
adv(0);
assert(!l == 1)
In this example, `let l = 1 in` allocates a new local capability l with read-write permission. Assuming adv has no access to capabilities with permit-write-local, it cannot store l anywhere and thus cannot change the value of l during the second call.
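To make the permit-write-local rule behind this argument concrete, here is an added Python model (not the paper's own code) of the checks a store performs, together with a constructed run of f2's calling pattern: push 1, hand the adversary a capability over the unused part of the stack, clear that part on return, pop. The stack and heap addresses are constructed, and scall is modelled only by those two effects; the point shown is which of the adversary's stores the machine rejects.

```python
# Added example (not from the paper): the permit-write-local rule and how it
# keeps f2's value on the stack out of the adversary's reach.
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Cap:
    perm: str   # "o", "ro", "rx", "rw", "rwx", "rwl", "rwlx" or "e"
    loc: str    # "local" or "global"
    base: int
    end: int
    addr: int


class MachineFail(Exception):
    """The machine enters the failed state."""


READ_PERMS = {"ro", "rx", "rw", "rwx", "rwl", "rwlx"}
WRITE_PERMS = {"rw", "rwx", "rwl", "rwlx"}
WRITE_LOCAL_PERMS = {"rwl", "rwlx"}


def store(mem: dict, target: Cap, word) -> dict:
    """store r_target r_word: write `word` at target.addr. Needs write permission
    and an in-bounds address; a local capability may only be written through a
    capability with write-local permission (rwl/rwlx)."""
    if target.perm not in WRITE_PERMS:
        raise MachineFail("store: no write permission")
    if not target.base <= target.addr <= target.end:
        raise MachineFail("store: address out of bounds")
    if isinstance(word, Cap) and word.loc == "local" and target.perm not in WRITE_LOCAL_PERMS:
        raise MachineFail("store: local capability needs write-local permission")
    new = dict(mem)
    new[target.addr] = word
    return new


def load(mem: dict, c: Cap):
    """load r c: read the word at c.addr (needs read permission, in bounds)."""
    if c.perm not in READ_PERMS or not c.base <= c.addr <= c.end:
        raise MachineFail("load: not permitted")
    return mem[c.addr]


def allowed(mem: dict, target: Cap, word) -> bool:
    """True if the store succeeds, False if the machine would fail."""
    try:
        store(mem, target, word)
        return True
    except MachineFail:
        return False


def f2_scenario() -> dict:
    """Constructed run of f2's call pattern; returns what the adversary could do."""
    stack = {a: 0 for a in range(100, 110)}        # constructed stack segment [100, 109]
    heap = {200: 0}                                  # constructed global cell the adversary owns
    c_stk = Cap("rwlx", "local", 100, 109, 99)       # stack capability as prepstack leaves it
    c_stk = replace(c_stk, addr=c_stk.addr + 1)      # push 1: lea rstk 1; store rstk 1
    stack = store(stack, c_stk, 1)
    # scall gives the callee a local capability over the unused part of the stack only.
    c_callee = Cap("rwlx", "local", c_stk.addr + 1, c_stk.end, c_stk.addr + 1)
    c_heap = Cap("rwx", "global", 200, 200, 200)     # global rwx memory: no write-local
    out = {
        # keep the local stack capability in global memory for later: rejected
        "stash_stack_cap_in_heap": allowed(heap, c_heap, c_callee),
        # keep it on the stack itself: allowed, but that part is cleared on return
        "stash_stack_cap_on_stack": allowed(stack, c_callee, c_callee),
        # reach f2's cell at 100 through c_callee: out of bounds
        "overwrite_private_cell": allowed(stack, replace(c_callee, addr=100), 7),
        # an integer carries no authority, so storing it globally is fine
        "store_int_in_heap": allowed(heap, c_heap, 42),
    }
    stack = store(stack, c_callee, c_callee)         # the adversary does what it can
    for a in range(c_callee.base, c_callee.end + 1): # scall clears the callee's part on return
        stack[a] = 0
    out["popped"] = load(stack, c_stk)               # pop r1: f2 reads back its own cell
    return out
```

The model goes slightly beyond the ML sketch in that it also shows the bounds check: even with write-local permission over its own part of the stack, the callee cannot address the cell f2 pushed before the call.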
4.3 Well-Bracketedness Using Local Capabilities and scall
f3: push 1
fetch r1 adv
scall r1([],[])
pop r1
assert r1 1
push 2
fetch r1 adv
scall r1([],[])
3f: halt
The assertion of f3 may seem a bit awkward because it is between two calls. If an adversary
could capture the protected return pointer from the first call and save it until the second call,
then the adversary could jump to it again. At this point the top of the stack would be 2, so
when the execution reaches the assertion, it would fail. However, the produced return pointer
is passed as a local capability, so the only place the adversary can store it is on the stack. The
adversary loses control of the stack when control is returned to f3 where the scall makes sure
to sanitise the stack and register file before control is passed back to the adversary. In other
words, the adversary has no way to capture the continuation which makes the above safe and
well-bracketed.
Lemma 4 (Correctness lemma for f3). For all $n \in \mathbb{N}$ let
$c_{adv} \stackrel{\mathrm{def}}{=} ((e, global), base_{adv}, end_{adv}, base_{adv} + offsetLinkFlag)$
$c_{f3} \stackrel{\mathrm{def}}{=} ((rwx, global), f3 - offsetLinkFlag, 3f, f3)$
$c_{stk} \stackrel{\mathrm{def}}{=} ((rwlx, local), base_{stk}, end_{stk}, base_{stk} - 1)$
$c_{malloc} \stackrel{\mathrm{def}}{=} ((e, global), base_{malloc}, end_{malloc}, base_{malloc} + offsetLinkFlag)$
$c_{link} \stackrel{\mathrm{def}}{=} ((ro, global), link, link + 1, link)$
$reg \in Reg$
$m \stackrel{\mathrm{def}}{=} ms_{f3} \uplus ms_{flag} \uplus ms_{link} \uplus ms_{adv} \uplus ms_{malloc} \uplus ms_{stk} \uplus ms_{frame}$
and
• $c_{malloc}$ satisfies the specification for malloc.
where
$dom(ms_{f3}) = [f3 - offsetLinkFlag, 3f]$
$dom(ms_{flag}) = [flag, flag]$
$dom(ms_{link}) = [link, link + 1]$
$dom(ms_{stk}) = [base_{stk}, end_{stk}]$
$dom(ms_{adv}) = [base_{adv}, end_{adv}]$
$ms_{malloc} :_n [0 \mapsto \iota_{malloc,0}]$
and
• $ms_{f3}(f3 - offsetLinkFlag) = ((ro, global), link, link + 1, link)$, $ms_{f3}(f3 - offsetLinkFlag + 1) = ((rw, global), flag, flag, flag)$, the rest of $ms_{f3}$ contains the code of f3.
• $ms_{flag} = [flag \mapsto 0]$
• $ms_{link} = [link \mapsto c_{malloc}, link + 1 \mapsto c_{adv}]$
• $ms_{adv}(base_{adv}) = c_{link}$ and all other addresses of $ms_{adv}$ contain instructions.
if
$(reg[pc \mapsto c_{f3}][r_{stk} \mapsto c_{stk}], m) \to_n (halted, m')$,
then
$m'(flag) = 0$.
In an attempt to aid the reader, we first provide two high-level descriptions of a possible proof of Lemma 4, followed by a more detailed proof.
Proof of Lemma 4 (high-level description). Executing f2 until just after the jump in the first scall brings us to a configuration where the stack contains 1 followed by some activation code followed by all zeros. The pc-register contains an executable adversary capability, register $r_0$ contains a protected return pointer, that is, a local enter capability for the execution code, and $r_{stk}$ contains a capability for the cleared part of the stack.
At this point we can define a world with permanent regions
• fixing the assertion flag, the code of f2, and the linking table.
• the initial malloc region
• a $\iota^{nwl,p}$ region
and temporary regions
• a region fixing the private part of the stack
• a $\iota^{pwl}$ region for the rest of the stack
From the FTLR, we get that in any future world of W, the adversary capability and its executable counterpart is in the expression relation and thus safe to execute in suitable configurations. If the configuration we consider right now is suitable, then the execution produces a memory where the permanent invariants of W are kept, which means that the flag is 0.
To argue that the configuration is suitable, we need to argue that invoking the continuation produces an admissible result. As the continuation is a local capability, we take a public future world of W. In this public world, the private part of the stack remains the same as before the jump, so when we reach the assertion it succeeds and execution continues. At the point of the jump in the second scall, the stack contains 2 instead of 1, but is otherwise essentially the same. Here we again use that it is safe to execute the adversary and that the continuation in this case halts immediately in a configuration where the assertion flag must be 0.
Proof of Lemma 4 (high-level description 2). If we can show
$(reg[pc \mapsto c_{f3}][r_{stk} \mapsto c_{stk}], ms_{malloc} \uplus ms' \uplus ms_{adv} \uplus ms_{stk}) \in \mathcal{O}(W)$, (2)
for a world W where the assertion flag is permanently 0, then it is still 0 in any configuration the execution halts in. W also needs to require the program and the linking table to permanently remain the same, have a region that governs malloc and a standard permanent no-write-local region for the adversary.
Due to Lemma 58, the scall lemma, for each scall we have to argue that the adversary and continuation produce results that respect the regions of W. Using Lemma 8, the $\mathcal{O}$ anti-reduction lemma, it suffices to argue that each part of f3 between scalls produces admissible results.
Executing until the first scall only pushes 1 to the stack, so the invariants of W are preserved. Due to the scall lemma, we need to argue that the adversary and the continuation produce admissible results.
Using the FTLR, we get that the executable capability for the adversary is in the $\mathcal{E}$-relation. As we provide no arguments to the adversary, most of the conditions are satisfied by assumptions and Lemma 62, which makes sure that the stack capability is in the value relation. This gives us that the adversary produces an admissible result.
With respect to the continuation, it is passed to the adversary as a local capability, so when we reason about it, we consider public future worlds. The scall uses temporary regions for the stack and these persist in public future worlds. This allows us to assume that the private part of the stack still contains 1 after the call. Further, the program, flags, and linking table remain the same in any kind of future world. Therefore, we know that the execution continues by popping 1 from the stack and then asserting that it is indeed 1, which is indeed the case, so 2 is pushed to the stack. At this point we reach another scall. No changes were made to the permanent part of the stack, so the invariants are still satisfied. At this point we use the scall lemma one last time. The adversary call code is well-behaved for the same reasons as in the first call. The scall lemma lets us assume that the continuation continues in a memory that satisfies the invariants of W. The execution halts immediately in the continuation, so it produces an admissible result.
Proof of Lemma 4. Assume the premises of the lemma. Now define
$W = [0 \mapsto \iota_{malloc,0}][1 \mapsto \iota^{sta}(perm, ms_{flag} \uplus ms_{f2})][2 \mapsto \iota^{sta,u}(perm, ms_{link})][3 \mapsto \iota^{nwl,p}_{base_{adv},end_{adv}}]$
Further define
$ms' = ms_{flag} \uplus ms_{f2} \uplus ms_{link} \uplus ms_{adv}$
If we can show
$(n + 1, (reg[pc \mapsto c_{f3}][r_{stk} \mapsto c_{stk}], ms_{malloc} \uplus ms' \uplus ms_{adv} \uplus ms_{stk})) \in \mathcal{O}(W)$, (3)
then using $ms_{frame}$ as the frame and $m'$ as the resulting memory, we get that $m' = ms'' \uplus ms_r \uplus ms_{frame}$ for some $ms'$ and $ms_r$ s.t. $ms'' :_1 W$. Region 1 guarantees that the assertion flag is unchanged, so we have
$m'(flag) = 0$
So SFTS (3). To do so, we use Lemma 8. Let $ms_f$ be given. The execution proceeds as follows:
$(reg[pc \mapsto c_{f3}][r_{stk} \mapsto c_{stk}], ms' \uplus ms_{stk} \uplus ms_f) \to_i (reg', ms' \uplus [base_{stk} \mapsto 1] \uplus ms_{stk}|_{base_{stk}+1, end_{stk}} \uplus ms_f)$,
where $(reg', ms')$ is looking at scall $r([], [])$ followed by $c_{next}$, where $c_{next}$ is $c_{f3}$ adjusted to point to the next instruction, namely pop r1. Further we have
• $reg'$ points to stack with $[base_{stk} \mapsto 1]$ used and $ms_{stk}|_{base_{stk}+1, end_{stk}}$ unused
and i is a suitable number of steps.
To show
$(n - i, (reg', ms' \uplus [base_{stk} \mapsto 1] \uplus ms_{stk}|_{base_{stk}+1, end_{stk}})) \in \mathcal{O}(W)$
we use Lemma 58 (we do not use the local frame in the lemma), which requires us to show
1. $ms' :_{n-i} W$
  Partition $ms'$ as follows:
  1.1. $ms_{malloc}$: governed by $\iota_{malloc,0}$, use the malloc specification.
  1.2. $ms_{flag} \uplus ms_{f2}$: governed by region 1, only this memory segment is accepted.
  1.3. $ms_{link}$: governed by region 2, only this memory segment is accepted. We also need to show that the contents are safe, i.e. show
    1.3.1. $(n - i, c_{malloc}) \in \mathcal{V}(W)$: Follows from Lemma 50.
    1.3.2. $(n - i, c_{adv}) \in \mathcal{V}(W)$:
      We will show
      $\forall W' \sqsupseteq_{priv} W.\ (n, c_{adv}) \in \mathcal{V}(W')$ (4)
      which will give us what we need using downwards closure, as well as a result for later use.
      Let $W' \sqsupseteq_{priv} W$ be given and show
      $(n, (base_{adv}, end_{adv}, base_{adv} + offsetLinkFlag)) \in enterCondition(global)(W')$
      to this end let $W'' \sqsupseteq_{priv} W'$ and $n' < n$ be given and show
      $(n', updatePcPerm(c_{adv})) \in \mathcal{E}(W'')$
      This follows from the FTLR (Theorem 2) if we can show
      $(n', base_{adv}, end_{adv}) \in readCondition(global)(W'')$
      $\iota^{nwl,p}_{base_{adv},end_{adv}}$ governs the adversary, so the result follows from Lemma 22.
  1.4. $ms_{adv}$: Follows from Lemma 23.
2. Hyp-Callee
  Assume
  • $dom(ms_{stk}|_{base_{stk}+1, end_{stk}}) = dom(ms_{act} \uplus ms'_{unused})$
  • $W' = revokeTemp(W)[\iota^{sta}(temp, [base_{stk} \mapsto 1] \uplus ms_{act}), \iota^{pwl}(dom(ms'_{unused}))]$
  • $ms'' :_{n-i-1} W'$
  • $reg''$ points to stack with $\emptyset$ used and $ms'_{unused}$ unused
  • $reg'' = reg_0[pc \mapsto updatePcPerm(reg'(r)), r_0 \mapsto c_{ret}, r_{stk} \mapsto c'_{stk}, r \mapsto reg'(r)]$
  • $(n - i - 1, c_{ret}) \in \mathcal{V}(W')$
  • $(n - i - 1, c'_{stk}) \in \mathcal{V}(W')$
  for some $ms_{act}$, $ms_{unused}$, $ms''$, $reg''$, $c_{ret}$.
  Using the FTLR, we get $(n - i - 1, updatePcPerm(c_{adv})) \in \mathcal{E}(W')$, from
  2.1. $ms'' :_{n-i-1} W'$: By the above assumptions.
  2.2. $(n - i - 1, reg'') \in \mathcal{V}(W')$: show
    2.2.1. $(n - i - 1, c_{ret}) \in \mathcal{V}(W')$: by the above assumptions.
    2.2.2. $(n - i - 1, c'_{stk}) \in \mathcal{V}(W')$: by the above assumptions.
    2.2.3. $(n - i - 1, c_{adv}) \in \mathcal{V}(W')$: follows from (4).
    2.2.4. The remaining registers we need to consider contain 0 and are thus trivial to show.
  we get
  $(n - i - 1, (ms'', reg'')) \in \mathcal{O}(W')$
3. Hyp-Cont
  Assume:
  • $n' \le n - i - 2$
  • $W'' \sqsupseteq_{pub} revokeTemp(W)$
  • $ms'' :_{n'} revokeTemp(W'')$
  • for all r, we have that: $reg''(r) = c_{next}$ if $r = pc$, and $reg''(r) \in \mathcal{V}(W'')$ if $reg''(r)$ is a global capability and $r \notin \{pc, r_{stk}\}$
  • $reg''$ points to stack with $[base_{stk} \mapsto 1]$ used and $ms''_{unused}$ unused for some $ms''_{unused}$
  and show
  3.1. $(reg'', ms'' \uplus [base_{stk} \mapsto 1] \uplus ms''_{unused}) \in \mathcal{O}(revokeTemp(W''))$
    As $W'' \sqsupseteq_{priv} W$, we know that the program, assertion flag, and linking table remain unchanged in $ms''$. Given some frame $ms'_f$, the execution proceeds by first succeeding the assertion and then pushing 2 to the stack:
    $(reg'', ms'' \uplus [base_{stk} \mapsto 1] \uplus ms''_{unused} \uplus ms'_f) \to_k (reg^{(3)}, ms'' \uplus [base_{stk} \mapsto 2] \uplus ms''_{unused} \uplus ms'_f)$
    where
    • $(reg^{(3)}, ms'')$ is looking at scall $r([], [])$ followed by $c'_{next}$
    • $reg^{(3)}$ points to stack with $[base \mapsto 2]$ used and $ms''_{unused}$ unused
    • $reg^{(3)}(r) = c_{adv}$
    By Lemma 8 it suffices to show
    3.1.1. $(n' - k, (reg^{(3)}, ms'' \uplus [base_{stk} \mapsto 2] \uplus ms''_{unused})) \in \mathcal{O}(revokeTemp(W''))$
      Show this using Lemma 58 a. Show:
      3.1.1.1. $ms'' :_{n'-k} revokeTemp(W'')$ is satisfied by one of the first Hyp-Cont assumptions and Lemma 47.
      3.1.1.2. Hyp-Callee
        Assume:
        • $dom(ms''_{unused}) = dom(ms'_{act} \uplus ms^{(3)}_{unused})$
        • $W^{(3)} = revokeTemp(W'')[\iota^{sta}(temp, [base_{stk} \mapsto 2] \uplus ms'_{act}), \iota^{pwl}(dom(ms^{(3)}_{unused}))]$
        • $ms^{(3)} :_{n'-k-1} W^{(3)}$
        • $reg^{(4)}$ points to stack with $\emptyset$ used and $ms^{(3)}_{unused}$ unused
        • $reg^{(4)} = reg_0[pc \mapsto updatePcPerm(c_{adv}), r_0 \mapsto c'_{ret}, r_{stk} \mapsto c''_{stk}, r \mapsto c_{adv}]$
        • $(n' - k - 1, c'_{ret}) \in \mathcal{V}(W^{(3)})$
        • $(n' - k - 1, c''_{stk}) \in \mathcal{V}(W^{(3)})$
        This argument is almost identical to the one we just did for the first call: Using the FTLR, we get $(n - i - 1, updatePcPerm(c_{adv})) \in \mathcal{E}(W^{(3)})$, which we use with
        3.1.1.2.1. $ms^{(3)} :_{n'-k-1} W^{(3)}$: By assumption.
        3.1.1.2.2. $(n' - k - 1, reg^{(4)}) \in \mathcal{R}(W^{(3)})$: Show:
          3.1.1.2.2.1. $(n' - k - 1, c_{adv}) \in \mathcal{V}(W^{(3)})$ by Assumption (4).
          3.1.1.2.2.2. $(n' - k - 1, c'_{ret})$ by assumption.
          3.1.1.2.2.3. $(n' - k - 1, c''_{stk})$ by assumption.
        to get $(n' - k - 1, (reg^{(4)}, ms^{(3)})) \in \mathcal{O}(W^{(3)})$
      3.1.1.3. Hyp-Cont
        Assume
        • $n'' \le n' - k - 2$
        • $W^{(3)} \sqsupseteq_{pub} revokeTemp(W'')[\iota^{sta}(temp, ms_{stk})][\iota^{sta}(temp, ms^{(3)}_{unused})]$
        • $ms^{(3)} :_{n''} revokeTemp(W^{(3)})$
        • for all r, we have that: $reg^{(4)}(r) = c'_{next}$ if $r = pc$, and $reg^{(4)}(r) \in \mathcal{V}(W'')$ if $reg^{(4)}(r)$ is a global capability and $r \notin \{pc, r_{stk}\}$
        • $reg'$ points to stack with $[base_{stk} \mapsto 2]$ used and $ms^{(3)}_{unused}$ unused for some $ms^{(3)}_{unused}$
        and show
        $(n'', (reg^{(3)}, ms^{(3)} \uplus [base_{stk} \mapsto 2] \uplus ms^{(3)}_{unused})) \in \mathcal{O}(revokeTemp(W^{(3)}))$
        To this end let $ms''_f$, $m''$, and $j \le n''$ be given and assume
        $(reg^{(3)}, ms^{(3)} \uplus [base_{stk} \mapsto 2] \uplus ms^{(3)}_{unused} \uplus ms''_f) \to_j (halted, m'')$
        As the execution halts immediately,
        $m'' = ms^{(3)} \uplus [base_{stk} \mapsto 2] \uplus ms^{(3)}_{unused} \uplus ms''_f$
        By assumption we had $ms^{(3)} :_{n''} revokeTemp(W^{(3)})$ and the frame is unchanged, so we can split the memory as needed.
4.4 Inverted Control and Return From Closure
The following example is constructed to investigate the difficulties of preserving an adversary’s local frame. There is no assertion, as this is (slightly) beside the point. The lemma we would prove about this should look like Lemma 5, but it is not stated and proven here.
g2: move r3 pc
lea r3 . . .
crtcls [] r3
rclear RegisterName \ {pc, r0, r1}
2g: jmp r0
f5: reqglob r1
prepstack rstk
scall r1([],[r0, renv ])
mclear rstk
rclear RegisterName \ {r0, pc}
5f: jmp r0
4.5 Variant of the “awkward” example
Assembly variant of the “awkward” example from [Dreyer et al., 2010, p. 11] which roughly was:
g = fun _ => let x = 0 in
fun f =>
x := 0;
f();
x := 1;
f();
assert(x == 1)
Our translation of the example:
g1: malloc r2 1
store r2 0
move r3 pc
lea r3 . . .
crtcls [(x, r2)] r3
rclear RegisterName \ {pc, r0, r1}
1g: jmp r0
f4: reqglob r1
prepstack rstk
store x 0
scall r1([],[r0, r1, renv ])
store x 1
scall r1([],[r0, renv ])
load r1 x
assert r1 1
mclear rstk
rclear RegisterName \ {r0, pc}
4f: jmp r0
Where the . . . is the appropriate offset to make the capability point to f4.
Lemma 5 (Correctness of g1). For all $n \in \mathbb{N}$ let
$c_{adv} \stackrel{\mathrm{def}}{=} ((rwx, global), base_{adv}, end_{adv}, base_{adv} + offsetLinkFlag)$
$c_{g1} \stackrel{\mathrm{def}}{=} ((e, global), g1 - offsetLinkFlag, 4f, g1)$
$c_{stk} \stackrel{\mathrm{def}}{=} ((rwlx, local), base_{stk}, end_{stk}, base_{stk} - 1)$
$c_{malloc} \stackrel{\mathrm{def}}{=} ((e, global), base_{malloc}, end_{malloc}, base_{malloc} + offsetLinkFlag)$
$c_{link} \stackrel{\mathrm{def}}{=} ((ro, global), link, link, link)$
$m \stackrel{\mathrm{def}}{=} ms_{g1} \uplus ms_{flag} \uplus ms_{link} \uplus ms_{adv} \uplus ms_{malloc} \uplus ms_{stk} \uplus ms_{frame}$
where
• $c_{malloc}$ satisfies the specification for malloc with $\iota_{malloc,0}$
$dom(ms_{g1}) = [g1 - offsetLinkFlag, 4f]$
$dom(ms_{flag}) = [flag, flag]$
$dom(ms_{link}) = [link, link]$
$dom(ms_{stk}) = [base_{stk}, end_{stk}]$
$dom(ms_{adv}) = [base_{adv}, end_{adv}]$
$ms_{malloc} :_n [0 \mapsto \iota_{malloc,0}]$
and
• $ms_{g1}(g1 - offsetLinkFlag) = ((ro, global), link, link, link)$, $ms_{g1}(g1 - offsetLinkFlag + 1) = ((rw, global), flag, flag, flag)$, the rest of $ms_{g1}$ contains the code of g1 immediately followed by the code of f4.
• $ms_{flag} = [flag \mapsto 0]$
• $ms_{link} = [link \mapsto c_{malloc}]$
• $ms_{adv}(base_{adv}) = c_{link}$ and all other addresses of $ms_{adv}$ contain instructions.
• $\forall a \in dom(ms_{stk}).\ ms_{stk}(a) = 0$
if
$(reg_0[pc \mapsto c_{adv}][r_{stk} \mapsto c_{stk}][r_1 \mapsto c_{g1}], m) \to_n (halted, m')$,
then
$m'(flag) = 0$.
In the proof of Lemma 5, we will use the following region.
Definition 2.
$\iota_x = (perm, 0, \phi_{pub}, \phi, H_x)$
$\phi_{pub} = \{(0, 1)\}^*$
$\phi = (1, 0) \cup \phi_{pub}$
$H_x\ s\ \hat{W} = \{(n, ms) \mid ms(x) = s \wedge n > 0\} \cup \{(0, ms)\}$
Lemma 6. Definition 2 defines a region.
Proof of Lemma 6.
• $\phi_{pub}$ is defined as the reflexive transitive closure, so it is immediately well formed.
• $\phi$ adds a transition to $\phi_{pub}$ and is also reflexive and transitive.
• $H_x$ is trivially non-expansive in the state.
• $H_x$ does not depend on $\hat{W}$, so it also becomes trivially non-expansive and (privately) monotone in $\hat{W}$.
Proof of Lemma 5 (using scall lemma). Let n be given and make the assumptions of the lemma.
Define
W =[0 7→ ιmalloc,0]
[1 7→ ιsta,u(perm,ms link )]
[2 7→ ιpwlbasestk ,endstk ]
[3 7→ ιnwl ,pbaseadv ,endadv ]
[4 7→ ιsta (perm,msg1 ⊎msflag)]
and
ms = msg1 ⊎msflag ⊎ms link ⊎msadv ⊎msmalloc
If we can show
(n, (reg0[pc 7→ cadv ][rstk 7→ cstk ][r1 7→ cg1],ms ⊎msstk )) ∈ O(W ) (5)
then the termination assumption gives us that part of m satisfies a private future world of W .
Region 4 is permanent, so
m(flag) = 0
So it suffices to show Eq. 5. To this end use the FTLR to show (n, cadv ) ∈ E(W ), so show
40
1. (n, (baseadv , endadv )) ∈ readCondition(global)(W )
Simple using region 3 in W and Lemma 22.
2. (n, (baseadv , endadv )) ∈ writeCondition(ιnwl ,global)(W )
Simple using region 3 in W , using Lemma 15.
in conclusion (n, cadv ) ∈ E(W ). We get Eq. 5 if we show 3. and 4.:
3. ms ⊎msstk :n W
3.1. msg1 ⊎msflag :n [4 7→ ι
sta (perm,msg1 ⊎msflag)]
Lemma 67.
3.2. msstk :n [2 7→ ι
pwl
basestk ,endstk
]
Lemma 68 and assumption that msstk is all 0.
3.3. msmalloc⊎ms link⊎msadv :n [0 7→ ιmalloc,0][1 7→ ιsta ,u(perm,ms link )][3 7→ ι
nwl ,p
baseadv ,endadv
]
For convenience define
Wmini = [0 7→ ιmalloc,0][1 7→ ι
sta ,u(perm,ms link )][3 7→ ι
nwl ,p
baseadv ,endadv
]
Partitioning the memory segment in the components of the disjoint union, the malloc
part follows from assumption msmalloc :n [0 7→ ιmalloc,0] and the malloc specification.
The linking table part of memory amounts to showing:
(n,ms link ) ∈ H
sta,u(ms link )(1)(ξ
−1(Wmini ))
which in turn amounts to showing
(n− 1, cmalloc) ∈ V(Wmini)
which follows from Lemma 50.
Showing
(n,msadv ) ∈ H
sta
baseadv ,endadv
(1)(ξ−1(Wmini ))
is a bit more involved. It amounts to
∀a ∈ dom(msadv ). (n− 1,msadv (a)) ∈ V(Wmini)
which in turn is trivial for everything but
(n− 1, clink ) ∈ V(Wmini)
This amounts to showing
(n− 1, (link , link)) ∈ readCondition(global)(Wmini )
which amounts to
ιsta ,u(perm,ms link )
n−1
⊂∼ ι
pwl
link ,link
which follows from Lemma 23.
Using Lemma 66 repeatedly with 3.1., 3.2., and 3.3. gives the desired memory satisfaction.
41
4. $(n, reg_0[r_{stk} \mapsto c_{stk}][r_1 \mapsto c_{g1}]) \in \mathcal{R}(W)$
   This amounts to showing
   4.1. $(n, c_{stk}) \in \mathcal{V}(W)$
      The assumptions on $c_{stk}$ and $ms_{stk}$ in the lemma entail
      • $reg_0[r_{stk} \mapsto c_{stk}][r_1 \mapsto c_{g1}]$ points to stack with $\emptyset$ used and $ms_{stk}$ unused
      and further there is a $\iota^{pwl}$ region for $ms_{stk}$ in $W$, so the result follows from Lemma 62.
   4.2. $(n, c_{g1}) \in \mathcal{V}(W)$
      Let $n_1 < n$ and $W_1 \sqsupseteq^{priv} W$ and show
      \[ (n_1, \mathrm{updatePcPerm}(c_{g1})) \in \mathcal{E}(W_1) \]
      To this end assume $n_2 \le n_1$, $ms_1 :_{n_2} W_1$, and $(n_2, reg_1) \in \mathcal{R}(W_1)$ and show
      \[ (n_2, (reg_1[pc \mapsto \mathrm{updatePcPerm}(c_{g1})], ms_1)) \in \mathcal{O}(W_1) \]
      Using Lemma 59, Lemma 60, Lemma 8 (and some others), it suffices to show
      \[ (n'_2, (reg_2, ms_2 \uplus ms'_{malloc} \uplus ms_{cls} \uplus ms_x)) \in \mathcal{O}(W_2) \]
      where
      \[ W_2 = W_1[0 \mapsto \iota^{malloc}][i_1 \mapsto \iota^{sta}(\mathrm{perm}, ms_{cls})][i_2 \mapsto \iota_x] \]
      where $i_1, i_2 \notin \mathrm{dom}(W_1)$ and $i_1 \ne i_2$ and $\iota_x$ is the region in Definition 2 which is a region by Lemma 6. Also
      • $\iota^{malloc} \sqsupseteq^{priv} \iota'^{\,malloc}$
      • $c_x = ((\mathrm{rwx}, \mathrm{global}), x, x, x)$
      • $ms_x = [x \mapsto 0]$
      • $ms_2 \uplus ms'_{malloc} \uplus ms_{cls} \uplus ms_x :_{n'_2} W_2$
      • $c_{env} = ((\mathrm{rwx}, \mathrm{global}), \mathit{env}, \mathit{env}, \mathit{env})$
      • $ms_{env} = [\mathit{env} \mapsto c_x]$
      • $c_{f4} = ((\mathrm{rwx}, \mathrm{global}), g1 - \mathit{offsetLinkFlag}, 4f, f4)$
      • $ms_{cls} = ms_{env} \uplus ms_{act}$
      • \[ reg_2(r) = \begin{cases} \mathrm{updatePcPerm}(reg_1(r_0)) & r = pc \\ reg_1(r_0) & r = r_0 \\ c_{cls} & r = r_1 \\ 0 & \text{otherwise} \end{cases} \]
      Finally assume Hyp-Act:
      \[ \forall reg, ms.\ reg(pc) = c_{cls} \Rightarrow \exists j.\ \forall ms_f.\ (reg, ms \uplus ms_{cls} \uplus ms_f) \to_j (reg[pc \mapsto \mathrm{updatePcPerm}(c_{f4})][r_{env} \mapsto c_{env}], ms \uplus ms_{cls} \uplus ms_f) \tag{6} \]
      Show
      \[ (n_2 - i, (reg_2, ms_2 \uplus ms'_{malloc} \uplus ms_{env} \uplus ms_x \uplus ms_{cls})) \in \mathcal{O}(W_2) \tag{7} \]
      If $reg_1(r_0).\mathit{perm} \notin \{\mathrm{e}, \mathrm{rx}, \mathrm{rwx}, \mathrm{rwlx}\}$, then the execution fails after the jump and is thus trivially true.
      If $reg_1(r_0).\mathit{perm} \in \{\mathrm{e}, \mathrm{rx}, \mathrm{rwx}, \mathrm{rwlx}\}$, then either executeCondition or enterCondition holds for the capability in $reg_1(r_0)$. Now use $W_2 \sqsupseteq^{pub} W_1$ with the appropriate condition to get
      \[ (n_2 - i, \mathrm{updatePcPerm}(reg_1(r_0))) \in \mathcal{E}(W_2) \]
      which in turn gives us 4.2. if we can show the following
      4.2.1. $ms_2 \uplus ms'_{malloc} \uplus ms_{env} \uplus ms_x \uplus ms_{cls} :_{n_2 - i} W_2$
         We first show the following:
         • $ms_2 \uplus ms'_{malloc} :_{n_2 - i} W_1[0 \mapsto \iota^{malloc}]$: we already know this.
         • $ms_{env} \uplus ms_{cls} :_{n_2 - i} [i_1 \mapsto \iota^{sta}(\mathrm{perm}, ms_{env} \uplus ms_{cls})]$: By Lemma 67.
         • $ms_x :_{n_2 - i} [i_2 \mapsto \iota_x]$: $ms(x) = 0$, so okay.
      4.2.2. $(n_2 - i, reg_2) \in \mathcal{R}(W_2)$
         Amounts to showing
         4.2.2.1. $(n_2 - i, reg_2(r_0)) \in \mathcal{V}(W_2)$ by assumption $(n_2, reg_1) \in \mathcal{R}(W_1)$ and $\mathcal{V}$ monotonicity w.r.t. $\sqsupseteq^{pub}$.
         4.2.2.2. $(n_2 - i, c_{cls}) \in \mathcal{V}(W_2)$
            Let $n_3 < n_2 - i$ and $W_3 \sqsupseteq^{priv} W_2$ be given and show
            \[ (n_3, \mathrm{updatePcPerm}(c_{cls})) \in \mathcal{E}(W_3) \]
            To this end let $n_4 \le n_3$, $ms_3 :_{n_4} W_3$, and $(n_4, reg_3) \in \mathcal{R}(W_3)$ and show
            \[ (n_4, (reg_3[pc \mapsto \mathrm{updatePcPerm}(c_{cls})], ms_3)) \in \mathcal{O}(W_3) \tag{8} \]
            Let $ms^p_3$ and $ms^t_3$ be memory segments such that $ms_3 = ms^p_3 \uplus ms^t_3$ and $ms^p_3 :_{n_4} \mathrm{revokeTemp}(W_3)$ (using Lemma 64). By $ms_3 :_{n_4} W_3$ and $W_3 \sqsupseteq^{priv} W_2$, we know $ms_{cls} \subseteq ms^p_3$, so using Hyp-Act (6), we get $j$ such that
            \[ \forall ms_f.\ (reg_3[pc \mapsto \mathrm{updatePcPerm}(c_{cls})], ms^p_3 \uplus ms^t_3 \uplus ms_f) \to_j (reg_3[pc \mapsto \mathrm{updatePcPerm}(c_{cls})][r_{env} \mapsto c_{env}], ms^p_3 \uplus ms^t_3 \uplus ms_f) \tag{9} \]
            Using Lemma 8 it suffices to show
            \[ (n_4, (reg_3[pc \mapsto \mathrm{updatePcPerm}(c_{cls})][r_{env} \mapsto c_{env}], ms^p_3 \uplus ms^t_3)) \in \mathcal{O}(W_3) \]
            Use Lemma 8 again. This time let $ms''_f$ be given and take $ms_r$ to be the part of $ms^t_3$ that $reg_3(r_{stk})$ does not govern. By the operational semantics, we know (see footnote 3)
            \[ (reg_3[pc \mapsto \mathrm{updatePcPerm}(c_{cls})][r_{env} \mapsto c_{env}], ms^p_3 \uplus ms^t_3 \uplus ms''_f) \to_{j'} (reg_4, ms_4 \uplus ms^t_3 \uplus ms''_f) \]
            where
            • $(reg_4, ms_4)$ is looking at $\mathrm{scall}\ r_1([], [r_0, r_1, r_{env}])$ followed by $c_{next}$
              – $c_{next}$ is the capability pointing to the next instruction.
            • $reg_4$ points to stack with $\emptyset$ used and $ms_{unused}$ unused
              – prepstack did not fail, so the stack capability must be rwlx and follow the stack convention.

Footnote 3: the execution may fail, but then the configuration is trivially in the observation relation.
            • $reg_4(r_1)$ is a global capability.
              – reqglob did not fail
            • $ms_4(x) = 0$
            • $reg_4(r_{env}) = c_{env}$
            Region $i_2$ (the $\iota_x$ region) can be in either state 0 or 1, so to make sure it is in state 0, we use a private transition. So let $W_4$ be $\mathrm{revokeTemp}(W_3)$ with region $i_2$ in state 0. We then have
            \[ ms_4 :_{n_4 - j - j'} W_4 \]
            Now we can use Lemma 58 to show:
            \[ (n_4 - j - j', (reg_4, ms_4 \uplus ms_r \uplus \emptyset \uplus ms_{unused})) \in \mathcal{O}(W_4) \]
            where $ms_r$ is the local frame of the scall lemma.
            4.2.2.2.1. $ms_4 :_{n_4 - j - j'} \mathrm{revokeTemp}(W_4)$: follows from $W_4 = \mathrm{revokeTemp}(W_4)$.
            4.2.2.2.2. Hyp-Callee
               We know $(n_4, reg_3(r_1)) \in \mathcal{V}(W_3)$. If this is not a capability that becomes executable when jumped to, then the execution fails, so the register and memory segment pair is trivially in the observation relation. If it is executable, then either the executeCondition or the enterCondition holds for appropriate values. We also know that it is a global capability, so we can use it with private future worlds. We have
               \[ W_5 = \mathrm{revokeTemp}(W_4)[\iota^{sta}(\mathrm{temp}, \emptyset \uplus ms_{act} \uplus ms_r), \iota^{pwl}(\mathrm{dom}(ms'_{unused}))] \sqsupseteq^{priv} W_3, \]
               for some $ms_{act}$ and $ms'_{unused}$. By the execute/enter condition, we have
               \[ (n_4 - j - j', \mathrm{updatePcPerm}(reg_3(r_1))) \in \mathcal{E}(W_5) \]
               Now it suffices to show
               4.2.2.2.2.1. $ms_5 :_{n_4 - j - j' - 1} W_5$ for some $ms_5$ which is one of the assumptions of Hyp-Callee.
               4.2.2.2.2.2. $(n_4 - j - j' - 1, reg_5) \in \mathcal{R}(W_5)$ where $reg_5$ is as described in the scall lemma Hyp-Callee premise.
                  Amounts to showing:
                  1) $(n_4 - j - j' - 1, reg_3(r_1)) \in \mathcal{V}(W_5)$, use Lemma 79 with $(n_4 - j - 1, reg_3(r_1)) \in \mathcal{V}(W_3)$, the capability is global, and $W_5 \sqsupseteq^{priv} W_3$.
                  2) The protected return pointer and the stack capability are in the value relation by Hyp-Callee assumptions.
               which gives us
               \[ (n_4 - j - j' - 1, (reg_5, ms_5)) \in \mathcal{O}(W_5) \]
            4.2.2.2.3. Hyp-Cont
               Assume
               • $n_5 \le n_4 - j - j' - 2$
               • $W_6 \sqsupseteq^{pub} \mathrm{revokeTemp}(W_4)$
               • $ms_6 :_{n_5} \mathrm{revokeTemp}(W_6)$
               • $reg_6(pc) = c_{next}$, $reg_6(r_0) = reg_3(r_0)$, $reg_6(r_1) = reg_3(r_1)$, $reg(r_{env}) = c_{env}$
               • $reg_6$ points to stack with $\emptyset$ used and $ms''_{unused}$ unused
               Show
               \[ (n_5, (reg_6, ms_6 \uplus ms_r \uplus \emptyset \uplus ms''_{unused})) \in \mathcal{O}(W_6) \]
               Use the $\mathcal{O}$-anti-reduction lemma (Lemma 8) followed by the scall lemma (Lemma 58). Given $ms'''_f$, we know by the operational semantics and the fact that the program hasn't changed that
               \[ (reg_6, ms_6 \uplus ms_r \uplus ms''_{unused} \uplus ms'''_f) \to_k (reg_7, ms_6[x \mapsto 1] \uplus ms_r \uplus ms''_{unused} \uplus ms'''_f) \]
               where
               • $(reg_7, ms_6[x \mapsto 1])$ is looking at $\mathrm{scall}\ r([], [r_0, r_{env}])$ followed by $c'_{next}$
                 – $c'_{next}$ is the current pc capability but looking at $\mathrm{load}\ r_1\ x$.
               • $reg_7(r_0, r_1, r_{env}, r_{stk}) = reg_6(r_0, r_1, r_{env}, r_{stk})$
               In $\mathrm{revokeTemp}(W_6)$, we don't know which state the $\iota_x$ region is in, but state 1 is reachable via a public transition, so let $W_7$ be $\mathrm{revokeTemp}(W_6)$ with region $i_2$ in state 1. It follows easily that
               \[ ms_6[x \mapsto 1] :_{n_5 - k} W_7 \]
               We continue the proof in item 5.
5. At this point, we apply the scall lemma, to get
   \[ (n_5 - k, (reg_7, ms_6[x \mapsto 1] \uplus ms_r \uplus ms'''_{unused})) \in \mathcal{O}(W_7) \]
   show
   5.1. $ms_6[x \mapsto 1] :_{n_5 - k} \mathrm{revokeTemp}(W_7)$, follows from $W_7 = \mathrm{revokeTemp}(W_7)$.
   5.2. Hyp-Callee: Goes like the first Hyp-Callee (4.2.2.2.2.).
   5.3. Hyp-Cont
      Assume:
      • $n_6 \le n_5 - k - 2$
      • $W_8 \sqsupseteq^{pub} \mathrm{revokeTemp}(W_7)$
      • $ms_7 :_{n_6} \mathrm{revokeTemp}(W_8)$
      • $reg_8(r_0, r_{env}) = reg_7(r_0, r_{env})$
      • $reg_8(pc) = c'_{next}$
      • $reg_8$ points to stack with $\emptyset$ used and $ms^{(6)}_{unused}$ unused for some $ms^{(6)}_{unused}$
      Show:
      \[ (n_6, (reg_8, ms_7 \uplus ms_r \uplus \emptyset \uplus ms^{(5)}_{unused})) \in \mathcal{O}(W_8) \]
      Use Lemma 8. Let $ms^{(4)}_f$ be given, then
      \[ (reg_8, ms_7 \uplus ms_r \uplus \emptyset \uplus ms^{(5)}_{unused} \uplus ms^{(4)}_f) \to_l (reg_9, ms_7 \uplus ms_r \uplus \emptyset \uplus ms_0 \uplus ms^{(4)}_f) \]
      where
      • $reg_9(pc) = \mathrm{updatePcPerm}(reg_3(r_0))$ (note $reg_8(r_0) = reg_3(r_0)$)
      • $reg_9(r_0) = reg_3(r_0)$
      • For all $r \notin \{pc, r_0\}$, $reg_9(r) = 0$.
      • $\mathrm{dom}(ms_0) = \mathrm{dom}(ms^{(5)}_{unused})$ and $\forall a \in \mathrm{dom}(ms_0).\ ms_0(a) = 0$
      The execution proceeds as above because $\iota_x$ in $W_8$ is in state 1, so $ms_7(x) = 1$, which causes the assertion to succeed. Subsequently the stack and most of the registers are cleared.
      Now take $W_{10}$ to be $W_9$ with all the regions in $\mathrm{dom}(\lfloor W_3 \rfloor_{\{temp\}})$ reinstated. Now we show the following:
      5.3.1. $W_{10} \sqsupseteq^{pub} W_3$
         We have
         \[ \forall r \in \mathrm{dom}(W_3).\ W_3(r) = W_{10}(r) \]
         If the region was permanent in $W_3$, then it is there because $W_{10} \sqsupseteq^{priv} W_3$. If it was temporary, then it is there because it was just reinstated. If it was revoked in $W_3$, then it is still there because the only reinstated regions were the temporary ones in $W_3$.
         All the future worlds we have been given have been public, so the regions can only have made public transitions. In $W_3$ region $\iota_x$ is in state 0 or 1. In $W_{10}$ region $\iota_x$ is in state 1. State 1 can be reached from 0 and 1 using a public transition, so the $\iota_x$ in $W_{10}$ is a public future region of the $\iota_x$ in $W_3$.
         In other words, all the regions in $W_3$ have only taken public transitions compared to the corresponding regions in $W_{10}$.
         The relation between the relevant worlds is sketched out in Figure 4.5.
      5.3.2. $ms_7 \uplus ms_r \uplus \emptyset \uplus ms_0 :_{n_6 - l} W_{10}$
         First notice that from
         • $(n_4, reg_3) \in \mathcal{R}(W_3)$
         • $ms_3 :_{n_4} W_3$
         • $reg(r_{stk}).\mathit{perm} = \mathrm{rwlx}$
         using Lemma 9 we get that there exists a region $r_{advstk}$ such that
         \[ W_3(r_{advstk}) \overset{n}{=} \iota^{pwl}_{stk_a, stk_b} \]
         and $\mathrm{dom}(ms_{unused}) \subseteq [stk_a, stk_b]$. Now take $ms_{advstk} = ms_r|_{[stk_a, stk_b]}$ (notice that not all of $[stk_a, stk_b]$ is in the domain of $ms_r$). We know
         \[ ms_7 :_{n_6} \mathrm{revokeTemp}(W_8) \tag{10} \]
         and
         \[ ms_3 :_{n_4} W_3 \tag{11} \]
         which gives us two partitions, say $P_8$ and $P_3$ respectively. Now define the partition $P$ as follows:
         \[ P(r) = \begin{cases} P_8(r) & r \in \mathrm{dom}(\lfloor W_8 \rfloor_{\{perm\}}) \\ ms_{advstk} \uplus ms_0 & r = r_{advstk} \\ P_3(r) & \text{otherwise} \end{cases} \]
         Now let $r \in \mathit{flW}$, $n_7 < n_6 - l$, and $W(r) = (\_, s, \_, \_, H)$ and show
         \[ (n_7, P(r)) \in H(s)(\xi^{-1}(W_{10})). \]
         Consider the following cases
         5.3.2.1. $r \in \mathrm{dom}(\lfloor W_8 \rfloor_{\{perm\}})$
            Use (10), the fact that $W_{10} \sqsupseteq^{priv} \mathrm{revokeTemp}(W_8)$ and that permanent regions respect private future worlds.
         5.3.2.2. $r = r_{advstk}$
            In this case we know the region is $\iota^{pwl}_{stk_a, stk_b}$, so we need to show
            \[ (n_7, ms_{advstk} \uplus ms_0) \in H^{pwl}_{stk_a, stk_b}(1)(\xi^{-1}(W_{10})) \]
            which amounts to showing
            \[ \forall a \in \mathrm{dom}(ms_0).\ (n_7 - 1, ms_0(a)) \in \mathcal{V}(W_{10}), \]
            which is trivial, and
            \[ \forall a \in \mathrm{dom}(ms_{advstk}).\ (n_7 - 1, ms_{advstk}(a)) \in \mathcal{V}(W_{10}) \]
            Here we use that (11) entails
            \[ \forall a \in \mathrm{dom}(ms_{advstk}).\ (n_4 - 1, ms_{advstk}(a)) \in \mathcal{V}(W_3) \]
            and the fact that $\mathcal{V}$ is monotone w.r.t. $\sqsupseteq^{pub}$, $W_{10} \sqsupseteq^{pub} W_3$, and $\mathcal{V}(W_{10})$ is downwards-closed.
         5.3.2.3. otherwise
            Use (11), $W_{10} \sqsupseteq^{pub} W_3$, and the fact that for a temporary region $H(s)$ is monotone w.r.t. $\sqsupseteq^{pub}$.
      5.3.3. $(n_6 - l, reg_9) \in \mathcal{R}(W_{10})$
         Most registers are cleared. The only interesting register is $r_0$, so show:
         \[ (n_6 - l, reg_9(r_0)) \in \mathcal{V}(W_{10}) \]
         This follows from $reg_9(r_0) = reg_3(r_0)$, $(n_4, reg_3) \in \mathcal{R}(W_3)$, $\mathcal{V}$ monotone w.r.t. $\sqsupseteq^{pub}$, and $W_{10} \sqsupseteq^{pub} W_3$.
      As we were using Lemma 8, we need to show
      \[ (n_6 - l, (reg_9, ms_7 \uplus ms_r \uplus \emptyset \uplus ms_0)) \in \mathcal{O}(W_{10}) \]
      To this end use $reg_3(r_0) = reg_9(r_0)$ and $(n_4, reg_3(r_0)) \in \mathcal{V}(W_3)$. Assuming that $reg_9(r_0).\mathit{perm} \in \{\mathrm{e}, \mathrm{rx}, \mathrm{rwx}, \mathrm{rwlx}\}$ (if this is not the case, then it is trivial to show the above as the execution fails), then either the executeCondition or the enterCondition holds for appropriate values. Now use that $n_6 - l < n_4$ and $W_{10} \sqsupseteq^{pub} W_3$ (5.3.1., see footnote 4) to get
      \[ (n_6 - l, \mathrm{updatePcPerm}(reg_9(r_0))) \in \mathcal{E}(W_{10}) \]
      Now using 5.3.2. and 5.3.3., we get the desired result.

Footnote 4: We don't know whether the capability is local or global, but it does not matter as we have a public future world relation between the two worlds.
[Figure 4.5: the worlds used in the proof above and how they relate. Given worlds: $W_3$ (f4 called), $W_6$ (callback returns), $W_8$ (callback returns). Constructed worlds: $W_4$ (first callback), $W_7$ (second callback), $W_{10}$ (f4 returns). The chain in the figure is $W_3 \sqsubseteq^{priv} W_4 \sqsubseteq^{pub} W_6 \sqsubseteq^{priv} W_7 \sqsubseteq^{pub} W_8 \sqsubseteq^{priv} W_{10}$.]
5 Logical Relation

5.1 Worlds

Assume a sufficiently large set of states $\mathrm{State}$ that at least contains the states used in this document.

Definition 3.
\[ \mathrm{Rels} = \{(\phi_{pub}, \phi) \in \mathcal{P}(\mathrm{State}^2) \times \mathcal{P}(\mathrm{State}^2) \mid \phi_{pub}, \phi \text{ is reflexive and transitive and } \phi_{pub} \subseteq \phi\} \]

Theorem 1. There exists a c.o.f.e. $\mathrm{Wor}$ and preorders $\sqsupseteq^{priv}$ and $\sqsupseteq^{pub}$ such that $(\mathrm{Wor}, \sqsupseteq^{priv})$ and $(\mathrm{Wor}, \sqsupseteq^{pub})$ are preordered c.o.f.e.'s and there exists an isomorphism $\xi$ such that
\[ \xi : \mathrm{Wor} \cong \blacktriangleright\Big(\mathbb{N} \overset{\mathrm{fin}}{\rightharpoonup} \big(\{\mathrm{revoked}\} + \{\mathrm{temp}\} \times \mathrm{State} \times \mathrm{Rels} \times (\mathrm{State} \to (\mathrm{Wor} \xrightarrow[\sqsupseteq^{pub}]{\mathrm{mon,ne}} \mathrm{UPred}(\mathrm{MemSegment}))) + \{\mathrm{perm}\} \times \mathrm{State} \times \mathrm{Rels} \times (\mathrm{State} \to (\mathrm{Wor} \xrightarrow[\sqsupseteq^{priv}]{\mathrm{mon,ne}} \mathrm{UPred}(\mathrm{MemSegment})))\big)\Big) \]
and for $W, W' \in \mathrm{Wor}$
\[ W' \sqsupseteq^{priv} W \Leftrightarrow \xi(W') \sqsupseteq^{priv} \xi(W) \]
and
\[ W' \sqsupseteq^{pub} W \Leftrightarrow \xi(W') \sqsupseteq^{pub} \xi(W) \]

We now define the regions to be
\[ \mathrm{Region} = \{\mathrm{revoked}\} \uplus \{\mathrm{temp}\} \times \mathrm{State} \times \mathrm{Rels} \times (\mathrm{State} \to (\mathrm{Wor} \xrightarrow[\sqsupseteq^{pub}]{\mathrm{mon,ne}} \mathrm{UPred}(\mathrm{MemSegment}))) \uplus \{\mathrm{perm}\} \times \mathrm{State} \times \mathrm{Rels} \times (\mathrm{State} \to (\mathrm{Wor} \xrightarrow[\sqsupseteq^{priv}]{\mathrm{mon,ne}} \mathrm{UPred}(\mathrm{MemSegment}))) \]
Let $\iota.v$ be the projection of the view of a region.
And the worlds are
\[ \mathrm{World} = \mathrm{RegionName} \overset{\mathrm{fin}}{\rightharpoonup} \mathrm{Region} \]
where $\mathrm{RegionName} = \mathbb{N}$.
The private future region relation $\sqsupseteq^{priv}$ satisfies the following rules:
\[ \frac{(s, s') \in \phi \qquad (v, \phi_{pub}, \phi, H) = (v', \phi'_{pub}, \phi', H')}{(v', s', \phi'_{pub}, \phi', H') \sqsupseteq^{priv} (v, s, \phi_{pub}, \phi, H)} \]
\[ \frac{r \in \mathrm{Region}}{r \sqsupseteq^{priv} (\mathrm{temp}, s, \phi_{pub}, \phi, H)} \qquad\qquad \frac{r \in \mathrm{Region}}{r \sqsupseteq^{priv} \mathrm{revoked}} \]
The public future region relation $\sqsupseteq^{pub}$ satisfies the following rules:
\[ \frac{(s, s') \in \phi_{pub} \qquad (v, \phi_{pub}, \phi, H) = (v', \phi'_{pub}, \phi', H')}{(v', s', \phi'_{pub}, \phi', H') \sqsupseteq^{pub} (v, s, \phi_{pub}, \phi, H)} \]
\[ \frac{(\mathrm{temp}, s, \phi_{pub}, \phi, H) \in \mathrm{Region}}{(\mathrm{temp}, s, \phi_{pub}, \phi, H) \sqsupseteq^{pub} \mathrm{revoked}} \qquad\qquad \frac{}{\mathrm{revoked} \sqsupseteq^{pub} \mathrm{revoked}} \]
The two future world relations satisfy the following properties: they allow for any extension of the current world, and every existing region is allowed to move to an appropriate future region. That is
\[ \frac{\mathrm{dom}(W') \supseteq \mathrm{dom}(W) \qquad \forall r \in \mathrm{dom}(W).\ W'(r) \sqsupseteq^{pub} W(r)}{W' \sqsupseteq^{pub} W} \]
\[ \frac{\mathrm{dom}(W') \supseteq \mathrm{dom}(W) \qquad \forall r \in \mathrm{dom}(W).\ W'(r) \sqsupseteq^{priv} W(r)}{W' \sqsupseteq^{priv} W} \]
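As an added illustration (not part of the paper), the following worked instance checks, directly against the rules above, which of the world changes used in the proof of Section 4.5 are private steps and which are public ones; the world $W$ and the regions $\iota_p$, $\iota_t$ are chosen here for the illustration.

```latex
Take regions $\iota_p = (\mathrm{perm}, s, \phi_{pub}, \phi, H_p)$ and $\iota_t = (\mathrm{temp}, s, \phi_{pub}, \phi, H_t)$
with $(\phi_{pub}, \phi) \in \mathrm{Rels}$, and the world $W = [0 \mapsto \iota_p][1 \mapsto \iota_t]$.

Revocation is a private step but not a public one:
\[ \mathrm{revokeTemp}(W) = [0 \mapsto \iota_p][1 \mapsto \mathrm{revoked}] \sqsupseteq^{priv} W \]
since $\iota_p \sqsupseteq^{priv} \iota_p$ by the first private rule (using $(s, s) \in \phi$, as $\phi$ is reflexive)
and $\mathrm{revoked} \sqsupseteq^{priv} \iota_t$ by the second private rule. No public rule places a
$\mathrm{temp}$ region below $\mathrm{revoked}$, so $\mathrm{revokeTemp}(W) \not\sqsupseteq^{pub} W$.

Reinstating the temporary region is a public step:
\[ \mathrm{revokeTemp}(W)[1 \mapsto \iota_t] \sqsupseteq^{pub} \mathrm{revokeTemp}(W) \]
by $\iota_t \sqsupseteq^{pub} \mathrm{revoked}$ and $\iota_p \sqsupseteq^{pub} \iota_p$ (first public rule with $(s,s) \in \phi_{pub}$).
This is the step behind $W_{10} \sqsupseteq^{pub} W_3$ in item 5.3.1. of the proof above.

Allocating a fresh region is public: for any region $\iota$ and $2 \notin \mathrm{dom}(W)$,
\[ W[2 \mapsto \iota] \sqsupseteq^{pub} W \]
because $\mathrm{dom}$ only grows and each existing region is related to itself.

A state change $s \to s'$ of a region is a public step iff $(s, s') \in \phi_{pub}$ and a private step
iff $(s, s') \in \phi$; as $\phi_{pub} \subseteq \phi$, every public step is also a private step, but not
conversely. In the proof above this is why the $\iota_x$ region can be moved to state 1 by a public
transition from either state, while resetting it to state 0 requires a private future world.
```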
Proof of Theorem 1. The theorem follows from a more general solution theorem for the category $\mathcal{P}$ of preordered c.o.f.e.'s, see Birkedal et al. [2010], Birkedal and Bizjak [2014] and Bizjak [2017]. We define two functors $F_1$ and $F_2$ from $\mathcal{P}^{op} \times \mathcal{P}^{op}$ to $\mathcal{P}$.
\[ F_1((X, \sqsupseteq^{priv\prime}), (Y, \sqsupseteq^{pub\prime})) = \Big(\blacktriangleright\big(\mathbb{N} \overset{\mathrm{fin}}{\rightharpoonup} (\{\mathrm{revoked}\} + \{\mathrm{temp}\} \times \mathrm{State} \times \mathrm{Rels} \times (\mathrm{State} \to ((Y, \sqsupseteq^{pub\prime}) \xrightarrow{\mathrm{mon,ne}} \mathrm{UPred}(\mathrm{MemSegment}))) + \{\mathrm{perm}\} \times \mathrm{State} \times \mathrm{Rels} \times (\mathrm{State} \to ((X, \sqsupseteq^{priv\prime}) \xrightarrow{\mathrm{mon,ne}} \mathrm{UPred}(\mathrm{MemSegment}))))\big), \sqsupseteq^{priv}\Big) \]
and
\[ F_2((X, \sqsupseteq^{priv\prime}), (Y, \sqsupseteq^{pub\prime})) = \Big(\blacktriangleright\big(\mathbb{N} \overset{\mathrm{fin}}{\rightharpoonup} (\{\mathrm{revoked}\} + \{\mathrm{temp}\} \times \mathrm{State} \times \mathrm{Rels} \times (\mathrm{State} \to ((Y, \sqsupseteq^{pub\prime}) \xrightarrow{\mathrm{mon,ne}} \mathrm{UPred}(\mathrm{MemSegment}))) + \{\mathrm{perm}\} \times \mathrm{State} \times \mathrm{Rels} \times (\mathrm{State} \to ((X, \sqsupseteq^{priv\prime}) \xrightarrow{\mathrm{mon,ne}} \mathrm{UPred}(\mathrm{MemSegment}))))\big), \sqsupseteq^{pub}\Big) \]
The orderings $\sqsupseteq^{priv}$ and $\sqsupseteq^{pub}$ used in the definition of $F_1$ and $F_2$ are defined by the properties given above. Note that the images of $F_1$ and $F_2$ only differ in the ordering relation, i.e., letting $U$ denote the forgetful functor from the category of preordered c.o.f.e.'s to the category of c.o.f.e.'s, we have $U \circ F_1 = U \circ F_2$. From Bizjak [2017] it then follows that there exists a c.o.f.e. $\mathrm{Wor}$ and two preorderings $\sqsupseteq^{priv}$ and $\sqsupseteq^{pub}$ and an isomorphism $\xi$ satisfying the properties claimed in the theorem. (Here, in the proof, we have written the ordering explicitly on the c.o.f.e. when using monotone non-expansive functions; in the theorem formulation we have instead annotated the arrow to indicate which ordering is used.)
Erase all but a set of views:
\[ \lfloor W \rfloor_S \overset{\mathrm{def}}{=} \lambda r.\ \begin{cases} W(r) & W(r).v \in S \\ \bot & \text{otherwise} \end{cases} \]
Define the function $\mathrm{active}(\cdot)$ as follows
\[ \mathrm{active} : \mathrm{World} \to 2^{\mathrm{RegionName}} \qquad \mathrm{active}(W) \overset{\mathrm{def}}{=} \mathrm{dom}(\lfloor W \rfloor_{\{perm, temp\}}) \]
Memory segment satisfaction:
\[ ms :_n W \ \text{ iff }\ \exists P : \mathrm{active}(W) \to \mathrm{MemSegment}.\ ms :_{n,P} W \]
\[ ms :_{n,P} W \ \text{ iff }\ ms = \biguplus_{r \in \mathrm{active}(W)} P(r) \ \wedge\ \forall r \in \mathrm{active}(W).\ \exists H, s.\ W(r) = (\_, s, \_, \_, H) \wedge (n, P(r)) \in H(s)(\xi^{-1}(W)) \]
Standard regions for when writing locally is permitted:
\[ \iota^{pwl} : \mathcal{P}(\mathrm{Addr}) \to \mathrm{Region} \qquad \iota^{pwl}\ A \overset{\mathrm{def}}{=} (\mathrm{temp}, 1, =, =, H^{pwl}\ A) \]
\[ H^{pwl} : \mathcal{P}(\mathrm{Addr}) \to \mathrm{State} \to (\mathrm{Wor} \xrightarrow[\sqsupseteq^{pub}]{\mathrm{mon,ne}} \mathrm{UPred}(\mathrm{MemSegment})) \]
\[ H^{pwl}\ A\ s\ \hat{W} \overset{\mathrm{def}}{=} \{(n, ms) \mid \mathrm{dom}(ms) = A \wedge \forall a \in A.\ (n-1, ms(a)) \in \mathcal{V}(\xi(\hat{W}))\} \cup \{(0, ms)\} \]
Revoking all temporary regions:
\[ \mathrm{revokeTemp} : \mathrm{World} \to \mathrm{World} \qquad \mathrm{revokeTemp}(W) \overset{\mathrm{def}}{=} \lambda r.\ \begin{cases} \mathrm{revoked} & \text{if } W(r) = (\mathrm{temp}, s, \phi_{pub}, \phi, H) \\ W(r) & \text{otherwise} \end{cases} \]
Further define
\[ \iota^{pwl}_{base, end} \overset{\mathrm{def}}{=} \iota^{pwl}([base, end]) \]
Standard regions for when write local is not allowed:
\[ \iota^{nwl} : \mathcal{P}(\mathrm{Addr}) \to \mathrm{Region} \qquad \iota^{nwl}\ A \overset{\mathrm{def}}{=} (\mathrm{temp}, 1, =, =, H^{nwl}\ A) \]
\[ \iota^{nwl,p} : \mathcal{P}(\mathrm{Addr}) \to \mathrm{Region} \qquad \iota^{nwl,p}\ A \overset{\mathrm{def}}{=} (\mathrm{perm}, 1, =, =, H^{nwl}\ A) \]
\[ H^{nwl} : \mathcal{P}(\mathrm{Addr}) \to \mathrm{State} \to (\mathrm{Wor} \xrightarrow[\sqsupseteq^{priv}]{\mathrm{mon,ne}} \mathrm{UPred}(\mathrm{MemSegment})) \]
\[ H^{nwl}\ A\ s\ \hat{W} \overset{\mathrm{def}}{=} \{(n, ms) \mid \mathrm{dom}(ms) = A \wedge \forall a \in A.\ ms(a) \text{ is non-local} \wedge (n-1, ms(a)) \in \mathcal{V}(\xi(\hat{W}))\} \cup \{(0, ms)\} \]
Further define
\[ \iota^{nwl}_{base, end} \overset{\mathrm{def}}{=} \iota^{nwl}([base, end]) \qquad\qquad \iota^{nwl,p}_{base, end} \overset{\mathrm{def}}{=} \iota^{nwl,p}([base, end]) \]
For convenience define
\[ \mathrm{localityReg}(g, W) \overset{\mathrm{def}}{=} \begin{cases} \mathrm{dom}(\lfloor W \rfloor_{\{perm, temp\}}) & \text{if } g = \mathrm{local} \\ \mathrm{dom}(\lfloor W \rfloor_{\{perm\}}) & \text{if } g = \mathrm{global} \end{cases} \]
$\mathrm{localityReg}(\mathrm{local}, W)$ are the regions that local capabilities may govern, that is, permanent and temporary regions. $\mathrm{localityReg}(\mathrm{global}, W)$ are the regions that global capabilities may govern, that is, permanent regions. Now define the following function.
We need a notion of subset between regions that is almost n-subset, but not quite. The only difference is that the view part of a region is disregarded. Define "semi n-subset" and "semi n-supset" as:
\[ \frac{(s, \phi_{pub}, \phi) = (s', \phi'_{pub}, \phi') \qquad \forall \hat{W}.\ H\ s\ \hat{W} \overset{n}{\subseteq} H'\ s'\ \hat{W}}{(v, s, \phi_{pub}, \phi, H) \overset{n}{\subset_\sim} (v', s', \phi'_{pub}, \phi', H')} \]
5.2 The logical relation

The logical relation is defined by several mutually recursive definitions. In order to handle this mutual recursion and show that these definitions are well-defined, Banach's fixed-point theorem can be used. We have omitted the details of this construction here, but it is done by parameterising all the definitions by the value relation.
$\iota = (v, s, \phi_{pub}, \phi, H)$ is address-stratified iff
\[ \forall s', \hat{W}, n, ms, ms'.\ (n, ms), (n, ms') \in H\ s'\ \hat{W} \Rightarrow \mathrm{dom}(ms) = \mathrm{dom}(ms') \wedge \forall a \in \mathrm{dom}(ms).\ (n, ms[a \mapsto ms'(a)]) \in H\ s'\ \hat{W} \]
\[ \mathrm{writeCondition} : (((\mathrm{Addr} \times \mathrm{Addr}) \to \mathrm{Region}) \times \mathrm{Global}) \to \mathrm{World} \xrightarrow{\mathrm{mon,ne}} \mathrm{UPred}(\mathrm{Addr}^2) \]
\[ \mathrm{writeCondition}(\iota, g)(W) = \{(n, (base, end)) \mid \exists r \in \mathrm{localityReg}(g, W).\ \exists [base', end'] \supseteq [base, end].\ W(r) \overset{n-1}{\supset_\sim} \iota_{base', end'} \text{ and } W(r) \text{ is address-stratified}\} \]
\[ \mathrm{readCondition} : \mathrm{Global} \to \mathrm{World} \xrightarrow{\mathrm{mon,ne}} \mathrm{UPred}(\mathrm{Addr}^2) \]
\[ \mathrm{readCondition}(g)(W) = \{(n, (base, end)) \mid \exists r \in \mathrm{localityReg}(g, W).\ \exists [base', end'] \supseteq [base, end].\ W(r) \overset{n}{\subset_\sim} \iota^{pwl}_{base', end'}\} \]
\[ \mathrm{executeCondition}(g)(W) = \{(n, (perm, base, end)) \mid \forall n' < n.\ \forall W' \sqsupseteq W.\ \forall a \in [base', end'] \subseteq [base, end].\ (n', ((perm, g), base', end', a)) \in \mathcal{E}(W')\} \]
where $g = \mathrm{local} \Rightarrow {\sqsupseteq} = {\sqsupseteq^{pub}}$ and $g = \mathrm{global} \Rightarrow {\sqsupseteq} = {\sqsupseteq^{priv}}$
\[ \mathrm{enterCondition}(g)(W) = \{(n, (base, end, a)) \mid \forall n' < n.\ \forall W' \sqsupseteq W.\ (n', ((\mathrm{rx}, g), base, end, a)) \in \mathcal{E}(W')\} \]
where $g = \mathrm{local} \Rightarrow {\sqsupseteq} = {\sqsupseteq^{pub}}$ and $g = \mathrm{global} \Rightarrow {\sqsupseteq} = {\sqsupseteq^{priv}}$
Now define the value relation as follows:
\[ \mathcal{V} : \mathrm{World} \xrightarrow[\sqsupseteq^{pub}]{\mathrm{mon,ne}} \mathrm{UPred}(\mathrm{Word}) \]
\[ \begin{array}{rl}
\mathcal{V} \overset{\mathrm{def}}{=} \lambda W.\ & \{(n, i) \mid i \in \mathbb{Z} \cup \{\infty\}\}\ \cup \\
& \{(n, ((\mathrm{o}, g), base, end, a))\}\ \cup \\
& \{(n, ((\mathrm{ro}, g), base, end, a)) \mid (n, (base, end)) \in \mathrm{readCondition}(g)(W)\}\ \cup \\
& \{(n, ((\mathrm{rw}, g), base, end, a)) \mid (n, (base, end)) \in \mathrm{readCondition}(g)(W) \wedge (n, (base, end)) \in \mathrm{writeCondition}(\iota^{nwl}, g)(W)\}\ \cup \\
& \{(n, ((\mathrm{rwl}, g), base, end, a)) \mid (n, (base, end)) \in \mathrm{readCondition}(g)(W) \wedge (n, (base, end)) \in \mathrm{writeCondition}(\iota^{pwl}, g)(W)\}\ \cup \\
& \{(n, ((\mathrm{rx}, g), base, end, a)) \mid (n, (base, end)) \in \mathrm{readCondition}(g)(W) \wedge (n, (\mathrm{rx}, base, end)) \in \mathrm{executeCondition}(g)(W)\}\ \cup \\
& \{(n, ((\mathrm{e}, g), base, end, a)) \mid (n, (base, end, a)) \in \mathrm{enterCondition}(g)(W)\}\ \cup \\
& \{(n, ((\mathrm{rwx}, g), base, end, a)) \mid (n, (base, end)) \in \mathrm{readCondition}(g)(W) \wedge (n, (base, end)) \in \mathrm{writeCondition}(\iota^{nwl}, g)(W) \\
& \qquad \wedge (n, (\mathrm{rwx}, base, end)) \in \mathrm{executeCondition}(g)(W) \wedge (n, (\mathrm{rx}, base, end)) \in \mathrm{executeCondition}(g)(W)\}\ \cup \\
& \{(n, ((\mathrm{rwlx}, g), base, end, a)) \mid (n, (base, end)) \in \mathrm{readCondition}(g)(W) \wedge (n, (base, end)) \in \mathrm{writeCondition}(\iota^{pwl}, g)(W) \\
& \qquad \wedge (n, (\mathrm{rwlx}, base, end)) \in \mathrm{executeCondition}(g)(W) \wedge (n, (\mathrm{rwx}, base, end)) \in \mathrm{executeCondition}(g)(W) \\
& \qquad \wedge (n, (\mathrm{rx}, base, end)) \in \mathrm{executeCondition}(g)(W)\}
\end{array} \]
\[ \mathcal{O} : \mathrm{World} \xrightarrow{\mathrm{ne}} \mathrm{UPred}(\mathrm{Reg} \times \mathrm{MemSegment}) \]
\[ \mathcal{O} \overset{\mathrm{def}}{=} \lambda W.\ \{(n, (reg, ms)) \mid \forall ms_f, mem', i \le n.\ (reg, ms \uplus ms_f) \to_i (\mathrm{halted}, mem') \Rightarrow \exists W' \sqsupseteq^{priv} W.\ \exists ms_r, ms'.\ mem' = ms' \uplus ms_r \uplus ms_f \wedge ms' :_{n-i} W'\} \]
\[ \mathcal{R} : \mathrm{World} \xrightarrow[\sqsupseteq^{pub}]{\mathrm{mon,ne}} \mathrm{UPred}(\mathrm{Reg}) \]
\[ \mathcal{R} \overset{\mathrm{def}}{=} \lambda W.\ \{(n, reg) \mid \forall r \in \mathrm{RegisterName} \setminus \{pc\}.\ (n, reg(r)) \in \mathcal{V}(W)\} \]
\[ \mathcal{E} : \mathrm{World} \xrightarrow{\mathrm{ne}} \mathrm{UPred}(\mathrm{Word}) \]
\[ \mathcal{E} \overset{\mathrm{def}}{=} \lambda W.\ \{(n, pc) \mid \forall n' \le n.\ \forall (n', reg) \in \mathcal{R}(W).\ \forall ms :_{n'} W.\ (n', (reg[pc \mapsto pc], ms)) \in \mathcal{O}(W)\} \]
5.3 Useful regions

Static region used for parts of memory that should not change.
\[ \iota^{sta}(v, ms) = (v, 1, =, =, H^{sta}\ ms) \]
\[ H^{sta}\ ms\ s\ \hat{W} = \{(n, ms) \mid n > 0\} \cup \{(0, ms') \mid ms' \in \mathrm{Mem}\} \]
Static region used for parts of memory that should not change and where you pass control to untrusted code.
\[ \iota^{sta,u}(v, ms) = (v, 1, =, =, H^{sta,u}\ ms) \]
\[ H^{sta,u}\ ms\ s\ \hat{W} = \{(n, ms') \mid ms' = ms \wedge \forall a \in \mathrm{dom}(ms).\ ms(a) \text{ is non-local} \wedge (n-1, ms(a)) \in \mathcal{V}(\xi(\hat{W}))\} \cup \{(0, ms') \mid ms' \in \mathrm{Mem}\} \]
\[ \iota^{cnst}(v, n) = (v, 1, =, =, H^{cnst}\ n) \]
\[ H^{cnst}\ n'\ s\ \hat{W} = \{(n, ms) \mid n > 0 \wedge \forall a \in \mathrm{dom}(ms).\ ms(a) = n'\} \cup \{(0, ms') \mid ms' \in \mathrm{Mem}\} \]
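As an added worked example (not part of the paper), the following checks memory-segment satisfaction and the value relation on a two-region world built from the definitions in 5.1 to 5.3; the address $b$, the region names, the code segment $ms_{code}$ and the capability $c$ are chosen here for the illustration.

```latex
Let $b \in \mathrm{Addr}$, let $ms_{code}$ be a memory segment with $\mathrm{dom}(ms_{code}) \cap [b, b+1] = \emptyset$, and let
\[ W = [0 \mapsto \iota^{pwl}_{b,b+1}][1 \mapsto \iota^{sta}(\mathrm{perm}, ms_{code})], \qquad
   c = ((\mathrm{rw}, \mathrm{local}), b, b+1, b), \qquad
   ms = [b \mapsto 0, b+1 \mapsto c] \uplus ms_{code}. \]
Claim: $ms :_n W$ for every $n \ge 2$ (smaller $n$ then follow from Lemma 47).

Here $\mathrm{active}(W) = \{0, 1\}$; take the partition $P(0) = [b \mapsto 0, b+1 \mapsto c]$, $P(1) = ms_{code}$,
so $ms = P(0) \uplus P(1)$. For region 1, $(n, ms_{code}) \in H^{sta}\ ms_{code}\ 1\ \hat{W}$ holds for any $\hat{W}$
because $n > 0$. For region 0 we need
\[ (n, P(0)) \in H^{pwl}_{b,b+1}\ 1\ (\xi^{-1}(W)), \quad\text{i.e.}\quad
   (n-1, 0) \in \mathcal{V}(W) \ \wedge\ (n-1, c) \in \mathcal{V}(W). \]
The integer $0$ is in $\mathcal{V}(W)$ by the first clause of $\mathcal{V}$. For $c$, the $\mathrm{rw}$ clause requires
\[ (n-1, (b, b+1)) \in \mathrm{readCondition}(\mathrm{local})(W):\ \text{witness } r = 0 \in \mathrm{localityReg}(\mathrm{local}, W) = \{0, 1\},
   \ [b, b+1] \supseteq [b, b+1],\ W(0) \overset{n-1}{\subset_\sim} \iota^{pwl}_{b,b+1} \text{ (reflexive)}; \]
\[ (n-1, (b, b+1)) \in \mathrm{writeCondition}(\iota^{nwl}, \mathrm{local})(W):\ \text{witness } r = 0,
   \ W(0) \overset{n-2}{\supset_\sim} \iota^{nwl}_{b,b+1} \text{ by Lemma 21, and } W(0) \text{ is address-stratified by Lemma 12}. \]
Hence $(n-1, c) \in \mathcal{V}(W)$ and $ms :_n W$. Note that $c$ points into the very region that stores it;
the step index dropping from $n$ to $n-1$ in $H^{pwl}$ is what keeps this circular check well-founded.

Contrast: with $c_g = ((\mathrm{rw}, \mathrm{global}), b, b+1, b)$ in place of $c$, the only admissible region is
$r \in \mathrm{localityReg}(\mathrm{global}, W) = \mathrm{dom}(\lfloor W \rfloor_{\{perm\}}) = \{1\}$. But
$H^{sta}\ ms_{code}\ 1\ \hat{W}$ contains $(k, ms_{code})$ for every $k > 0$, while $H^{pwl}_{base',end'}\ 1\ \hat{W}$ only
contains segments with domain $[base', end'] \supseteq [b, b+1]$, which $\mathrm{dom}(ms_{code})$ is not. So
$W(1) \overset{n-1}{\subset_\sim} \iota^{pwl}_{base',end'}$ fails for any $n \ge 3$, $(n-1, (b, b+1)) \notin \mathrm{readCondition}(\mathrm{global})(W)$,
and $(n-1, c_g) \notin \mathcal{V}(W)$: a global capability cannot be safe for memory governed only by a
temporary region, the same phenomenon Lemma 48 states for $\mathrm{rwlx}$ and $\mathrm{rwl}$ capabilities.
```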
5.4 Lemmas

5.4.1 Anti-reduction for the observation relation

Lemma 7 (Failing terms are in $\mathcal{O}$ and $\mathcal{E}$). If $(reg, ms \uplus ms_f) \to^* \mathrm{failed}$ for all $ms_f$, then $(n, (reg, ms)) \in \mathcal{O}(W)$ for any $W$.
If $(reg[pc \mapsto w], ms) \to^* \mathrm{failed}$ for all $reg, ms$, then $(n, w) \in \mathcal{E}(W)$ for any $W$.

Proof. Follows from the definitions of $\mathcal{O}(W)$ and $\mathcal{E}(W)$ using an (omitted) determinacy result.
Lemma 8 (Anti-reduction for $\mathcal{O}$).
\[ \forall n, n', i, reg, reg', ms, ms', ms_r, W, W'.\ n' \ge n - i \wedge W' \sqsupseteq^{priv} W \wedge (\forall ms_f.\ (reg, ms \uplus ms_r \uplus ms_f) \to_i (reg', ms' \uplus ms_r \uplus ms_f)) \wedge (n', (reg', ms')) \in \mathcal{O}(W') \Rightarrow (n, (reg, ms \uplus ms_r)) \in \mathcal{O}(W) \]

Proof of Lemma 8. Assume
1. $n' \ge n - i$
2. $W_2 \sqsupseteq^{priv} W_1$
3. $\forall ms_f.\ (reg, ms \uplus ms_r \uplus ms_f) \to_i (reg', ms' \uplus ms_r \uplus ms_f)$
4. $(n', (reg', ms')) \in \mathcal{O}(W_2)$
Show
\[ (n, (reg, ms \uplus ms_r)) \in \mathcal{O}(W_1) \]
To this end let $ms_{frame}$, $m'$ and $j$ be given and assume
\[ (reg, ms \uplus ms_r \uplus ms_{frame}) \to_j (\mathrm{halted}, m') \tag{12} \]
From 3. instantiated with $ms_{frame}$ we know
\[ (reg, ms \uplus ms_r \uplus ms_{frame}) \to_i (reg', ms' \uplus ms_r \uplus ms_{frame}) \tag{13} \]
Using (12) and (13), we get
\[ (reg', ms' \uplus ms_r \uplus ms_{frame}) \to_{j-i} (\mathrm{halted}, m') \]
Using this with 4. and $ms_r \uplus ms_{frame}$ as frame, we get $W_3 \sqsupseteq^{priv} W_2$, $ms''$ and $ms_{rev}$ such that
5. $m' = ms'' \uplus ms_{rev} \uplus (ms_r \uplus ms_{frame})$
6. $ms'' :_{n' - (j-i)} W_3$
Now use $ms_r \uplus ms_{rev}$ as the "revoked" memory, $ms''$ as the memory that satisfies some invariants, and $W_3$ as the desired world; then 5. gives us the split and by downwards closure 6. gives us the desired memory satisfaction.
5.4.2 Standard regions

Lemma 9. For all $W$, $base$, $end$, $n$, $ms$ if
• $ms :_n W$
• $(n, ((perm, g), base, end, a)) \in \mathcal{V}(W)$
• $base \le end$
• $perm \in \{\mathrm{rwlx}, \mathrm{rwx}\}$
then
\[ \exists r, base', end'.\ [base, end] \subseteq [base', end'] \wedge W(r) \overset{n}{=} \iota^{pwl}_{base', end'} \]
Proof of Lemma 9. Assume
1. $(n, ((\mathrm{rwlx}, g), b, e, a)) \in \mathcal{V}(W)$
2. $ms :_n W$
From Assumption 1., we get $r_1, r_2, b_1, b_2, e_1$ and $e_2$ such that
3. $r_1 \in \mathrm{localityReg}(g, W)$
4. $r_2 \in \mathrm{localityReg}(g, W)$
5. $[b, e] \subseteq [b_1, e_1]$
6. $[b, e] \subseteq [b_2, e_2]$
7. $W(r_1) \overset{n}{\subset_\sim} \iota^{pwl}_{b_1, e_1}$
8. $W(r_2) \overset{n}{\supset_\sim} \iota^{pwl}_{b_2, e_2}$
9. $W(r_2)$ is address-stratified.
From Assumption 2., we get a partition $P$ s.t.
\[ ms :_{n,P} W \]
Say $P(r_1) = ms_1$ and $P(r_2) = ms_2$. First, from $(n, ms_1) \in W(r_1).H\ W(r_1).s\ \xi^{-1}(W)$ using , we get $(n, ms_1) \in H^{pwl}_{b_1, e_1}\ 1\ \xi^{-1}(W)$, which means $\mathrm{dom}(ms_1) = [b_1, e_1]$.
Second, we know $(n, [b_2 \mapsto 0, \ldots, e_2 \mapsto 0]) \in H^{pwl}_{b_2, e_2}\ 1\ \xi^{-1}(W)$ and $(n, ms_2) \in W(r_2).H\ W(r_2).s\ \xi^{-1}(W)$, which by Assumptions 8. and 9. means $\mathrm{dom}(ms_2) = [b_2, e_2]$.
Now assume for contradiction $r_1 \ne r_2$; then we have a contradiction with $ms :_{n,P} W$ because $ms_1$ and $ms_2$ are not disjoint (by Assumptions 5. and 6.). So $r_1 = r_2$, which also means $[b_1, e_1] = [b_2, e_2]$, so from Assumption 5.4.2 and 8., we get $W(r_1) \overset{n}{\simeq} \iota^{pwl}_{b_1, e_1}$, which by Lemma 24 means $W(r_1) \overset{n}{=} \iota^{pwl}_{b_1, e_1}$.
Lemma 10. $H^{pwl}_{base, end}\ s$ is monotone w.r.t. $\sqsupseteq^{pub}$ for all $s \in \mathrm{State}$ and $base$ and $end$.

Proof of Lemma 10. Let $\hat{W}' \sqsupseteq^{pub} \hat{W}$ be given and let
\[ (n, ms) \in H^{pwl}_{base, end}\ s\ \hat{W} \tag{14} \]
and show
\[ (n, ms) \in H^{pwl}_{base, end}\ s\ \hat{W}' \]
From (14), we get $\mathrm{dom}(ms) = [base, end]$. Now let $a \in [base, end]$ be given and show
\[ (n-1, ms(a)) \in \mathcal{V}(\xi(\hat{W}')) \]
Now this follows from Lemma 77, $\hat{W}' \sqsupseteq^{pub} \hat{W}$, Theorem 1, and Assumption (14).
Lemma 11. $\iota^{pwl}_{base, end}$ is a region for all $base$ and $end$.

Proof of Lemma 11. Follows from Lemma 10.

Lemma 12. $\iota^{pwl}_{base, end}$ is address-stratified.

Proof. Easy unfolding of definitions.

Lemma 13. $H^{nwl}_{base, end}\ s$ is monotone w.r.t. $\sqsupseteq^{priv}$ for all $s \in \mathrm{State}$ and $base$ and $end$.

Proof of Lemma 13. Let $\hat{W}' \sqsupseteq^{priv} \hat{W}$ be given and let
\[ (n, ms) \in H^{nwl}_{base, end}\ s\ \hat{W} \tag{15} \]
and show
\[ (n, ms) \in H^{nwl}_{base, end}\ s\ \hat{W}' \]
From (15), we get $\mathrm{dom}(ms) = [base, end]$. Now let $a \in [base, end]$ be given and show
1. $ms(a)$ is non-local
2. $(n-1, ms(a)) \in \mathcal{V}(\xi(\hat{W}'))$
1. follows trivially from (15). 2. follows from Assumption (15), 1. (which we just argued), $\hat{W}' \sqsupseteq^{priv} \hat{W}$, Theorem 1, and Lemma 80.

Lemma 14. $\iota^{nwl}_{base, end}$ is a region for all $base$ and $end$.

Proof of Lemma 14. Follows from Lemma 13 and Lemma 71.

Lemma 15. $\iota^{nwl}_{base, end}$ is address-stratified.

Proof. Easy unfolding of definitions.

Lemma 16. $\iota^{nwl,p}_{base, end}$ is a region for all $base$ and $end$.

Proof of Lemma 16. Follows from Lemma 13.

Lemma 17. $\iota^{sta}(v, ms)$ is a region for all $v \in \{\mathrm{perm}, \mathrm{temp}\}$ and $ms$.

Proof of Lemma 17. $H^{sta}$ does not depend on $\hat{W}$, so it is trivial to show the necessary non-expansiveness and monotonicity requirements.

Lemma 18. $H^{sta,u}(ms)\ s$ is monotone w.r.t. $\sqsupseteq^{priv}$ for all $s \in \mathrm{State}$ and $ms$.

Proof of Lemma 18. Let $\hat{W}' \sqsupseteq^{priv} \hat{W}$ be given and let
\[ (n, ms') \in H^{sta,u}(ms)\ s\ \hat{W} \tag{16} \]
and show
\[ (n, ms') \in H^{sta,u}(ms)\ s\ \hat{W}' \]
From (16), we get $ms' = ms$. Now let $a \in \mathrm{dom}(ms)$ be given and show
1. $ms(a)$ is non-local
2. $(n-1, ms(a)) \in \mathcal{V}(\xi(\hat{W}'))$
1. follows trivially from (16). 2. follows from Assumption (16), 1. (which we just argued), $\hat{W}' \sqsupseteq^{priv} \hat{W}$, Theorem 1 and Lemma 80.

Lemma 19. $\iota^{sta,u}(v, ms)$ is a region for all $v \in \{\mathrm{perm}, \mathrm{temp}\}$ and $ms$.

Proof of Lemma 19. Follows from Lemma 18 and Lemma 71.

Lemma 20.
\[ H^{nwl}_{base, end}\ s\ \hat{W} \overset{n}{\subseteq} H^{pwl}_{base, end}\ s\ \hat{W} \]

Proof of Lemma 20. Trivial. Let
\[ (n, ms) \in H^{nwl}_{base, end}\ s\ \hat{W} \]
and show
\[ (n, ms) \in H^{pwl}_{base, end}\ s\ \hat{W} \]
From the assumption, we get $\mathrm{dom}(ms) = [base, end]$. We further need to show
\[ \forall a \in \mathrm{dom}(ms).\ (n-1, ms(a)) \in \mathcal{V}(\xi(\hat{W})) \]
Given $a$, we know from the assumption that
\[ (n-1, ms(a)) \in \mathcal{V}(\xi(\hat{W})) \]

Lemma 21.
\[ \forall n \in \mathbb{N}.\ \forall base, end \in \mathrm{Addr}.\ \iota^{nwl}_{base, end} \overset{n}{\subset_\sim} \iota^{pwl}_{base, end} \]

Proof of Lemma 21. Let $n$, $base$, $end$ be given and show
\[ \iota^{nwl}_{base, end} \overset{n}{\subset_\sim} \iota^{pwl}_{base, end} \]
They agree on the state and transition systems, so given $\hat{W}$ it suffices to show
\[ H^{nwl}_{base, end}\ 1\ \hat{W} \overset{n}{\subseteq} H^{pwl}_{base, end}\ 1\ \hat{W} \]
which is true by Lemma 20.

Lemma 22.
\[ \forall n \in \mathbb{N}.\ \forall base, end \in \mathrm{Addr}.\ \iota^{nwl,p}_{base, end} \overset{n}{\subset_\sim} \iota^{pwl}_{base, end} \]

Proof of Lemma 22. Follows from Lemma 20 (see proof of Lemma 21).
Lemma 23.
\[ \forall n \in \mathbb{N}.\ \forall base, end \in \mathrm{Addr}.\ \forall v \in \{\mathrm{perm}, \mathrm{temp}\}.\ \mathrm{dom}(ms) = [base, end] \Rightarrow \iota^{sta,u}_{base, end}(v, ms) \overset{n}{\subset_\sim} \iota^{pwl}_{base, end} \]

Proof of Lemma 23. Essentially the same as the proof of Lemma 21 and Lemma 20.

Lemma 24.
\[ \forall n \in \mathbb{N}.\ \forall base, end, b \in \mathrm{Addr}.\ \forall \iota \in \mathrm{Region}.\ \iota \overset{n}{\simeq} \iota^{pwl}_{base, end} \wedge base \le end \Rightarrow \iota \overset{n}{=} \iota^{pwl}_{base, end} \]

Proof of Lemma 24. For $n = 0$ it is trivial, so assume $n > 0$. Say $\iota = (v, s, \phi_{pub}, \phi, H)$; then by $\overset{n}{\simeq}$, we know $s = 1$, $\phi_{pub} = \phi = {=}$, and $H = H^{pwl}_{base, end}$. It remains to show that $v = \mathrm{temp}$. To do so, we show that it cannot be the case that $v = \mathrm{perm}$. If $v = \mathrm{perm}$, then $H$ must be monotone with respect to $\sqsupseteq^{priv}$. If we can show that this is not the case, then for $\iota$ to be a region it must be the case that $v \ne \mathrm{perm}$ and thus $v = \mathrm{temp}$.
To this end let $b \notin [base, end]$ and define the worlds:
\[ \xi(W) = [0 \mapsto \iota^{pwl}_{base, end}][1 \mapsto \iota^{pwl}_{b, b}] \qquad\qquad \xi(W') = [0 \mapsto \iota^{pwl}_{base, end}][1 \mapsto \mathrm{revoked}] \]
For these two worlds, we have $\xi(W') \sqsupseteq^{priv} \xi(W)$ and from monotonicity of $\xi^{-1}$, we have $W' \sqsupseteq^{priv} W$.
Now define the following memory segment:
\[ ms = [base \mapsto ((\mathrm{ro}, \mathrm{local}), b, b, b), base + 1 \mapsto 0, \ldots, end \mapsto 0] \]
It is the case that
\[ (n, ms) \in H\ 1\ W \]
but
\[ (n, ms) \notin H\ 1\ W' \]
as it is not the case that
\[ (n-1, ((\mathrm{ro}, \mathrm{local}), b, b, b)) \in \mathcal{V}(\xi(W')). \]
The only other option that remains is $v = \mathrm{temp}$.
5.4.3 Observation relation

Lemma 25 (Observation relation ($\mathcal{O}$) non-expansive).
\[ W \overset{n}{=} W' \Rightarrow \mathcal{O}(W) \overset{n}{=} \mathcal{O}(W') \]

Proof of Lemma 25.
5.4.4 Register-file relation

Lemma 26 (Register-file relation ($\mathcal{R}$) non-expansive).
\[ W \overset{n}{=} W' \Rightarrow \mathcal{R}(W) \overset{n}{=} \mathcal{R}(W') \]

Proof of Lemma 26.

Lemma 27 (Register-file relation ($\mathcal{R}$) monotone w.r.t. $\sqsupseteq^{pub}$).
\[ W' \sqsupseteq^{pub} W \Rightarrow \mathcal{R}(W') \overset{n}{\supseteq} \mathcal{R}(W) \]

Proof of Lemma 27.

5.4.5 Expression relation

Lemma 28 (Expression relation ($\mathcal{E}$) non-expansive).
\[ W \overset{n}{=} W' \Rightarrow \mathcal{E}(W) \overset{n}{=} \mathcal{E}(W') \]

Proof of Lemma 28.

5.4.6 Permission based conditions

Lemma 29. If
\[ (n, (base, end)) \in \mathrm{readCondition}(g)(\mathrm{revokeTemp}(W)) \]
then
\[ (n, (base, end)) \in \mathrm{readCondition}(g)(W) \]

Proof of Lemma 29.
\[ (n, (base, end)) \in \mathrm{readCondition}(g)(\mathrm{revokeTemp}(W)) \]
gives $r \in \mathrm{localityReg}(g, \mathrm{revokeTemp}(W))$ such that
\[ \forall [base', end'] \subseteq [base, end].\ \mathrm{revokeTemp}(W)(r) \overset{n}{\subset_\sim} \iota^{pwl}_{[base', end']} \]
Notice $\mathrm{revokeTemp}(W)(r)$ is a perm region, so $\mathrm{revokeTemp}(W)(r) = W(r)$. Using $r$ as witness, the result is immediate.

Lemma 30. If
\[ (n, (base, end)) \in \mathrm{writeCondition}(\iota, g)(\mathrm{revokeTemp}(W)) \]
then
\[ (n, (base, end)) \in \mathrm{writeCondition}(\iota, g)(W) \]
Proof of Lemma 30.
\[ (n, (base, end)) \in \mathrm{writeCondition}(\iota, g)(\mathrm{revokeTemp}(W)) \]
gives $r \in \mathrm{localityReg}(g, \mathrm{revokeTemp}(W))$ such that
\[ \forall [base', end'] \subseteq [base, end].\ \mathrm{revokeTemp}(W)(r) \overset{n-1}{\supset_\sim} \iota_{[base', end']} \]
and
\[ \mathrm{revokeTemp}(W)(r) \text{ is address-stratified} \]
Notice $\mathrm{revokeTemp}(W)(r)$ is a perm region, so $\mathrm{revokeTemp}(W)(r) = W(r)$. Using $r$ as witness, the result is immediate.

Lemma 31. If
• $(n, (perm, base, end)) \in \mathrm{executeCondition}(g)(\mathrm{revokeTemp}(W))$
then
\[ (n, (perm, base, end)) \in \mathrm{executeCondition}(g)(W) \]

Proof of Lemma 31. Use Lemma 69.

Lemma 32. If
• $(n, (a, base, end)) \in \mathrm{executeCondition}(g)(\mathrm{revokeTemp}(W))$
then
\[ (n, (a, base, end)) \in \mathrm{executeCondition}(g)(W) \]

Proof of Lemma 32. Use Lemma 69.

Lemma 33. If
\[ (n, (base, end)) \in \mathrm{writeCondition}(\iota^{pwl}, \mathrm{local})(W) \]
then
\[ (n, (base, end)) \in \mathrm{writeCondition}(\iota^{nwl}, \mathrm{local})(W) \]

Proof of Lemma 33. Follows from Lemma 22.

Lemma 34 (readCondition monotone w.r.t. $\sqsupseteq^{pub}$). If
• $W' \sqsupseteq^{pub} W$
• $(n, (base, end)) \in \mathrm{readCondition}(g)(W)$
then
\[ (n, (base, end)) \in \mathrm{readCondition}(g)(W') \]

Proof of Lemma 34.
Lemma 35 (readCondition global monotonicity w.r.t. $\sqsupseteq^{priv}$). If
• $W' \sqsupseteq^{priv} W$
• $(n, (base, end)) \in \mathrm{readCondition}(\mathrm{global})(W)$
then
\[ (n, (base, end)) \in \mathrm{readCondition}(\mathrm{global})(W') \]

Proof of Lemma 35. $\mathrm{readCondition}(\mathrm{global})(W)$ picks a perm region from $W$. Perm regions are persistent over $\sqsupseteq^{priv}$, so we can use the region that the assumption gives us.

Lemma 36 (readCondition downwards-closed). If
• $n' \le n$
• $(n, (base, end)) \in \mathrm{readCondition}(g)(W)$
then
\[ (n', (base, end)) \in \mathrm{readCondition}(g)(W) \]

Proof of Lemma 36.

Lemma 37 (writeCondition monotone w.r.t. $\sqsupseteq^{pub}$). If
• $W' \sqsupseteq^{pub} W$
• $\iota \in \{\iota^{pwl}, \iota^{nwl}, \iota^{nwl,p}\}$
• $(n, (base, end)) \in \mathrm{writeCondition}(\iota, g)(W)$
then
\[ (n, (base, end)) \in \mathrm{writeCondition}(\iota, g)(W') \]

Proof of Lemma 37.

Lemma 38 (writeCondition global monotonicity w.r.t. $\sqsupseteq^{priv}$). If
• $W' \sqsupseteq^{priv} W$
• $\iota \in \{\iota^{nwl}, \iota^{nwl,p}\}$
• $(n, (base, end)) \in \mathrm{writeCondition}(\iota, \mathrm{global})(W)$
then
\[ (n, (base, end)) \in \mathrm{writeCondition}(\iota, \mathrm{global})(W') \]

Proof of Lemma 38. $\mathrm{writeCondition}(\iota, \mathrm{global})(W)$ picks a perm region from $W$. Perm regions are persistent over $\sqsupseteq^{priv}$, so we can use the region that the assumption gives us.

Lemma 39 (writeCondition downwards-closed). If
• $n' \le n$
• $\iota \in \{\iota^{pwl}, \iota^{nwl}, \iota^{nwl,p}\}$
• $(n, (base, end)) \in \mathrm{writeCondition}(\iota, g)(W)$
then
\[ (n', (base, end)) \in \mathrm{writeCondition}(\iota, g)(W) \]

Proof of Lemma 39.

Lemma 40 (execCondition monotone w.r.t. $\sqsupseteq^{pub}$). If
• $W' \sqsupseteq^{pub} W$
• $perm \in \{\mathrm{rx}, \mathrm{rwx}, \mathrm{rwlx}\}$
• $(n, (perm, base, end)) \in \mathrm{executeCondition}(g)(W)$
then
\[ (n, (perm, base, end)) \in \mathrm{executeCondition}(\iota, g)(W') \]

Proof of Lemma 40.

Lemma 41 (execCondition global monotonicity w.r.t. $\sqsupseteq^{priv}$). If
• $W' \sqsupseteq^{priv} W$
• $perm \in \{\mathrm{rx}, \mathrm{rwx}\}$
• $(n, (perm, base, end)) \in \mathrm{executeCondition}(\mathrm{global})(W)$
then
\[ (n, (perm, base, end)) \in \mathrm{executeCondition}(\mathrm{global})(W') \]

Proof of Lemma 41. Assume $W_2 \sqsupseteq^{priv} W_1$, $perm \in \{\mathrm{rx}, \mathrm{rwx}\}$ and $(n, (perm, base, end)) \in \mathrm{executeCondition}(\mathrm{global})(W_1)$. Now let $W_3 \sqsupseteq^{priv} W_2$, $a \in [base', end'] \subseteq [base, end]$, and $n' < n$, and show
\[ (n, ((perm, \mathrm{global}), base', end', a)) \in \mathcal{E}(W_3) \]
By transitivity we have $W_3 \sqsupseteq^{priv} W_1$, so the result follows from $(n, (perm, base, end)) \in \mathrm{executeCondition}(\mathrm{global})(W_1)$.

Lemma 42 (execCondition downwards-closed). If
• $n' \le n$
• $perm \in \{\mathrm{rx}, \mathrm{rwx}, \mathrm{rwlx}\}$
• $(n, (perm, base, end)) \in \mathrm{executeCondition}(g)(W)$
then
\[ (n', (perm, base, end)) \in \mathrm{executeCondition}(g)(W) \]

Proof of Lemma 42. Follows easily from the definition.

Lemma 43 (enterCondition monotone w.r.t. $\sqsupseteq^{pub}$). If
• $W' \sqsupseteq^{pub} W$
• $(n, (a, base, end)) \in \mathrm{enterCondition}(g)(W)$
then
\[ (n, (a, base, end)) \in \mathrm{enterCondition}(\iota, g)(W') \]

Proof of Lemma 43. Follows easily from the definition.

Lemma 44 (enterCondition global monotonicity w.r.t. $\sqsupseteq^{priv}$). If
• $W' \sqsupseteq^{priv} W$
• $(n, (a, base, end)) \in \mathrm{enterCondition}(\mathrm{global})(W)$
then
\[ (n, (a, base, end)) \in \mathrm{enterCondition}(\mathrm{global})(W') \]

Proof of Lemma 44. Assume $W_2 \sqsupseteq^{priv} W_1$ and $(n, (a, base, end)) \in \mathrm{enterCondition}(\mathrm{global})(W_1)$. Now let $W_3 \sqsupseteq^{priv} W_2$, $n' < n$, and show
\[ (n, ((\mathrm{rx}, \mathrm{global}), base, end, a)) \in \mathcal{E}(W_3) \]
By transitivity we have $W_3 \sqsupseteq^{priv} W_1$, so the result follows from $(n, (a, base, end)) \in \mathrm{enterCondition}(\mathrm{global})(W_1)$.

Lemma 45 (enterCondition downwards-closed). If
• $n' \le n$
• $(n, (a, base, end)) \in \mathrm{enterCondition}(g)(W)$
then
\[ (n', (a, base, end)) \in \mathrm{enterCondition}(g)(W) \]

Proof of Lemma 45.
5.4.7 LR Sanity lemmas

Lemma 46.
\[ \forall ms, n, W \overset{n}{=} W'.\ ms :_n W \wedge W \overset{n}{=} W' \Rightarrow ms :_n W' \]

Proof of Lemma 46.

Lemma 47 (Heap satisfaction downwards closure).
\[ \forall ms, n' \le n, W.\ ms :_n W \Rightarrow ms :_{n'} W \]

Proof of Lemma 47. Let $ms$, $n' \le n$, and $W$ be given and assume
\[ ms :_n W \]
This assumption gives us $P : \mathrm{active}(W) \to \mathrm{MemSegment}$ such that
1. $ms = \biguplus_{r \in \mathrm{active}(W)} P(r)$
2. $\forall r \in \mathrm{active}(W).\ \exists H, s.\ W(r) = (\_, s, \_, \_, H) \wedge (n, P(r)) \in H(s)(\xi^{-1}(W))$
Using $P$ as witness, 1. is the first condition we need. Now let $r$ be given and use 2. to get $H$ and $s$ such that
3. $W(r) = (\_, s, \_, \_, H)$
4. $(n, P(r)) \in H(s)(\xi^{-1}(W))$
We now need to show
\[ (n', P(r)) \in H(s)(\xi^{-1}(W)) \]
which follows from 4., $n' \le n$, and the fact that $H(s)(\xi^{-1}(W))$ is a $\mathrm{UPred}(\mathrm{MemSegment})$.

Lemma 48. If
• $ms :_n W$
• $(n, ((perm, g), base, end, a)) \in \mathcal{V}(W)$
• $base \le end$
• $perm \in \{\mathrm{rwlx}, \mathrm{rwl}\}$
then
\[ g = \mathrm{local} \]

Proof of Lemma 48. It follows as a consequence of Lemma 9. The n-equality forces the region to be temp, so for the region name to be in $\mathrm{localityReg}(g, W)$, the locality must be local.
5.4.8 Malloc safe to pass to adversary
Lemma 49 (Safe values are safe to invoke.). If $(n+1, w) \in \mathcal{V}(W)$, then $(n, updatePcPerm(w)) \in \mathcal{E}(W)$.
Proof. 1. Case $w = ((perm, g), base, end, a)$ and $base \le a \le end$ and $perm \in \{rx, rwx, rwlx\}$:
1.1. (n+ 1, (perm, base, end)) ∈ executeCondition(g)(W ).
By: definition of V(W ) using the fact that perm ∈ {rx,rwx,rwlx}.
1.2. (n, ((perm , g), base, end , a)) ∈ E(W ): By definition of executeCondition using the fact
that base ≤ a ≤ end .
2. Case w = ((perm , g), base, end , a) and base ≤ a ≤ end and perm = e:
2.1. (n+ 1, (base, end , a)) ∈ enterCondition(g)(W ).
By: definition of V(W ) using the fact that perm = e.
2.2. (n, ((rx, g), base, end , a)) ∈ E(W ): By definition of enterCondition using the fact that
base ≤ a ≤ end .
2.3. updatePcPerm(w) = ((rx, g), base , end , a):
By definition of updatePcPerm(·)
3. Otherwise: (n, updatePcPerm(w)) ∈ E(W ):
By Lemma 7.
Lemma 50 (Malloc is safe to pass to adversary). For $c_{malloc}$ that satisfies the specification for malloc with region $\iota_{malloc,0}$, if $W(r) \sqsupseteq_{priv} \iota_{malloc,0}$, then $(n, c_{malloc}) \in \mathcal{V}(W)$ for all n.
Proof. 1. cmalloc = ((e,global), base, end , a).
By: the malloc specification (Specification 1).
2. Suffices: (n, (base, end , a)) ∈ enterCondition(global)(W ).
By definition of V(W ).
3. Assume: n′ < n, W ′ ⊒priv W .
Suffices: (n′, ((rx,global), base, end , a)) ∈ E(W ′).
By: definition of the enterCondition
4. Assume: n′′ ≤ n′, (n′′, reg) ∈ R(W ′), ms :n′′ W ′
Suffices: (n′′, (reg [pc 7→ ((rx,global), base, end , a)],ms)) ∈ O(W ′)
By: definition of E(W ′)
5. Assume: $i < n''$, $(reg[pc \mapsto ((rx, global), base, end, a)], ms \uplus ms_f) \to_i (halted, mem')$
Suffices: $\exists W'' \sqsupseteq_{priv} W', ms_r, ms'.\; mem' = ms' \uplus ms_r \uplus ms_f$ and $ms' :_{n''-i} W''$
By: definition of $\mathcal{O}(W')$
6. $W'(r) \sqsupseteq_{priv} \iota_{malloc,0}$
Easy from: $W' \sqsupseteq_{priv} W$ and $W(r) \sqsupseteq_{priv} \iota_{malloc,0}$ using transitivity of $\sqsupseteq_{priv}$.
7. $\exists P : active(W') \to MemSegment.\; ms :_{n'',P} W'$, i.e. $ms = \biguplus_{r \in active(W')} P(r)$ and $\forall r \in active(W').\; \exists H, s.\; W'(r) = (\_, s, \_, \_, H)$ and $(n'', P(r)) \in H(s)(\xi^{-1}(W'))$
By: definition of $ms :_{n''} W'$.
8. Define $ms_{frame} = \left(\biguplus_{r' \in active(W'), r' \neq r} P(r')\right) \uplus ms_f$. Then $ms \uplus ms_f = P(r) \uplus ms_{frame}$ and $(n'', P(r)) \in W'(r).H\,(W'(r).s)\,(\xi^{-1}(W'))$. Easy from the previous point.
9. (n′′, P (r)) ∈W ′(r).H (W ′(r).s) (ξ−1([r 7→W ′(r)])), i.e. P (r) :n′′ [r 7→W ′(r)].
By: the malloc specification (Specification 1) from the previous point.
10. Case: reg(r1) ∈ Z and reg(r1) ≥ 0
10.1. Define size = reg(r1)
10.2. $\exists \Phi' \in ExecConf, ms'_{footprint}, ms_{alloc} \in MemSegment, j \in \mathbb{N}, j > 0 \wedge b', e' \in Addr, \iota'_{malloc} \in Region.\; (reg[pc \mapsto ((rx, global), base, end, a)], ms \uplus ms_f) \to_j \Phi'$ and $\Phi'.mem = ms'_{footprint} \uplus ms_{alloc} \uplus ms_{frame}$ and $\iota'_{malloc} \sqsupseteq_{pub} W'(r)$ and $ms'_{footprint} :_{n''-j} [r \mapsto \iota'_{malloc}]$ and $dom(ms_{alloc}) = [b', e']$ and $\forall a \in [b', e'].\; ms_{alloc}(a) = 0$ and $\Phi'.reg = \Phi.reg[pc \mapsto updatePcPerm(w_{ret})][r_1 \mapsto ((rwx, global), b', e', b')]$ and $size - 1 = e' - b'$, with $w_{ret} = \Phi.reg(r_1)$.
By: the malloc specification (Specification 1).
10.3. Define $W'' = W'[r \mapsto \iota'_{malloc}][i \mapsto \iota^{nwl}_{b',e'}]$ for $i \notin dom(W')$. We have that $W'' \sqsupseteq_{pub} [r \mapsto \iota'_{malloc}]$ and $W'' \sqsupseteq_{pub} W'$.
By: definition of $\sqsupseteq_{pub}$, using the fact that $\iota'_{malloc} \sqsupseteq_{pub} W'(r)$.
10.4. $(n''', (base', end')) \in readCondition(global)(W'')$ for all $n'''$:
By: definition of readCondition, using the region $W''(i)$ and Lemma 21.
10.5. $(n''', (base', end')) \in writeCondition(\iota^{nwl}, global)(W'')$ for all $n'''$:
By: definition of writeCondition, using the region $W''(i)$.
10.6. $(n''', (p, base', end')) \in executeCondition(\iota^{nwl}, global)(W'')$ for all $n''', p \in \{rwx, rx\}$:
By: the definition of executeCondition, the FTLR (Theorem 2) using Lemmas 38, 35 and the previous two points.
10.7. (n′′, ((rwx,global), b′, e′, b′)) ∈ V(W ′′):
By: definition of V(W ′′) and the above three points.
10.8. (n′′ − j,Φ.reg[r1 7→ ((rwx,global), b′, e′, b′)]) ∈ R(W ′′):
By Lemma 76, Lemma 27 using the fact that W ′′ ⊒pub W ′ and (n′′,Φ.reg) ∈ V(W ′),
together with the previous point.
10.9. $(n''', ms_{alloc}) \in \iota^{nwl}_{b',e'}.H\;\iota^{nwl}_{b',e'}.s\;W''$ for any $n'''$:
By definition of $\iota^{nwl}$, $H^{nwl}$ and $\mathcal{V}(\cdot)$ and the facts that $dom(ms_{alloc}) = [b', e']$ and $\forall a \in [b', e'].\; ms_{alloc}(a) = 0$.
10.10. Define $ms' = \left(\biguplus_{r' \in active(W'), r' \neq r} P(r')\right) \uplus ms'_{footprint} \uplus ms_{alloc}$. Then $\Phi'.mem = ms' \uplus ms_f$ and $ms' :_{n''-j} W''$:
By the facts that $\Phi'.mem = ms'_{footprint} \uplus ms_{alloc} \uplus ms_{frame}$, $ms_{frame} = \left(\biguplus_{r' \in active(W'), r' \neq r} P(r')\right) \uplus ms_f$, the previous point, the facts that $ms'_{footprint} :_{n''-j} [r \mapsto \iota'_{malloc}]$ and $W'' \sqsupseteq_{pub} [r \mapsto \iota'_{malloc}]$, the facts that $(\forall r \in active(W').\; \exists H, s.\; W'(r) = (\_, s, \_, \_, H)$ and $(n'', P(r)) \in H(s)(\xi^{-1}(W')))$ and $W'' \sqsupseteq_{pub} W'$ and the public monotonicity and downwards closedness of all regions, and finally the definition of $W''$.
10.11. (n′′ − j + 1, wret) ∈ V(W ′′):
By Lemma 77, the fact that W ′′ ⊒pub W ′, Lemma 75, and the fact that (n′′, wret) ∈
V(W ′), which follows from wret = Φ.reg(r1) and (n′′, reg) ∈ R(W ′).
10.12. (n′′ − j, updatePcPerm(wret )) ∈ E(W ′′):
By Lemma 49 from the previous point.
10.13. (n′′ − j, (Φ.reg[r1 7→ ((rwx,global), b′, e′, b′)][pc 7→ updatePcPerm(wret )],ms ′)) ∈ O(W ′′):
By: definition of E(W ′′), using the previous point and the facts that
(n′′ − j,Φ.reg[r1 7→ ((rwx,global), b′, e′, b′)]) ∈ R(W ′′), ms ′ :n′′−j W ′′
10.14. i > j and Φ′ →i−j (halted,mem ′).
By combining (reg [pc 7→ ((rx,global), base, end , a)],ms ⊎ msf ) →i (halted,mem ′)
with (reg [pc 7→ ((rx,global), base, end , a)],ms ⊎msf )→j Φ′ using Lemma 1.
10.15. ∃W ′′′ ⊒priv W ′′,msr,ms ′′. mem ′ = ms ′′ ⊎msr ⊎msf and ms ′′ :n−i W ′′′.
By: definition of O(W ′′′) from the two previous points.
10.16. W ′′′ ⊒priv W ′:
By Lemma 72, using the previous point and the fact that W ′′ ⊒pub W ′.
11. Case: reg(r1) 6∈ Z ∨ reg(r1) < 0
11.1. ∃j. (reg [pc 7→ ((rx,global), base, end , a)],ms ⊎msf )→j failed
By: the malloc specification (Specification 1).
11.2. Contradiction with (reg [pc 7→ ((rx,global), base, end , a)],ms⊎msf )→i (halted,mem ′)
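The malloc behaviour that steps 10.2 and 11.1 of this proof rely on, modelled as an added Python example. This is not code from the paper, and Specification 1 itself is not reproduced on this page, so the allocation policy (fresh addresses above the highest address already in memory), the register conventions and the names `malloc_spec`, `check_malloc_postcondition` and `update_pc_perm` are assumptions. The model also implements the `updatePcPerm` case split used in Lemma 49 and step 11.4.1 of Theorem 2, and a checker for the facts the proof extracts: a fresh, zero-filled segment [b′, e′] with e′ − b′ = size − 1, an rwx global capability pointing at b′, an untouched frame, a pc equal to `updatePcPerm(wret)`, and a failed execution for a negative or non-integer request.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple, Union


@dataclass(frozen=True)
class Cap:
    """A capability word ((perm, g), base, end, a) as written on the page."""
    perm: str    # one of o, ro, rw, rwl, rx, rwx, rwlx, e
    g: str       # "global" or "local"
    base: int
    end: int
    a: int


Word = Union[int, Cap]
Memory = Dict[int, Word]


def within_bounds(c: Cap) -> bool:
    return c.base <= c.a <= c.end


def update_pc_perm(w: Word) -> Word:
    # updatePcPerm(.) as used in Lemma 49 and step 11.4.1 of Theorem 2:
    # an enter capability becomes an rx capability with the same range and
    # address; every other word is returned unchanged.
    if isinstance(w, Cap) and w.perm == "e":
        return Cap("rx", w.g, w.base, w.end, w.a)
    return w


def malloc_spec(size_word: Word, w_ret: Word, mem: Memory) -> Optional[Tuple[Memory, Cap, Word]]:
    """Model (assumption) of a malloc meeting the conditions Lemma 50's proof uses.

    Returns None when the request is not a non-negative integer (the failing
    case of step 11); otherwise returns the new memory, the capability placed
    in r1 and the new pc. Fresh addresses are taken above the highest address
    currently in memory, which keeps the caller's frame disjoint.
    """
    if isinstance(size_word, bool) or not isinstance(size_word, int) or size_word < 0:
        return None
    b = (max(mem) + 1) if mem else 0
    e = b + size_word - 1                 # size - 1 = e' - b', as in step 10.2
    new_mem = dict(mem)
    for addr in range(b, e + 1):
        new_mem[addr] = 0                 # the fresh segment is zero-filled
    return new_mem, Cap("rwx", "global", b, e, b), update_pc_perm(w_ret)


def check_malloc_postcondition(mem_before: Memory, size: int, result, w_ret: Word) -> bool:
    """The facts step 10.2 extracts from Specification 1, checked on a result."""
    new_mem, cap, pc = result
    alloc = {a: v for a, v in new_mem.items() if a not in mem_before}
    return (
        cap.perm == "rwx" and cap.g == "global" and cap.a == cap.base
        and cap.end - cap.base == size - 1
        and set(alloc) == set(range(cap.base, cap.end + 1))
        and all(v == 0 for v in alloc.values())
        and all(new_mem[a] == v for a, v in mem_before.items())   # frame untouched
        and pc == update_pc_perm(w_ret)
    )


def demo() -> bool:
    # Constructed sample state: two words of existing memory and an enter
    # capability as the return word, as an adversary might pass it.
    mem = {0: 7, 1: Cap("e", "global", 0, 1, 0)}
    w_ret = Cap("e", "global", 10, 20, 12)
    result = malloc_spec(4, w_ret, mem)
    return result is not None and check_malloc_postcondition(mem, 4, result, w_ret)


if __name__ == "__main__":
    print("malloc postcondition holds:", demo())
```

The checker is the part a practitioner would keep: it states, as executable predicates, exactly what the proof assumes of the allocator, so a concrete malloc implementation can be tested against the same obligations the logical relation discharges.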
5.4.9 Fundamental theorem of logical relations
Lemma 51 (Conditions for load instruction are sufficient). If
• Φ.mem :n W
• c = ((perm , g), base , end , a)
• (n, c) ∈ V(W )
• readAllowed(perm)
• withinBounds(c)
then (n− 1,Φ.mem(a)) ∈ V(W ) 
Proof. 1. $(n, (base, end)) \in readCondition(g)(W)$: follows by definition of $\mathcal{V}(\cdot)$ from $(n, c) \in \mathcal{V}(W)$.
2. $\exists r \in localityReg(g, W), [base', end'] \supseteq [base, end].\; W(r) \overset{n}{\subset_\sim} \iota^{pwl}_{base',end'}$. By definition of $readCondition(g)(W)$.
3. $\exists P : active(W) \to MemSegment.\; \Phi.mem :_{n,P} W$. By definition of $\Phi.mem :_n W$.
4. $\Phi.mem = \biguplus_{r \in active(W)} P(r)$ and $\forall r \in active(W), \exists H, s.\; W(r) = (\_, s, \_, \_, H)$ and $(n, P(r)) \in H(s)(\xi^{-1}(W))$. By definition of $\Phi.mem :_{n,P} W$.
5. $r \in localityReg(g, W) \subseteq active(W)$. By definition of $localityReg(\cdot)$ and $active(\cdot)$.
6. $\exists H, s.\; W(r) = (\_, s, \_, \_, H)$ and $(n, P(r)) \in H(s)(\xi^{-1}(W))$. By specializing the result from Step 4. to the r from Step 2.
7. $(n, P(r)) \in H^{pwl}_{base',end'}(s)(\xi^{-1}(W))$. Follows by combining $(n, P(r)) \in H(s)(\xi^{-1}(W))$ with $W(r) \overset{n}{\subset_\sim} \iota^{pwl}_{base',end'}$ from Step 2.
8. $dom(P(r)) = [base', end']$ and for all $a' \in [base', end']$. $(n-1, P(r)(a')) \in \mathcal{V}(\xi(\xi^{-1}(W)))$. By definition of $H^{pwl}_{base',end'}$.
9. $a \in [base, end] \subseteq [base', end']$. By combining $withinBounds(c)$ with the fact that $[base', end'] \supseteq [base, end]$ from Step 2.
10. In particular, we get: $\Phi.mem(a) = P(r)(a)$ and $(n-1, P(r)(a)) \in \mathcal{V}(W)$.
Lemma 52 (Conditions for lea instruction are sufficient). If
• (n, ((perm , g), base, end , a)) ∈ V(W )
• perm 6= e
then (n, ((perm, g), base , end , a′)) ∈ V(W ) 
Proof. Follows by inspection of the cases in the definition of V(W ): a is ignored in all cases
except where perm = e.
Lemma 53 (pwl writecond implies nwl). If $(n, (base, end)) \in writeCondition(\iota^{pwl}, g)(W)$ then $(n, (base, end)) \in writeCondition(\iota^{nwl}, g)(W)$.
Proof. 1. $\exists r \in localityReg(g, W).\; \exists [base', end'] \supseteq [base, end].\; W(r) \overset{n-1}{\supset_\sim} \iota^{pwl}_{base',end'}$ and $W(r)$ is address-stratified: by definition of writeCondition.
2. Suffices: $W(r) \overset{n-1}{\supset_\sim} \iota^{nwl}_{base',end'}$. By definition of writeCondition.
3. $W(r) \overset{n-1}{\supset_\sim} \iota^{pwl}_{base',end'} \overset{n-1}{\supset_\sim} \iota^{nwl}_{base',end'}$: follows by Lemma 21.
Lemma 54 (execCond implies entryCond). If (n, (rx, base, end)) ∈ executeCondition(g)(W )
then (n, (base, end , a)) ∈ enterCondition(g)(W ). 
Proof. 1. Assume: n′ < n, W ′ ⊒W where g = local⇒ ⊒ = ⊒pub and g = global⇒ ⊒ =
⊒priv
Suffices: (n′, ((rx, g), base , end , a)) ∈ E(W ′)
2. Case a ∈ [base, end ]: Follows from the definition of executeCondition .
3. Case a 6∈ [base, end ]: Follows by Lemma 7.
Lemma 55 (Conditions for restrict instruction are sufficient). If
• (n, ((perm , g), base, end , a)) ∈ V(W )
• (perm ′, g ′) ⊑ (perm , g)
then (n, ((perm ′, g ′), base, end , a)) ∈ V(W ) 
Proof. By inspection of the definition of V(W ), everything follows trivially except the following.
1. If (n, (base, end)) ∈ writeCondition(ιpwl , g)(W ) then (n, (base, end)) ∈ writeCondition(ιnwl , g)(W ): holds by Lemma 53.
2. If (n, (rx, base, end)) ∈ executeCondition(g)(W ) then (n, (base, end , a)) ∈ enterCondition(g)(W ).
Lemma 56 (Conditions for subseg instruction are sufficient). If
• (n, ((perm , g), base, end , a)) ∈ V(W )
• base ≤ base ′
• end ′ ≤ end
• perm 6= e
then
$(n, ((perm, g), base', end', a)) \in \mathcal{V}(W)$
Proof. Follows easily from the definitions of V(W ), readCondition , writeCondition , executeCondition .
Lemma 57 (Conditions for store instruction are sufficient). If
• ms = ms ′ ⊎msf
• ms ′ :n W
• ((perm , g), base, end , a) = c
• (n, c) ∈ V(W )
• writeAllowed(perm)
• withinBounds(c)
• (n,w) ∈ V(W )
• if w = (( , local), , , ), then perm ∈ {rwlx,rwl}
then a ∈ dom(ms ′) (i.e. ms [a 7→ w] = ms ′[a 7→ w] ⊎msf ) and ms ′[a 7→ w ] :n W 
Proof. 1. (n, (base, end)) ∈ writeCondition(ι, g)(W ) where ι = ιpwl or ι = ιnwl and (if w =
(( , local), , , ), then ι = ιpwl ).
By definition of V(W ) and writeAllowed , from (n, c) ∈ V(W ), ((perm , g), base, end , a) =
c and writeAllowed(perm) and the fact that (if w = (( , local), , , ), then perm ∈
{rwlx,rwl})
2. $\exists r \in localityReg(g, W).\; \exists [base', end'] \supseteq [base, end].\; W(r) \overset{n-1}{\supset_\sim} \iota_{base',end'}$ and $W(r)$ is address-stratified. By definition of writeCondition.
3. $\exists P : active(W) \to MemSegment.\; ms' :_{n,P} W$. By definition of $ms' :_n W$.
4. $ms' = \biguplus_{r \in active(W)} P(r)$ and $\forall r \in active(W).\; \exists H, s.\; W(r) = (\_, s, \_, \_, H)$ and $(n, P(r)) \in H(s)(\xi^{-1}(W))$. By definition of $ms' :_{n,P} W$.
5. $\exists H, s.\; W(r) = (\_, s, \_, \_, H)$ and $(n, P(r)) \in H(s)(\xi^{-1}(W))$. By instantiating the previous point to the r from the writeCondition.
6. $(n, w) \in \iota.H\,(\iota.s)\,(\xi^{-1}(W))$ by definition of $\iota^{pwl}$, $\iota^{nwl}$ and the fact that (if $w = ((\_, local), \_, \_, \_)$, then $\iota = \iota^{pwl}$).
7. Define $ms'_w$ such that $dom(ms'_w) = [base', end']$, $ms'_w(a) = w$ and $ms'_w(a') = 0$ for $a' \neq a$. It is easy to show from the previous point that $(n, ms'_w) \in H(s)(\xi^{-1}(W))$.
8. $dom(P(r)) = dom(ms'_w) = [base', end'] \ni a$ and $(n, P(r)[a \mapsto w]) \in H(s)(\xi^{-1}(W))$ by applying the fact that $W(r)$ is address-stratified, combined with the previous point.
9. Define $P'(r) = P(r)[a \mapsto w]$ and $P'(r') = P(r')$ for $r' \neq r$.
10. $ms'[a \mapsto w] = \biguplus_{r \in active(W)} P'(r)$ and $ms'[a \mapsto w] :_{n,P'} W$. By definition of $ms' :_{n,P} W$ and the previous two points.
Theorem 2 (Fundamental theorem of logical relations). For all $n, perm, base, end, a, g, W$. If one of the following holds:
• $perm = rx \wedge (n, (base, end)) \in readCondition(g)(W)$
• $perm = rwx \wedge (n, (base, end)) \in readCondition(g)(W) \wedge (n, (base, end)) \in writeCondition(\iota^{nwl}, g)(W)$
• $perm = rwlx \wedge (n, (base, end)) \in readCondition(g)(W) \wedge (n, (base, end)) \in writeCondition(\iota^{pwl}, g)(W)$,
then
$(n, ((perm, g), base, end, a)) \in \mathcal{E}(W)$

Proof. 1. By induction on n. In other words, assume that the theorem already holds for all
n′ < n.
2. Assume: n′ ≤ n, (n′, reg) ∈ R(W ), ms :n′ W .
Suffices: (n′, (reg[pc 7→ ((perm , g), base , end , a)],ms)) ∈ O(W ).
By: definition of E(W ).
3. Assume: $ms_f$, $mem'$, $i \le n'$, $\Phi = (reg[pc \mapsto ((perm, g), base, end, a)], ms \uplus ms_f)$ and $\Phi \to_i (halted, mem')$,
Suffices: $\exists W' \sqsupseteq_{priv} W, ms_r, ms'.\; mem' = ms' \uplus ms_r \uplus ms_f$ and $ms' :_{n'-i} W'$
By: definition of $\mathcal{O}(W)$
4. $i \neq 0$, since $(reg[pc \mapsto ((perm, g), base, end, a)], ms \uplus ms_f) \neq (halted, mem')$ for any $mem'$. Therefore, assume w.l.o.g. that $i = 1 + i'$,
$\Phi \to conf' \to_{i'} (halted, mem')$
5. n ≥ n′ > 0, since otherwise i = 0 (because i ≤ n′ ≤ n) and this is impossible by the
previous point.
6. (n′,Φ.reg(pc)) ∈ V(W ). Proof:
6.1. Assume: perm ′ ∈ {rx,rwx,rwlx} with perm ′ ⊑ perm
Suffices: (n′, (perm ′, base, end)) ∈ executeCondition(g)(W )
By: the definition of V(·) using the assumptions
6.2. Assume: n′′ < n′, W ′⊒W , a′ ∈ [base, end ], g = local⇒ ⊒ = ⊒pub , g = global⇒
⊒ = ⊒priv .
Suffices: (n′′, ((perm , g), base , end , a′)) ∈ E(W ′). By: definition of executeCondition(g)(W )
6.3. By induction, using the assumptions and Lemmas 36 and 39.
7. For all r ∈ RegisterName, (n′,Φ.reg(r)) ∈ V(W ).
7.1. Case r 6= pc: follows from (n′, reg) ∈ R(W ) by definition of R(W ).
7.2. Case r = pc: by step 6..
8. By inspection of the definitions of Φ→ conf ′ and Jdecode(Φ.mem(a))K and updatePcPerm(·)
and updatePc(·), it is easy to see that one of the following cases must hold:
9. Case conf ′ = failed: contradiction, since it is not possible that failed→i′ (halted,mem ′).
10. Case conf ′ = (halted,mem):
10.1. Then i′ = 0 and mem ′ = mem
Follows from (halted,mem)→i′ (halted,mem)
10.2. For W ′ = W , msr = ∅ and ms ′ = ms, we have that mem = ms ′ ⊎ msr ⊎ msf and
ms ′ :n′−1 W
′ (using Lemma 47).
11. Case $conf' = \Phi''[reg.pc \mapsto newPc]$, and additionally, one of the following holds:
• $\Phi''.mem = \Phi.mem$
• $\Phi''.mem = \Phi.mem[a' \mapsto w]$, with $\Phi.reg(r_1) = ((perm', g'), base', end', a') = c$ and $writeAllowed(perm')$ and $withinBounds(c)$ and $w = \Phi.reg(r_2)$ and if $w = ((\_, local), \_, \_, \_)$, then $perm' \in \{rwlx, rwl\}$
and also one of the following holds:
• $newPc = updatePcPerm(\Phi.reg(lv))$
• $newPc = ((perm', g'), base', end', a' + 1)$ and $\Phi.reg(pc) = ((perm', g'), base', end', a')$
and finally, for all $r \in RegisterName$, one of the following holds:
• $\Phi''.reg(r) = \Phi.reg(r)$
• $\Phi''.reg(r) = z$ for some $z \in \mathbb{Z}$
• $\Phi''.reg(r) = w$ and $\Phi.reg(r_2) = ((perm', g'), base', end', a') = c$ and $readAllowed(perm')$ and $withinBounds(c)$ and $w = \Phi.mem(a')$
• $\Phi''.reg(r) = c$ and $\Phi.reg(r_1) = ((perm', g'), base', end', a')$ and $perm' \neq e$ and $c = ((perm', g'), base', end', a' + z)$ for some $z \in \mathbb{Z}$
• $\Phi''.reg(r) = c$ and $\Phi.reg(r) = ((perm', g'), base', end', a')$ and $(perm'', g'') \sqsubseteq (perm', g')$ and $c = ((perm'', g''), base', end', a')$
• $\Phi''.reg(r) = c$ and $\Phi.reg(r) = ((perm', g'), base', end', a')$ and $base' \le base''$ and $end'' \le end'$ and $c = ((perm', g'), base'', end'', a')$ and $perm' \neq e$
In this case, we have:
11.1. Φ′′.mem = ms ′′ ⊎msf and ms ′′ :n′−1 W .
11.1.1. Case Φ′′.mem = Φ.mem: Then Φ′′.mem = ms ⊎msf and ms :n′−1 W follows by
Lemma 47.
11.1.2. Case $\Phi''.mem = \Phi.mem[a' \mapsto w]$, with $\Phi.reg(r_1) = ((perm', g'), base', end', a') = c$ and $writeAllowed(perm')$ and $withinBounds(c)$ and $w = \Phi.reg(r_2)$ and if $w = ((\_, local), \_, \_, \_)$, then $perm' \in \{rwlx, rwl\}$.
The facts that $\Phi''.mem = ms'' \uplus ms_f$ and $ms'' :_{n'-1} W$ follow by Lemmas 57 and 47 using the fact that $ms :_{n'} W$ and $(n', \Phi.reg(r_1)) \in \mathcal{V}(W)$ and $(n', \Phi.reg(r_2)) \in \mathcal{V}(W)$ which follows from Step 7.
11.2. For all r ∈ RegisterName, (n′ − 1,Φ′′.reg(r)) ∈ V(W ).
11.2.1. Case Φ′′.reg(r) = Φ.reg(r): (n′ − 1,Φ′′.reg(r)) ∈ V(W ) follows from Step 7. using
Lemma 75.
11.2.2. Φ′′.reg(r) = z for some z ∈ Z. (n′ − 1,Φ′′.reg(r)) ∈ V(W ) follows by definition of
V(·)
11.2.3. $\Phi''.reg(r) = w$ and $\Phi.reg(r_2) = ((perm', g'), base', end', a') = c$ and $readAllowed(perm')$ and $withinBounds(c)$ and $w = \Phi.mem(a')$:
$(n'-1, \Phi''.reg(r)) \in \mathcal{V}(W)$ follows by Lemma 51 using the fact that $\Phi.mem :_{n'} W$ and $(n', \Phi.reg(r_2)) \in \mathcal{V}(W)$ which we have from Step 7.
11.2.4. $\Phi''.reg(r) = c$ and $\Phi.reg(r_1) = ((perm', g'), base', end', a')$ and $perm' \neq e$ and $c = ((perm', g'), base', end', a' + z)$ for some $z \in \mathbb{Z}$:
$(n'-1, \Phi''.reg(r)) \in \mathcal{V}(W)$ follows by Lemmas 52 and 75 using the fact that $(n', \Phi.reg(r_1)) \in \mathcal{V}(W)$ which we have from Step 7.
11.2.5. Φ′′.reg(r) = c and Φ.reg(r) = ((perm ′, g ′), base ′, end ′, a′) and (perm ′′, g ′′) ⊑
(perm ′, g ′) and c = ((perm ′′, g ′′), base ′, end ′, a′):
(n′ − 1,Φ′′.reg(r)) ∈ V(W ) follows by Lemmas 55 and 75 using the fact that
(n′,Φ.reg(r)) ∈ V(W ) which follows from (n′,Φ.reg) ∈ R(W ) by definition.
11.2.6. Φ′′.reg(r) = c and Φ.reg(r) = ((perm ′, g ′), base ′, end ′, a′) and base ′ ≤ base ′′ and
end ′′ ≤ end ′ and c = ((perm ′, g ′), base ′′, end ′′, a′) and perm ′ 6= e:
(n′ − 1,Φ′′.reg(r)) ∈ V(W ) follows by Lemmas 56 and 75 using the fact that
(n′,Φ.reg(r)) ∈ V(W ) which follows from (n′,Φ.reg) ∈ R(W ) by definition.
11.3. (n′ − 1,Φ′′.reg) ∈ R(W ): Follows from the previous point by definition of R(W ).
11.4. (n′ − 1, newPc) ∈ E(W ):
11.4.1. Case newPc = updatePcPerm(Φ.reg(lv )): We distinguish the following cases:
11.4.1.1. Case Φ.reg(lv) = ((e, g ′), base ′, end ′, a′):
11.4.1.1.1. (n′,Φ.reg(lv )) ∈ V(W ). Follows from Step 7..
11.4.1.1.2. $(n', (base', end', addr')) \in enterCondition(g')(W)$. By definition of $\mathcal{V}(W)$ from the previous point.
11.4.1.1.3. $(n'-1, ((rx, g'), base', end', a')) \in \mathcal{E}(W)$: By definition of $enterCondition(\cdot)$ and taking $n' = n'-1$ and $W' = W$
11.4.1.1.4. updatePcPerm(Φ.reg(lv)) = ((rx, g ′), base ′, end ′, a′): by definition of updatePcPerm(·).
11.4.1.2. Case Φ.reg(lv) = ((perm ′, g ′), base ′, end ′, a′) with perm ′ ∈ {rx,rwx,rwlx}
and withinBounds(Φ.reg(lv)):
11.4.1.2.1. (n′,Φ.reg(lv )) ∈ V(W ). Follows from Step 7..
11.4.1.2.2. $(n', (perm', base', end', a')) \in executeCondition(g')(W)$. By definition of $\mathcal{V}(W)$ from the previous point.
11.4.1.2.3. $(n'-1, ((perm', g'), base', end', a')) \in \mathcal{E}(W)$: By definition of $executeCondition(\cdot)$, taking $n' = n'-1$, $W' = W$ and $a = a'$. Note that $a' \in [base', end']$ because we have $withinBounds(\Phi.reg(lv))$.
11.4.1.2.4. updatePcPerm(Φ.reg(lv)) = ((perm ′, g ′), base ′, end ′, a′): by definition of
updatePcPerm(·).
11.4.1.3. Case not (Φ.reg(lv ) = ((e, g ′), base ′, end ′, a′)) and not (Φ.reg(lv) = ((perm ′, g ′), base ′, end ′, a′)
with perm ′ ∈ {rx,rwx,rwlx} and withinBounds(Φ.reg(lv ))):
11.4.1.3.1. updatePcPerm(Φ.reg(lv)) = Φ.reg(lv): by definition of updatePcPerm(·).
11.4.1.3.2. (reg[pc 7→ Φ.reg(lv)],ms) → failed for any reg,ms : by definition of the
evaluation relation.
11.4.1.3.3. (n′ − 1, newPc) ∈ E(W ): by Lemma 7 using the previous point.
11.4.2. Case newPc = ((perm ′, g ′), base ′, end ′, a′+1) and Φ′′.reg(pc) = ((perm ′, g ′), base ′, end ′, a′):
11.4.2.1. Case perm ′ ∈ {rx,rwx,rwlx} and base ′ ≤ a′ + 1 ≤ end ′:
11.4.2.1.1. (n′ − 1,Φ′′.reg(pc)) ∈ V(W ): by Step 11.2..
11.4.2.1.2. $(n'-1, ((perm', g'), base', end', a'+1)) \in \mathcal{V}(W)$: by Lemma 52 from the previous point.
11.4.2.1.3. One of the following holds:
• $perm' = rx \wedge (n'-1, (base', end')) \in readCondition(g)(W)$
• $perm' = rwx \wedge (n'-1, (base', end')) \in readCondition(g)(W) \wedge (n'-1, (base', end')) \in writeCondition(\iota^{nwl}, g)(W)$
• $perm' = rwlx \wedge (n'-1, (base', end')) \in readCondition(g)(W) \wedge (n'-1, (base', end')) \in writeCondition(\iota^{pwl}, g)(W)$,
This follows from the previous point by definition of $\mathcal{V}(W)$
11.4.2.1.4. $(n'-1, ((perm', g'), base', end', a'+1)) \in \mathcal{E}(W)$: By the induction hypothesis of this lemma using the previous point.
11.4.2.2. Case not (perm ′ ∈ {rx,rwx,rwlx} and base ′ ≤ a′ + 1 ≤ end ′): The result
follows by Lemma 7.
11.5. (n′ − 1, (Φ′′.reg[pc 7→ newPc],ms ′′)) ∈ O(W ): by definition of E(W ) using the above
three points.
11.6. ∃W ′ ⊒priv W , msr, ms ′. mem = ms ′ ⊎msr ⊎msf and ms ′ :n′−i W ′
By: definition ofO(W ) using the previous step and the evaluation conf ′ →i′ (halted,mem ′)
from Step 4..
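The per-instruction side conditions stated in Lemmas 51, 52, 55, 56 and 57, and the case split on conf′ in step 11 of the proof above, as an added Python example. This is not the paper's code: the instruction encodings, the function names and the permission lattice used for ⊑ are assumptions, the lattice being taken as the usual one for the permissions the page names (o ⊑ ro ⊑ rw ⊑ rwl ⊑ rwlx, o ⊑ e ⊑ rx ⊑ rwx ⊑ rwlx, and local ⊑ global). Each successful step either leaves memory unchanged or writes a word w through a capability that satisfies the store conditions, including the locality check that a local word may only be stored through an rwl or rwlx capability; each written register holds an integer, a loaded word, or a lea/restrict/subseg derivative of an existing capability. Everything else fails, which is the case the proof dismisses by Lemma 7.

```python
from dataclasses import dataclass, replace
from typing import Dict, Tuple, Union


@dataclass(frozen=True)
class Cap:
    """A capability word ((perm, g), base, end, a)."""
    perm: str
    g: str
    base: int
    end: int
    a: int


Word = Union[int, Cap]
Regs = Dict[str, Word]
Memory = Dict[int, Word]

# Assumed cover relation of the permission lattice; perm_leq is its
# reflexive-transitive closure.
_COVERS = {("o", "ro"), ("o", "e"), ("e", "rx"), ("ro", "rx"), ("ro", "rw"),
           ("rw", "rwx"), ("rw", "rwl"), ("rx", "rwx"), ("rwx", "rwlx"), ("rwl", "rwlx")}


def perm_leq(p: str, q: str) -> bool:
    return p == q or any(perm_leq(r, q) for (s, r) in _COVERS if s == p)


def pg_leq(lo: Tuple[str, str], hi: Tuple[str, str]) -> bool:
    """(perm', g') ⊑ (perm, g): weaker permission and no local-to-global promotion."""
    return perm_leq(lo[0], hi[0]) and (lo[1] == hi[1] or (lo[1] == "local" and hi[1] == "global"))


READ_ALLOWED = {"ro", "rw", "rwl", "rx", "rwx", "rwlx"}
WRITE_ALLOWED = {"rw", "rwl", "rwx", "rwlx"}
WRITE_LOCAL_ALLOWED = {"rwl", "rwlx"}     # the only permissions that may store a local word


def within_bounds(c: Cap) -> bool:
    return c.base <= c.a <= c.end


def is_local_cap(w: Word) -> bool:
    return isinstance(w, Cap) and w.g == "local"


def step(instr: tuple, reg: Regs, mem: Memory):
    """Execute one instruction; returns (reg', mem') or the string "failed".

    The checks are the side conditions of Lemmas 51 (load), 57 (store),
    52 (lea), 55 (restrict) and 56 (subseg). Addresses absent from the
    constructed memory dict read as 0.
    """
    op = instr[0]
    reg, mem = dict(reg), dict(mem)
    if op == "load":                       # load r_dst r_src
        _, rd, rs = instr
        c = reg[rs]
        if not (isinstance(c, Cap) and c.perm in READ_ALLOWED and within_bounds(c)):
            return "failed"
        reg[rd] = mem.get(c.a, 0)
    elif op == "store":                    # store r_dst r_src : mem[c.a] := w
        _, rd, rs = instr
        c, w = reg[rd], reg[rs]
        if not (isinstance(c, Cap) and c.perm in WRITE_ALLOWED and within_bounds(c)):
            return "failed"
        if is_local_cap(w) and c.perm not in WRITE_LOCAL_ALLOWED:
            return "failed"                # a local word must not escape through a non-rwl capability
        mem[c.a] = w
    elif op == "lea":                      # lea r z : move the address, any perm but e
        _, r, z = instr
        c = reg[r]
        if not (isinstance(c, Cap) and c.perm != "e"):
            return "failed"
        reg[r] = replace(c, a=c.a + z)
    elif op == "restrict":                 # restrict r perm' g'
        _, r, p2, g2 = instr
        c = reg[r]
        if not (isinstance(c, Cap) and pg_leq((p2, g2), (c.perm, c.g))):
            return "failed"
        reg[r] = replace(c, perm=p2, g=g2)
    elif op == "subseg":                   # subseg r base' end' : shrink the range, any perm but e
        _, r, b2, e2 = instr
        c = reg[r]
        if not (isinstance(c, Cap) and c.perm != "e" and c.base <= b2 and e2 <= c.end):
            return "failed"
        reg[r] = replace(c, base=b2, end=e2)
    else:
        return "failed"
    return reg, mem


def demo() -> dict:
    # Constructed sample state: an rwx global capability over [0,3], an rwlx
    # local capability over [10,20] and an integer.
    reg = {"r1": Cap("rwx", "global", 0, 3, 1), "r2": Cap("rwlx", "local", 10, 20, 10), "r3": 5}
    mem = {0: 0, 1: 0, 2: 0, 3: 0}
    return {
        "local_via_rwx": step(("store", "r1", "r2"), reg, mem),              # failed
        "local_via_rwlx": step(("store", "r2", "r2"), reg, mem) != "failed",  # True
        "widen_subseg": step(("subseg", "r1", 0, 5), reg, mem),              # failed
        "raise_perm": step(("restrict", "r1", "rwlx", "global"), reg, mem),  # failed
        "make_global": step(("restrict", "r2", "rwlx", "global"), reg, mem),  # failed
    }
```

The three failing restrict/subseg cases in `demo` are the ones the proof needs to be impossible: a derived capability never has more authority than its source, and a local capability never becomes global, which is what lets step 11.2 conclude that every register stays in the value relation.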
5.4.10 Scall macro-instruction correctness
Definition 4. We say that (reg,ms) is looking at [i0, · · · , in] followed by cnext iff
• reg(pc) = ((p, g), b, e, a)
• p = rwx, p = rx, or p = rwlx
• a+ n ≤ e, b ≤ a ≤ e
• ms(a+ 0, · · · , a+ n) = [i0, · · · , in]
• cnext = ((p, g), b, e, a+ n+ 1)

Definition 5. We say that reg points to stack with msstk used and msunused unused iff
• reg(rstk ) = ((rwlx, local), bstk , estk , astk )
• dom(msunused) = [astk + 1, · · · , estk ]
• dom(msstk ) = [bstk , · · · , astk ]
• bstk − 1 ≤ astk

Lemma 58 (scall works). If
• ms :n revokeTemp(W )
• dom(msf ) ∩ (dom(msstk ⊎msunused ⊎ms)) = ∅
• (reg,ms) is looking at scall r(rarg , rpriv ) followed by cnext
• reg points to stack with msstk used and msunused unused
Hyp-Callee If
– $dom(ms_{unused}) = dom(ms_{act} \uplus ms'_{unused})$,
– $W' = revokeTemp(W)[\iota^{sta}(temp, ms_{stk} \uplus ms_{act} \uplus ms_f), \iota^{pwl}(dom(ms'_{unused}))]$,
– $ms'' :_{n-1} W'$
– $reg'$ points to stack with ∅ used and $ms'_{unused}$ unused
– $reg' = reg_0[pc \mapsto updatePcPerm(reg(r)), r_{arg} \mapsto reg(r_{arg}), r_0 \mapsto c_{ret}, r_{stk} \mapsto c_{stk}, r \mapsto reg(r)]$
– $(n-1, c_{ret}) \in \mathcal{V}(W')$
– $(n-1, c_{stk}) \in \mathcal{V}(W')$
then we have that $(n-1, (reg', ms'')) \in \mathcal{O}(W')$
Hyp-Cont If
– $n' \le n-2$
– $W'' \sqsupseteq_{pub} revokeTemp(W)$
– $ms'' :_{n'} revokeTemp(W'')$
– for all r, we have that:
$reg'(r) \begin{cases} = c_{next} & \text{if } r = pc \\ = reg(r) & \text{if } r \in r_{priv} \\ \in \mathcal{V}(revokeTemp(W'')) & \text{if } reg'(r) \text{ is a global capability and } r \notin \{pc, r_{priv}, r_{stk}\} \end{cases}$
– $reg'$ points to stack with $ms_{stk}$ used and $ms''_{unused}$ unused for some $ms''_{unused}$
then we have that $(n', (reg', ms'' \uplus ms_f \uplus ms_{stk} \uplus ms''_{unused})) \in \mathcal{O}(W'')$
Then
• (n, (reg,ms ⊎msf ⊎msstk ⊎msunused)) ∈ O(W )

Proof. Assume n is sufficiently large to execute all the steps up to and including the jump of
scall r(rarg , rpriv ). If this is not the case, then in any given memory frame the execution will
not halt successfully fast enough.
Further assume
1. ms :n revokeTemp(W )
2. dom(msf ) ∩ (dom(msstk ⊎msunused ⊎ms)) = ∅
3. (reg,ms) is looking at scall r(rarg , rpriv ) followed by cnext
4. reg points to stack with msstk used and msunused unused
5. Hyp-Callee
6. Hyp-Cont
Now we wish to apply Lemma 8. To this end let $ms_{frame}$ be given. Executing the scall gives us
$(reg, ms \uplus ms_f \uplus ms_{stk} \uplus ms_{unused} \uplus ms_{frame}) \to_i (reg_1, ms \uplus ms_f \uplus ms_{stk} \uplus ms_{act} \uplus ms'_{unused} \uplus ms_{frame})$
where
7. i ≤ n
8. msact contains activation record, reg(rpriv ), the code return capability, and the full stack
capability (reg(rstk ) with the pointer adjusted).
9. $\forall a \in dom(ms'_{unused}).\; ms'_{unused}(a) = 0$
10. $dom(ms_{unused}) = dom(ms_{act} \uplus ms'_{unused})$
11. $reg_1(r_0) = c_{ret} = ((e, local), \_, \_, \_)$ where the range of authority is the same as $reg(r_{stk})$ and it points to the first instruction of the activation code.
12. $reg_1$ points to stack with ∅ used and $ms'_{unused}$ unused
13. $reg_1(pc) = updatePcPerm(reg(pc))$
14. $reg_1(r) = reg(r)$
15. $reg_1(r_{args}) = reg(r_{args})$
16. $\forall r' \in RegisterName \setminus \{pc, r_{stk}, r, r_{args}\}.\; reg_1(r') = 0$
In order to use Lemma 8, we now need to show
$(n_1, (reg_1, ms \uplus ms_f \uplus ms_{stk} \uplus ms_{act} \uplus ms'_{unused})) \in \mathcal{O}(W_1)$
where
$W_1 = revokeTemp(W)[\iota^{sta}(temp, ms_{stk} \uplus ms_{act} \uplus ms_f), \iota^{pwl}(dom(ms'_{unused}))]$
to this end use Hyp-Callee (5.). To use this everything is satisfied directly by assumptions but
the following:
17. $ms \uplus ms_f \uplus ms_{stk} \uplus ms_{act} \uplus ms'_{unused} :_{n-1} W_1$
Here we apply Lemma 66. By assumption 1. we have $ms :_n revokeTemp(W)$. So it suffices to show
$ms_f \uplus ms_{stk} \uplus ms_{act} \uplus ms'_{unused} :_{n-1} [\iota^{sta}(temp, ms_{stk} \uplus ms_{act} \uplus ms_f), \iota^{pwl}(dom(ms'_{unused}))]$
This turns out to be trivial as $ms_f$, $ms_{stk}$, and $ms_{act}$ match the static region. $ms'_{unused}$ is all zeroes, so it trivially satisfies the $\iota^{pwl}$ region.
18. $(n-1, reg'(r_{stk})) \in \mathcal{V}(W_1)$
Use Lemma 62 with 12. and the fact that $W_1$ has region $\iota^{pwl}(dom(ms'_{unused}))$.
19. (n− 1, cret) ∈ V(W1)
To this end let
19.1. $n' < n-1$
19.2. $W_2 \sqsupseteq_{pub} W_1$
be given and show
$(n', updatePcPerm(c_{ret})) \in \mathcal{E}(W_2)$
To this end assume
19.3. $n'' \le n'$
19.4. $(n'', reg_2) \in \mathcal{R}(W_2)$
19.5. $ms' :_{n''} W_2$
be given and show
$(n'', (reg_2[pc \mapsto updatePcPerm(c_{ret})], ms')) \in \mathcal{O}(W_2)$ (17)
From 19.2. and 19.5., we can deduce that the memory can be split in the following way:
$ms' = ms'' \uplus ms_r \uplus ms_{stk} \uplus ms_{act} \uplus ms''_{unused} \uplus ms_f$
where $ms''$ is the "permanent" part of memory we get from Lemma 63, $ms_r$ is the "revoked" part of memory from the same lemma that is not otherwise specified, and $dom(ms'_{unused}) = dom(ms''_{unused})$. From Lemma 63 we also get
19.6. $ms'' :_{n''} revokeTemp(W_2)$
Assume $n''$ is large enough to execute the rest of the scall instructions. If $n''$ is not large enough, then (17) is trivial to show. To show (17) apply Lemma 8 again where $ms_r$ is the revoked part. Let $ms'_{frame}$ be given; the execution until just after the scall proceeds as follows:
$(reg_2[pc \mapsto updatePcPerm(c_{ret})], ms' \uplus ms'_{frame}) \to_j (reg_3, ms' \uplus ms'_{frame})$
where
19.7.
$reg_3(r) = \begin{cases} c_{next} & r = pc \\ c_{stk} & r = r_{stk} \\ reg(r) & r \in \{r_{priv}\} \\ reg_2(r) & \text{otherwise} \end{cases}$
19.8. $reg_3$ points to stack with $ms_{stk}$ used and $ms_{act} \uplus ms''_{unused}$ unused
At this point, we use Hyp-Cont (6.) to show the observation predicate condition of Lemma 8:
$(n'', (reg_3, ms'' \uplus ms_{stk} \uplus ms_{act} \uplus ms''_{unused} \uplus ms_f)) \in \mathcal{O}(W_2)$
which requires:
• $n'' \le n-2$
Follows from (19.1.)
• $W_2 \sqsupseteq_{pub} revokeTemp(W)$
We have $W_1 \sqsupseteq_{pub} revokeTemp(W)$ and assumption 19.2., so we get this by transitivity of $\sqsupseteq_{pub}$.
• $ms'' :_{n''} revokeTemp(W_2)$
Exactly 19.6.
• for all r, we have that:
$reg_3(r) \begin{cases} = c_{next} & \text{if } r = pc \\ = reg(r) & \text{if } r \in r_{priv} \\ \in \mathcal{V}(revokeTemp(W_2)) & \text{if } reg_3(r) \text{ is a global capability and } r \notin \{pc, r_{priv}, r_{stk}\} \end{cases}$
The first two cases follow from 19.7. The third follows from assumption 19.4. and Lemma 79.
• $reg'$ points to stack with $ms_{stk}$ used and $ms_{act} \uplus ms''_{unused}$ unused
Exactly 19.8.
5.4.11 Malloc macro-instruction correctness
Definition 6. We say that “(reg,ms) links key as j to cmalloc” iff
• reg(pc) = ((perm , g), base, end , a)
• ms(base) = (( , ), base link , , )
• ms(base link + j) = c

Lemma 59 (malloc works). If
• (reg,ms) is looking at malloc r k followed by cnext
• k ≥ 0
• (reg,ms) links malloc as k to cmalloc
• cmalloc satisfies the malloc specification with ιmalloc,0
• W ⊒priv [i 7→ ιmalloc,0]
• ms :n W
• ms = ms ′ ⊎ms footprint
• msfootprint :n [i 7→W (i)]
Hyp-Cont If
– $n' \le n-1$
– $\iota_{malloc} \sqsupseteq_{pub} W(i)$
– $ms'_{footprint} \uplus ms' :_{n'} W[i \mapsto \iota_{malloc}]$
– $ms'_{footprint} :_{n'} [i \mapsto \iota_{malloc}]$
– $reg'(r') = \begin{cases} c_{next} & r' = pc \\ ((rwx, global), base, end, a) & r' = r \\ reg(r) & r' \notin RegisterName_t \cup \{pc, r, r_1\} \end{cases}$
– $end - base = k - 1$
– $dom(ms_{alloc}) = [base, end]$
– $\forall a \in [base, end].\; ms_{alloc}(a) = 0$
Then we have
$(n', (reg', ms' \uplus ms'_{footprint} \uplus ms_{alloc})) \in \mathcal{O}(W[\iota_{malloc}])$
Then
(n, (reg,ms)) ∈ O(W )

5.4.12 Create closure macro-instruction correctness
Lemma 60 (crtcls works). If
• (reg,ms) is looking at crtcls (x, r) r followed by cnext
• (reg,ms) links malloc as k to cmalloc
• cmalloc satisfies the malloc specification with ιmalloc,0
• W ⊒priv [i 7→ ιmalloc,0]
• ms :n W
• ms = ms ′ ⊎ms footprint
• msfootprint :n [i 7→W (i)]
Hyp-Cont If
– $n' \le n$
– $\iota_{malloc} \sqsupseteq_{pub} W(i)$
– $ms' \uplus ms'_{footprint} :_{n'} W[i \mapsto \iota_{malloc}]$
– $ms'_{footprint} :_n [i \mapsto \iota_{malloc}]$
– $reg'(r') = \begin{cases} c_{next} & r' = pc \\ c_{cls} = ((e, global), base, end, base + 2) & r' = r_1 \\ reg(r) & r' \notin \{pc, r_1\} \cup RegisterName_t \end{cases}$
– $ms_{cls} = ms_{act} \uplus ms_{env}$
– $c_{cls} = ((e, global), \ldots)$
– $c_{env} = ((rw, global), base_{env}, end_{env}, base_{env})$
– $dom(ms_{env}) = [base_{env}, end_{env}]$
– $ms_{env}(base_{env}, \ldots, end_{env}) = reg(r)$
– Hyp-act
If
∗ $reg''(pc) = updatePcPerm(c_{cls})$
Then $\exists k.\; \forall ms_f.\; (reg'', ms'' \uplus ms_{cls} \uplus ms_f) \to_k (reg''', ms'' \uplus ms_{cls} \uplus ms_f)$ where
$reg'''(r') = \begin{cases} c_{env} & r' = c_{env} \\ updatePcPerm(reg(r)) & r' = pc \\ reg''(r') & r' \notin RegisterName_t \end{cases}$
Then we have $(n', (reg', ms' \uplus ms_{footprint} \uplus ms_{cls})) \in \mathcal{O}(W[i \mapsto \iota_{malloc}])$
Then
(n, (reg,ms)) ∈ O(W )

5.4.13 Stack helper lemmas
Lemma 61. If
• perm ∈ {rx,rwx,rwlx}
• (n, (base, end)) ∈ readCondition(local)(W )
• (n, (base, end)) ∈ writeCondition(ιpwl , local)(W )
then
(n, (perm, base, end)) ∈ executeCondition(local)(W )

Proof of Lemma 61. Assume
1. perm ∈ {rx,rwx,rwlx}
2. (n, (base, end)) ∈ readCondition(local)(W )
3. (n, (base, end)) ∈ writeCondition(ιpwl , local)(W )
Let W ′ ⊒pub W , a, and n′ ≤ n be given and show
(n′, ((perm , local), base, end , a)) ∈ E(W ′)
Consider each of the three cases for perm :
4. perm = rwlx
In this case ι = ιpwl . If we use the FTLR (Theorem 2), then we are done. It suffices to
show:
4.1. (n′, (base, end)) ∈ readCondition(local)(W ′)
Follows from Lemma 34, Lemma 36, and assumption 2..
4.2. (n′, (base, end)) ∈ writeCondition(ιpwl , local)(W ′)
Follows from Lemma 37, Lemma 36, and assumption 3..
5. perm = rx
In this case ι = ιnwl . If we use the FTLR (Theorem 2), then we are done. It suffices to
show:
5.1. (n′, (base, end)) ∈ readCondition(local)(W ′)
Follows from Lemma 34, Lemma 36, and assumption 2..
5.2. (n′, (base, end)) ∈ writeCondition(ιnwl , local)(W ′)
Follows from Lemma 33, Lemma 37, Lemma 36, and assumption 3..
6. perm = rwx
In this case ι = ιnwl . If we use the FTLR (Theorem 2), then we are done. It suffices to
show:
6.1. (n′, (base, end)) ∈ readCondition(local)(W ′)
Follows from Lemma 34, Lemma 36, and assumption 2..
Lemma 62 (Stack capability in value relation). If
• reg points to stack with ∅ used and ms unused
• ∃r.W (r) = ιpwl (dom(ms))
then
(n, reg(rstk )) ∈ V(W )

Proof of Lemma 62. Say
reg(rstk ) = cstk = ((rwlx, local), base, end , )
Show
1. $(n, (base, end)) \in readCondition(local)(W)$:
Amounts to $\iota^{pwl}(dom(ms)) \overset{n}{\subset_\sim} \iota^{pwl}_{base,end}$, which is true as they are even equal.
2. $(n, (base, end)) \in writeCondition(\iota^{pwl}, local)(W)$:
Using Lemma 12, this amounts to $\iota^{pwl}(dom(ms)) \overset{n}{\supset_\sim} \iota^{pwl}_{base,end}$, which is true as they are even equal.
3. (n, (rwlx, basestk , endstk )) ∈ executeCondition(local)(W )
Using 2. and 1., we can use Lemma 61.
4. (n, (rwx, basestk , end stk )) ∈ executeCondition(local)(W )
Using 2. and 1., we can use Lemma 61.
5. (n, (rx, basestk , end stk )) ∈ executeCondition(local)(W )
Using 1. and 2., we can use Lemma 61.
5.4.14 Memory Segment Satisfaction
We expect the following lemmas to hold true:
Lemma 63 (Revoke temporary memory satisfaction).
$\forall ms, n, W, W'.\; ms :_n W \Rightarrow \exists ms', ms_r.\; ms = ms' \uplus ms_r \wedge ms' :_n revokeTemp(W)$

Proof of Lemma 63.
Lemma 64 (Revoke temporary memory satisfaction 2).
$\forall ms, n, W, P : active(W) \to MemSegment.\; ms :_{n,P} W \Rightarrow \exists ms', ms_r.\; ms = ms' \uplus ms_r \wedge ms' :_{n,\, P|_{dom(\lfloor W \rfloor_{\{perm\}})}} revokeTemp(W) \wedge ms_r = \biguplus_{r \in \lfloor W \rfloor_{\{temp\}}} P(r) \wedge ms' = \biguplus_{r \in \lfloor W \rfloor_{\{perm\}}} P(r)$

Proof of Lemma 64.
Lemma 65 (Revoke temporary memory with stack).
$\forall n, ms, W, reg, r_{stk}, g, base, end, a.\; ms :_n W \wedge (n, reg) \in \mathcal{R}(W) \wedge reg(r_{stk}) = ((rwlx, g), base, end, a) \wedge base \le end \Rightarrow \exists ms', ms_r.\; ms' :_n revokeTemp(W) \wedge ms = ms' \uplus ms_r$

Proof of Lemma 65.
Lemma 66 (Disjoint memory satisfaction).
$\forall n.\; \forall ms, ms', ms''.\; \forall W, W', W''.\; ms'' = ms \uplus ms' \wedge W'' = W \uplus W' \wedge ms :_n W \wedge ms' :_n W' \Rightarrow ms'' :_n W''$

Proof of Lemma 66.
Lemma 67 (Memory satisfaction and static regions).
$ms :_n [i \mapsto \iota^{sta}(v, ms)]$

Proof of Lemma 67.
Lemma 68 (Data only memory and standard regions). If
• ∀a ∈ dom(ms).ms(a) ∈ N
• ι ∈ {ιpwl , ιnwl , ιnwl ,p}
then
ms :n [i 7→ ι(dom(ms))]

Proof of Lemma 68.
5.4.15 Future worlds
Lemma 69 (World public future world of revoked world).
$\forall W.\; revokeTemp(W) \sqsupseteq_{pub} W$

Proof of Lemma 69. For all r where $W(r) = (temp, s, \phi_{pub}, \phi, H)$, we have $revokeTemp(W)(r) = revoked$. By the public future region relation we have
$W(r) = (temp, s, \phi_{pub}, \phi, H) \sqsupseteq_{pub} revokeTemp(W)(r) = revoked$;
all other regions remain unchanged, so this follows by reflexivity of the public future region relation.
Lemma 70 (World private future world of revoked world).
∀W. revokeTemp(W )⊒priv W

Proof of Lemma 70.
Lemma 71 (Public future world relation included in private future world relation).
W ′ ⊒pub W ⇒W ′ ⊒priv W

Proof of Lemma 71.
Lemma 72 (Transitivity properties between private and public future worlds).
W ′′ ⊒priv W ′ ∧W ′ ⊒pub W ⇒ W ′′ ⊒priv W
and
W ′′ ⊒pub W ′ ∧W ′ ⊒priv W ⇒ W ′′ ⊒priv W

Proof of Lemma 72.
Lemma 73.
$\forall n, W_1, W_2, W'_1.\; W_1 \overset{n}{=} W_2 \wedge W'_1 \sqsupseteq_{pub} W_1 \Rightarrow \exists W'_2.\; W'_2 \overset{n}{=} W'_1 \wedge W'_2 \sqsupseteq_{pub} W_2$

Proof of Lemma 73. Construct $W'_2$ as follows:
$W'_2(r) = \begin{cases} (v'_1, s'_1, \phi_{pub2}, \phi_2, H_2) & \text{if } r \in dom(W_2) \text{ and } W'_1(r) = (v'_1, s'_1, \_, \_, \_) \text{ and } W_2(r) = (\_, \_, \phi_{pub2}, \phi_2, H_2) \\ W'_1(r) & \text{otherwise} \end{cases}$
Notice $dom(W'_2) = dom(W'_1)$.
Lemma 74.
$$\forall n, W_1, W_2, W'_1.\quad W_1 \stackrel{n}{=} W_2 \wedge W'_1 \sqsupseteq^{priv} W_1 \Rightarrow \exists W'_2.\ W'_2 \stackrel{n}{=} W'_1 \wedge W'_2 \sqsupseteq^{priv} W_2$$

Proof of Lemma 74. Construct W'_2 as follows:
$$W'_2(r) = \begin{cases} (v'_1, s'_1, \varphi_{pub,2}, \varphi_2, H_2) & \text{if } r \in \mathrm{dom}(W_2) \text{ and } W'_1(r) = (v'_1, s'_1, \_, \_, \_) \text{ and } W_2(r) = (\_, \_, \varphi_{pub,2}, \varphi_2, H_2) \\ W'_1(r) & \text{otherwise} \end{cases}$$
5.4.16 Value relation
Lemma 75 (Value relation downwards closed).
$$n' \le n \wedge (n, w) \in \mathcal{V}(W) \Rightarrow (n', w) \in \mathcal{V}(W)$$

Proof. By definition of V(W) using Lemma 36, 39, 42 and 45.
Lemma 76 (Register relation downwards closed).
$$n' \le n \wedge (n, w) \in \mathcal{R}(W) \Rightarrow (n', w) \in \mathcal{R}(W)$$

Proof. By definition of R(W) using Lemma 75.
Lemma 77 (Value relation monotone wrt ⊒pub).
$$W' \sqsupseteq^{pub} W \wedge (n, w) \in \mathcal{V}(W) \Rightarrow (n, w) \in \mathcal{V}(W')$$

Proof of Lemma 77. Follows from Lemma 34, Lemma 37, Lemma 40, and Lemma 43.
Lemma 78. If
$$(n, w) \in \mathcal{V}(\mathrm{revokeTemp}(W))$$
then
$$(n, w) \in \mathcal{V}(W)$$

Proof of Lemma 78. Follows from Lemma 29, Lemma 30, Lemma 31, and Lemma 32.
Lemma 79 (Global capabilities monotone wrt ⊒priv).
$$\forall n, perm, base, end, a, W, W'.\quad (n, ((perm, \mathrm{global}), base, end, a)) \in \mathcal{V}(W) \wedge W' \sqsupseteq^{priv} W \Rightarrow (n, ((perm, \mathrm{global}), base, end, a)) \in \mathcal{V}(W')$$

Proof of Lemma 79. Assume
1. perm ∉ {rwl, rwlx}
2. W′ ⊒priv W
3. (n, ((perm, global), base, end, a)) ∈ V(W)
and show
(n, ((perm, global), base, end, a)) ∈ V(W′).
To this end, consider the possible cases of perm and show that each of the necessary conditions holds:
1. perm = o: trivial.
2. perm = ro: follows from Lemma 35.
3. perm = rw: follows from Lemma 35 and Lemma 38.
4. perm = rx: follows from Lemma 35 and Lemma 41.
5. perm = rwx: follows from Lemma 35, Lemma 38, and Lemma 41.
6. perm = e: follows from Lemma 44.
Lemma 80 (Non local words monotone wrt ⊒priv).
$$\forall n, perm, base, end, a, W, W', w.\quad w \text{ is non-local} \wedge (n, w) \in \mathcal{V}(W) \wedge W' \sqsupseteq^{priv} W \Rightarrow (n, w) \in \mathcal{V}(W')$$

Proof of Lemma 80. If w = ((perm, global), base, end, a), then it follows from Lemma 79.
If w ∈ Z, then it follows from the fact that i ∈ V(W′′) for all i ∈ Z and W′′ ∈ World.
6 Other examples and applications
This section contains some ideas about examples and applications other than the ticket dispenser
example.
6.1 Stack and return pointer handling without OS involvement using
local capabilities
The idea of this example would be to work out and prove a calling convention that enforces
well-bracketed control flow and encapsulation of local variables using CHERI’s local capabilities.
When one function invokes another function, the essential idea is that:
• Stack pointer is passed as a local and store-local capability.
• Return pointer is passed as a local capability.
Since local pointers cannot leave the registers except into regions for which a store-local
capability is available, this basic idea seems to enforce a number of useful properties: well-
bracketedness of control flow and encapsulation of private state stored on the stack. On the
other hand, it also seems to validate the standard C treatment of the stack: the stack can be
reused after a function returns, even between distrusting parties. However, safety/security of
this design is very non-trivial and seems to rely on some non-trivial reasoning:
Only stack is store-local? A critical assumption is that adversary code has no way to store
local capabilities except on the stack. The reason that it is fine to store local capabilities on
the stack is that the adversary only has a local capability to the stack and cannot usefully store
that capability anywhere. However, this means that we need to rely on the runtime system of
our programming language to be careful when handing out store-local capabilities: only the libc
startup code should initialise the stack as store-local and malloc should not produce them. This
basically means that the libc initialisation code (or whatever component produces the initial
stack pointer) is part of our TCB.
Requirement for clearing the stack Imagine the following trusted C function:
    void advfunction1(void); /* adversary code */
    void advfunction2(void); /* adversary code */
    void myfunction(void) {
        advfunction1();
        advfunction2();
    }
where advfunction1() and advfunction2() are adversary functions. In the standard C treatment
of the stack, advfunction2() would get the same stack pointer as advfunction1(). This is
supposed to be safe since advfunction1() cannot have kept capabilities for the stack after its
execution. But what if we require that the two functions have no way of communicating with
each other? Concretely, advfunction1() has access to some secrets that must not be leaked to
advfunction2(). How can we prevent advfunction1() from storing the secret somewhere on the
stack and relying on advfunction2() receiving the same stack pointer, from which it can read the
secret? The most obvious solution seems to be that we should fully clear the stack (overwrite
it with zeros) after the return of any adversary function, but this could cause an important
overhead. Perhaps the processor should accommodate this with a special instruction that can
zero the entire array that a capability points to?
What do return pointers look like? An important question is what return pointers look
like. Since we want to protect the caller from the callee, it is important that the return pointer
is opaque, i.e. an entry pointer. The entry pointer will point to a closure that contains the next
instruction to execute, as well as the previous stack pointer. But since stack pointers are local,
this means that the return pointer closure should be stored in a region of memory for which we
have store-local permission, i.e. on the stack. This means we need the following in our calling
convention: before invoking a function, we push the stack pointer and the instruction pointer
to resume at after the invocation on the stack; we then construct a return pointer by copying the
stack pointer, limiting it to these two entries and making it an entry pointer. Finally we shrink
the stack pointer to the unused part of the stack and jump.
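The calling convention just described, together with the stack-clearing requirement from the previous paragraph, as an added example: this is a toy Python model written for this page, not code from the paper or from CHERI. It assumes a flat 32-word memory with a downward-growing stack at [16, 32), that jumping to an entry pointer yields an executable-readable view of the two-word closure, and an adversary callee (constructed) that tries exactly the stores the text discusses. The functions call, return_through, adversary_callee, clear_stack and demo are all hypothetical names chosen for the example.

```python
from dataclasses import dataclass, replace

MEM_SIZE = 32                # constructed: a flat address space of 32 words
STACK_LO, STACK_HI = 16, 32  # constructed: the stack occupies [16, 32) and grows down

class PermissionFault(Exception):
    """Raised where the simulated machine would fault on a capability check."""

@dataclass(frozen=True)
class Cap:
    perm: str    # subset of 'rwlx' ('l' = store-local), or 'e' for an opaque entry pointer
    local: bool  # a local capability may only be stored through a store-local capability
    base: int    # inclusive lower bound
    end: int     # exclusive upper bound
    addr: int    # current address; for the stack capability this is the stack pointer

    def in_bounds(self, a):
        return self.base <= a < self.end

class Machine:
    def __init__(self):
        self.mem = [0] * MEM_SIZE  # every word is an int or a Cap

    def load(self, c, a):
        if 'r' not in c.perm or not c.in_bounds(a):
            raise PermissionFault("load")
        return self.mem[a]

    def store(self, c, a, w):
        if 'w' not in c.perm or not c.in_bounds(a):
            raise PermissionFault("store")
        if isinstance(w, Cap) and w.local and 'l' not in c.perm:
            raise PermissionFault("store-local")  # confines local capabilities to the stack
        self.mem[a] = w

def call(m, stk, pc_after):
    """Caller side: push old stack pointer and resume address, seal them into an entry
    return pointer, and hand the callee a stack capability shrunk to the unused part."""
    sp = stk.addr
    m.store(stk, sp - 1, stk)  # allowed: the stack capability carries store-local
    m.store(stk, sp - 2, pc_after)
    ret = Cap('e', True, sp - 2, sp, sp - 2)            # entry pointer over the two saved words only
    callee_stk = replace(stk, end=sp - 2, addr=sp - 2)  # cannot reach the closure or caller frame
    return ret, callee_stk

def return_through(m, ret):
    """Jumping to the entry pointer unseals it; modelled here (an assumption of this toy)
    as an 'rx' view of the closure from which the caller recovers its state."""
    if ret.perm != 'e':
        raise PermissionFault("jump")
    code = replace(ret, perm='rx')
    return m.load(code, ret.base), m.load(code, ret.base + 1)

def adversary_callee(m, stk, ret, glob):
    """Constructed untrusted callee: it can keep the local stack capability only on the
    stack; stashing it in global memory, peeking into the sealed return closure and
    writing above its own frame all fault. It also leaves a value behind on the stack."""
    outcome = {}
    attempts = [
        ("stash_in_global", lambda: m.store(glob, glob.base, stk)),
        ("read_return_closure", lambda: m.load(ret, ret.base)),
        ("write_callers_frame", lambda: m.store(stk, stk.end, 0)),
        ("stash_on_stack", lambda: m.store(stk, stk.addr - 1, stk)),
    ]
    for name, action in attempts:
        try:
            action()
            outcome[name] = "ok"
        except PermissionFault as e:
            outcome[name] = "fault:" + str(e)
    m.store(stk, stk.addr - 2, 0x5EC)  # constructed leftover a later callee could read
    return outcome

def clear_stack(m, stk):
    """The mitigation the text asks for: zero the whole region the callee's stack
    capability covered before the stack is reused by another distrusting function."""
    for a in range(stk.base, stk.end):
        m.store(stk, a, 0)

def leftovers(m, stk):
    """Number of non-zero words in the region a stack capability covers."""
    return sum(1 for a in range(stk.base, stk.end) if m.mem[a] != 0)

def demo():
    m = Machine()
    glob = Cap('rw', False, 0, 8, 0)                       # global memory without store-local
    stk = Cap('rwlx', True, STACK_LO, STACK_HI, STACK_HI)  # local, store-local stack capability
    ret, callee_stk = call(m, stk, pc_after=0x40)          # constructed resume address
    outcome = adversary_callee(m, callee_stk, ret, glob)
    pc, restored = return_through(m, ret)
    before = leftovers(m, callee_stk)
    clear_stack(m, callee_stk)
    return outcome, pc, restored == stk, before, leftovers(m, callee_stk)

if __name__ == "__main__":
    print(demo())
```

Running demo() shows the two halves of the argument side by side: every attempt to move the local stack capability out of store-local memory, to read the sealed return closure, or to write into the caller's frame faults, while the caller still recovers its own stack pointer and resume address through the entry pointer; but the callee's stash on the stack and its leftover word survive the return, which is exactly why the stack must be cleared before another distrusting callee receives it.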
Only one-way protection in higher-order settings? Another important point is that,
in a sense, local capabilities provide only one-way protection: the caller is protected from the
callee but not vice-versa. Concretely: when invoking a function with some arguments marked
as local, the caller is guaranteed that the callee will not have been able to store the capabilities
anywhere (except perhaps on the stack, see above). However, the callee seems to have more
limited guarantees: Particularly, the caller may have kept its own stack capability and this stack
capability may (and typically will) also cover the part of the stack that is “owned” by the callee.
In this sense, the guarantees are more limited than in a linear language.
So what does this mean? In a first-order language, this is all fine, but what if we are in a
higher-order language? Imagine the following (in some ML-like language):
let f = fun callback =>
let ... in
let ret = callback() in
...
//adversary top function
let advtop = f( (fun y => ...) )
Our trusted function f is invoked by the adversary (from function advtop()) and wants to
invoke an untrusted callback received from the adversary. When invoking the closure, we don’t
want it to be able to access f’s local variables which it has stored on the stack. To achieve this,
we only give it a stack pointer that covers the part of the stack that is unused by f. However,
the callback may be implemented as an entry pointer that carries capabilities, particularly the
capability to advtop’s stack pointer, which includes the part of the stack that is now used by f
and contains f’s local variables.
So how do we deal with this? Perhaps we should use the fact that this is only possible when
f’s callback argument is allocated to some part of the memory to which advtop has store-local
permissions (since the callback contains a reference to the stack to which advtop only has a
local capability). I see basically three ways to do this, all based on the idea of enforcing that
the callback should be constructed in a part of memory for which no store-local permissions are
available:
• One way to exclude the scenario is to require that callbacks are provided as non-local
capabilities. The downside of this is that local callbacks can be useful for the caller to
prevent the callee from storing them.
• Another way to exclude the scenario is to require that the stack is allocated in a fixed part
of the address space and to check that callbacks point outside of this region before invoking
them.
• Perhaps we should require that store-local permissions cannot be removed from a capability
and simply require that callback pointers do not have store-local set. Perhaps we can allow
store-local permissions to be given up, but only if the corresponding part of memory is
fully zeroed in the process (or at least all local capabilities stored in the region).
6.2 A result to prove...
The simplest thing that comes to mind as a formal result for all of the above is to look at a concrete
program that clearly relies on properties like well-bracketed control flow and encapsulation of
local variables and prove it correct. As a concrete example: we might show an assembly program
that corresponds to the following (a higher-order program that crosses trust boundaries and
relies on local variable encapsulation and well-bracketed control flow):
let trustedCode = fun adversary =>
  let x = ref 0 in
  let callback = fun adv2 =>
    x := !x + 1;
    let y = ref (!x) in
    adv2 unit;
    assert (!x == !y);
    x := !x - 1
  in
  let _ = adversary callback in
  assert (!x == 0)
7 Related reading
This is a list of related work that might be interesting to read in the context of this project.
7.1 Capability machines
7.1.1 M-Machine
More than 20 years ago, Carter et al. [1994] have described the use of capabilities in the M-
Machine. They do seem to have a reference for the instruction set after all [Dally et al., 1995];
it seems like the server was just temporarily down when we were looking for this the first time...
7.1.2 CHERI
The CHERI processor is a much more recent capability machine, described by Woodruff et al.
[2014], Watson et al. [2015].
Another result of this project is CheriBSD: an adaptation of FreeBSD to the CHERI
processor [5]. It is not separately described in a published paper, but mentioned in the papers
cited above and in some tech reports (see url). This work includes a pure-capability ABI that
could provide some interesting examples.
The CHERI team also has a webpage with all of their CHERI-related publications (including
TRs and such) [6].
[5] http://www.cl.cam.ac.uk/research/security/ctsrd/cheri/cheribsd.html
[6] http://www.cl.cam.ac.uk/research/security/ctsrd/cheri/
7.2 Logical Relations
Some papers on logical relations that are relevant for this work are the following:
Hur and Dreyer [2011] describe a logical relation between ML and a (standard) assembly
language for expressing compiler correctness. Relevant because they target an assembly language,
and they use biorthogonality.
Dreyer et al. [2010] describe a logical relation for a ML-like language and use public/private
transitions to reason about well-bracketed control flow. Relevant because we are considering to
cover an example of enforcing well-bracketed control flow in a capability machine.
Devriese et al. [2016] describe a logical relation for a JavaScript-like language with object
capabilities. Relevant because it treats object capabilities, albeit in a JavaScript-like lambda
calculus. It also deals with an untyped language, using a semantic unitype.
References
Lars Birkedal and Aleš Bizjak. A Taste of Categorical Logic — tutorial notes.
http://cs.au.dk/~birke/modures/tutorial/categorical-logic-tutorial-notes.pdf,
2014.
Lars Birkedal, Kristian Støvring, and Jacob Thamsborg. The category-theoretic solution of
recursive metric-space equations. Theoretical Computer Science, 411(47):4102–4122, 2010.
ISSN 0304-3975.
A. Bizjak. Some theorems about mutually recursive domain equations
in the category of preordered COFEs. Unpublished note. Available at
http://cs.au.dk/~abizjak/documents/notes/mutually-recursive-domain-eq.pdf,
2017.
Nicholas P. Carter, Stephen W. Keckler, and William J. Dally. Hardware support for fast
capability-based addressing. In Proceedings of the Sixth International Conference on Architec-
tural Support for Programming Languages and Operating Systems, ASPLOS VI, pages 319–327,
New York, NY, USA, 1994. ACM. ISBN 0-89791-660-3. doi: 10.1145/195473.195579. URL
http://doi.acm.org/10.1145/195473.195579.
William J. Dally, Stephen W. Keckler, Nick Carter, Andrew Chang, Marco Fillo, and Whay S.
Lee. The M-Machine instruction set reference manual v1.55. Technical Report Memo 59, CVA,
Stanford, 1995. URL http://cva.stanford.edu/publications/1997/isa-1.55.ps.Z.
Dominique Devriese, Lars Birkedal, and Frank Piessens. Reasoning about object capabilities
using logical relations and effect parametricity. In IEEE European Symposium on Security and
Privacy. IEEE, 2016.
Derek Dreyer, Georg Neis, and Lars Birkedal. The impact of higher-order state and control
effects on local relational reasoning. In International Conference on Functional Programming,
pages 143–156. ACM, 2010. doi: 10.1145/1863543.1863566.
Chung-Kil Hur and Derek Dreyer. A Kripke logical relation between ML and assembly. In
ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages, pages 133–
146. ACM, 2011. doi: 10.1145/1926385.1926402.
R. N. M. Watson, J. Woodruff, P. G. Neumann, S. W. Moore, J. Anderson, D. Chisnall, N. Dave,
B. Davis, K. Gudka, B. Laurie, S. J. Murdoch, R. Norton, M. Roe, S. Son, and M. Vadera.
CHERI: A hybrid capability-system architecture for scalable software compartmentalization. In
IEEE Symposium on Security and Privacy, pages 20–37, 2015. doi: 10.1109/SP.2015.9.
Jonathan Woodruff, Robert N. M. Watson, David Chisnall, Simon W. Moore, Jonathan Anderson,
Brooks Davis, Ben Laurie, Peter G. Neumann, Robert Norton, and Michael Roe. The CHERI
capability model: Revisiting RISC in an age of risk. In International Symposium on Computer
Architecture, pages 457–468, Piscataway, NJ, USA, 2014. IEEE Press.
