Compositional and Scheduler-Independent Information Flow Security by Sudbrock, Henning
Compositional and
Scheduler-Independent
Information Flow Security
Vom Fachbereich Informatik
der Technischen Universita¨t Darmstadt
genehmigte
Dissertation
von Diplom-Mathematiker Henning Sudbrock
aus Darmstadt
zur Erlangung des akademischen Grades eines
Doctor rerum naturalium (Dr. rer. nat.)
Referenten der Arbeit: Prof. Dr. Heiko Mantel
Prof. Dr. Peter H. Schmitt
Tag der Einreichung: 24. Ma¨rz 2013
Tag der mu¨ndlichen Pru¨fung: 12. Juni 2013
Darmstadt, 2014
Hochschulkennziffer D 17
ii
Hiermit erkla¨re ich, dass ich die vorliegende Arbeit ohne unzula¨ssige Hilfe Dritter
und ohne Benutzung anderer als der angegebenen Hilfsmittel angefertigt habe. Die aus
anderen Quellen u¨bernommenen Konzepte sind unter Angabe der Quelle gekennzeichnet.
Die Arbeit wurde bisher weder im In- noch im Ausland in gleicher oder a¨hnlicher Form
in anderen Pru¨fungsverfahren vorgelegt.
Darmstadt, im Ma¨rz 2013
iii
Abstract
Software pervades our society deeper with every year. This trend makes software security
more and more important. For instance, software systems running critical infrastructures
like power plants must withstand criminal or even terrorist attacks, but also smartphone
apps used by consumers in their daily routine are usually expected to operate securely.
In particular, before entrusting a program with confidential information (such as, e.g.,
image or audio data recorded by a smartphone), one wants to be sure that the program is
trustworthy and does not leak the secrets to untrusted sinks (such as, e.g., an untrusted
server on the Internet). Information flow properties characterize such confidentiality
requirements by restricting the flow of confidential information, and an information flow
analysis permits to check that a program respects those restrictions.
The problem of information flow in multi-threaded programs is particularly challenging,
because information flows can originate in subtle ways from the interplay between threads.
Moreover, the existence of such information flows depends on the scheduler, which might
not even be known when analyzing a program. To obtain high assurance that no leak
is overlooked in an information flow analysis, formally well-founded analyses provide a
rigorous solution. Such analyses are proven sound with respect to formal information flow
properties that specify precisely what restrictions on information flow mean.
In this thesis, we develop two novel information flow properties for multi-threaded
programs, FSI-security and SIFUM-security. These properties are scheduler-independent,
i.e., they characterize secure information flow for different schedulers simultaneously.
Moreover, they are compositional, i.e., they permit to break down the analysis of a
multi-threaded program to single threads. For both properties we develop a security
analysis based on a security type system that is proven sound with respect to the property.
Compared to existing scheduler-independent information flow properties, FSI-security
is less restrictive. In particular, FSI-security is the first scheduler-independent information
flow property that permits programs with nondeterministic behavior and programs whose
control flow depends on secrets. The security analysis based on SIFUM-security is the first
provably sound flow-sensitive information flow analysis for multi-threaded programs in
the form of a security type system. Flow-sensitivity results in increased analysis precision
by taking the order of program statements into account. The key in our development of
SIFUM-security and the corresponding flow-sensitive analysis for multi-threaded programs
was to adopt assumption-guarantee style reasoning to information flow security.
We integrate FSI-security and SIFUM-security into the novel property FSIFUM-
security, and we integrate the security analyses for FSI- and SIFUM-security into a
security analysis for FSIFUM-security. Thereby, FSIFUM-security and the corresponding
analysis inherit the advantages of both FSI- and SIFUM-security.
In addition to developing novel type-based information flow analyses we also explore
information flow analysis for multi-threaded programs with program dependence graphs
(PDGs) which is used successfully to analyze sequential programs. To this end, we develop
a formal connection between PDG-based and type-based information flow analysis for
sequential programs. We exploit the connection to transfer concepts from our type-based
analysis for multi-threaded programs to PDGs, resulting in a provably sound PDG-based
information flow analysis for multi-threaded programs. Beyond this, we also use the
connection to transfer concepts from PDGs to type systems and to precisely compare the
precision of a type-based and a PDG-based information flow analysis.
Our results provide foundations for more precise and more widely applicable informa-
tion flow analysis for multi-threaded programs, and we hope that they contribute to a
more wide-spread certification of information flow security for concurrent programs.
iv
Zusammenfassung
Software durchdringt unsere Gesellschaft immer tiefer. Dadurch wird Softwaresicherheit
immer wichtiger. Beispielsweise mu¨ssen Softwaresysteme in kritischen Infrastrukturen
kriminellen oder gar terroristischen Attacken standhalten, aber auch von Smartphone-
Apps wird ein bestimmtes Sicherheitsniveau erwartet.
Bevor man einem Programm vertrauliche Informationen wie beispielsweise Telefonats-
Daten anvertraut mo¨chte man insbesondere sicher sein, dass das Programm die Ge-
heimnisse nicht ungefragt an Dritte beispielsweise im Internet weitergibt. Informations-
flusseigenschaften beschreiben solche Vertraulichkeitsanforderungen, indem sie den Fluss
vertraulicher Informationen einschra¨nken. Informationsflussanalysen ermo¨glichen die
U¨berpru¨fung von Programmen bezu¨glich dieser Einschra¨nkungen.
Die Informationsflussanalyse nebenla¨ufiger Programme ist besonders schwierig, da
durch das Zusammenspiel nebenla¨ufiger Programmteile auf subtile Art und Weise In-
formationsflu¨sse entstehen ko¨nnen. Daru¨ber hinaus ha¨ngt die Existenz solcher Flu¨sse
vom Scheduler ab, der bei der Analyse mo¨glicherweise unbekannt ist. Um Gewissheit zu
erlangen, dass kein Fluss u¨bersehen wird, bieten formal fundierte Analysen eine rigorose
Lo¨sung. Solche Analysen garantieren beweisbar sicher, dass Programme einer formalen
Informationsflusseigenschaft genu¨gen welche Informationsfluss pra¨zise spezifiziert.
In dieser Arbeit entwickeln wir zwei neue Informationsflusseigenschaften fu¨r ne-
benla¨ufige Programme, FSI-Security und SIFUM-Security. Diese Eigenschaften sind
scheduler-unabha¨ngig, d.h., sie beschreiben Informationsflusssicherheit fu¨r verschiedene
Scheduler gleichzeitig. Außerdem sind sie kompositional, d.h., sie erlauben es, die Analyse
eines Programms auf kleinere Teilprogramme herunterzubrechen. Fu¨r beide Eigenschaften
entwickeln wir eine Sicherheitsanalyse basierend auf einem Sicherheitstypsystem und
beweisen die Korrektheit der Analyse gegenu¨ber der jeweiligen Sicherheitseigenschaft.
FSI-Security ist die erste scheduler-unabha¨ngige Informationsflusseigenschaft die
nicht-deterministische Programme sowie Programme mit geheimen Kontrollbedingungen
erlaubt. Die Analyse fu¨r SIFUM-Security ist die erste beweisbar sichere flusssensitive
Informationsflussanalyse fu¨r nebenla¨ufige Programme in Form eines Sicherheitstypsystems.
Flusssensitivita¨t ermo¨glicht ho¨here Pra¨zision indem die Reihenfolge von Programmanwei-
sungen beru¨cksichtigt wird. Der Schlu¨ssel fu¨r die Entwicklung von SIFUM-Security war
die Verwendung von “Annahmen und Garantien” (“assumptions and guarantees“).
Wir integrieren FSI-Security und SIFUM-Security zur neuen Eigenschaft FSIFUM-
Security, und wir integrieren die Sicherheitsanalysen fu¨r FSI-Security und SIFUM-Security
zu einer Sicherheitsanalyse fu¨r FSIFUM-Security. Dadurch erben FSIFUM-Security und
die zugeho¨rige Analyse die Vorteile von sowohl FSI- als auch SIFUM-Security.
Neben der Entwicklung typ-basierter Analysen betrachten wir auch Analysen fu¨r ne-
benla¨ufige Programme mittels Programmabha¨ngigkeitsgraphen (PDGs), die erfolgreich zur
Analyse sequentieller Programme eingesetzt werden. Wir entwickeln eine formale Verbin-
dung zwischen PDG-basierter und typ-basierter Informationsflussanalyse fu¨r sequentielle
Programme. Darauf basierend u¨berfu¨hren wir Konzepte der typ-basierten Analysen fu¨r
nebenla¨ufige Programme in die Welt der PDGs, was in einer beweisbar korrekten PDG-
basierten Informationsflussanalyse fu¨r nebenla¨ufige Programme resultiert. Wir nutzen die
Verbindung auch, um Konzepte von PDGs in einer typ-basierten Analyse zu verwenden,
und um die Pra¨zision einer typ- und einer PDG-basierten Analyse pra¨zise zu vergleichen.
Unsere Resultate bieten die formalen Grundlagen fu¨r pra¨zisere und weitreichender
einsetzbare Informationsflussanalysen fu¨r nebenla¨ufige Programme. Wir hoffen, damit
zu einer weiter verbreiteten Zertifizierung von Informationsflusssicherheit nebenla¨ufiger
Programme beizutragen.
vPublications
We have published excerpts from this thesis as follows.
The scheduler-independent security property FSI-security and the corresponding
security type system (Chapter 3) were presented in [MS10]. The scheduler independence
result in [MS10] is with respect to a slightly simpler scheduler-dependent security property
than in this thesis which does not take inputs and outputs into account. The investigation
of the probabilistic Lottery schedulers was not included in [MS10].
The flow-sensitive security type system and the underlying assumption-guarantee
based security property, SIFUM-security (Chapter 4), were presented in [MSS11]. The
article did not yet contain the scheduler-independence result for SIFUM-security presented
in this thesis. Moreover, the article did not contain a security type system that exploits
assumptions for tracking values in single threads (developed in Section 4.5.4). The
combination of FSI-security and SIFUM-security (Chapter 5) is published in this thesis
for the first time.
The investigation of the relation between type-based and PDG-based information flow
analyses, comprising the extension of PDG-based analyses to multi-threaded programs
(Chapter 6), was presented in [MS13].
Additional refereed publications produced during my PhD studies have not been incor-
porated into this thesis. One article ([MSK07]) investigates the combination of different
information flow analyses for analyzing the information flow security of multi-threaded
programs to increase analysis precision, resulting in the idea and an instantiation of the
Combining Calculus. Other works [MS07, MS09] are concerned with quantitative informa-
tion flow control in operating systems, investigating formal models of and countermeasures
against interrupt-related covert channels.
vi
Acknowledgments
First and foremost, I am very grateful to Heiko Mantel and Peter H. Schmitt, the two
reviewers of this thesis. They need to spend both their time and their energy for the
review, and I cannot thank them enough for this.
Besides reviewing this thesis, Heiko was also my PhD supervisor. I was lucky to have
the opportunity to work in his research group for several years. In particular, many,
many fruitful discussions with Heiko and his valuable feedback helped to drive the work
presented in this thesis forward. Moreover, Heiko provided a never-ending stream of new
and interesting ideas as well as research questions that, on the one hand, provided starting
points for new research and, on the other hand, helped to lift existing work to higher
levels. This was particularly helpful for the work on scheduler-independent security and
on rely-guarantee based security analysis presented in this thesis, which started based
on ideas from and evolved in close collaboration with Heiko. In addition to guiding,
participating in, and supporting the research Heiko also provided general guidance and
support, going beyond my role as research assistant during my time in his research group.
I am also very grateful to David Sands from Chalmers University, Sweden. It was great
working together with him and Heiko, developing novel security properties and analyses
that are based on rely-guarantee style reasoning. Especially the intense discussions during
his visits in Darmstadt resulted in very good progress. David also provided valuable
feedback on the work on scheduler-independent information flow security.
Martin Hofmann at LMU Mu¨nchen, Peter H. Schmitt, and Gregor Snelting from
Karlsruhe Institute of Technology gave me the opportunity to present and discuss results
during visits at their chairs, followed by interesting discussions and good feedback.
I thank all my colleagues from the time at RWTH Aachen and TU Darmstadt for
lots of interesting discussions about our respective research topics: Markus Aderhold,
A. Baskar, Sarah Ereth, Richard Gay, Sylvia Grewe, Jinwei Hu, Tina Kraußer, Alexander
Lux, Matthias Perner, Jens Sauer, Dieter Schuster, Heiko Spies, Barbara Sprick, and
Artem Starostin. Special thanks go to Alexander, Baskar, and Matthias for proof-reading
parts of this thesis. I am especially grateful to Alexander, long-time office mate, with
whom I had many good discussions both on a scientific and a personal level. I am also
deeply indebted to Artem for his constant yet positive pressure during the last months of
this thesis’ creation.
Furthermore, I had many interesting contacts with students at RWTH Aachen and
TU Darmstadt. Among them, I had good discussions with Daniel Schoepe on proofs of
some results of this thesis which Daniel comprehended using the theorem prover Isabelle.
I also thank Gudrun Harris, Elisabeth Johannes, Miriam Rifai-Scho¨n, and Heide
Rinnert for their support during their time as secretary of Heiko’s research group.
Finally, thanks go to the DFG (German research foundation), which provided funding
for parts of the research results that are presented in this thesis under the project
FM-SecEng in the Computer Science Action Program (MA 3326/1-2).
Contents
Abstract . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . iii
Zusammenfassung . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . iv
Publications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . v
Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . vi
1 Introduction 1
1.1 Language-based Information Flow Security . . . . . . . . . . . . . . . . . 2
1.2 Information Flow in Multi-threaded Programs . . . . . . . . . . . . . . . . 4
1.3 Improving Information Flow Control for Multi-threaded Programs . . . . 6
1.4 Organization of the Thesis . . . . . . . . . . . . . . . . . . . . . . . . . . . 8
2 Execution Model and Security Model 11
2.1 Mathematical Preliminaries . . . . . . . . . . . . . . . . . . . . . . . . . . 11
2.1.1 Basic Concepts and Notation . . . . . . . . . . . . . . . . . . . . . 11
2.1.2 Probability Spaces . . . . . . . . . . . . . . . . . . . . . . . . . . . 13
2.2 Execution Model . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14
2.2.1 Snapshots during Program Execution . . . . . . . . . . . . . . . . 14
2.2.2 Execution Steps . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15
2.2.3 Program Executions . . . . . . . . . . . . . . . . . . . . . . . . . . 17
2.2.4 Program Input and Program Output . . . . . . . . . . . . . . . . . 18
2.3 A Multi-threaded Programming Language . . . . . . . . . . . . . . . . . . 18
2.3.1 Syntax . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18
2.3.2 Semantics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19
2.4 Scheduling . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20
2.5 Security Model . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25
2.5.1 Security Policy and Attacker Model . . . . . . . . . . . . . . . . . 25
2.5.2 Formal Security Characterization . . . . . . . . . . . . . . . . . . . 26
2.5.3 Examples . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27
2.6 Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30
3 A More Flexible Scheduler-independent Security Analysis 31
3.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31
3.2 Scheduler-independent Information Flow Security . . . . . . . . . . . . . . 32
3.3 A Novel Scheduler-independent Security Property . . . . . . . . . . . . . . 33
3.3.1 The Per Approach . . . . . . . . . . . . . . . . . . . . . . . . . . . 34
3.3.2 FSI-Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34
3.3.3 Robust Schedulers . . . . . . . . . . . . . . . . . . . . . . . . . . . 39
3.3.4 Scheduler-independence Result . . . . . . . . . . . . . . . . . . . . 42
3.4 A Type-based Security Analysis . . . . . . . . . . . . . . . . . . . . . . . . 43
vii
viii Contents
3.5 Example Security Analysis . . . . . . . . . . . . . . . . . . . . . . . . . . . 46
3.6 Summary and Comparison to Related Work . . . . . . . . . . . . . . . . . 48
4 A Flow-sensitive Security Analysis 51
4.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51
4.2 Flow-sensitive Analysis and Multi-threading . . . . . . . . . . . . . . . . . 52
4.3 Assumptions and Guarantees . . . . . . . . . . . . . . . . . . . . . . . . . 53
4.4 A Security Property with Assumptions and Guarantees . . . . . . . . . . 54
4.4.1 Modes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 54
4.4.2 SIFUM-Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . 56
4.4.3 Sound Modes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 59
4.4.4 Compositionality and Scheduler-independence Result . . . . . . . . 60
4.5 A Type-based Flow-sensitive Security Analysis . . . . . . . . . . . . . . . 63
4.5.1 Annotations for Specifying Assumptions and Guarantees . . . . . . 64
4.5.2 The Security Type System . . . . . . . . . . . . . . . . . . . . . . 65
4.5.3 Enforcing Sound Use of Modes . . . . . . . . . . . . . . . . . . . . 70
4.5.4 Extending the Type System with Value Tracking . . . . . . . . . . 70
4.6 Benefits of the Flow-sensitive Analysis . . . . . . . . . . . . . . . . . . . . 74
4.7 Summary and Comparison to Related Work . . . . . . . . . . . . . . . . . 77
5 Integrating Flexible Scheduler Independence and Flow-sensitivity 79
5.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 79
5.2 Integration of FSI-Security and SIFUM-Security . . . . . . . . . . . . . . 79
5.3 Integration of the Security Type Systems . . . . . . . . . . . . . . . . . . 82
5.4 Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 83
6 A Bridge to PDG-based Information Flow Analysis 85
6.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 85
6.2 Type-based Analysis for Sequential Programs . . . . . . . . . . . . . . . . 86
6.3 PDG-based Analysis for Sequential Programs . . . . . . . . . . . . . . . . 88
6.3.1 Control Flow Graphs . . . . . . . . . . . . . . . . . . . . . . . . . . 88
6.3.2 PDG-based Analysis . . . . . . . . . . . . . . . . . . . . . . . . . . 90
6.4 Relating Type-based and PDG-based Analysis . . . . . . . . . . . . . . . 92
6.5 Context-sensitive Interprocedural Analysis . . . . . . . . . . . . . . . . . . 93
6.5.1 Programs and Control Flow Graphs with Procedures . . . . . . . . 94
6.5.2 PDG-based Interprocedural Analysis . . . . . . . . . . . . . . . . . 95
6.5.3 Type-based Interprocedural Analysis . . . . . . . . . . . . . . . . . 98
6.6 A PDG-based Analysis for Multi-threaded Programs . . . . . . . . . . . . 99
6.7 Summary and Comparison to Related Work . . . . . . . . . . . . . . . . . 102
7 Conclusions and Outlook 105
7.1 Conclusions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 105
7.2 Outlook . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 106
A Detailed Proofs 109
A.1 Properties of Low Bisimulation Modulo Low Matching . . . . . . . . . . . 109
A.2 Scheduler Simulations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 112
A.3 Scheduler-independence of FSI-security . . . . . . . . . . . . . . . . . . . . 115
A.4 Security Type System for FSI-Security . . . . . . . . . . . . . . . . . . . . 121
A.5 Properties of Strong Low Bisimulation Modulo Modes . . . . . . . . . . . 127
Contents ix
A.6 Compositionality and Scheduler-independence Result for SIFUM-security 129
A.7 Security Type System for SIFUM-security . . . . . . . . . . . . . . . . . . 138
A.8 Integration of FSI-security and SIFUM-security . . . . . . . . . . . . . . . 151
A.9 Security Type System for FSIFUM-security . . . . . . . . . . . . . . . . . 156
A.10 Relation between Type-based and PDG-based Information Flow Analysis 158
B Type System for Sound Modes 173
C Semantics for Procedure Calls 177
Bibliography 179
Symbols and Notation 189
Index 193

C
H
A
P
T
E
R
1
Introduction
Private information is practically
the source of every large modern
fortune.
Oscar Wilde
As computer systems become ever more pervasive, people entrust more and more informa-
tion to them. This includes, in particular, sensitive private information like, for instance,
credit card numbers and bank account details, personal messages and photos, or passwords.
Moreover, with the growing proliferation of mobile computers like smart phones or tablet
PCs, sensible sensor data like GPS-based location information is increasingly entrusted
to computer systems. Simultaneously, the number of programs that misuse entrusted
information is growing (see, e.g., [Jun11] or [Sop11]).
But how can one be sure that a program is trustworthy enough to be entrusted with
confidential information? How can one, for instance, be sure that a program does not
leak information about the location of one’s smart phone to an untrusted server on the
Internet? An analysis of the information flow within an application permits to answer
such questions. For instance, one might check that a program that is granted access to
both GPS sensor data and to the Internet is implemented in such a way that the program
does not send location information to the Internet.
Information flow security has been investigated already since the seventies [Lam73,
Den76, Coh77], resulting in the first provably sound information flow analyses for sequen-
tial programs in the nineties [VSI96]. For multi-threaded programs, it has turned out that
subtle information leaks that do not occur in sequential programs complicate the infor-
mation flow analysis (e.g., [SS00]). In fact, information flow analyses for multi-threaded
programs are usually less satisfactory than such analyses for sequential programs, consid-
ering, e.g., precision and efficiency. Even more, already the semantic characterizations
of information flow security that provide a basis for modular analyses of multi-threaded
programs are less satisfactory, which hinders the improvement of the analyses.
1
2 Chapter 1. Introduction
The goal of this thesis is to improve the formal foundations of information flow analysis
for multi-threaded programs. This includes improving the state of the art of semantic
characterizations of information flow as well as the development of novel information
flow analyses. In the remainder of this introduction, we discuss information flow security
in more detail, with a focus on information flow security for multi-threaded programs
(Sections 1.1 and 1.2). Moreover, we concretize the goal of this thesis and give an overview
of the contributions and the organization of this thesis in Sections 1.3–1.4.
1.1 Language-based Information Flow Security
Confidential information processed by computer systems needs to be protected from
attackers that try to gain knowledge about this information. Given a computer system,
the protection of information can be, roughly, categorized into three parts: (a) protection
outside the system when communicating with other systems, (b) protection at the system
border when information enters or leaves the system, and (c) protection inside the
system when information is processed. Protection outside the system is usually based on
cryptography. For instance, if information is transmitted between two systems over an
untrusted channel, encryption can be employed to ensure that the information remains
confidential. Access control is used to ensure protection at the system border. This
includes, for instance, password-based mechanisms ensuring that system interfaces are
only accessed by authorized entities. Protecting information inside the system means
ensuring that the system treats secret information in an appropriate way. For instance, a
system with legitimate access to confidential information and with access to the Internet
should never leak the confidential information to untrusted servers on the Internet.
Traditionally, the focus has been primarily on protecting information at the border
of the system and outside the system, which was quite successful using access control
and cryptography. However, the need to also ensure a secure treatment of information
within a system is illustrated by frequent reports about programs that provide useful
functionality and are therefore permitted to access confidential information, but that
abuse their permissions to maliciously leak confidential information [Sym11, Bun11]. In
allusion to Greek mythology [HomBC], such malicious programs are called Trojan Horses.
Information flow control is an approach to ensure that secret information is appropri-
ately treated within a system. To this end, one controls where confidential information
flows within a system, restricting, for instance, the flow to untrusted information sinks.1
Semantic Characterization of Secure Information Flow. Some information flows
in a system are rather obvious from looking at the system’s implementation or a more
abstract system specification, for instance, when information is directly copied from one
variable to another variable. However, information flows may also be quite subtle, for
instance, if it depends on some piece of information whether another piece of information
is copied. In particular, systems often contain channels over which information might flow
that are not intended for communication, called covert channels [Lam73]. In consequence,
there is danger to overlook information flows when inspecting a system. Semantically
well-founded information flow analyses contribute to mitigate this danger. Such analyses
1Besides confidentiality, information flow control is also useful for ensuring integrity of information
by controlling the flow of untrusted information, ensuring that trusted data is not “contaminated” by
untrusted information. The third aspect of the traditional “CIA triad” of information security, availability,
is to our knowledge not approached with information flow control.
1.1. Language-based Information Flow Security 3
are based on semantic characterizations of secure information flow that provide a precise
reference point for what secure information flow means.
To our knowledge, the first semantical characterization of secure information flow
is Cohen’s Strong Dependency [Coh77], whereas the probably best known semantical
characterization is Noninterference by Goguen and Meseguer [GM82]. Noninterference
expresses the absence of information flow from secrets to publicly observable outputs by
a lack of dependency of these outputs on the secrets. A system satisfies noninterference if
public outputs do not differ for system executions with different secret inputs. Based on
the idea of noninterference, various semantical characterizations of information flow as
well as analyses for these characterizations were developed, both on the level of concrete
implementations of programs as well as on the level of more abstract system specifications
(see, e.g., [SM03] for an overview concerning concrete implementations and [FG95, Man00]
for overviews concerning more abstract specifications).
Language-based Security. In this thesis, we investigate information flow security for
confidentiality properties on the level of program implementations. This is part of the
area of language-based security, where information security is characterized, analyzed, and
enforced using techniques from the area of programming languages. A benefit of language-
based security is that program code provides a rather clear specification of a program’s
behavior. This specification can be used as a basis both for the characterization of
security and for the program security analysis. Moreover, language-based security benefits
from existing technology for programming languages, comprising program semantics and
analysis techniques like, e.g., type systems. Language-based techniques can be applied for
different aspects of information security (see [SMH01] for an overview); for instance, Java’s
byte-code verification is a language-based mechanism for enforcing integrity properties.
For information flow security, one identifies how information flows through a program
based on the program’s implementation (given, e.g., as source code, byte code, or assembly
code) and, thereby, to detect possible information leakage.
A program may leak secret information in many ways, which are also referred to as
different channels. The simplest way to leak information is by direct leaks (also referred to
as explicit leaks or leakage via direct channels) where information is leaked, for instance, by
copying a secret value directly to an output channel. Such leakage is quite easy to detect
(for instance, at runtime using dynamic taint propagation [SAB10]). Slightly more subtle
are indirect leaks (implicit leaks, leakage via indirect channels). Such leakage occurs when
the program decides which action to execute based on secret information, as, for instance,
in the simple program ”if (secret > 0) then output(1) else output(0)”. Multi-threaded
programs may leak secret information in even more subtle ways, which we illustrate
separately in Section 1.2. What constitutes a leak depends on the observational power of
the attacker. Usually, one assumes that the attacker knows the program implementation
and can at least see public inputs and public outputs of a program. One might also
consider more powerful attackers that can observe, for instance, program execution time,
memory consumption, program termination, the number of concurrent threads, power
consumption, etc. For example, the program ”if (secret > 0) then {wait(5 sec); output(0)}
else output(0)” is insecure if an attacker can measure execution time (the corresponding
channel is referred to as a timing channel).
Semantic characterizations of secure information flow that capture all possible leaks
for a given attacker model are usually specified with “noninterference-like” properties. A
“noninterference-like” property follows the idea of noninterference, but does not coincide
with the original noninterference definition by Goguen and Meseguer that is defined on
the level of system specifications rather than on the level of programs. Stated informally,
4 Chapter 1. Introduction
noninterference-like properties are usually as follows:
“A program has secure information flow if any two program executions with
equal public inputs result in the same observations for an attacker (even if the
secret inputs to the program differ for the two executions).“
There are many variants of such characterizations, for instance, to capture different
attackers (e.g., [Aga00, GM05, AHSS08]), or to enable controlled declassification of
secrets (e.g., [MS04, MSZ04, MR07, AS07]).
A semantic characterization of secure information flow sets a standard against which
one can check the information flow security of a program. Checking a program against
such a characterization by hand is time-consuming and error-prone. Hence, it is desirable
to automate the check with a reliable analysis. While noninterference-like information
flow properties are usually undecidable, it has turned out that they can be approximated
quite well using program analysis techniques like, e.g., type systems (e.g., [VSI96, SS00]),
program logics (e.g., [AR80, AB04]), or program dependence graphs (e.g., [HUM92,
HS09]). The probably most popular approach have been security type systems, starting
with Volpano, Smith, and Irvine [VSI96], who were the first to present a semantic
noninterference-like security property together with a corresponding analysis technique
linked by a soundness result.
Considering sequential languages, security type systems were implemented for rather
complex languages, for instance, in the Jif system [Mye99, MNZZ01] (for a Java-like
imperative language) or in the Flow Caml system [PS02, Sim03] (for a functional language).
Moreover, analyses based on program dependence graphs were implemented for a subset
of Java in the Joana system [GH08]. For multi-threaded languages the situation is
less satisfactory. We discuss the particular challenges of information flow control for
multi-threaded programs in the following section.
1.2 Information Flow in Multi-threaded Programs
The conceptual complexity of concurrent programs makes it particularly desirable to
obtain reliable security guarantees. However, securing the information flow in programs
with multiple threads has proven non-trivial. One challenge is that, in addition to the
various possibilities to leak information in a sequential program, subtle information leaks
may be caused by the interplay between the interleaved executions of multiple threads.
Example 1.1. Consider a program with two threads that are implemented as follows,
where x and y are Boolean variables and skip denotes a program statement that performs
one execution step, but has no effect on the values of any variables.
if (x = true) then
skip; skip else
skip fi;
y :=true
skip;
skip;
y :=false
Assume that all variables are shared between the threads. Moreover, assume that the
program is executed under a scheduler that selects the threads alternately starting with
the left thread, switching to the other thread after each execution step (assignments and
the evaluation of control conditions each take, like skip-statements, one execution step).
If initially x = true then the left thread assigns true to y in its fourth execution step,
after the right thread assigns false to y in its third execution step. Hence, the final value
of y is true. However, if initially x = false then the left thread assigns true to y in its
1.2. Information Flow in Multi-threaded Programs 5
third execution step, prior to the assignment of false to y in the right thread. Hence, the
final value of y is false. In consequence, the program copies the value of x into y . ♦
Intuitively, there is information flow from variable x to variable y in Example 1.1, because
information stored in x influences the number of execution steps in the left thread, which,
in turn, influences the order in which the assignments to y are executed. Such information
leaks are usually called internal timing leaks, indicating that the execution time of threads
plays a role in the information flow.
Example 1.1 illustrates two further challenges, concerning the treatment of schedulers
and the compositionality of information flow properties.
Scheduling. The program in Example 1.1 does not leak information about the value of
variable x into variable y if the scheduler is a Round-Robin scheduler that reschedules after
every 50 execution steps. Under such a scheduler, the first thread completes execution
before the second thread begins execution, and, hence, the final value of y will be true
independently of the information stored in x . This illustrates that the information flow
security of multi-threaded programs depends on the scheduler. It turns out that, unlike
for many other properties of programs, for information flow security it does not suffice
to simply consider nondeterministic scheduling, i.e., to assume for the analysis that all
conceivable program executions under any scheduler are possible. The underlying reason is
that the scheduler dependence of information flow security is an instance of the refinement
paradox [Jac89] that states that refinements of a system specification (like, e.g., removing
impossible schedules) in general does not preserve information flow security.
One solution to the problem of scheduler dependence is to provide different information
flow analyses for different schedulers. However, if the scheduler is not known at analysis
time this means that one must perform multiple, potentially numerous, information flow
analyses. This problem led to the development of scheduler-independent information flow
properties that are adequate for a whole class of schedulers (e.g., [SS00, ZM03]). However,
this led to rather restrictive properties and, in consequence, to restrictive information
flow analyses, forbidding, for instance, that the values of control conditions depend on
secret information, or forbidding nondeterministic public program output.
Compositionality. Neither of the threads in Example 1.1, each considered as a program
with a single thread, leaks information about the value of variable x into variable y . I.e.,
since both threads together copy the value of x to y under some schedulers, information
flow security is not necessarily compositional with respect to the parallel composition of
threads. Such compositionality is, however, desirable, because it permits to reduce the
complexity of an information flow analysis. Moreover, compositionality results can be
exploited in the development of automated information flow analyses.
The advantages of compositionality motivated the development of compositional
information flow properties (e.g., [SS00, BC02, ZM03, BPR07]). However, existing
approaches have two shortcomings: In some developments, the compositionality results
are restrictive. For instance, [ZM03] requires that the composition of threads does not
result in nondeterministic output. In other developments, the information flow properties
are restrictive. For instance, the properties in [SS00, BC02, BPR07] are too restrictive
for flow-sensitive analyses, a type of analyses that has resulted in improved precision for
the information flow analysis of sequential programs, (e.g., [HS06, HS09]).
6 Chapter 1. Introduction
universe of all programs
universe of programs with
secure information flow
state-of-the-art information flow
property (comp. & sched.-ind.)
desired novel information flow property
(comp. & sched.-ind.)
state-of-the-art infor-
mation flow analysis
desired novel information flow analysis
Figure 1.1: Two-step approach to improve information flow analysis
1.3 Improving Information Flow Control for Multi-threaded
Programs
Due to the additional challenges for information flow analysis in multi-threaded programs
discussed in the previous section, today’s information flow analyses for multi-threaded
programs are not as satisfactory regarding, e.g., precision, as their counterparts for
sequential programs. Moreover, this is not merely a shortcoming of the information flow
analyses, but already of the underlying semantic characterizations of information flow.
To improve the state of the art in information flow analysis for multi-threaded programs
in this thesis, we therefore follow a two-step approach that starts with the semantic
characterization of information flow.
In the first step, we develop novel semantic characterizations of information flow secu-
rity with two characteristics: Firstly, the novel properties classify a class of multi-threaded
programs as secure that is classified as insecure by existing information flow properties
although, intuitively, programs in this class have secure information flow. Secondly, the
novel properties possess the meta-properties of compositionality and scheduler indepen-
dence. Figure 1.1 illustrates this step: The cloud indicates the universe of programs that
have secure information flow (specified, e.g., by an intuitive notion of information flow
security, or by a simple formal notion without the desired meta-properties). The rounded
box with solid border indicates the set of programs classified as secure by state-of-the-
art compositional and scheduler-independent information flow properties, whereas the
rounded box with dashed border indicates this set of programs for the novel properties.
(The figure is optimistic in the sense that the novel properties do not necessarily encompass
the existing properties completely.)
In the second step, we develop novel provably sound information flow analyses that
exploit the improvement in the information flow property from the first step. I.e., the
analysis techniques classify programs as secure that are not classified as secure by state-
of-the-art information flow properties. Soundness is non-negotiable, i.e., we provide a
1.3. Improving Information Flow Control for Multi-threaded Programs 7
soundness result for the novel analysis with respect to the information flow property
developed in the first step. Figure 1.1 illustrates this second step by the rectangles that
represent sets of programs classified as secure by information flow analyses. Note that
the analysis indicated by the larger rectangle is not sound with respect to the property
indicated by the smaller rounded box although the analysis only classifies programs as
secure that have secure information flow. This illustrates the potential of our approach
compared to improving sound analyses based on existing properties.
The remainder of this section sketches how we instantiate these steps in this thesis.
Improving Scheduler-independent Information Flow Analysis. We consider the
challenge of scheduler independence in Chapter 3. While many information flow analyses
assume a particular scheduler (e.g., a uniform scheduler in [VS99], a Round-Robin sched-
uler in [RHNS06], or a possibilistic scheduler in [SV98]), there are two main approaches
to scheduler-independent semantic characterizations of information flow security. The
first approach was introduced by Zdancewic and Myers [ZM03] and adopts the idea of
observational determinism [RWW94, Ros95] to language-based security. Observational
determinism requires that a program’s public output is deterministically determined by
its public input. The second approach, strong security by Sabelfeld and Sands [SS00],
requires that the possible behaviors of a program for identical public inputs are stepwise
indistinguishable to an observer of public program output. Both approaches provide a
semantic basis for an analysis that is independent of the scheduler. However, they are
far from satisfactory. Observational determinism forbids nondeterminism in the public
output, although intuitively secure programs can have nondeterministic public output.
Strong security does not share this deficiency, but implies that a program’s execution
time must not depend on secrets, even if such timing differences do not influence the
program’s public outputs.
We developed a compositional and scheduler-independent semantic characterization
of information flow security, FSI-security, that (a) permits nondeterminism in public
outputs and (b) permits that the execution time of a program depends on secrets (given
that the secrets do not influence the program’s public outputs). Moreover, in contrast to
approaches to scheduler independence by Boudol and Castellani [BC02] and by Russo
and Sabelfeld [RS06a], FSI-security does not require a non-standard interface between
the scheduler and multi-threaded programs. The existence of such a security property
was somewhat surprising in the light of Sabelfeld’s result that strong security is the
weakest compositional property that implies information flow security for a natural class
of schedulers [Sab03]. A key for our development was the identification of a different class
of schedulers, the robust schedulers, that also contains many typical schedulers (including,
e.g., Round-Robin schedulers and probabilistic schedulers like Lottery schedulers).
We exploit FSI-security in the development of a security type system that is provably
sound with respect to FSI-security. The type system successfully exploits the advantages
of FSI-security and does not classify programs as insecure only because they produce
nondeterministic public output or because their execution time depends on secrets.
Flow-sensitive Information Flow Analysis for Multi-threaded programs. In
Chapter 4, we investigate the problem of flow sensitivity for the information flow analysis
of multi-threaded programs. In contrast to flow-insensitive analyses, flow-sensitive analyses
take the order of program statements into account, which has led to more precise informa-
tion flow analyses for sequential programs [AB04, HS06, HS09]. However, as we illustrate
in Chapter 4, for multi-threaded programs there is a conflict between flow sensitivity
and compositionality with respect to the composition of threads. We resolve this conflict
8 Chapter 1. Introduction
by introducing assumption-guarantee style reasoning in the information flow analysis of
multi-threaded programs. To this end, we define a novel semantic characterization of
information flow security, SIFUM-security, that is compatible with assumption-guarantee
style reasoning. SIFUM-security permits the exploitation of assumptions and guarantees
about read and write accesses to shared variables. We show that SIFUM-security is
compositional if all assumptions and guarantees are valid, and we also show that SIFUM-
security is scheduler-independent. Moreover, we use SIFUM-security as the basis for
developing a flow-sensitive information flow analysis in form of a security type system.
The analysis is, to our knowledge, the first flow-sensitive information flow analysis for
multi-threaded programs. We prove soundness of the security type system with respect
to SIFUM-security and illustrate the advantages of the analysis at example programs.
While we consider improvements concerning scheduler independence and composition-
ality separately in Chapters 3 and 4, we base the developments of FSI- and SIFUM-security
on the same approach for defining information flow properties (the “per-approach” [SS99],
which we describe in Section 3.3.1). This enables the integration of FSI- and SIFUM-
security, which we accomplish in Chapter 5. The integration results in the new information
flow property FSIFUM-security and a corresponding security type system that combine
the benefits of FSI- and SIFUM-security and the corresponding security type systems.
Information Flow Analysis with Program Dependence Graphs. While the prob-
ably most popular approach to information flow analysis in the last 15 years has been
the use of security type systems, information flow analyses based on program dependence
graphs (PDGs) have recently received increased attention (e.g., [HS09, WLS09]). One
hope was that PDGs permit more precise analyses, because, for instance, PDGs are
inherently flow sensitive. Considering the information flow analysis of multi-threaded
programs, however, the use of PDGs had not been formally investigated at all until very
recently [GS12]. In particular, no compositional PDG-based analyses for multi-threaded
programs existed so far.
In Chapter 6, we investigate the relation between type-based and PDG-based informa-
tion flow analysis for sequential programs. We exhibit a formal relation between two such
analyses that permits to transfer concepts used in type-based analyses to PDG-based
analyses and vice versa. We illustrate such a transfer in both directions. In particular, we
exploit the relation to develop a provably sound PDG-based information flow analysis for
multi-threaded programs by transferring ideas from the flow-sensitive type-based analysis
from Chapter 4 to PDGs.
1.4 Organization of the Thesis
In Chapter 2, we introduce necessary preliminaries, a formal execution model for multi-
threaded programs, a formal model of schedulers, and a formal security model, as well as
a programming language for multi-threaded programs comprising a formal semantics.
Our contributions are presented in Chapters 3–6.
In Chapter 3, we present the novel scheduler-independent information flow property
FSI-security. We illustrate advantages of FSI-security over other scheduler-independent
information flow properties at examples. Moreover, we introduce the class of robust
schedulers and prove that FSI-security is scheduler-independent with respect to such
schedulers, and show for different schedulers that they belong to this class. Finally, we
present a security type system that provably enforces FSI-security.
1.4. Organization of the Thesis 9
Chapter 4 is devoted to flow-sensitive information flow analysis for multi-threaded
programs. As a basis for such analyses, we develop an assumption-guarantee style
approach to information flow analysis. We present a novel information flow property that
is compatible with assumption-guarantee style reasoning, SIFUM-security. Moreover, we
exploit assumption-guarantee style reasoning to prove the compositionality of SIFUM-
security. Finally, we present a flow-sensitive security type system for multi-threaded
programs and prove its soundness with respect to SIFUM-security.
We illustrate in Chapter 5 how the developments from Chapters 3 and 4 can be
integrated. In a first step, we integrate FSI-security and SIFUM-security, and prove
scheduler independence and compositionality of the resulting security property. In a
second step, we integrate the security type systems for FSI-security and SIFUM-security,
and prove that the resulting type system enforces the integrated information flow property.
In Chapter 6 we consider information flow analysis for multi-threaded programs
beyond security type systems. To this end, we consider analyses based on program
dependence graphs (PDGs), which have successfully been applied in the analysis of
sequential programs. We construct a bridge between type-based and PDG-based analysis
for sequential programs, and investigate how this bridge can be exploited for transferring
ideas from type-based to PDG-based analysis and vice versa. This results, in particular,
in a PDG-based information flow analysis for multi-threaded programs. Moreover, we
exploit the bridge for a precise comparison of the precision of PDG-based and type-based
information flow analysis for sequential programs.
We conclude the thesis in Chapter 7, which contains a summary of the thesis and an
outlook to directions for future investigations in the area of information flow security for
multi-threaded programs.

C
H
A
P
T
E
R
2
Execution Model and Security Model
In this chapter, we introduce the formal execution model for multi-threaded programs
on which we base our developments in the subsequent chapters. The execution model
abstracts from the concrete programming language in which multi-threaded programs
are written. For investigating concrete example programs, we instantiate the model
with multi-threaded programs specified in a simple imperative programming language.
Moreover, the execution model makes the scheduling of threads explicit. The concrete
scheduler is a parameter of the model, and we illustrate that the model is expressive
enough to deal with typical schedulers by instantiating the model with example schedulers.
Moreover, we introduce a formal security property that characterizes information
flow security of programs in the execution model. The security property is defined
in the spirit of Noninterference [GM82], expressing information flow security by the
absence of dependencies of public program outputs on secret program inputs. The formal
security property is conceptually rather simple, which simplifies arguing for the property’s
adequacy. The purpose of this simple information flow security property is to serve as
reference point for conceptually more complex compositional and scheduler-independent
information flow security properties presented in subsequent chapters.
Overview. Section 2.1 introduces basic mathematical concepts and a notion of probability
spaces. Section 2.2 introduces the execution model for multi-threaded programs, which is
instantiated with an example programming language in Section 2.3. Section 2.4 introduces
the scheduler model and Section 2.5 introduces the security model.
2.1 Mathematical Preliminaries
2.1.1 Basic Concepts and Notation
In this section, we introduce the basic mathematical concepts and corresponding notation
used in this thesis.
11
12 Chapter 2. Execution Model and Security Model
Sets
Given a set X, we denote the powerset of X with P(X). Moreover, we denote the
cardinality of X with
∣∣X∣∣.
We denote the set of natural numbers with N. We consider natural numbers starting
with 1, i.e., N = {1, 2, . . .}. Furthermore, we denote the set of integers with Z and the set
of real numbers with R. For a, b ∈ R we denote the interval {x ∈ R | a < x ≤ b} with
]a, b] and the interval {x ∈ R | a ≤ x ≤ b} with [a, b].
Functions
The notation f : X ⇀ Y indicates that f is a partial function that maps each element x
in a subset X ′ ⊆ X to an element f(x) ∈ Y . The set X ′ is the domain of f , which we
denote with dom(f). The set {y | ∃x ∈ dom(f) : f(x ) = y} is the image of f , and we
denote it with img(f).
The notation f : X → Y indicates that f is a total function, that is, a partial function
with domain X. We call total functions simply functions and denote the set of all functions
f : X → Y with X → Y .
For f : X ⇀ Y and a set X ′ ⊆ dom(f) the partial function f |X′ : X ⇀ Y is the
unique partial function with dom(f |X′) = X ′ and f |X′ (x) = f(x) for all x ∈ X ′.
Given partial functions f : X ⇀ Y and g : X ⇀ Y with dom(g) ⊆ dom(f) we define
f [x 7→ g(x) | x ∈ dom(g)] : X ⇀ Y to be the partial function with domain dom(f) and
f [x 7→ g(x) | x ∈ dom(g)](z ) =
{
f(z ) if z 6∈ dom(g),
g(z ) if z ∈ dom(g).
We write f [x 7→ y] for f [x 7→ g(x) | x ∈ dom(g)] if dom(g) = {x} and g(x ) = y .
Lists
Given a set X, we denote the set of finite lists over X with X∗. We denote the empty list
with 〈〉 and the list of the elements x1, x2, . . . , xk ∈ X where k ∈ N with 〈x1, x2, . . . , xk〉.
We denote the set X∗ \ {〈〉} of non-empty finite lists with X+. We refer to elements
of a finite list by their position in the list, and denote the ith element of list l with l[i]
(i.e.,〈x1, x2, . . . , xk〉[i] = xi for all i ∈ {1, . . . , k}). The length of a finite list l, denoted
with ](l), is defined by ](〈〉) = 0 and ](〈x1, x2, . . . , xk〉) = k. We denote the concatenation
of two finite lists l1 and l2 with l1 :: l2. The projection of a finite list l to a set Y ,
denoted with l|Y , is defined recursively by 〈〉|Y = 〈〉, (〈x〉 :: l)|Y = 〈x〉 :: l|Y if x ∈ Y , and
(〈x〉 :: l)|Y = l|Y if x 6∈ Y .
We denote the set of infinite lists over a set X with Xω, and denote the infinite list of
the elements x1, x2, . . . with 〈xi〉i∈N. For i ∈ N we denote the ith element of an infinite
list l ∈ Xω with l[i].
Orders and Lattices
Let X be a set and v ⊆ X × X a binary relation on X. The relation v is a partial
order on X if it is reflexive (i.e., ∀x ∈ X : x v x), antisymmetric (i.e., ∀x, y ∈ X :
(xv y ∧ yvx)⇒ x = y), and transitive (i.e., ∀x, y, z ∈ X : (x v y ∧ y v z)⇒ x v z).
The pair (X,v) is a partially ordered set if the relation v is a partial order on X.
Let (X,v) be a partially ordered set. A least upper bound of x ∈ X and y ∈ X is an
element z ∈ X such that x v z, y v z, and z v w for all w ∈ X with x v w and y v w.
2.1. Mathematical Preliminaries 13
A greatest lower bound of x ∈ X and y ∈ X is an element z ∈ X such that z v x, z v y,
and w v z for all w ∈ X with w v x and w v y.
A partially ordered set (X,v) is a lattice if a least upper bound and a greatest lower
bound exist for all x ∈ X and y ∈ X. Given a lattice (X,v), the least upper bound and
the greatest lower bound for x ∈ X and y ∈ X are unique. We denote the unique least
upper bound and the unique greatest lower bound of x ∈ X and y ∈ X with x unionsq y and
x u y, respectively.
2.1.2 Probability Spaces
We use a standard definition of probability spaces as introduced in, e.g., [Dur10]
and [MS05].
Definition 2.1. Let Ω be a set. A set F ⊆ P(Ω) is a σ-algebra over Ω if Ω ∈ F , Ω\X ∈ F
for each X ∈ F , and ⋃i∈I Xi ∈ F for each countable family of sets (Xi)i∈I in F . ♦
Definition 2.2. A probability measure on a σ-algebra F over Ω is a function ρ : F → [0, 1]
with ρ(Ω) = 1 and ρ(
⋃
i∈I Xi) =
∑
i∈I ρ(Xi) for each countable family of pairwise disjoint
sets (Xi)i∈I in F . ♦
Definition 2.3. A probability space is a triple (Ω,F , ρ), where Ω is a set, F ⊆ P(Ω) is a
σ-algebra over Ω, and ρ : F → [0, 1] is a probability measure. The set Ω is called the set
of outcomes and the set F is called the set of events of the probability space. ♦
Lemma 2.1. Let Ω be a set and E ⊆ P(Ω) be a set of pairwise disjoint subsets of Ω with⋃
E∈E E = Ω. Then the set FE = {
⋃
E∈E′ E | E ′ ⊆ E ∧ E ′ is countable} is the smallest
σ-algebra over Ω that contains E .
Let ζ : E → [0, 1] be a function such that ∑E∈E ζ(E) = 1. Then ρζ : FE → [0, 1]
defined by ρζ(
⋃
E∈E′ E) =
∑
E∈E′ ζ(E) for any countable E ′ ⊆ E is the unique probability
measure on FE that agrees with ζ on E .
Assume that Ω is countable and that E = {{e} | e ∈ Ω}. Then FE = P(Ω). Let
η : Ω → [0, 1] be a function such that ∑e∈Ω η(e) = 1. Then ρη : P(Ω) → [0, 1] defined
by ρη(E) =
∑
e∈E η(e) for any E ⊆ Ω is the unique probability measure on FE with
η(e) = ρη({e}) for all e ∈ Ω. ♦
Definition 2.4. The σ-algebra FE from Lemma 2.1 is the σ-algebra induced by E . The
probability measures ρζ and ρη from Lemma 2.1 are the probability measures induced
by ζ and η, respectively. ♦
Example 2.1. Consider a program that randomly outputs a sequence of the digits 0 and 1,
either stopping eventually or running indefinitely. In this example, we define a probability
space that models probabilities that the program behaves in certain ways.
We model the possible set of behaviors of the program with the set Ω = A∗∪Aω where
A = {0, 1}. Moreover, we model the event that the program outputs a finite sequence with
an even number of digits and then stops with the set EVEN = {l ∈ A∗ | ](l) is even}, the
event that the program outputs a finite sequence with an odd number of digits and then
stops with the set ODD = {l ∈ A∗ | ](l) is odd}, and the event that the program never
14 Chapter 2. Execution Model and Security Model
stops with the event Aω. Then the set FE = {{},EVEN,ODD, A∗,EVEN ∪ Aω,ODD ∪
Aω, Aω, A∗ ∪Aω} is the σ-algebra over Ω induced by the set E = {EVEN,ODD, Aω}.
Assume that the program runs indefinitely in 90% of all runs, and that the program
outputs an even number of digits in all other runs. We model this with the function
ζ : E → [0, 1] defined by ζ(EVEN) = 0.1, ζ(ODD) = 0, and ζ(Aω) = 0.9. Let ρζ be
the probability measure induced by ζ. Then, for instance, ρζ(A
∗) = 0.9 + 0 = 0.9.
This expresses that the probability that the program stops eventually (i.e., the program
behavior is modeled by an element of the set A∗) is 0.9.
Finally, the triple (Ω,FE , ρζ) is a probability space that models probabilities that the
program behaves as specified by the events in the set FE . ♦
2.2 Execution Model
We consider multi-threaded programs, i.e., programs that may have one or more threads
of execution, and assume that the programs are executed on a single processor and that
the executions of the single threads are interleaved. We call the collection of the threads
of a program during its execution thread pool. The size of a thread pool varies during
program execution as threads are removed upon termination and new threads may be
spawned. In particular, the size of a thread pool has no upper bound. We represent thread
pools by finite lists of threads, i.e., the threads are implicitly numbered consecutively by
their position in the thread pool.
We assume that multi-threaded programs access the memory by reading and writing
program variables, and that all program variables are shared by all threads of a program.
Besides the shared memory, we do not model any further means for communication
between the threads of a program.
In the following, we model executions of multi-threaded programs by successively
modeling snapshots during program execution (Section 2.2.1), single execution steps
(Section 2.2.2), and complete program executions (Section 2.2.3). The treatment of input
and output is modeled in Section 2.2.4.
2.2.1 Snapshots during Program Execution
We model the control states of threads by commands in a set Com that represent the
instructions that remain to be executed by a thread. A distinguished command stop ∈
Com models that no instructions remain to be executed, i.e., stop models the control state
of a terminated thread. We model a thread pool by a list thr ∈ Thr = (Com \ {stop})∗,
where ](thr) is the number of threads and thr [i] models the control state of the ith thread
for all i ∈ {1, . . . , ](thr)}. Moreover, we model the shared memory by memories in the
set Mem = Var → Val , where Var is a finite set of variables and Val is a non-empty set
of values. I.e., a memory assigns a value to each variable. Finally, to make scheduling
explicit, we model the state of the scheduler with scheduler states in a set sSt . The
sets Com, Var , Val , and sSt are parameters of the execution model, and we leave them
unspecified for now. We instantiate Com and sSt for a concrete programming language
and for concrete schedulers in Sections 2.3 and 2.4, respectively.
Based on the introduced sets we model three types of snapshots during program execu-
tion. We model snapshots of a single thread during its execution by thread configurations
〈c,mem〉 ∈ Com ×Mem
where c is the current control state of the thread and mem is the current memory.
2.2. Execution Model 15
Multi-threaded configurations are pairs
〈thr ,mem〉 ∈ Thr ×Mem
that model snapshots during the execution of multiple threads, where thr is the current
thread pool and mem is the current shared memory. From the multi-threaded configuration
we can derive the corresponding thread configurations for each thread, 〈thr [i],mem〉.
We model snapshots during the execution of a multi-threaded program under a
scheduler with system configurations. System configurations are triples
〈thr ,mem, sst〉 ∈ Thr ×Mem × sSt
where sst is the current state of the scheduler and the multi-threaded configuration
〈thr ,mem〉 is a snapshot of the execution of the multi-threaded program.
In the following, we denote commands with c, memories with mem, thread pools
with thr , scheduler states with sst , thread configurations with tc, multi-threaded con-
figurations with mc, and system configurations with sc, all possibly with primes and
subscripts. Moreover, we denote the set of thread configurations with ThreadConf , the set
of multi-threaded configurations with MultiConf , and the set of system configurations with
SysConf . Finally, we introduce selector functions getThr , getMem, and getSst to retrieve
the elements of a system configuration, i.e., sc = 〈getThr(sc), getMem(sc), getSst(sc)〉.
2.2.2 Execution Steps
We model single execution steps of a multi-threaded program under a scheduler denoted
with S with judgments of the form
sc
k,p
=⇒S sc′,
where sc, sc′ ∈ SysConf , k ∈ {1, . . . , ](getThr(sc))}, and p ∈ ]0, 1]. The interpretation of
this judgment is that a single execution step under scheduler S may lead from the system
configuration sc to the system configuration sc′, where k is the index of the thread that
was selected by the scheduler in this execution step, and p is the non-zero probability
that this thread was selected by the scheduler.
The rule for deriving judgments of the form sc
k,p
=⇒S sc′ is based on two further
judgments that model single execution steps of single threads and the computations of
the scheduler, respectively. The judgment
〈c,mem〉 α−_ 〈c′,mem ′〉
models that an execution step of a thread with control state c in memory mem results
in control state c′ and memory mem ′. The label α ∈ Lab is an element of the set
Lab = {new(thr) | thr ∈ Thr} that represents the creation of new threads during the
execution step, where new(thr) models that the initial control states of the new threads
are represented by the commands in the list thr . We omit the label new(thr) in the
judgment if thr = 〈〉 is the empty list. We require that the derivation rules for judgments
of the form 〈c,mem〉 α−_ 〈c′,mem ′〉 ensure (a) that the distinguished command stop
models the control state of a terminated thread, and (b) that the execution steps of single
threads are deterministic. This is formalized by the following two requirements:
Requirement 2.1. The judgment 〈stop,mem〉 α−_ 〈c′,mem ′〉 is not derivable for any
c′ ∈ Com, mem,mem ′ ∈ Mem, and α ∈ Lab. ♦
16 Chapter 2. Execution Model and Security Model
Requirement 2.2. If 〈c,mem〉 α−_ 〈c′,mem ′〉 and 〈c,mem〉 α′−_ 〈c′′,mem ′′〉 are derivable
then α = α′, c′ = c′′, and mem ′ = mem ′′. ♦
We introduce derivation rules for the judgments that satisfy the above requirements
together with a concrete programming language in Section 2.3.
The judgment
(sst , sin)
k,p S sst ′
models that the scheduler S selects the thread at the kth position in a thread pool to
proceed its computation in the next execution step of a program, where the probability of
this selection is p > 0. The scheduler’s decision may depend on the scheduler state sst and
additional input to the scheduler represented by an element sin from a set of scheduler
inputs sIn. The scheduler state after the decision is sst ′. We define derivability of the
judgments when introducing our scheduler model in Section 2.4. We require that the
probability of the selection and the resulting scheduler state are determined by the selected
thread position, which is formalized as follows:
Requirement 2.3. If (sst , sin)
k,p1 S sst ′1 and (sst , sin)
k,p2 S sst ′2 are derivable then p1 =
p2 and sst
′
1 = sst
′
2. ♦
We model the interface of multi-threaded programs to the scheduler with an observation
function obs : Thr ×Mem → sIn. This function determines the scheduler input based on
information about the thread pool and the memory. Based on the observation function, the
judgments modeling execution steps of single threads, and the decisions of the scheduler
we model the stepwise execution of multi-threaded programs with the following rule:
(sst , sin)
k,p S sst ′ 〈thr [k],mem〉 new(thr
′′)−−−−−−−_ 〈c′,mem ′〉
sin = obs(thr ,mem) thr ′ = updatek(thr , c
′, thr ′′)
〈thr ,mem, sst〉 k,p=⇒S 〈thr ′,mem ′, sst ′〉
(2.1)
The function updatek in the fourth premise updates the thread pool thr after the execution
step. To make things concrete, we assume in the remainder of this thesis that terminated
threads are removed from the thread pool and that new threads are inserted in the thread
pool directly behind the thread that created the new threads.
Definition 2.5. For k ∈ {1, . . . , ](thr)} we define
updatek(thr , c, thr
′) =
{
replacek(thr , thr
′) if c = stop, and
replacek(thr , 〈c〉 :: thr ′) otherwise,
where the partial function replacek : A
∗×A∗ ⇀ A∗ is defined by replacek(〈a1, . . . , an〉, l) =
〈a1, . . . , ak−1〉 :: l ::〈ak+1, . . . , an〉 for a1, . . . , an ∈ A with 0 < k ≤ n and l ∈ A∗. ♦
In the remainder of this thesis, we use each judgment introduced in this section also
like a predicate that is true if and only if the judgment is derivable. This permits us to
write, for instance, “If 〈c,mem〉 α−_ 〈c′,mem ′〉 then . . . ” instead of the longer version “If
〈c,mem〉 α−_ 〈c′,mem ′〉 is derivable then . . . ”.
2.2. Execution Model 17
2.2.3 Program Executions
We use traces to model runs of multi-threaded programs.
Definition 2.6. A system configuration 〈thr ,mem, sst〉 is final if ](thr) = 0. ♦
Definition 2.7. A terminating trace is a pair tr = (str , dtr) consisting of a terminating
system trace str ∈ SysConf + and a terminating decision trace dtr ∈ N∗ such that ](str) =
](dtr) + 1, str [](str)] is final, and str [i] is not final and dtr [i] ∈ {1, . . . , ](getThr(str [i]))}
for all i ∈ {1, . . . , ](str)− 1}.
We define the length of a terminating trace tr = (str , dtr) as ](str) and denote it
with ](tr). Moreover, we denote the set of terminating traces with T⇓. ♦
Definition 2.8. A nonterminating trace is a pair tr = (str , dtr) consisting of a nontermi-
nating system trace str ∈ SysConf ω and a nonterminating decision trace dtr ∈ Nω such
that str [i] is not final and dtr [i] ∈ {1, . . . , ](getThr(str [i]))} for all i ∈ N.
We denote the set of nonterminating traces with T 6⇓. ♦
Definition 2.9. A trace is a terminating trace or a nonterminating trace. We denote the
set of traces T⇓ ∪ T 6⇓ with T . ♦
A trace tr = (str , dtr) models a run of a multi-threaded program. The system trace
str models the run of the program where str [1] is a snapshot of the program before starting
execution and str [k + 1] is a snapshot of the program after k execution steps. Moreover,
the decision trace dtr models the scheduling decisions during the run, where dtr [k] is the
thread index selected by the scheduler in the kth execution step of the program.
Definition 2.10. Given a set of traces Tr ⊆ T , the subset of terminating traces is defined
as Tr⇓ = Tr ∩ T⇓ and the subset of nonterminating traces is defined as Tr 6⇓ = Tr ∩ T6⇓.
Moreover, the subset of traces terminating in memory mem is defined as
Tr⇓mem = {(str , dtr) ∈ Tr⇓ | getMem(str(](str))) = mem}. ♦
We model the possible executions under scheduler S that start in a given system
configuration with a subset of the set of all traces.
Definition 2.11. Given a scheduler S, the set TS(sc) of possible traces starting in a system
configuration sc is defined by (str , dtr) ∈ TS(sc) if and only if str [1] = sc and one of the
following conditions is satisfied:
− (str , dtr) ∈ T⇓ and for all k ∈ {1, . . . , ](str) − 1} there exists p ∈ ]0, 1] such that
str [k]
dtr [k],p
====⇒S str [k + 1], or
− (str , dtr) ∈ T 6⇓ and for all k ∈ N there exists p ∈ ]0, 1] such that str [k] dtr [k],p====⇒S
str [k + 1]. ♦
We associate a probability with each terminating trace as follows:
Definition 2.12. Let tr = (str , dtr) ∈ T⇓. The probability ρ(tr) is defined by
ρ(tr) =
](dtr)∏
i=1
pi,dtr(i)
where pi,k is the probability p for which str [i]
k,p
=⇒S str [i+ 1] is derivable, and where the
product is defined to be 1 if ](dtr) = 0. ♦
18 Chapter 2. Execution Model and Security Model
The number ρ(tr) for tr = (str , dtr) models the probability that the run of a multi-
threaded program results in the sequence of snapshots modeled by str , and the scheduler
decisions that lead to this sequence of snapshots is modeled by dtr . Note that this
probability is not necessarily equal to the probability that the run of the multi-threaded
program results in the sequence of snapshots modeled by str , because different scheduler
decisions might lead to the same sequence of snapshots. The probability that a program
run results in the sequence of snapshots modeled by str under any sequence of scheduler
decisions is the sum
∑
{tr∈T⇓|∃dtr∈N∗:tr=(str ,dtr)} ρ(tr). We do not define probabilities
on system traces, because the definition on traces is slightly simpler and nevertheless
sufficient for defining the security model in Section 2.5.
We describe in which sense the probabilities defined in Definition 2.12 give rise to a
probability space for each system configuration after defining schedulers in Section 2.4
(cf. Definition 2.15).
2.2.4 Program Input and Program Output
We assume that programs obtain one or more inputs before beginning the execution and
output one or more results after the execution terminates. We model the inputs by the
initial values of variables in a set Varin ⊆ Var , and the outputs by the final values of
variables in a set Varout ⊆ Var , where Varin ∩ Varout = {}. We do not specify which
initial values the variables in the set Var \Varin have. These values could, for instance,
be default values, or be determined nondeterministically.
Remark 2.1 (Input and Output during Program Execution). While we do not model out-
puts during the program execution directly, such intermediate outputs can be en-
coded in our model with a variable out ∈ Varout to which information is only ap-
pended during program execution. I.e., whenever 〈c,mem〉 α−_ 〈c′,mem ′〉 then either
mem ′(out) = mem(out), or mem ′(out) = mem(out )ˆ v for some v ∈ Val (where ˆ denotes
concatenation of values). Moreover, intermediate inputs to a program can be encoded in
the model with a variable in ∈ Varin that stores a sequence of values, and an operation
that reads an input by consuming the first value of this sequence. This captures scenarios
where input is non-interactive, i.e., input provided during program execution does not
depend on earlier program inputs. The treatment of interactive program input in the
context of information flow security is investigated by Clark and Hunt in [CH08]. ♦
2.3 A Multi-threaded Programming Language
To investigate concrete example programs we instantiate the execution model with a
simple multi-threaded programming language. Besides supporting standard programming
constructs (assignments, conditionals, and loops), the programming language features an
operation for dynamic thread creation.
2.3.1 Syntax
We define the syntax of the programming language with the following grammar:
e ::= v
∣∣ x ∣∣ op(e, . . . , e)
c ::= skip
∣∣ x :=e ∣∣ c; c ∣∣ if e then c else c fi ∣∣
while e do c od
∣∣ spawn(c, . . . , c)
2.3. A Multi-threaded Programming Language 19
where v ∈ Val and x ∈ Var . An expression e is constructed from values, variables, and
operators. We do not specify the set of values and the set of operators, and use typical
values like numbers 1, 2, . . . and the Boolean values true and false and operators like +,
−, =, and < using the standard infix notation in examples. We denote the set of all
expressions specified by the grammar with Exp.
The language specified by the grammar for c permits to specify the instructions that are
executed by a single thread, where skip is an instruction that does not modify the memory,
x :=e is an assignment of the value of expression e to variable x , if e then c else c fi permits
conditional execution, while e do c od is for programming loops, and spawn(c, . . . , c)
permits to spawn new threads.
Remark 2.2. The programming language does not feature specific synchronization primi-
tives. Nevertheless, synchronization can be used by programs written in the language
because synchronization primitives can be implemented without leaving the language
fragment. For instance, mutexes can be implemented using Peterson’s algorithm for
mutual exclusion [Pet81]. ♦
2.3.2 Semantics
We assume that expression evaluation is total, atomic, and unambiguous, and model
expression evaluation with a function eval : Exp ×Mem → Val such that eval(e,mem)
is the value of expression e in the memory mem. We denote with vars(e) the set of
variables on which the value of e depends. I.e.,
[∀x ∈ vars(e) : mem1(x ) = mem2(x )]⇒ eval(e,mem1) = eval(e,mem2)
holds for all e ∈ Exp and all mem1,mem2 ∈ Mem.
For the semantics of the programming language, we instantiate the set Com of
commands with the set of all terms that are defined by the above grammar for c which we
extend with c = stop to represent a terminated thread. The intuition is that a command
c 6= stop models the control state of a thread by a specification of the instructions that
remain to be executed by the thread. We define an operational semantics by a set of
derivation rules for the judgments of the form 〈c,mem〉 α−_ 〈c′,mem ′〉 (from Section 2.2.2).
The derivation rules are displayed in Figure 2.1. The first four rules define a standard
semantics for skip-statements, assignments, conditionals, and while loops, and the fifth
rule models the semantics for dynamic thread creation. For the semantics of sequential
composition we use evaluation contexts like, e.g., used by Abadi and Plotkin in [AP09].
Evaluation contexts are defined by the grammar
E ::= • | E ; c
where c ∈ Com \ {stop} is a command. The command E [c] is defined as c if E = • and
as E ′[c]; c′ if E = E ′; c′. I.e., E [c] is obtained from the evaluation context E by “filling the
hole • with c”. Intuitively, c specifies the instructions that shall next be executed when
executing E [c]. This is formalized by the last two derivation rules in Figure 2.1.
Example 2.2. Consider the command c = skip; x :=0 and the evaluation context E = •; x :=0.
Then c = E [skip].
From the first rule in Figure 2.1 we derive 〈skip,mem〉 −_ 〈stop,mem〉, and, hence,
with the last rule in Figure 2.1 that 〈c,mem〉 −_ 〈E [stop],mem〉 = 〈stop; x :=0,mem〉.
Moreover, we derive with the last but one rule in Figure 2.1 that 〈stop; x :=0,mem〉 −_
〈x :=0,mem〉. ♦
20 Chapter 2. Execution Model and Security Model
〈skip,mem〉 −_ 〈stop,mem〉 eval(e,mem) = v〈x :=e,mem〉 −_ 〈stop,mem[x := v ]〉
eval(e,mem) = true
〈if e then c1 else c2 fi,mem〉 −_ 〈c1,mem〉
eval(e,mem) = false
〈if e then c1 else c2 fi,mem〉 −_ 〈c2,mem〉
〈while e do c od,mem〉 −_ 〈if e then c; while e do c od else stop fi,mem〉
〈spawn(thr),mem〉 new(thr)−−−−−−_ 〈stop,mem〉
〈stop; c,mem〉 −_ 〈c,mem〉 〈c,mem〉
α−_ 〈c′,mem ′〉
〈E [c],mem〉 α−_ 〈E [c′],mem ′〉
Figure 2.1: Operational semantics of the programming language
2.4 Scheduling
During the execution of a multi-threaded program the scheduler repeatedly decides which
thread shall next proceed with the computation. Scheduling algorithms differ not only
in how they make this decision, but also in the information on which they base their
decision. For instance, a uniform scheduler needs to know the current number of threads
to randomly choose among the available threads with equal probability. A Round-Robin
scheduler iterates over the list of available threads in a cyclic fashion. Beyond knowing the
number of threads this requires that the scheduler remembers its scheduling decision from
the previous step. A scheduler might even need to know part of the program’s memory,
for instance, in priority-based scheduling if priorities are first-class values that may be
read and modified by the program itself. To cover these and various other possibilities,
we assume that schedulers base their decision on their current internal state and on
information about the current thread pool and program memory that is provided by the
system to the scheduler.
We model the information that schedulers obtain about the thread pool and the
memory by the elements of a set sIn of scheduler inputs. We leave this set unspecified,
and only assume that it is at least possible to retrieve the current number of threads from
an input sin ∈ sIn. We denote this number with ](sin).
We model the behavior of a scheduler with a labeled transition relation on a set sSt of
scheduler states, where the set of labels is sIn × N×]0, 1]. The label (sin, k, p) indicates
that sin is the input to the scheduler, k is the position of the thread selected by the
scheduler, and p is the positive probability of this selection.
Definition 2.13. A scheduler is a tuple (sSt , sst0,→) consisting of a set of states sSt , an
initial state sst0 ∈ sSt , and a transition relation → ⊆ sSt × (sIn × N×]0, 1]) × sSt for
2.4. Scheduling 21
which the following condition is satisfied:
− There exist families of functions (ρsst,sin :N→ [0, 1])(sst,sin)∈sSt×sIn and (nextsst,sin :
N→ sSt)(sst,sin)∈sSt×sIn such that
∗ if ](sin) > 0 then 1 = ∑](sin)k=1 ρsst,sin(k) and ρsst,sin(k) = 0 for all k > ](sin),
and
∗ (sst , (sin, k, p), sst ′) ∈ → if and only if nextsst,sin(k) = sst ′, ρsst,sin(k) = p, and
p > 0. ♦
The properties of the functions ρsst,sin ensure that each of these functions induces
a probability measure on the σ-algebra P(N) over N (cf. Definition 2.4). The value
ρsst,sin(k) models the probability that the scheduler, in state sst and given scheduler
input sin, selects the kth thread. Moreover, the property on the transition relation
ensures that the scheduler selects among the available threads. From the definition
of schedulers it follows that the families of functions (nextsst,sin)(sst,sin)∈sSt×sIn and
(ρsst,sin)(sst,sin)∈sSt×sIn are uniquely determined by the transition relation →. In the
following, we denote the functions nextsst,sin and ρsst,sin for scheduler S with nextSsst,sin
and ρSsst,sin , respectively. Moreover, we define
ρS〈thr ,mem,sst〉 = ρ
S
sst,obs(thr ,mem),
i.e., ρSsc(k) models the probability that scheduler S selects the thread at position k in the
system configuration sc.
This scheduler model is sufficiently expressive for common deterministic schedulers
such as Round-Robin schedulers, and may also be used to model probabilistic schedulers
like, e.g., the uniform scheduler or lottery schedulers.
Example 2.3. A Round-Robin scheduler can be modeled by the tuple
RR = (sStRR, sstRR,0,→RR),
where sStRR is the set of functions {choice, size} → N, and sstRR,0 is the function with
sstRR,0(choice) = 1 and sstRR,0(size) = 1. The scheduler variables choice and size store
from the previous step which thread position was selected and what size the thread pool
had. The transition relation is defined by (sst , (sin, k, p), sst ′) ∈ →RR if and only if
k =
[
(sst(choice) + (](sin)− sst(size))) mod ](sin)]+ 1,
sst ′(choice) = k, sst ′(size) = ](sin), and p = 1.
The condition on k ensures, firstly, that no thread is skipped if the current thread
terminates (in this case ](sin)− sst(size) equals −1) and, secondly, that newly created
threads obtain their term only after all other threads have been scheduled (in this case
](sin)− sst(size) equals the number of newly created threads). ♦
Theorem 2.1. The scheduler RR from Example 2.3 satisfies the conditions imposed on
schedulers by Definition 2.13. ♦
Proof. Define
ρRRsst,sin(k) =
{
1 if k =
[
(sst(choice) + (](sin)− sst(size))) mod ](sin)]+ 1,
0 otherwise.
22 Chapter 2. Execution Model and Security Model
Then 1 =
∑](sin)
k=1 ρ
RR
sst,sin(k) and ρ
RR
sst,sin(k) = 0 for all k > ](sin). Moreover, define
nextRRsst,sin(k) =
{
sst [choice 7→ k][size 7→ ](sin)] if ρRRsst,sin(k) = 1,
sst otherwise.
From the definitions of ρRRsst,sin , next
RR
sst,sin , and→RR it follows that (sst , (sin, k, p), sst ′) ∈
→RR if and only if nextRRsst,sin(k) = sst ′ and ρRRsst,sin(k) = p = 1. Hence, RR satisfies the
conditions imposed by Definition 2.13.
Example 2.4. A uniform scheduler can be modeled by the tuple
Uni = ({s}, s,→Uni},
where (s, (sin, k, p), s) ∈ →Uni if and only if 1 ≤ k ≤ ](sin) and p = 1/](sin). ♦
Theorem 2.2. The scheduler Uni from Example 2.4 satisfies the conditions imposed on
schedulers by Definition 2.13. ♦
Proof. Define
ρUnisst,sin(k) =
{
1/](sin) if 1 ≤ k ≤ ](sin),
0 otherwise.
Then 1 =
∑](sin)
k=1 ρ
Uni
sst,sin(k) and ρ
Uni
sst,sin(k) = 0 for all k > ](sin). Moreover, define
nextUnisst,sin(k) = sst . From the definitions of ρ
Uni
sst,sin , next
Uni
sst,sin , and →Uni it follows that
(sst , (sin, k, p), sst ′) ∈ →Uni if and only if nextUnisst,sin(k) = sst ′ and ρUnisst,sin(k) = p =
1/](sin). Hence, Uni satisfies the conditions imposed by Definition 2.13.
Example 2.5. Lottery schedulers [WW94] assign a positive number of lottery tickets to
each thread. Thread selection is determined by holding a lottery where one ticket is
drawn from the set of all tickets, and the thread to which the ticket is assigned is selected.
By assigning a lower respectively higher number of tickets to a thread the thread’s CPU
share can be decreased respectively increased. This permits to increase the priority of
threads. In particular, if the number of tickets can be changed by the program at runtime
then the program can dynamically adapt the priorities.
To model a lottery scheduler we assume that the number of tickets of the thread at
position i is stored in the shared memory and can be dynamically adapted by a multi-
threaded program, and that this part of the shared memory is provided to the scheduler
as part of the scheduler input. We denote the number of tickets of the thread at position i
encoded in scheduler input sin with ticketsi(sin), and require that ticketsi(sin) > 0 for
all thread positions i.
We model a lottery scheduler by the tuple Lot = ({s}, s,→Lot), where the tran-
sition relation is defined by (s, (sin, k, p), s) ∈ →Lot if and only if k < ](sin) and
p = ticketsk(sin)/
[∑](sin)
i=1 ticketsi(sin)
]
. ♦
Theorem 2.3. The scheduler Lot from Example 2.5 satisfies the conditions imposed on
schedulers by Definition 2.13. ♦
2.4. Scheduling 23
Proof. Define
ρLotsst,sin(k) =
{
ticketsk(sin)/
[∑](sin)
i=1 ticketsi(sin)
]
if 1 ≤ k ≤ ](sin),
0 otherwise.
Then
∑](sin)
k=1 ρ
Lot
sst,sin(k) equals
[∑](sin)
i=1 ticketsi(sin)
]
/
[∑](sin)
i=1 ticketsi(sin)
]
= 1, and
ρLotsst,sin(k) = 0 for all k > ](sin). Moreover, define next
Lot
sst,sin(k) = sst . From the
definitions of ρLotsst,sin , next
Lot
sst,sin , and →Lot it follows that (sst , (sin, k, p), sst ′) ∈ →Lot if
and only if nextLotsst,sin(k) = sst
′ and ρLotsst,sin(k) = p = ticketsk(sin)/
[∑](sin)
i=1 ticketsi(sin)
]
.
Hence, Lot satisfies the conditions imposed by Definition 2.13.
Given a scheduler S we can now define derivability of the judgments of the form
(sst , sin)
k,p S sst ′.
Definition 2.14. Let S = (sSt , sst0,→) be a scheduler. The judgment (sst , sin) k,p S sst ′
is derivable if and only if (sst , (sin, k, p), sst ′) ∈ →. ♦
Definitions 2.13 and 2.14 ensure that if (sst , sin)
k,p S sst ′ is derivable then p and sst ′
are uniquely determined by sst , sin and k, i.e., Requirement 2.3 is satisfied:
Theorem 2.4. Requirement 2.3 is satisfied for every scheduler S. ♦
Proof. Assume that (sst , sin)
k,p1 S sst ′1 and (sst , sin)
k,p2 S sst ′2 are derivable. Then
(sst , (sin, k, p1), sst
′
1) ∈ → and (sst , (sin, k, p2), sst ′2) ∈ → by Definition 2.14. Hence, by
Definition 2.13, sst ′1 = nextsst,sin(k) = sst
′
2 and p1 = ρsst,sin(k) = p
′
2.
Moreover, for each scheduler S and each system configuration sc, the trace probabilities
from Definition 2.12 permit to define a probability space where each outcome is a trace
in the set TS(sc). The formal definition is based on the notions of induced σ-algebras
and induced probability measures from Definition 2.4.
Definition 2.15. Let sc be a system configuration and S be a scheduler. We define the
probability space (Ω(S, sc),F(S, sc), ρ(S, sc)) as follows:
− Ω(S, sc) = TS(sc);
− F(S, sc) is the σ-algebra induced by the set {{tr} | tr ∈ TS(sc)⇓} ∪ {TS(sc)6⇓};
− ρ(S, sc) is the probability measure induced by the function ζ defined by
∗ ζ({tr}) = ρ(tr) for tr ∈ TS(sc)⇓ and
∗ ζ(TS(sc)6⇓) = 1−
∑
tr∈TS(sc)⇓ ζ({tr}). ♦
Intuitively, for tr ∈ TS(sc)⇓ the set {tr} models the event that the program behaves as
indicated by the terminating trace tr , and the probability ρ(S, sc)({tr}) is the probability
that this event occurs. Moreover, the set TS(sc)6⇓ models the event that the program does
not terminate when starting in sc, and the probability ρ(S, sc)(TS(sc) 6⇓) is the probability
that this event occurs. If the system configuration sc is clear from the context we write
ρS for the probability measure ρ(S, sc).
Theorem 2.5. The triple (Ω(S, sc),F(S, sc), ρ(S, sc)) from Definition 2.15 satisfies the
conditions imposed on probability spaces (cf. Definition 2.3) for every system configura-
tion sc and every scheduler S. ♦
24 Chapter 2. Execution Model and Security Model
Proof. The set F(S, sc) is a σ-algebra over the set Ω(S, sc) by definition, namely the
smallest σ-algebra that contains the set {{tr} | tr ∈ TS(sc)⇓} ∪ {TS(sc) 6⇓} ⊆ P(Ω(S, sc)).
The function ρ(S, sc) is defined as the probability measure induced by the function ζ,
and, hence, by Lemma 2.1 the function ρ(S, sc) is a probability measure on F(S, sc) if
the range of ζ is the set [0, 1] and
∑
E∈{{tr}|tr∈TS(sc)⇓}∪{TS(sc)6⇓} ζ(E) = 1. By definition
of ζ, this sum equals (
∑
tr∈TS(sc)⇓ ζ({tr})) + (1−
∑
tr∈TS(sc)⇓ ζ({tr})), which equals 1. It
remains to show that the range of ζ is the set [0, 1]. We first show that 0 ≤ ζ({tr}) ≤ 1 for
all tr ∈ TS(sc). By definition, ζ({tr}) = ρ(tr). By Definition 2.12, ρ(tr) =
∏](dtr)
i=1 pi,dtr(i),
where pi,k is the probability p for which str [i]
k,p
=⇒S str [i+ 1] is derivable, and where the
product is defined to be 1 if ](dtr) = 0. All the pi,k are in the interval [0, 1] by definition
of the judgments of the form sc
k,p
=⇒S sc′. Hence, ρ(tr) ∈ [0, 1]. Now we show that
ζ(TS(sc) 6⇓) = 1 −
∑
tr∈TS(sc)⇓ ζ({tr}) ∈ [0, 1] by showing that
∑
tr∈TS(sc)⇓ ζ({tr}) ≤ 1.
Let str and dtr such that tr = (str , dtr). By Definition 2.12, this sum equals
∑
tr∈TS(sc)⇓
](dtr)∏
i=1
pi,dtr(i)
 ,
which we rewrite as
lim
n→∞
∑
tr∈TS(sc)⇓∧](tr)≤n
](dtr)∏
i=1
pi,dtr(i)
 .
Consider the sum in this sequence for some fixed n: Each summand corresponds to
the probability of some terminating trace tr of length smaller or equal to n. We can
represent these traces using a tree whose nodes are system configurations. The root of
the tree is the system configuration sc, and there is an edge from a system configuration
sc1 to another configuration sc2 marked with probability p if sc1
k,p
=⇒S sc2 is derivable
for some k. We mark each edge of this tree with the corresponding probability p. Then
the sum of the probabilities on outgoing edges from some system configuration is smaller
or equal to 1. Hence, the sum of all the probabilities in the sum for any fixed n is smaller
or equal to 1.
In consequence, the limit of the sequence consisting of the sums for all n ∈ N is smaller
or equal to 1, i.e.,
∑
tr∈TS(sc)⇓ ζ({tr}) ≤ 1.
Definition 2.16. Let S = (sSt , sst0,→) be a scheduler. A system configuration sc is
terminating under S if TS(sc) ⊆ T⇓. A thread pool thr is terminating under S if
〈thr ,mem, sst0〉 is terminating under S for all mem ∈ Mem. ♦
Theorem 2.6. If the system configuration sc is terminating under S then
ρ(S, sc)(TS(sc) 6⇓) = 0. ♦
Proof. This follows from the definition of the probability measure ρ(S, sc).
2.5. Security Model 25
2.5 Security Model
In this section, we define security policies, we formally define a simple noninterference-like
information flow property for the execution model introduced in the previous sections,
and we argue for the adequacy of the property. This information flow property shall serve
as reference point for more complex security properties in subsequent chapters.
2.5.1 Security Policy and Attacker Model
A security policy classifies the inputs and outputs of a program with respect to their
level of confidentiality. As usual, we model different levels of confidentiality with security
domains in a security lattice [Den76].
Definition 2.17. A security lattice is a lattice (D,v) where D is a finite set of security
domains. ♦
The interpretation is that if d1 v d2 and d1 6= d2 then d1 represents a lower level of
confidentiality than d2.
Example 2.6. A classical example (e.g., [Wei69]) is the security lattice with four linearly
ordered security domains unclassified v confidential v secret v top secret. ♦
Example 2.7. We denote with 2 the two-level security lattice (D2,v2) where D2 =
{low , high} and low v2 high. This lattice may be used to represent a low and a high
level of confidentiality.
One example interpretation is that high represents the confidentiality level of a user’s
personal information stored on the user’s computing device, and low represents the
confidentiality level of information on the Internet. ♦
Definition 2.18. A multi-level security policy is a tuple (D,v, dma), where (D,v) is a
security lattice and dma : (Varin ∪Varout)→ D is a domain assignment. ♦
Domain assignments associate input and output variables with security domains,
capturing the level of confidentiality of each input to and each output from a program.
Remark 2.3. We use the non-standard symbol dma for domain assignments instead of the
frequently used symbol dom to prevent confusion with the domain of partial functions.♦
We assume that the access to a program’s inputs and outputs is restricted by an access con-
trol system, such that an attacker with clearance d can only observe inputs and outputs at
security domain d or below, i.e., the initial values of the variables {x ∈Varin | dma(x ) v d}
and the final values of the variables {x ∈Varout | dma(x ) v d}. The intuitive security
requirement of a multi-level security policy (D,v, dma) is that for each d ∈ D an attacker
with clearance d cannot deduce information about the inputs that he cannot observe
directly (i.e., the initial values of variables in the set {x ∈ Varin | dma(x ) 6v d}) from his
observations of inputs and outputs.
Example 2.8. Consider a program that obtains confidential financial data via the single
input variable x ∈ Varin and that writes outputs to a server on the network into the
single output variable y ∈ Varout . Consider furthermore the multi-level security policy
(D2,v2, dma) with dma(x ) = high and dma(y) = low . Then an attacker with clearance
low can only see the output to the server. Moreover, the attacker must not be able to
deduce information about the financial data from his observation. ♦
26 Chapter 2. Execution Model and Security Model
In the remainder of this thesis we restrict our investigations to multi-level security
policies where the security lattice is the two-level lattice 2. This choice is justified by
the following observation: The intuitive security requirement imposed by a multi-level
security policy only distinguishes between variables x with dma(x ) v d and variables y
with dma(y) 6v d . Hence, the intuitive security requirement for the policy (D,v, dma) is
equivalent to the conjunction of the intuitive requirements for the policies in the family
(D2,v2, dmad)d∈D with
dmad(x ) =
{
low if dma(x ) v d ,
high otherwise.
2.5.2 Formal Security Characterization
We formalize the intuitive requirement for a security policy (D2,v2, dma) based on the
idea of Noninterference [GM82]. A program is noninterferent if different program runs
with the same public input produce the same public outputs, regardless of secret input.
In the following, we denote the set of input variables with security domain high
with HI = {x ∈ Varin | dma(x ) = high} and the set of output variables with security
domain low with LO = {x ∈ Varout | dma(x ) = low}. Moreover, for X ⊆ Var
we say that mem1 and mem2 are X-equal (denoted with mem1 =X mem2) if and
only if mem1(x ) = mem2(x ) for all x ∈ X. X-equality is an equivalence relation,
and we denote the equivalence class of mem with respect to the relation =X with
[mem]X = {mem ′ | mem =X mem ′}. In particular, if mem1 and mem2 model two
memories before program execution and mem1 =Var\HI mem2 then the attacker cannot
distinguish the two memories by observing only public inputs. Moreover, if mem1 and
mem2 model two memories after program termination and mem1 =LO mem2 then the
attacker cannot distinguish the memories by observing only public outputs.
We formalize a noninterference-like information flow property as follows:
Definition 2.19. Let S be a scheduler. A thread pool thr is S-noninterferent if the
following implication is satisfied for all memories mem1,mem2, and mem:
mem1 =Var\HI mem2 ∧ sc1 =〈thr , sst0,mem1〉 ∧ sc2 =〈thr , sst0,mem2〉
⇒
∑
mem′∈[mem]LO
ρS(TS(sc1)⇓mem′) =
∑
mem′∈[mem]LO
ρS(TS(sc2)⇓mem′) ♦
The two sums in the above definition express the probabilities that an execution of the
thread pool thr starting in memories mem1 and mem2, respectively, terminates in a
memory that agrees on public outputs with the memory mem.
I.e., our notion of S-noninterference guarantees in particular that whether an S-
noninterferent program terminates under scheduler S with given low outputs is not
influenced by the initial values of high inputs. This means, S-noninterference implies that
the attacker cannot deduce anything about high program inputs from his observation of
low program outputs. This implication still holds if the attacker knows the code of the
program and the scheduling algorithm. Moreover, the implication also holds if the attacker
observes multiple runs of the program and determines the frequency of his observations.
Moreover, S-noninterference is a termination-sensitive information flow property, i.e.,
from knowing whether a run of an S-noninterferent thread pool terminates or not an
attacker cannot deduce information about the secret program inputs. Even the probability
that an S-noninterferent thread pool terminates is not influenced by secret program input:
2.5. Security Model 27
Theorem 2.7. Let S be a scheduler, let mem1 and mem2 be two memories such that
mem1 =Var\HI mem2, and let thr be an S-noninterferent thread pool.
Then ρS(TS(〈thr , sst0,mem1〉)6⇓) = ρS(TS(〈thr , sst0,mem2〉)6⇓). ♦
Proof. Let sc be a system configuration. Then TS(sc)⇓ =
⋃
mem′∈Mem TS(sc)⇓mem′ by
Definition 2.10. In consequence, TS(sc)⇓ =
⋃
M∈Mem/=LO (
⋃
mem′∈M TS(sc)⇓mem′) where
Mem/ =LO denotes the set of equivalence classes of the equivalence relation =LO . Since
ρS is a probability measure and the sets TS(sc1)⇓mem′ are disjoint for different memories
mem ′ it follows that ρS(TS(sc)⇓) =
∑
M∈Mem/=LO (
∑
mem′∈M ρS(TS(sc)⇓mem′)).
Let sci = 〈thr , sst0,memi〉 for i ∈ {1, 2}. Since thr is S-noninterferent, the equality∑
mem′∈M ρS(TS(sc1)⇓mem′) =
∑
mem′∈M ρS(TS(sc2)⇓mem′) holds for allM ∈Mem/=LO .
Hence, ρS(TS(sc1)⇓) = ρS(TS(sc2)⇓). Moreover, by the definition of ρS (cf. Defini-
tion 2.15), ρS(TS(sci) 6⇓) = 1 − ρS(TS(sci)⇓) for i ∈ {1, 2}. Hence, ρS(TS(sc1)6⇓) =
ρS(TS(sc2) 6⇓).
Remark 2.4. Note that S-noninterference does not guarantee information flow security
with respect to physical side channels like power consumption channels or timing channels.
Such channels are outside the scope of this thesis. ♦
2.5.3 Examples
We illustrate the definition of S-noninterference as well as its limitations at examples in
the programming language introduced in Section 2.3. In the following examples as well
as in the remainder of this thesis we assume a domain assignment that assigns domain
low to output variables l , l ′, l1, l2 . . . and domain high to input variables h, h ′, h1, h2, . . .
Example 2.9. (Direct leak) The program
l :=h
directly copies the secret value of h into the public variable l . Intuitively, the program
has insecure information flow, because the final value of l contains all information about
the initial value of h.
In fact, the thread pool 〈l :=h〉 is not S-noninterferent for any scheduler: Consider two
memories mem1 and mem2 with mem1(h) 6= mem2(h) and mem1 =Var\HI mem2, and
let sc1 = 〈〈l :=h〉, sst0,mem1〉 and sc2 = 〈〈l :=h〉, sst0,mem2〉. Then the definition of S-
noninterference for 〈l :=h〉 requires that the equality ∑mem′∈[mem]LO ρS(TS(sc1)⇓mem′) =∑
mem′∈[mem]LO ρS(TS(sc2)⇓mem′) holds for all mem ∈ Mem. Consider this equality for
mem = mem1[l 7→ mem1(h)]. Then the only trace starting in sc1 terminates in mem.
Hence, the left side of the required equality equals 1. Moreover, the only trace starting in
sc2 terminates in mem2[l 7→ mem2(h)], which is not contained in the equivalence class
[mem]LO because mem(l) = mem1(h) 6= mem2(h). In consequence, the right side of the
required equality equals 0. Hence, the required equality is not satisfied. ♦
Example 2.10. (Indirect leak) Assume that l and h store Boolean values. The program
if (h = true) then l :=true else l :=false fi
copies the initial value of h into l indirectly, i.e., without direct assignment. Intuitively,
the program has insecure information flow, because as in the program from Example 2.9
the final value of l contains all information about the initial value of h.
28 Chapter 2. Execution Model and Security Model
In fact, the thread pool thr = 〈if (h = true) then l :=true else l :=false fi〉 is not S-
noninterferent for any scheduler. This follows by the same argument as in Example 2.9,
since also for this program every trace starting in the system configuration 〈thr , sst0,mem〉
terminates in the memory mem[l 7→ mem(h)]. ♦
Example 2.11. (Termination leak) The program
while (h = true) do skip od
terminates if and only if the initial value of h is false.
One sees as follows that this program is not S-noninterferent for any scheduler S: Let
thr = 〈while (h = true) do skip od〉, sc1 = 〈thr , sst0,mem1〉 and sc2 = 〈thr , sst0,mem2〉
where mem1 and mem2 are memories with mem1(h) = true, mem2(h) = false, and
mem1(x ) = mem2(x ) for all x 6= h. Then TS(sc1)⇓mem ={} for all memories mem,
whereas TS(sc2)⇓mem2 contains one trace. Hence,
∑
mem′∈[mem2]LO ρS(TS(sc1)⇓mem′) = 0
and
∑
mem′∈[mem2]LO ρS(TS(sc2)⇓mem′) > 0. In consequence, thr is not S-noninterferent.♦
Example 2.11 illustrates that S-noninterference is a termination-sensitive information
flow property, i.e., S-noninterference requires that the termination behavior of a thread
pool is not influenced by secret program input (cf. Theorem 2.7).
Example 2.12. (Timing leak) Consider the thread pool
〈while (h > 0) do h:=h − 1 od〉,
where h stores Integer values that are either positive or 0. The number of execution steps
during an execution of the thread pool depends on the initial value of h. If each execution
step takes the same amount of time, an attacker might, hence, deduce information about
this value by measuring execution time.
Nevertheless, the thread pool is S-noninterferent for any scheduler. Intuitively, this
is because the final value of any low variable l does not depend on the initial value
of h. To show this formally, let sci = 〈〈while (h > 0) do h:=h − 1 od〉, sst0,memi〉
for i ∈ {1, 2} be two system configurations with mem1 =Var\HI mem2. Then there
is exactly one trace starting in sc1 and sc2, respectively, which terminates in memory
mem ′1 = mem1[h 7→ 0] and mem ′2 = mem2[h 7→ 0], respectively. It follows from
mem1 =Var\HI mem2 and Varin ∩Varout = {} that mem ′1 =LO mem ′2. Hence, the sum∑
mem′∈[mem]LO ρS(TS(sc1)⇓mem′) equals the sum
∑
mem′∈[mem]LO ρS(TS(sc2)⇓mem′). ♦
Example 2.12 illustrates that S-noninterference is a timing-insensitive information flow
property in the sense that the number of execution steps of an S-noninterferent program
might depend on secret program inputs. I.e., S-noninterference does not guarantee
information flow security if the attacker has a stopwatch to measure execution time and
tries to deduce secret information from this additional observation of a program run.
However, S-noninterference forbids so-called internal timing leaks, i.e., leaks that arise
because the final value of a variable depends on the internal timing of a thread.
Example 2.13. (Internal timing leak) Consider the thread pool
〈if (h = true) then skip else skip; skip fi; l :=true , skip; skip; l :=false〉.
This is the thread pool already encountered in Example 1.1 in Section 1.2 (the variables
are renamed here to indicate the security domain of each variable). Assume that this
2.5. Security Model 29
thread pool is scheduled under the Round-Robin scheduler RR (see Example 2.3). Then
the first thread will execute the assignment to l in its third execution step (and, hence,
before the assignment to l in the second thread) if the initial value of h is true, and in
its fourth execution step (and, hence, after the assignment to l in the second thread)
otherwise. In consequence, the thread pool copies the initial value of h into l . The
underlying reason is that the number of execution steps before the assignment to l in
the first thread depends on the value of h. I.e., even if the attacker does not observe
execution time the timing influences the attacker’s observation because it affects the order
of the assignments to l .
That this thread pool thr is not RR-noninterferent follows by the same argument as
in Example 2.9, since every trace starting in the system configuration 〈thr , sstRR,0,mem〉
terminates in the memory mem[l 7→ mem(h)]. ♦
Information flow can also occur due to the communication between threads.
Example 2.14. (Leakage by thread communication) Consider thread pool thr defined by
〈l :=h; l :=0 , l ′:=l〉.
The value of h is leaked into l ′ if and only if the assignment to l ′ in the second thread
is scheduled between the two assignments in the first thread. This illustrates that the
security of a program might depend on the scheduler. In particular, this thread pool is
not RR-noninterferent (where RR is the Round-Robin scheduler from Example 2.3), but
it is S-noninterferent for a scheduler that always selects the first thread in a thread pool.
This is seen as follows: Let sc1 = 〈thr , sst0,mem1〉 and sc2 = 〈thr , sst0,mem2〉 be
two system configurations with mem1 =Var\HI mem2. Under scheduler RR there is
exactly one trace starting in sc1 and sc2, respectively, terminating in memories mem
′
1
with mem ′1(l
′) = mem1(h) and mem ′2 with mem
′
2(l
′) = mem2(h), respectively. Hence,
if mem1(h) 6= mem2(h) then mem ′1 6=LO mem ′2, and, hence, the equality required by
the definition of S-noninterference for mem = mem ′1 is not satisfied. I.e., thr is not
RR-noninterferent. For a scheduler that always selects the first thread in a thread pool,
call it First , there is also exactly one trace starting in sc1 and sc2, respectively, but
terminating in memories mem ′1 = mem1[l 7→ 0][l ′ 7→ 0] and mem ′2 = mem2[l 7→ 0][l ′ 7→ 0],
respectively. Hence, mem ′1 =LO mem
′
2, and, hence, the equality required by the definition
of S-noninterference is satisfied for all memories mem. Thus, thr is First-noninterferent.♦
Since both thread pools 〈l :=h; l :=0〉 and 〈l ′:=l〉 are S-noninterferent for any scheduler,
Example 2.14 illustrates that S-noninterference is not compositional with respect to
the composition of thread pools. We define compositional properties that imply S-
noninterference in the remainder of this thesis.
Example 2.15. (Probabilistic Leak) Consider the thread pool
〈l :=false, l :=true, l :=h〉
where h and l are Boolean input and output variables, respectively.
Assume that the thread pool is scheduled under a scheduler that may select any
thread at each execution step. Then the set of possible final values of l equals {true, false},
regardless of the initial value of h. However, if the scheduler is such that the probability of
scheduling the first thread in a thread pool is large, say, 0.9, then the third thread in the
thread pool will be selected last with probability larger than or equal to 0.9 ∗ 0.9 = 0.81,
and, hence, the probability that the final value of l equals the initial value of h is larger
30 Chapter 2. Execution Model and Security Model
than or equal to 0.81. In consequence, the probability that the final value of l does not
equal the initial value of h is smaller than or equal to 1− 0.81 = 0.19.
That the thread pool is not S-noninterferent for such a scheduler is seen as fol-
lows: If mem1(h) = true and mem2(h) = false in the system configurations sc1 and
sc2 in the definition of S-noninterference, then ρS(TS(sc1)⇓mem1[l 7→true]) > 0.81 and
0.19 > ρS(TS(sc2)⇓mem2[l 7→true]). Hence, the sums
∑
mem′∈[mem]LO ρS(TS(sc1)⇓mem′) and∑
mem′∈[mem]LO ρS(TS(sc2)⇓mem′) are not equal, where mem ′ = mem1[l 7→ true].
I.e., while the set of possible final values of l does not depend on the initial value
of h, the probabilities for the possible final values might depend on the initial value of h.
This could be exploited by an attacker who observes multiple program runs to learn the
frequency of each possible final value. ♦
Due to probabilistic leaks as in Example 2.15 we do not define S-noninterference with
a possibilistic approach (like, e.g., in [MSK07]), but use a probabilistic approach instead.
2.6 Summary
In this chapter we introduced the execution model and an example multi-threaded
programming language. Moreover, we defined a simple, noninterference-like information
flow property, S-noninterference. Now we can move to the first central chapter of this
thesis, where we investigate scheduler-independent information flow security.
C
H
A
P
T
E
R
3
A More Flexible Scheduler-independent
Security Analysis
3.1 Introduction
The information flow security of multi-threaded programs does not only depend on the
programs’ source code, but also on the execution environment. In particular, information
flow security of multi-threaded programs depends on the scheduler. In consequence, an
information flow analysis that is only sound for program executions under a particular
scheduler is not sufficient if programs might be executed in different execution environments
with potentially different schedulers. In such situations, it is desirable to use an information
flow analysis that provides reliable security guarantees for all schedulers under which the
program might run. Such an analysis is also desirable if programs will be executed under
a fixed scheduler which is not known at analysis time. Information flow analyses checking
that programs have secure information flow under a whole class of schedulers rather than
under a particular scheduler, as well as the underlying information flow properties, are
called scheduler independent.
In this chapter, we develop a novel scheduler-independent information flow property,
FSI-security. We define FSI-security without referring to the scheduler, and show that
FSI-secure programs satisfy the scheduler-dependent security property S-noninterference
(defined in Section 2.5) for a natural class of schedulers comprising, e.g., Round-Robin
schedulers and Lottery schedulers. Moreover, we show that FSI-security is preserved
under the composition of thread pools. We exploit the compositionality of FSI-security
in the development of a provably sound security type system that enforces FSI-security.
The goal of developing FSI-security was to overcome restrictions of other scheduler-
independent information flow properties. Previously developed scheduler-independent
properties suffer from three main deficiencies: Some properties are not suitable for
programs with nondeterministic public outputs. Such properties are not suitable for
programs with useful nondeterminism that occurs, e.g., if multiple threads concurrently
append to a public log file. Some properties are not suitable for programs whose runtime
31
32 Chapter 3. A More Flexible Scheduler-independent Security Analysis
depends on secrets, even if this dependency does not cause differences in the public
output. Other properties require a non-standard interface between program and scheduler.
FSI-security is the first information flow property that is suitable for programs with
nondeterministic public output whose runtime depends on secrets, and that is scheduler-
independent for common schedulers. The existence of such a property was somewhat
surprising in the light of Sabelfeld’s result in [Sab03] that a more restrictive information
flow property, strong security, is the least restrictive compositional information flow
property that is scheduler-independent for a natural class of schedulers. We overcame the
limits implied by this result by identifying another natural class of schedulers, the robust
schedulers, that also contains many relevant schedulers.
We conclude the section by illustrating the benefits of FSI-security as well as the
corresponding security type system at an example program, and discussing the relation
to other scheduler-independent security properties in more detail.
Overview. In Section 3.2 we introduce scheduler independence. In Section 3.3 we define
our novel scheduler-independent semantic characterization of information flow, for which
we present a security type system in Section 3.4. We illustrate the type system with an
example security analysis in Section 3.5. Section 3.6 summarizes the results and discusses
the relation to other approaches to scheduler-independent information flow security.
3.2 Scheduler-independent Information Flow Security
The security of multi-threaded programs depends on the scheduler. In other words, there
are multi-threaded programs that have secure information flow when they are executed
under one scheduler, but leak secret information when they are executed under another
scheduler. The following example illustrates this phenomenon.
Example 3.1. Consider the thread pool thr =〈c1, c2〉, with c1 and c2 defined as follows:
c1 = while (h1 > 0) do h1:=h1 − 1 od; l :=true
c2 = while (h2 > 0) do h2:=h2 − 1 od; l :=false
The execution of this thread pool under the Round-Robin scheduler from Example 2.3
leaks the value of the expression h1 > h2 into variable l . This is because under the
Round-Robin scheduler the assignment to l in c1 is executed after the assignment to l
in c2 if and only if the body of the loop in c1 is executed more often than the body of the
loop in c2, i.e., if and only if the expression h1 > h2 evaluates to true. In consequence,
the final value of l is true if and only if the expression h1 > h2 evaluates to true.
Consider another scheduler, First , that always selects the first thread in a thread pool.
If the thread pool thr is executed under the scheduler First then the final value of l is false
regardless of the initial values of variables, because the second thread is executed after the
execution of the first thread, and, hence, false is assigned to l after true is assigned to l .♦
Theorem 3.1. The thread pool thr from Example 3.1 is First-noninterferent but not
RR-noninterferent. ♦
Proof. Let mem1 and mem2 be two memories with mem1 =Var\HI mem2. Then, by the
definition of First and the program semantics, the sets TFirst(〈thr , sstFirst0 ,mem1〉) and
TFirst(〈thr , sstFirst0 ,mem2〉) both contain exactly one trace (where sstFirst0 is the initial
scheduler state of First), which we denote with trFirst1 and tr
First
2 . Hence, ρFirst (tr
First
1 ) =
3.3. A Novel Scheduler-independent Security Property 33
ρFirst(tr
First
2 ) = 1. Moreover, tr
First
1 terminates in memory mem1[l 7→ false][h1 7→
max(h1, 0)][h2 7→ max(h2, 0)], and trFirst2 terminates in memory mem2[l 7→ false][h1 7→
max(h1, 0)][h2 7→ max(h2, 0)]. These two memories are related by the relation =LO ,
because mem1 =Var\HI mem2 and LO ⊆ Var \ HI . Hence, by the definition of S-
noninterference, thr is First-noninterferent.
Let now mem1 and mem2 be memories with mem1 =Var\HI mem2, mem1(h1) = 1,
mem1(h2) = 0, mem2(h1) = 0, and mem2(h2) = 1. Then, by the definition of RR
and the program semantics, TRR(〈thr , sstRR0 ,mem1〉) and TRR(〈thr , sstRR0 ,mem2〉) both
contain exactly one trace (where sstRR0 is the initial scheduler state of RR), which we
denote with trRR1 and tr
RR
2 . Hence, ρRR(tr
RR
1 ) = ρRR(tr
RR
2 ) = 1. Moreover, tr
RR
1
terminates in memory mem1[l 7→ true][h1 7→ 0][h2 7→ 0], and trRR2 terminates in memory
mem2[l 7→ false][h1 7→ 0][h2 7→ 0]. These two memories are not related by the relation
=LO , because mem1(l) 6= mem2(l). Hence, by the definition of S-noninterference, thr is
not RR-noninterferent.
As illustrated by Example 3.1, a multi-threaded program might leak secrets even if one
has convinced oneself that the program has secure information flow with an analysis that
assumes a particular scheduler. In consequence, it is desirable to characterize information
flow security with a scheduler-independent information flow property, which has the
characteristic that programs satisfying the scheduler-independent property have secure
information flow under each scheduler in a sufficiently large class of schedulers.
Definition 3.1. An information flow property IFP on thread pools is scheduler indepen-
dent with respect to S-noninterference for a set of thread pools TP and a set of sched-
ulers S if whenever thr ∈ TP satisfies IFP then thr is S-noninterferent for all S ∈ S .♦
It is obviously straightforward to define a scheduler-independent information flow
property for a set of schedulers S , namely the property that is satisfied for a thread pool
if and only if the thread pool is S-noninterferent for all S ∈ S . A disadvantage of this
property is, however, that it might not be obvious how to verify that the property is
satisfied for a given thread pool for large or even infinite S . In the remainder of this
chapter we develop a scheduler-independent information flow property for a natural class
of schedulers that is defined without referring to concrete schedulers, and we use the
property as the basis for a type-based scheduler-independent information flow analysis.
Remark 3.1. For many properties, including, for instance, safety properties [Lam77], for
a scheduler-independent analysis it suffices to consider program execution under the
possibilistic scheduler, i.e., the scheduler that nondeterministically selects any possible
thread. This is, however, not sufficient for information flow security. The underlying
reason is the refinement paradox, i.e., that refinements of a system specification might
have insecure information flow even if the original specification has secure information flow
[Jac89]. Replacing the possibilistic scheduler with a scheduler that will never schedule the
threads in certain orders results in a refinement of the specification of program execution
which, in fact, may turn a secure program into an insecure program. ♦
3.3 A Novel Scheduler-independent Security Property
Before defining a novel scheduler-independent information flow property in Section 3.3.2
we describe the general approach for defining the property in Section 3.3.1. Subsequently,
we show the scheduler independence of the new property with respect to the novel class
of robust schedulers (Sections 3.3.3 and 3.3.4).
34 Chapter 3. A More Flexible Scheduler-independent Security Analysis
3.3.1 The Per Approach
To define the scheduler-independent information flow property, we follow the common
approach to define information flow security using a partial equivalence relation (short:
per) on thread pools [SS99].
Definition 3.2. A partial equivalence relation is a symmetric and transitive binary rela-
tion. ♦
The idea is to define a partial equivalence relation that relates two thread pools only
if they compute equal public outputs when being executed in memories that only differ in
secret inputs, and to define a thread pool as secure if it is related to itself. This ensures
that public outputs of a secure thread pool do not depend on secret inputs. Intuitively,
the relation models an “indistinguishability” of thread pools in the sense that executions
of related thread pools with equal public inputs are “indistinguishable“ for an attacker
who sees public inputs and outputs but who cannot see secret inputs and outputs.
To define the partial equivalence relation, we follow a line of security definitions (e.g.,
[SS00, Sab01, BC02, MR07]) that define partial equivalence relations using a bisimulation
relation that models a stepwise “indistinguishability“ of thread pools, ensuring that
execution steps of related thread pools are indistinguishable with respect to modifications
of ”public“ variables. The intention is that the set of public variables comprises public
input and public output variables, and that public variables store public but no secret
information. To this end, one extends the domain assignment dma from the set Varin ∪
Varout to the set Var such that variables in the set L = {x ∈ Var | dma(x ) = low} are the
”public“ variables. The bisimulation is defined such that single execution steps of bisimilar
thread pools in L-equal memories (i.e., memories that differ only on non-public variables)
result in bisimilar thread pools and L-equal memories. Using an inductive argument, it
follows that sequences of execution steps of bisimilar thread pools in L-equal memories
result in L-equal memories. This ensures that thread pools that are bisimilar to themselves
satisfy some noninterference-like information flow property (like, e.g., S-noninterference
from Section 2.5).
In the remainder of this thesis, we assume that the domain assignment dma assigns a
security domain to every variable, and we denote the sets {x ∈ Var | dma(x ) = low} and
{x ∈ Var | dma(x ) = high} with L and H , respectively.
Remark 3.2. Assigning a security domain to all variables and requiring that the intermedi-
ate values of public variables do not depend on the initial values of secrets is too restrictive
for programs that use some variables to store both secret and public information during
an execution. We do not consider this issue in this chapter, and present a solution that
permits such a more flexible use of variables in multi-threaded programs without giving
up compositionality in Chapter 4. ♦
3.3.2 FSI-Security
For the definition of FSI-security we distinguish between high and low threads. A high
thread never modifies the values of low variables. Moreover, this must still be true if other
threads influence the execution of the thread by modifying the shared memory. All other
threads are low. To formally define high and low threads, we use a notion of reachability
for thread configurations that takes memory modifications by other threads into account.
Definition 3.3. Let tc be a thread configuration. The set loc-reach(tc) ⊆ Com ×Mem
of thread configurations locally reachable from tc is inductively defined as follows:
3.3. A Novel Scheduler-independent Security Property 35
− tc ∈ loc-reach(tc),
− ∀c′,mem ′,mem ′′ : 〈c′,mem ′〉 ∈ loc-reach(tc)⇒ 〈c′,mem ′′〉 ∈ loc-reach(tc), and
− ∀tc′, c′′,mem ′′, thr : [tc′ ∈ loc-reach(tc) ∧ tc′ new(thr)−−−−−−_ 〈c′′,mem ′′〉]⇒
[〈c′′,mem ′′〉 ∈ loc-reach(tc)∧∀i ∈ {1, . . . , ](thr)} : 〈thr [i],mem ′′〉 ∈ loc-reach(tc)]. ♦
Definition 3.4. A command c is high if and only if the following condition is satisfied:
∀c′, c′′ ∈ Com : ∀mem,mem ′,mem ′′ ∈ Mem : ∀α ∈ Lab :
[〈c′,mem ′〉 ∈ loc-reach(〈c,mem〉) ∧ 〈c′,mem ′〉 α−_ 〈c′′,mem ′′〉]⇒ mem ′ =L mem ′′
We denote the set of high commands with HCom. A command is low if it is not high,
and we denote the set of low commands with LCom (i.e., LCom = Com \HCom). ♦
Example 3.2. The command h:=0 is high, and the command l :=0 is low. Moreover, the
command h:=false; if (h) then l :=0 else skip fi is low. ♦
The third command in Example 3.2 illustrates that a command that never assigns to
a low variable if executed in isolation need not be high. Low commands may result in
high commands after an execution step, like, e.g., the low command l :=0; h:=0. High
commands, in contrast, cannot result in a low command after an execution step.
Theorem 3.2. Let c ∈ HCom with 〈c,mem〉 new(thr)−−−−−−_ 〈c′,mem ′〉. Then c′ ∈ HCom and
thr [i] ∈ HCom for all i ∈ {1, . . . , ](thr)}. ♦
Proof. For all memories mem and mem ′ it follows from the definition of local reachability
that loc-reach(〈c′,mem ′〉) ⊆ loc-reach(〈c,mem〉). Thus, by the definition of high com-
mands, c′ ∈ HCom follows from c ∈ HCom. That thr [i] ∈ HCom for all i ∈ {1, . . . , ](thr)}
follows analogously from loc-reach(〈thr [i],mem ′〉) ⊆ loc-reach(〈c,mem〉).
In the following, we refer to a thread with control state represented by a high command
as high thread, and to all other threads as low thread.
Definition 3.5. A low match of thread pools thr1 and thr2 is an order-preserving bijection
f : {i∈{1, . . . , ](thr1)} | thr1[i] ∈ LCom} → {i∈{1, . . . , ](thr2)} | thr2[i] ∈ LCom}. ♦
That is, a low match of thr1 and thr2 maps the position of the ith low thread in thr1
to the position of the ith low thread in thr2.
Example 3.3. Let cl , c
′
l ∈ LCom and ch ∈ HCom. Then the function f : {1, 3} → {1, 2}
with f(1) = 1 and f(3) = 2 is a low match of the thread pools 〈cl , ch , c′l 〉 and 〈c′l , cl〉. ♦
Theorem 3.3. There exists a low match of thread pools thr1 and thr2 if and only if thr1
and thr2 have the same number of low threads, i.e., ](thr1|LCom) = ](thr2|LCom). If a
low match exists then it is unique and given by the function
l -matchthr1,thr2(k1) = min
{
k2 ∈ N |∣∣{l ≤ k1 | thr1[l] ∈ LCom}∣∣ = ∣∣{l ≤ k2 | thr2[l] ∈ LCom}∣∣}. ♦
36 Chapter 3. A More Flexible Scheduler-independent Security Analysis
Proof. An order-preserving bijection between two finite subsets of N exists if and only if
the sets have equal cardinality, and ](thr |LCom) =
∣∣{i ∈ {1, . . . , ](thr)} | thr [i] ∈ LCom}∣∣.
If an order-preserving bijection exists between two finite subsets of N then it is
unique and maps the kth-smallest number in one set to the kth-smallest number in the
other set. The number k1 ∈{i ∈ {1, . . . , ](thr1)} | thr1[i] ∈ LCom} is the kth-smallest
number in that set if k =
∣∣{l ≤ k1 | thr1[l] ∈ LCom}∣∣. Moreover, the kth-smallest
number in the set {i ∈ {1, . . . , ](thr2)} | thr2[i] ∈ LCom} is the minimal k2 such that
k=
∣∣{l≤ k2 | thr2[l]∈LCom}∣∣. This results in the given characterization of low matches.
Now we are ready to define the bisimulation relation on which we base the definition
of our novel security property, FSI-security.
Definition 3.6. A symmetric relation R on thread pools with an equal number of
low threads is a low bisimulation modulo low matching if and only if the following
conditions are satisfied for all thr1, thr
′
1, thr2 ∈ Thr , all mem1,mem2 ∈ Mem, all
k1 ∈ {1, . . . , ](thr1)}, and all c′1 ∈ Com with thr1 R thr2, mem1 =L mem2, and
〈thr1[k1],mem1〉 α1−_ 〈c′1,mem ′1〉 where α1 = new(thr ′1):
1. if thr1[k1] ∈ LCom then there exist c′2 ∈ Com, mem ′2 ∈ Mem, and thr ′2 ∈ Thr with
a) 〈thr2[k2],mem2〉 α2−_ 〈c′2,mem ′2〉,
b) mem ′1 =L mem
′
2,
c) ](thr ′1|LCom) = ](thr ′2|LCom), and
d) updatek1(thr1, c
′
1, α1) R updatek2(thr2, c′2, α2)
where α2 = new(thr
′
2) and k2 = l -matchthr1,thr2(k1); and
2. if thr1[k1] ∈ HCom then updatek1(thr1, c′1, α1) R thr2.
The relation ∼lm is the union of all low bisimulations modulo low matching. ♦
Theorem 3.4. The relation ∼lm is the largest low bisimulation modulo low matching.♦
Proof. If ∼lm is a low bisimulation modulo low matching it follows from its definition
that it is the largest such relation. It remains to show that ∼lm is a low bisimulation
modulo low matching.
The relation ∼lm is symmetric and relates only thread pools with an equal number
of low threads because it is the union of relations with these properties. Assume that
thr1 ∼lm thr2, mem1 =L mem2, 〈thr1[k1],mem1〉 α1−_ 〈c′1,mem ′1〉, and α1 = new(thr ′1).
By the definition of ∼lm there exists a low bisimulation modulo low matching R such
that thr1 R thr2. Hence, if thr1[k1] ∈ LCom then there exist α2 = new(thr ′2), c′2 ∈
Com, and mem ′2 ∈ Mem such that 〈thr2[k2],mem2〉 α2−_ 〈c′2,mem ′2〉, mem ′1 =L mem ′2,
](thr ′1|LCom) = ](thr ′2|LCom), and updatek1(thr1, c′1, α1) R updatek2(thr2, c′2, α2) where
k2 = l -matchthr1,thr2(k1). Thus, updatek1(thr1, c
′
1, α1) ∼lm updatek2(thr2, c′2, α2) by the
definition of ∼lm. Moreover, updatek1(thr1, c′1, α1) R thr2 holds if thr1[k1] ∈ HCom, and,
in consequence, updatek1(thr1, c
′
1, α1) ∼lm thr2.
Remark 3.3. It is also possible to define the relation ∼lm as the greatest fixed point of a
function that maps binary relations on thread pools to binary relations on thread pools,
thereby following another well-known approach for defining bisimulation relations (see,
e.g., [San09, Section 2.3]). Such a definition makes fixed point theory directly available
for reasoning about ∼lm, e.g., yielding Theorem 3.4 as a corollary of the Knaster-Tarski
theorem. In this thesis, we do not exploit this alternative way of defining ∼lm. ♦
Theorem 3.5. The relation ∼lm is a partial equivalence relation. ♦
3.3. A Novel Scheduler-independent Security Property 37
Proof. Symmetry follows from Theorem 3.4 and the symmetry of low bisimulations
modulo low matching.
To prove transitivity, define a relation R on thread pools by thr1 R thr2 if and only
if there exists thr ′ such that thr1 ∼lm thr ′ and thr ′ ∼lm thr2. Relation R is a low
bisimulation modulo low matching by Lemma A.2 (see Appendix A.1). Assume now
that thr1 ∼lm thr2 and thr2 ∼lm thr3. Then thr1 R thr3. Since R is a low bisimulation
modulo low matching it follows from the definition of ∼lm that thr1 ∼lm thr3.
Low bisimulations modulo low matching characterize the following indistinguishability
of thread pools: If two thread pools are related by a low bisimulation modulo low matching
then their executions are indistinguishable to an observer who sees only modifications
of low variables, given that each step of a low thread in one execution is matched by a
step of the matching low thread in the other execution. This is due to Condition (1) in
Definition 3.6, which ensures that steps of matching low threads equally modify the values
of low variables and result in bisimilar thread pools, and to Condition (2) in Definition 3.6
which ensures that steps of high threads (that do not modify the values of low variables
by definition) result in bisimilar thread pools. In consequence, by observing modifications
of low variables an observer cannot distinguish the executions. This remains true if the
memory is modified between steps as long as the modified memories are again L-equal
(due to the quantification over all L-equal memories in Definition 3.6).
Definition 3.7. A thread pool thr is FSI-secure if thr ∼lm thr . A command c is FSI-secure
if the thread pool 〈c〉 is FSI-secure. ♦
From the above intuition of low bisimulations modulo low matchings it follows that
the FSI-security of a thread pool implies that two executions of the thread pool that start
in L-equal memories perform the same sequence of modifications of low variables, given
that each step of a low thread in one execution is matched by a step of the matching low
thread in the other execution. If this matching condition holds for executions under a
given scheduler, then it follows that an attacker who sees only the initial and final values
of low variables cannot deduce information about the initial values of high variables. In
consequence, an attacker who sees only the initial values of low input and the final values
of low output variables cannot deduce information about the initial values of high input
variables. We establish that FSI-security indeed implies S-noninterference for a natural
class of schedulers in Section 3.3.4, i.e., that FSI-security is a scheduler-independent
information flow property for that class of schedulers. This motivates the expansion
“flexible scheduler-independent security” of the acronym “FSI-security”.
Moreover, FSI-security is a compositional information flow property with respect to
the parallel composition of thread pools.
Theorem 3.6. Let thr1, thr2, thr
′
1, and thr
′
2 be thread pools such that thr1 ∼lm thr ′1 and
thr2 ∼lm thr ′2. Then thr1 :: thr2 ∼lm thr ′1 :: thr ′2.
In consequence, if thr1 and thr2 are FSI-secure thread pools then their parallel
composition thr1 :: thr2 is FSI-secure. ♦
Proof. We define the relation R by thr1 R thr2 if and only if there exist thr1,1, thr1,2,
thr2,1, and thr2,2 such that thr1 = thr1,1 :: thr1,2, thr2 = thr2,1 :: thr2,2, thr1,1 ∼lm thr2,1,
and thr1,2 ∼lm thr2,2.
By Lemma A.3 (see Appendix A.1), R is a low bisimulation modulo low matching.
Moreover, thr1 :: thr2 R thr ′1 :: thr ′2. Hence, since R is a low bisimulation modulo low
matching, thr1 :: thr2 ∼lm thr ′1 :: thr ′2 follows from the definition of ∼lm.
38 Chapter 3. A More Flexible Scheduler-independent Security Analysis
That the parallel composition of FSI-secure thread pools is FSI-secure follows with
the definition of FSI-security.
Theorem 3.6 ensures that a modular security analysis of multi-threaded programs
with respect to FSI-security that reduces the analysis of thread pools to single threads is
sound. Moreover, Theorem 3.6 shows that FSI-security is compatible with programs that
have nondeterministic public output, as illustrated by the following simplistic example.
Example 3.4. Assume that log ∈ Varout and dma(log) = low . Then the thread pool
〈log:=log + ”message1” , log:=log + ”message2”〉
has nondeterministic public output. The thread pool is FSI-secure by Theorem 3.6,
because both 〈log:=log + ”message1”〉 and 〈log:=log + ”message2”〉 are FSI-secure. ♦
Compatibility with programs that have nondeterministic public output is an advantage
of FSI-security over scheduler-independent information flow properties based on the idea
of observational nondeterminism (e.g., [ZM03, HWS06]) that are not satisfied for such
programs. (A more detailed comparison to such properties is provided in Section 3.6.)
Moreover, the presence of high threads in a thread pool does not influence the
FSI-security of the thread pool.
Theorem 3.7. Let thr1, thr2 ∈ Thr . Then thr1 ∼lm thr2 if and only if (thr1|LCom) ∼lm
(thr2|LCom). ♦
Proof. We define the relation R′ on thread pools by thr1 R′ thr2 if and only if there
exists thr ′2 such that thr1|LCom = thr2|LCom and thr1 ∼lm thr ′2. Moreover, we define the
relation R as the symmetric closure of R′. Then R is a low bisimulation modulo low
matching by Lemma A.4 (see Appendix A.1).
If thr1 ∼lm thr2 it follows from symmetry and transitivity of ∼lm (Theorem 3.5) that
thr1 ∼lm thr1 and thr2 ∼lm thr2. Hence, thr1 R thr1|LCom and thr2 R thr2|LCom . Since
R is a low bisimulation modulo low matching it follows from the definition of ∼lm that
thr1 ∼lm thr1|LCom and thr2 ∼lm thr2|LCom . Hence, by symmetry and transitivity of
∼lm and thr1 ∼lm thr2 it follows that thr1|LCom ∼lm thr2|LCom .
If thr1|LCom ∼lm thr2|LCom it follows that thr1|LCom R thr2 (set thr ′2 = thr2|LCom
in the definition of R and exploit that (thr |LCom)|LCom = thr |LCom for all thread
pools thr). Hence, since R is a low bisimulation modulo low matching, it follows that
thr1|LCom ∼lm thr2. But then thr1 R thr2 (set thr ′2 = thr1|LCom in the definition of R).
Thus, thr1 ∼lm thr2.
In particular, it follows directly from Theorem 3.7 that high commands are FSI-secure.
Theorem 3.8. Let c ∈ HCom. Then c is FSI-secure. ♦
Proof. Trivially, 〈〉 ∼lm 〈〉 is satisfied. Hence, 〈c〉 ∼lm 〈c〉 follows from Theorem 3.7
because 〈c〉|LCom = 〈〉 for c ∈ HCom.
Theorem 3.8 shows that FSI-security is compatible with programs whose number of
execution steps depends on secret information, as illustrated by the following example.
Example 3.5. Let c′ ∈ HCom. Then the command while (h > 0) do c′; h:=h − 1 od that
executes c′ for decreasing h is FSI-secure by Theorem 3.8. ♦
3.3. A Novel Scheduler-independent Security Property 39
Compatibility with programs for which the number of execution steps depends on
secret information constitutes a major improvement over the strong security condition
from [SS00] which classifies such programs as insecure. (A more detailed comparison to
strong security is provided in Section 3.6.)
3.3.3 Robust Schedulers
Our goal is to establish that FSI-security is scheduler independent for a natural class
of schedulers. If secrets leak to the scheduler via the interface between programs and
the scheduler then the schedule might depend on these secrets, and, in consequence,
the program’s public output might depend on secrets. To prevent such leakage via the
scheduler, we require that the interface between programs and the scheduler is restricted.
Definition 3.8. Let X ⊆ Var . The observation function obs is confined to X if it
satisfies the following condition for all multi-threaded configurations 〈thr1,mem1〉 and
〈thr2,mem2〉:
(](thr1) = ](thr2) ∧mem1 =X mem2)⇒ obs(〈thr1,mem1〉) = obs(〈thr2,mem2〉) ♦
If the observation function is confined to the set of variables X then the observation
function provides at most information about the number of threads and the values of
variables in X. I.e., if the observation function is confined to L then the scheduler does
not obtain information about the values of high variables or information about the control
state of the threads via the interface between program and scheduler. We assume in the
following that the observation function is confined to the set L.
Confining the observation function to L is not sufficient for the scheduler independence
of FSI-security, because the number of threads in an FSI-secure thread pool might
depend on secrets. A simple solution to obtain scheduler independence is to require
that schedulers cannot see the number of threads by confining the observation function
further. However, this would exclude standard schedulers, like, for instance, Round-Robin
schedulers. Another possible solution is to strengthen the definition of FSI-security such
that the number of threads in an FSI-secure program never depends on secrets. But then
all programs where the number of threads might depend on secrets would be rejected,
even those programs that are intuitively secure under standard schedulers.
The key to a solution to this problem was (a) the insight that FSI-security implies
S-noninterference if the scheduling order of low threads under S does not depend on the
number of high threads in the thread pool, and (b) the observation that various typical
schedulers satisfy this property on the scheduling order. In fact, it is even sufficient to
require that the scheduling order of low threads does not depend on the presence of high
threads in the thread pool. We formalize this requirement in the following, which leads
to the novel class of robust schedulers. We formalize the class of robust schedulers in
Definition 3.12 based on the auxiliary notion of S-simulations formalized in Definition 3.11.
Definition 3.9. Let sc = 〈thr ,mem, sst〉 be a system configuration and let S be a sched-
uler. The probability that S selects a low thread in sc is defined as
l -ρS(sc) =
∑
{k|thr [k]∈LCom}
ρSsc(k).
♦
40 Chapter 3. A More Flexible Scheduler-independent Security Analysis
Definition 3.10. We extend the projection of thread pools to low commands to the
projection of system configurations to low commands by
〈thr ,mem, sst〉|LCom = 〈thr |LCom ,mem, sst〉. ♦
Definition 3.11. Let S = (sSt , sst0,→) be a scheduler. A binary relation on system
configurations ≺ is an S-simulation if and only if whenever sc1 ≺ sc2 with thr1 =
getThr(sc1) and thr2 = getThr(sc2) then ](thr1|LCom) = ](thr2|LCom) = ](thr2) and for
all k1 ∈ {1, . . . , ](thr1)}, p1 ∈]0, 1], and sc′1 ∈ SysConf with sc1 k1,p1===⇒S sc′1 the following
conditions are satisfied:
1. if thr1[k1] ∈ LCom then there exists sc′2 ∈ SysConf such that
a) sc2
k2,p2
===⇒S sc′2 with k2 = l -matchthr1,thr2(k1) and p2 = p1/l -ρS(sc1), and
b) sc′1 ≺ sc′2|LCom ; and
2. if thr1[k1] ∈ HCom then sc′1 ≺ sc2.
The relation ≺S is the union of all S-simulations. ♦
Theorem 3.9. For every scheduler S the relation ≺S is an S-simulation. ♦
Proof. The theorem follows directly from the definition of ≺S as a union of S-simulations
and the definition of S-simulations.
S-simulations relate arbitrary system configurations with system configurations that
do not contain high threads (this follows from the requirement ](thr2|LCom) = ](thr2) in
Definition 3.11). If two system configurations sc1 and sc2 are related by an S-simulation,
then the sequence in which the low threads in sc1 are scheduled by S is also possible for
the threads in sc2. This leads to the definition of robust schedulers.
Definition 3.12. The scheduler S = (sSt , sst0,→) is robust if
〈thr ,mem, sst0〉 ≺S 〈thr ,mem, sst0〉|LCom
for each FSI-secure thread pool thr and each memory mem. ♦
Intuitively, if a scheduler is robust then the scheduling order of low threads during an
execution of an FSI-secure thread pool remains unchanged when one removes all high
threads from the thread pool. We make the requirement in the definition of robustness
only for FSI-secure thread pools, because this enlarges the class of robust schedulers
without losing scheduler independence of FSI-security for robust schedulers.
The class of robust schedulers contains various typical schedulers, including the
Round-Robin, the uniform, and the lottery scheduler introduced in Section 2.4.
Theorem 3.10. The Round-Robin scheduler RR (see Example 2.3) is robust. ♦
Theorem 3.11. The uniform scheduler Uni (see Example 2.4) is robust. ♦
Theorem 3.12. The Lottery scheduler Lot (see Example 2.5) is robust if the variables
that store the number of tickets for each thread are low. ♦
3.3. A Novel Scheduler-independent Security Property 41
Intuitively, these schedulers are robust because the order in which they select low
threads does not change when removing or adding high threads to the thread pool. To
prove Theorems 3.10 – 3.12 we define appropriate simulation relations and show that they
are actually S-simulations for the respective schedulers. In the following proof sketches
we show how we define the simulation relations, because these definitions are the key to
the proofs, and refer to Appendix A.2 for the proofs that the relations are S-simulations.
Proof sketch for Theorem 3.10. Define 〈thr1,mem1, sst1〉 ≺ 〈thr2,mem2, sst2〉 if and only
if the following conditions are satisfied:
1. thr1 ∼lm thr2,
2. mem1 =L mem2,
3. thr1|LCom = thr2, and
4. if k1 = [(sst1(choice) + (](thr1)− sst1(size)) mod ](thr1)] + 1 and thr1[k1] ∈ LCom
then l -matchthr1,thr2(k1) = [(sst2(choice) + (](thr2)− sst2(size)) mod ](thr2)] + 1.
The relation ≺ is a RR-simulation by Lemma A.6 (see Appendix A.2).
Let thr be an FSI-secure thread pool and mem a memory. Then
〈thr ,mem, sst0,RR〉 ≺ 〈thr ,mem, sst0,RR〉|LCom
(where Item 1 in the definition of ≺ follows from Lemma A.5).
Proof sketch for Theorem 3.11. Define 〈thr1,mem1, sst1〉≺〈thr2,mem2, sst2〉 if and only
if the following conditions are satisfied:
1. thr1 ∼lm thr2,
2. mem1 =L mem2, and
3. thr1|LCom = thr2.
The relation ≺ is a Uni -simulation by Lemma A.7 (see Appendix A.2).
Let thr be an FSI-secure thread pool and mem a memory. Then
〈thr ,mem, sst0,Uni〉 ≺ 〈thr ,mem, sst0,Uni〉|LCom
(where Item 1 in the definition of ≺ follows from Lemma A.5).
Proof sketch for Theorem 3.12. Consider the same relation ≺ as in the proof of Theo-
rem 3.11 above. The relation is a Lot-simulation by Lemma A.8 (see Appendix A.2).
Let thr be an FSI-secure thread pool and mem a memory. Then
〈thr ,mem, sst0,Lot〉 ≺ 〈thr ,mem, sst0,Lot〉|LCom
(where Item 1 in the definition of ≺ follows from Lemma A.5).
The above examples illustrate that typical schedulers are robust. Non-robust schedulers
exhibit different scheduling orders when adding or removing threads from the thread
pool. This is nicely illustrated by a class of schedulers that we call frog schedulers.
Frog schedulers derive from Round-Robin schedulers, but, in contrast to Round-Robin
schedulers, frog schedulers “jump” over one or more threads when selecting the next
thread. To our knowledge, frog schedulers are not used in practice for scheduling programs.
42 Chapter 3. A More Flexible Scheduler-independent Security Analysis
Example 3.6. We define a frog scheduler by modifying the definition of the Round-Robin
scheduler from Example 2.3, replacing the equation
k =
[
(sst(choice) + (](sin)− sst(size))) mod ](sin)]+ 1
by
k =
[
(sst(choice) + (](sin)− sst(size))) mod ](sin)]+ 2.
This frog scheduler is not robust: In a thread pool with two low threads the scheduler
selects the first thread until this thread terminates. When adding a high thread, the frog
scheduler firstly selects the first low thread, then the high thread, and then the second low
thread (assuming that the first low thread did not terminate after one execution step).♦
3.3.4 Scheduler-independence Result
We are now ready to establish the main theorem of this chapter, the scheduler independence
result for FSI-security.
Theorem 3.13. Assume that the observation function obs is confined to L. Then every
terminating FSI-secure thread pool is S-noninterferent (cf. Definition 2.19) for every
robust scheduler S. ♦
Theorem 3.13 shows that terminating FSI-secure thread pools satisfy the simple
noninterference-like security condition S-noninterference for all robust schedulers. In par-
ticular, Theorem 3.13 reduces the adequacy argument for FSI-security to the adequacy ar-
gument for S-noninterference. Theorems 3.10–3.12 indicate that FSI-security is scheduler-
independent for a practically relevant class of schedulers. Moreover, it follows from
Theorem 3.13 that FSI-security is scheduler independent in the sense of Definition 3.1.
Corollary 3.1. Assume that the observation function obs is confined to L. Then FSI-
security is scheduler independent with respect to S-noninterference for the set of all
terminating thread pools and the set of robust schedulers. ♦
Proof. The corollary follows immediately from Theorem 3.13 and Definition 3.1.
The proof of Theorem 3.13 uses an induction over the number of execution steps of
a terminating thread pool under a robust scheduler S. To obtain a sufficiently strong
induction hypothesis we prove the following generalization of the theorem which relates
trace probabilities for thread pools that are low bisimilar modulo low matching:
Theorem 3.14. Let S be a robust scheduler, and assume that obs is confined to L. More-
over, let sc1 = 〈thr1,mem1, sst1〉 and sc2 = 〈thr2,mem2, sst2〉 be terminating system
configurations, and let sc1,p = 〈thr1,p,mem1,p, sstp〉 and sc2,p = 〈thr2,p,mem2,p, sstp〉 be
system configurations such that the following conditions are satisfied:
1. thr1 ∼lm thr2, thr1 ∼lm thr1,p, and thr2 ∼lm thr2,p,
2. mem1 =L mem2, mem1 =L mem1,p, and mem2 =L mem2,p, and
3. sc1 ≺S sc1,p and sc2 ≺S sc2,p.
Then the following holds for all mem ∈ Mem:∑
mem′∈[mem]LO
ρS(TS(sc1)⇓mem′) =
∑
mem′∈[mem]LO
ρS(TS(sc2)⇓mem′)
♦
3.4. A Type-based Security Analysis 43
[EXP] ` e : ⊔x∈vars(e) dma(x )
Figure 3.1: Typing rule for expressions
Intuitively the assumptions in Theorem 3.14 express relations between system configu-
rations that are reached after n execution steps of low threads from four initial system
configurations with L-equal memories: Configurations sc1 and sc2 result from two initial
configurations, and sc1,p and sc2,p result from the same configurations from which all
high threads have been removed. A proof of Theorem 3.14 is provided in Appendix A.3.
Proof of Theorem 3.13. Let S be a robust scheduler. Moreover, let thr be a terminating
FSI-secure thread pool and let mem1 and mem2 be memories such that mem1 =Var\HI
mem2. Then mem1 =L mem2 because L ⊆ Var \ HI . Moreover, by Lemma A.5,
thr ∼lm thr |LCom . Hence, all requirements of Theorem 3.14 are satisfied when defining
sc1 = 〈thr , sst0,mem1〉, sc2 = 〈thr , sst0,mem2〉, sc1,p = 〈thr |LCom ,mem1, sst0〉, and
sc2,p = 〈thr |LCom ,mem2, sst0〉. Hence,∑
mem′∈[mem]LO
ρS(TS(sc1)⇓mem′) =
∑
mem′∈[mem]LO
ρS(TS(sc2)⇓mem′)
for all mem ∈ Mem. I.e., thr is S-noninterferent.
Remark 3.4. FSI-security is a termination-insensitive security property. For example, the
command c = while h = 0 do skip od is FSI-secure, although the termination of c depends
on the initial value of h. In contrast, S-noninterference is a termination-sensitive property
(cf. Theorem 2.7), and, in particular, c is not S-noninterferent for any scheduler S. This
is why we established the scheduler independence result for FSI-security for the set of
terminating programs. Checking the termination behavior of a program is possible with
existing analysis techniques (see, e.g., [CS02, OBvEG10]).
3.4 A Type-based Security Analysis
We present a security type system to illustrate how an automated analysis of programs
with respect to FSI-security could be implemented. The security type system is for the
programming language from Section 2.3. For the formalization of the security type system,
we assume that the domain assignment for variables is given by dma.
The type system consists of judgments for expressions, commands, and thread pools.
Typing judgments for expressions are of the form
` e : d
with e ∈Exp and d ∈{low , high}. The interpretation of the judgments is that d is an upper
bound on the security level of the value of expression e (cf. typing rule [EXP] in Figure 3.1).
I.e., the value of e might depend on the value of a variable x with domain high if d = high,
whereas the value of e only depends on variables with domain low if d = low .
Typing judgments for commands are of the form
` c : (mdf , stp)
44 Chapter 3. A More Flexible Scheduler-independent Security Analysis
[STOP] ` stop : (high, low) [SKIP] ` skip : (high, low)
[ASS]
` e : d d v dma(x )
` x :=e : (dma(x ), low) [SPAWN]
∀i∈{1, . . . , k} : ` ci : (mdf , stpi)
` spawn(c1, . . . , ck) : (mdf , low)
[IF]
` c1 : (mdf , stp) ` c2 : (mdf , stp) ` e : d d v mdf
` if e then c1 else c2 fi : (mdf , stp unionsq d)
[WHILE]
` c : (mdf , stp) ` e : d stp unionsq d v mdf
` while e do c od : (mdf , stp unionsq d)
[SEQ]
` c1 : (mdf 1, stp1) ` c2 : (mdf 2, stp2) stp1 v mdf 2
` c1; c2 : (mdf 1 umdf 2, stp1 unionsq stp2)
[SUB]
` c : (mdf ′, stp′) mdf v mdf ′ stp′ v stp
` c : (mdf , stp)
Figure 3.2: Typing rules for commands
where c ∈ Com and mdf , stp ∈ {low , high}. The interpretation of the judgments is
as follows: The security domain mdf (for “modify”) is a lower bound on the security
domain of the variables which a thread with control state modeled by c modifies. I.e., if
mdf = high, then the command c is a high command, while if mdf = low then c might
be a high or a low command. Moreover, the security domain stp (for “steps”) is an upper
bound on the security domain of variables on whose values the number of execution steps
of a thread with control state modeled by c depends (not counting execution steps of
spawned threads). I.e., if stp = low then the number of execution steps does not depend
on the values of high variables, and if stp = high then the number of execution steps
might depend on the values of high variables.
The typing rules for commands are displayed in Figure 3.2. Subtyping is covariant in
the first component of the pair (mdf , stp) (compare rule [SUB]), because the interpretation
is that mdf is a lower bound, and contravariant in the second component, because the
interpretation is that stp is an upper bound. To prevent direct information leaks, rule
[ASS] ensures that assignments of high expressions to low variables are not typable.
Moreover, to prevent indirect information leaks rules [IF] and [WHILE] prevent typability
of commands that assign to low variables under high control conditions by requiring
d v mdf . Rule [SPAWN] permits to type commands that dynamically spawn threads.
Since a spawn-command always takes one execution step, the typing rule states that
stp = low . Moreover, the typing rule states that mdf = high only if each command
in the list of spawned threads is typable with mdf = high, i.e., if all spawned threads
modify only high variables. The conditions stp1 v mdf 2 and stp v mdf in rules [SEQ]
and [WHILE], respectively, ensure that if a thread is low then the number of execution
steps that it performs does not depend on the values of high variables. These restrictions
on the typability of sequentially composed threads and loops are essential for the type
system’s soundness, because they ensure that lock-step execution is possible for threads
that execute low commands.
Definition 3.13. A command c is typable with type (mdf , stp) if and only if ` c : (mdf , stp)
3.4. A Type-based Security Analysis 45
is derivable in the type system. A command c is typable if there exist mdf , stp ∈
{low , high} such that ` c : (mdf , stp) is derivable in the type system. ♦
Before introducing typing judgments for thread pools, we establish a soundness result for
the typing rules for commands.
Theorem 3.15. Let c ∈ Com. If c is typable then c is FSI-secure. ♦
To prove Theorem 3.15, we establish three lemmas about typability, concerning subject
reduction, high threads, and execution steps in L-equal memories.
Lemma 3.1. Let c ∈ Com. Assume that c is typable with type (mdf , stp) and that
〈c,mem〉 new(thr)−−−−−−_ 〈c′,mem ′〉. Then c′ is typable with (mdf ′, stp′) where mdf v mdf ′
and stp′ v stp. Moreover, thr [i] is typable for all i ∈ {1, . . . , ](thr)}. ♦
Lemma 3.2. Let c ∈ Com. Assume that c is typable with type (high, stp) for some
stp ∈ {low , high}. Then c ∈ HCom. ♦
Lemma 3.3. Let c ∈ Com. Assume that c is typable with type (mdf , stp). Assume
furthermore that 〈c,mem1〉 α1−_ 〈c′1,mem ′1〉 and 〈c,mem2〉 α2−_ 〈c′2,mem ′2〉 for L-equal
memories mem1 and mem2. Then the following conditions are satisfied:
− If stp = low then c′1 = c′2, α1 = α2, and mem ′1 =L mem ′2.
− If c′1 6= c′2 then stp = high. ♦
The proof for each of the three lemmas is by induction over the derivation of typing
judgments. We provide detailed proofs in Appendix A.4.
Now we sketch the proof of Theorem 3.15.
Proof Sketch. We define the relation R on thread pools by thr1 R thr2 if and only if the
following conditions are satisfied:
− thr1 and thr2 contain the same number of low threads and
− if i ∈ {1, . . . , ](thr1)} and thr1[i] ∈ LCom then thr1[i] = thr2[l -matchthr1,thr2(i)] and
thr1[i] is typable.
Then 〈c〉 R 〈c〉 if c is typable. To show that typable commands are FSI-secure it hence
suffices to show that R is a low bisimulation modulo low matching.
A detailed proof that R is a low bisimulation modulo low matching is available in
Appendix A.4, here we only sketch the proof. We must show that whenever thr1 R thr2
then (a) if thr1[i] ∈ LCom then an execution step of thr1[i] can be matched by an
execution step of thr2[l -matchthr1,thr2(i)] in each L-equal memory, resulting in related
thread pools and L-equal memories, and (b) if thr1[i] ∈ HCom then an execution step of
thr1[i] results in related thread pools. While (b) follows directly from the definition of R,
for proving (a) we exploit that ` thr1[i] : (mdf , stp) is derivable by the definition of R
and do a proof by induction on the derivation of this judgment. Note that mdf = low ,
because otherwise thr1[i] ∈ HCom would hold by Lemma 3.2.
We sketch the proof for three more interesting cases, namely derivations via rules
[ASS], [IF], and [SEQ].
If the derivation is via [ASS] (i.e., thr1[i] = x :=e) the typing rule ensures that the
security level of e is low, and, hence, that the value of e only depends on low variables. In
consequence, executing the assignment in L-equal memories results in L-equal memories.
If the derivation is via [IF] (i.e., thr1[i] = if e then c1 else c2 fi) it follows from
mdf = low and rule [IF] that e is typable with low , i.e., the value of e depends only on
46 Chapter 3. A More Flexible Scheduler-independent Security Analysis
[PAR]
∀i ∈ {1, . . . , n} : ` thr [i] : (mdf i, stpi)
` thr
Figure 3.3: Typing rule for thread pools
low variables. Hence, transitions of thr1[i] in L-equal memories result either both in c1 or
both in c2, which are also typable by Lemma 3.1.
If the derivation is via [SEQ] (i.e., thr1[i] = c1; c2) then ` c1 : (mdf 1, stp1) and
` c2 : (mdf 2, stp2) are derivable. Assume that c1 6= stop (for c1 = stop the proof is
straightforward). Then, by the induction hypothesis, steps of c1 in L-equal memories
result in L-equal memories. It remains to show that the resulting commands, call them
c′′1 ; c2 and c
′′
2 ; c2, are either both high or are equal, low, and typable. By the induction
hypothesis, c′′1 and c
′′
2 are either both high or are equal, low, and typable. If they are equal
it is straightforward to see that c′′1 ; c2 and c
′′
2 ; c2 are either both high or equal, low, and
typable using rule [SEQ]. If c′′1 6= c′′2 are both high, then stp1 = high by Lemma 3.3. In
consequence, by typing rule [SEQ] it follows that mdf 2 = high, i.e., c2 is a high command
by Lemma 3.2. Hence, c′′1 ; c2 and c
′′
2 ; c2 are both high commands.
Typing judgments for thread pools are of the form
` thr ,
where thr ∈ Thr is a thread pool. The corresponding typing rule in Figure 3.3 requires that
thr [i] is typable for all i ∈ {1, . . . , ](thr)}. The soundness of the type system for thread
pools then follows directly from the compositionality of FSI-security and Theorem 3.15.
Theorem 3.16. If the judgment ` thr is derivable then thr is FSI-secure. ♦
Proof. Since ` thr is derivable, thr [i] is typable for all i ∈ {1, . . . , ](thr)} by rule [PAR].
Hence, by Theorem 3.15, thr [i] is FSI-secure for all i ∈ {1, . . . , ](thr)}. In consequence,
by compositionality of FSI-security (Theorem 3.6) thr is FSI-secure.
Remark 3.5. The type systems proposed in [Smi01, BC02, Smi03, ABC07] are similar
to our type system because they restrict the assignments a program may perform after
executing a conditional or a loop with a high control condition. However, [Smi01, Smi03,
ABC07] guarantee soundness only for one scheduler-specific security property. The type
system in [BC02] is for a language that allows dynamic thread creation only in a limited
form (no threads may be created inside loops), and the article assumes that threads idle
after their termination instead of being removed from the thread pool. Our type system
and its soundness result do not share these limitations. The scheduler independence result
from [BC02] will be further compared to the result in this thesis in Section 3.6. ♦
3.5 Example Security Analysis
We illustrate the benefits of FSI-security and the security type system at the security
analysis of a simple, yet realistic multi-threaded example program.
Consider the code fragment in Figure 3.4, which is part of an application managing
the personal finances of the user of the program. The input to the program is stored in
3.5. Example Security Analysis 47
Initial thread :
spawn(writeStockPricesToDB);
spawn(writeFundsPricesToDB);
spawn(computeAccountOverview)
writeStockPricesToDB:
il:=0;
while (il < getSize(stockPricesInl))
do
databaseOutl:=databaseOutl
+getTitleAt(stockPricesInl, il)
+getPriceAt(stockPricesInl, il);
il:= il+1 od
writeFundsPricesToDB:
jl:=0;
while (jl < getSize(fundsPricesInl))
do
databaseOutl:=databaseOutl
+getTitleAt(fundsPricesInl, jl)
+getPriceAt(fundsPricesInl, jl);
jl:= jl+1 od
computeAccountOverview:
kh:= 0; overviewOuth:= ””;
while (kh < getSize(userPortfolioInh)) do
titleh:=getTitleAt(userPortfolioInh, kh);
if (isStock(titleh)) then
priceh:=getPrice(stockPricesInl, titleh)
∗ getQuantityAt(userPortfolioInh, kh)
else
priceh:=getPrice(fundsPricesInl, titleh)
∗ getQuantityAt(userPortfolioInh, kh)
fi;
oldPriceh:=
getLastPrice(databaseInl, titleh);
if (oldPriceh ≤ priceh)
then tendencyh:= ”up”
else tendencyh:= ”down”
fi;
overviewOuth:=overviewOuth+titleh
+priceh+tendencyh;
kh:= kh+1
od
Figure 3.4: Example code fragment
the input variables stockPricesInl and fundsPricesInl (up-to-date pricing information about
stocks and funds, respectively), databaseInl (a database with historical pricing information
that is administered by the program), and userPortfolioInh (containing information about
the user’s custody account). The output computed by the program is stored in the
output variables databaseOutl (novel pricing information to be stored in the database)
and overviewOuth (an overview of the user’s custody account).
To compute the novel pricing information to be stored in the database, the program
spawns two threads executing the commands writeStockPricesToDB and writeFundsPri-
cesToDB, respectively. A third spawned thread (computeAccountOverview) generates the
overview of the user’s custody account and stores it in the variable overviewOuth. The
three tasks are spawned in separate threads to not block any computations following this
code fragment in the overall application.
We model the data used in the example program by String values. To access data
encoded in String values, we use selector expressions like, e.g., getTitleAt or getPriceAt.
The subscripts of variables indicate whether the domain assignment classifies a variable
as public (l) or as secret (h). Information about historical pricing information (stored
within the database) and information about up-to-date pricing information is classified as
public, while the user’s portfolio as well as the computed overview of the portfolio are
classified as secret. The variables that do not model inputs or outputs are classified in
a way that permits to type-check the program with the type system from Section 3.4.
For instance, variable titleh is classified as secret because it is used to store information
that is derived from the secret portfolio, and variable il is classified as public because it is
used to iterate over the entries of the public variable stockPricesInl.
We use the security type system to show that the program is FSI-secure.
48 Chapter 3. A More Flexible Scheduler-independent Security Analysis
Theorem 3.17. The program from Figure 3.4 is FSI-secure. ♦
Proof. The initial thread as well as the threads executing the commands writeStockPrices-
ToDB and writeFundsPricesToDB are typable with the type (low , low) (they or threads
that they spawn write to low variables, and they do only contain low control conditions).
Moreover, the command computeAccountOverview is typable with the type (high, high)
(it assigns only to high variables and contains high control conditions).
In contrast, the program is rejected by other information flow analyses that guarantee
the absence of insecure information flows under common schedulers, because the underlying
scheduler-independent information flow properties are not satisfied for the program.
Properties based on the idea of observational determinism [ZM03] are violated because
the order in which entries are written to the database is nondeterministic (the order
depends on the order in which the threads writeStockPricesToDB and writeFundsPri-
cesToDB are selected by the scheduler). Strong security [SS00] is violated because the
number of execution steps of the loop in the thread computeAccountOverview depends
on secret information.
Since the program is terminating, it is S-noninterferent for robust S by Theorem 3.13.
This shows that although the number of execution steps depends on secret information
the public outputs do not. In particular, the order of entries in variable databaseOutl
does not depend on secret information.
3.6 Summary and Comparison to Related Work
In this chapter, we have presented the novel information flow security property FSI-
security, and we have shown that FSI-security is scheduler independent with respect to a
class of relevant schedulers, the robust schedulers.
We defined FSI-security using a standard approach that is based on partial equivalence
relations (pers) and bisimulations. Using a bisimulation-based security definition, firstly,
permitted us to easily derive a compositionality result for FSI-security. Secondly, since pers
and bisimulations are also used for other advances in the characterization of information
flow security, we are confident that it is possible to integrate FSI-security with other
information flow properties defined using the same approach, like, e.g., properties that
permit controlled declassification as proposed in [MR07]. In Chapter 5 we show how to
integrate FSI-security with a per-based information flow property that exploits assumption-
guarantee based reasoning and that we present in the following chapter.
With the development of FSI-security we were able to overcome three major deficiencies
of other approaches to scheduler-independent information flow security: Incompatibility
with programs that have nondeterministic public output, incompatibility with programs for
which the number of execution steps depends on secrets, and incompatibility with standard
scheduler interfaces. Moreover, we were not only able to overcome these deficiencies in
the security property, but also in a provably sound type system. In the following, we
discuss these improvements with respect to other approaches to scheduler-independent
information flow security in more detail. An overview of the benefits of FSI-security and
the approaches discussed in the following is displayed in Table 3.1.
Observational Determinism. The idea of observational determinism goes back to McLean
[McL92] and Roscoe et al [RWW94, Ros95], who proposed information flow properties not
at the level of program implementations but for more abstract specifications. The idea
3.6. Summary and Comparison to Related Work 49
S
ch
ed
u
le
r-
in
d
ep
en
d
en
ce
R
es
u
lt
S
ta
n
d
ar
d
S
ch
ed
u
le
r
In
te
rf
ac
e
C
o
m
p
a
ti
b
le
w
it
h
N
on
d
et
er
m
in
is
ti
c
P
u
b
li
c
O
u
tp
u
t
C
o
m
p
a
ti
b
le
w
it
h
T
im
in
g
D
iff
er
en
ce
s
D
ep
en
d
in
g
o
n
S
ec
re
ts
C
o
m
p
a
ti
b
le
w
it
h
L
ow
A
ss
ig
n
m
en
ts
a
ft
er
H
ig
h
L
o
o
p
G
u
a
rd
(b
u
t
B
lo
ck
s
D
u
ri
n
g
L
o
op
)
C
o
m
p
os
it
io
n
a
li
ty
R
es
u
lt
[VS98] % ! ! ! ! !
[SS00] ! ! ! % % !
[ZM03, HWS06] ! ! % ! % !1
[BC02] % % ! ! % !
[RS06a, BRRS07, RS09] ! % ! ! ! !
[RS06b] %2 % ! ! ! !
FSI-security ! ! ! ! % !
1 Compositionality requires that the composed threads do not have races.
2 It seems plausible that a scheduler-independence result could be established.
Table 3.1: Comparison of approaches to information flow security with scheduling
was adapted to a language-based setting in [ZM03, HWS06]. Observational determinism
requires that public observations of program executions are deterministic regardless of
the interleaving of threads and the values of secret variables. If this requirement is
satisfied, reducing the possible interleavings by assuming a concrete scheduler cannot
result in a dependency of public observations on secrets. Observational determinism has
the drawback that it forbids useful nondeterminism which occurs, for instance, when
multiple threads append data to the same public variable (as in the example program
analyzed in Section 3.5).
Strong Security. Sabelfeld and Sands [SS00] introduce the property strong security which
is scheduler independent for a natural class of schedulers. Strong security is quite
restrictive, because it requires that the runtime of a program must not depend on secret
data. This drawback appeared unavoidable because Sabelfeld [Sab03] proved that strong
security is the weakest compositional property that implies information flow security for
the natural class of schedulers. Hence, strong security was used, despite its restrictiveness,
as the foundation of many later developments (e.g., [MS03, FRS05, KM07]) and has
been generalized in various ways, e.g., for distributed systems [MS03] or to control
declassification [LM09]. While [SS00] proposes a security type system that can transform
some insecure programs into strongly secure programs, only a subset of the intuitively
50 Chapter 3. A More Flexible Scheduler-independent Security Analysis
secure programs is amenable to this approach. For instance, the security type system does
not transform the FSI-secure example from Section 3.5 into a strongly secure program.
Remark 3.6. The combining calculus [MSK07] (joint work of the author of this thesis with
Heiko Mantel and Tina Kraußer) was a first step towards combining approaches based on
observational determinism and strong security by making the combination of different
analysis techniques in an information flow analysis feasible. However, the information flow
property considered in [MSK07] is not scheduler independent with respect to standard
schedulers like Round-Robin schedulers, and no scheduler independence result has so far
been established for the combining calculus. ♦
Controlled Thread Systems. Boudol and Castellani [BC02] proposed a security type
system for controlled thread systems that consist of a thread pool and a scheduler. If a
controlled thread system is typable, then the thread pool is secure under the scheduler.
In contrast to FSI-security, the approach requires the size of a thread pool to remain
fixed during a program run. In particular, dynamic thread creation is not supported, and
threads remain in the thread pool even after their termination (and may still be selected
by the scheduler). Boudol and Castellani argue that if the termination of certain threads
would be signaled to the scheduler then controlled thread systems writing public variables
cannot be typed. This is a non-standard restriction, because schedulers typically need to
know the number of running threads when selecting the next thread.
Non-standard Scheduler Interfaces. As a different approach to relax the security property
while remaining scheduler-independent, Russo and Sabelfeld [RS06a, BRRS07, RS09]
proposed to use non-standard schedulers that provide a customized interface to the
scheduled threads. Via two special commands, programs can hide (and at a later point
unhide) a thread; the schedulers guarantee that during the execution of hidden threads
no other threads are scheduled. The approach allows to securely execute programs
containing threads that assign to low variables after performing computations whose
runtime depends on secrets (hiding the thread during those computations), but at the cost
that a scheduler with a non-standard interface must be used. Such threads are rejected
by FSI-security, because they may cause information leakage when being executed under
currently available schedulers.
Program Transformations and Cooperative Scheduling. Another approach that, like the
approach discussed in the previous paragraph, prevents scheduling during computations
whose runtime depends on secrets is followed by Russo and Sabelfeld [RS06b]. They
propose a program transformation that introduces yield-statements into a program, where
each yield-statement instructs the scheduler to select another thread, such that no yield-
statements occur during computations depending on secrets, and rescheduling only occurs
at yield-statements. The approach is implemented for a Round-Robin scheduler, but the
article argues that it is applicable for a wide class of schedulers. The transformation
entails that computations on secrets block all remaining threads. This is particularly
critical when these computations are time-consuming. In contrast, FSI-security allows
any computations to be interleaved with the executions of other threads.
C
H
A
P
T
E
R
4
A Flow-sensitive Security Analysis
4.1 Introduction
Many information flow analyses are flow-insensitive. Flow-insensitive analyses do not
take the order of program statements into account [NNH99, Sec. 2.5.6], i.e., they yield
the same result for programs P1;P2 and P2;P1 where the semicolon denotes sequential
composition of programs. In contrast, a flow-sensitive information flow analysis might
give different results for the programs P1;P2 and P2;P1. Hence, flow-sensitivity permits
higher precision for information flow analysis because the information flow in a program
might change when reordering program statements. To increase precision, flow-sensitive
information flow analyses were developed for sequential programs, e.g., using program
logics [AB04], security type systems [HS06], and program dependence graphs [HS09].
In this chapter, our main goal is to develop a provably sound flow-sensitive information
flow analysis for multi-threaded programs. A key challenge in this development is that
for information flow analysis for multi-threaded programs there is a conflict between
flow-sensitivity and compositionality. To solve this conflict, we propose an approach based
on assumption-guarantee style reasoning. We define a novel information flow property,
SIFUM-security, that exploits assumptions and guarantees about how threads access
shared variables and that, thereby, enables a compositional and flow-sensitive analysis.
We relate SIFUM-security to our reference property, S-noninterference, with a scheduler
independence result. Moreover, we develop a provably sound flow-sensitive security type
system that enforces SIFUM-security. It is, to our knowledge, the first provably sound
flow-sensitive information flow analysis for multi-threaded programs.
SIFUM-security and the flow-sensitive security type system use assumptions made for
single threads about read and write accesses of other threads, and they use guarantees
provided about a thread’s own read and write accesses. SIFUM-security permits to use a
flow-sensitive information flow analysis as long as valid assumptions are made. Moreover,
for those parts of a program for which no assumptions are made the analysis can safely
fall back to flow-insensitive reasoning. In addition to the security analysis one must verify
that assumptions and guarantees are valid, and we sketch how this task can be approached
51
52 Chapter 4. A Flow-sensitive Security Analysis
with the help of existing verification techniques. We illustrate the applicability of the
flow-sensitive analysis at realistic examples.
Overview. In Section 4.2 we discuss the challenge of flow-sensitive information flow
analysis for multi-threaded programs in more detail, and we informally introduce our
solution based on assumption-guarantee style reasoning in Section 4.3. In Section 4.4 we
define a semantic characterization of information flow that is compatible with assumption-
guarantee style reasoning and show that it is compositional and scheduler-independent.
In Section 4.5 we present a flow-sensitive security type system based on the semantic
characterization, and illustrate benefits of the flow-sensitive analysis in Section 4.6.
Section 4.7 summarizes the results and discusses the relation to other works.
4.2 Flow-sensitive Analysis and Multi-threading
A flow-sensitive analysis, in principle, permits higher precision than a flow-insensitive
analysis if one wants to check a property of programs that depends on the order of the
program statements. This is in particular so for information flow security. For instance,
in contrast to a flow-insensitive information flow analysis a flow-sensitive analysis can
exploit that a program overwrites the value of a secret variable with a public value before
it copies the secret variable to a public sink. The following example illustrates this.
Example 4.1. Consider the program h:=0; l :=h, where variable h contains a secret input
and l is a low output variable. Intuitively, the program has secure information flow,
because it overwrites the secret in h with a constant before it copies the value of h to l .
Nevertheless, a flow-insensitive information flow analysis will not classify the program
as secure, because the program obtained by reversing the order of the assignments,
l :=h; h:=0, is insecure (it copies the secret in h into l). ♦
In contrast to a flow-insensitive analysis, a flow-sensitive analysis might also tolerate
that a program copies a secret value to a variable classified as public, as long as the
program overwrites the value of this public variable at a later point with a public value.
Example 4.2. Consider the program l :=h; l :=0, where l is a low output variable and h
contains a secret value. Intuitively, the program has secure information flow, because it
overwrites l with a constant value after copying the secret in h to l .
A flow-insensitive information flow analysis rejects the program because the program
obtained by reordering the assignments, l :=0; l :=h, leaks the secret value in h into l . ♦
Several flow-sensitive information flow analyses for sequential programs classify the pro-
grams in Examples 4.1 and 4.2 as secure (for instance, using program logics (e.g., [AB04]),
security type systems (e.g., [HS06]), or program dependence graphs (e.g., [HS09])).
In the following, we illustrate that a key challenge for developing a flow-sensitive
information flow analysis for multi-threaded programs is that flow-sensitive reasoning as
illustrated in the above examples conflicts with the desire that the parallel composition
of any two programs classified as secure should also have secure information flow.
Example 4.3. The programs h:=0; l :=h and h:=h ′ are both classified as secure by existing
flow-sensitive analyses for sequential programs (where h and h ′ contain secrets and l is
a public output variable). However, executing the programs in parallel leaks the secret
in h ′ into l if the assignment h:=h ′ is executed between the other two assignments. ♦
4.3. Assumptions and Guarantees 53
Example 4.3 illustrates that it is unsound to exploit that a secret variable is overwritten
with a public value before being copied to a public output, if in between another thread
writes a secret value into that variable.
The next example illustrates that there is danger if one permits assignments of secrets
to public variables even if the secret is later overwritten with a public value, because
another thread might copy the intermediate secret value into another public variable.
Example 4.4. The programs l :=h; l :=0 and l ′:=l are both classified as secure by existing
flow-sensitive analyses for sequential programs (where h contains a secret and l and l ′ are
public output variables). However, executing the programs in parallel leaks the secret
in h into l ′ if the assignment l ′:=l is executed between the other two assignments. ♦
Examples 4.3 and 4.4 illustrate that the parallel composition of two programs classified
as secure by a flow-sensitive analysis for sequential programs might leak secret information.
I.e., there is a conflict between flow-sensitivity and compositionality.
In the following sections, we develop a solution that permits flow-sensitive composi-
tional analysis based on assumption-guarantee style reasoning.
4.3 Assumptions and Guarantees
To develop an information flow analysis for multi-threaded programs that is both compo-
sitional and flow-sensitive we exploit that programmers usually ensure that threads in a
multi-threaded program access the shared memory in a coordinated way. For instance,
if a variable is used in one thread for a computation and modifications of that variable
by other threads would interfere with the computation in undesired ways, programmers
ensure that other threads do not write the variable during the computation. Moreover,
if other threads shall not access intermediate values of a variable during a computation
in one thread, programmers ensure that the other threads only read the variable at
defined points during the computation. To ensure such coordinated memory accesses,
programmers might employ some form of synchronization.
To exploit such coordinated access to the shared memory in the information flow
analysis, we develop an analysis that exploits assumption-guarantee style reasoning.
Reconsider the thread h:=0; l :=h from Example 4.1. Under the assumption that other
threads do not write the value of h between the two assignments it is safe to exploit
the order of the assignments in the information flow analysis. Moreover, for the thread
l :=h; l :=0 from Example 4.2 it is safe to exploit the order of the assignments under the
assumption that other threads do not read l between the assignments. This motivates
the use of two types of assumptions in the analysis, namely assumptions of the form
“During some interval of the thread’s execution other threads do not read variable x”,
and assumptions of the form
“During some interval of the thread’s execution other threads do not write variable x”.
Such assumptions are sufficient to cover scenarios in which a thread exclusively accesses
shared variables during some parts of its execution, and shares these variables with other
threads at selected points during the execution. The first type of assumption is useful for
the analysis of programs like in Example 4.2 that temporarily store secret values in low
variables. The second type of assumption is useful for the analysis of programs like in
Example 4.1 that store public values in high variables.
54 Chapter 4. A Flow-sensitive Security Analysis
Moreover, we consider corresponding guarantees that express that a thread refrains
from certain accesses to the shared memory. The guarantees are of the form
“During some interval of the thread’s execution the thread does not read variable x”,
and
“During some interval of the thread’s execution the thread does not write variable x”.
Where do the assumptions and guarantees come from? They could, for instance, be
specified before the information flow analysis using annotations in the program source
code, capturing the intended pattern of variable accesses. The annotations could be added,
e.g., by the programmer or by the security analyst. In this case, the validity of assumptions
and guarantees needs to be verified to ensure that an information flow analysis that
exploits them is correct. The assumptions and guarantees could also be inferred using
a program analysis, capturing some actual pattern of variable accesses. In this case, a
soundness result for this program analysis could guarantee that the inferred assumptions
and guarantees are valid. For the definition of a formal information flow property that
exploits assumptions and guarantees we abstract from the way in which assumptions
and guarantees are obtained by enriching the program semantics from Section 2 with
information about assumptions and guarantees.
4.4 A Security Property with Assumptions and Guarantees
To formalize a security property that is compatible with assumptions and guarantees (as
introduced informally in the previous section) we extend our formal model of program
execution with information about assumptions and guarantees. This information is used
solely for defining an information flow property and for proving soundness of assumption-
guarantee based information flow analyses with respect to that property, and we extend
the execution model such that information about assumptions and guarantees does not
influence the transitions modeling program execution.
4.4.1 Modes
The assumptions and guarantees made for a thread in the information flow analysis
may differ for different points in the thread’s execution. We model the assumptions
and guarantees made for a thread at some program point by associating each variable
with a collection of modes. Each mode represents an assumption or a guarantee for the
corresponding variable. This modeling approach borrows from the idea of access modes in
file systems, where a file is associated with access modes representing how the file may be
accessed. Similar to files being associated with multiple access modes (e.g., both read and
write access), multiple modes representing assumptions and guarantees may be associated
with a variable (using, e.g., two modes to represent the guarantee that the thread neither
reads nor writes the variable).
Definition 4.1. A mode is an element of the set
Mod = {asm-no-r , asm-no-w , guar -no-r , guar -no-w}.
A mode state is a function mds : Mod → P(Var). We denote the set of mode states
with Mds. ♦
4.4. A Security Property with Assumptions and Guarantees 55
If x ∈ mds(asm-no-r) or x ∈ mds(asm-no-w) the mode state mds represents the
assumption that no other thread reads or writes the variable x before the next execution
step of the thread, respectively. Moreover, if x ′ ∈ mds(guar -no-r) or x ′ ∈ mds(guar -no-w)
the mode state mds represents the guarantee that the thread itself does not read or write
the variable x ′ in its next execution step, respectively.
To model that different assumptions are made and different guarantees are provided
at different points of a thread’s execution, we extend our model of snapshots during a
thread’s execution with mode states.
Definition 4.2. A thread configuration with modes is a triple 〈c,mds,mem〉, where c ∈
Com, mds ∈ Mds, and mem ∈ Mem. ♦
Moreover, we introduce judgments of the form
〈c,mds,mem〉 α−_ 〈c′,mds ′,mem ′〉,
where α ∈ Labm = {new(thr ,mdss) | thr ∈ Thr ∧mdss ∈ Mds∗ ∧ ](thr) = ](mdss)}. In
addition to modeling the single execution steps of a thread, the judgments model changes
of the assumptions and guarantees between two points in the thread’s execution. The
event new(thr ,mdss) ∈ Labm represents the creation of new threads, where the list of
mode states mdss models the initial assumptions and guarantees for each new thread.
We use modes solely for the information flow analysis, and the modes shall have no
impact on the program execution. We formalize this with the following requirement
on the relation between judgments of the form 〈c,mds,mem〉 α−_ 〈c′,mds ′,mem ′〉 and
judgments of the form 〈c,mem〉 α−_ 〈c′,mem ′〉.
Requirement 4.1. If 〈c,mds,mem〉 α−_ 〈c′,mds ′,mem ′〉 with α = new(thr ,mdss) then
〈c,mem〉 α′−_ 〈c′,mem ′〉 with α′ = new(thr).
Moreover, whenever 〈c,mem〉 α−_ 〈c′,mem ′〉 with α = new(thr), then for each mode
state mds there exist a mode state mds ′ and a list of mode states mdss ′ such that
〈c,mds,mem〉 α′−_ 〈c′,mds ′,mem ′〉 with α′ = new(thr ,mdss). ♦
We define derivation rules for the new judgments for an extension of the programming
language from Section 2.3 in Section 4.5.1, taking care that Requirement 4.1 is satisfied.
Moreover, we extend our model of snapshots during the execution of multi-threaded
programs with modes.
Definition 4.3. A system configuration with modes is a tuple 〈thr ,mdss,mem, sst〉 where
thr ∈Thr , mdss ∈Mds∗, mem ∈Mem, sst ∈ sSt , and ](thr) = ](mdss). ♦
Moreover, we introduce judgments of the form
(thr ,mdss,mem, sst)
k,p
=⇒S (thr ′,mdss ′,mem ′, sst ′)
and define derivability for these judgments with the derivation rule displayed in Figure 4.1.
The rule is an extension of Rule (2.1) from Section 2.2.2 to judgments with modes. The
rule specifies that the list of mode states is updated when the size of the thread pool
changes in accordance with the update of the thread pool.
In the remainder, we denote thread configurations with modes with tcm and system
configurations with modes with scm, both possibly with primes and subscripts.
56 Chapter 4. A Flow-sensitive Security Analysis
〈thr [k],mdss[k],mem〉 new(thr
′′,mdss′′)−−−−−−−−−−−_ 〈c′,mds ′,mem ′〉
sin = obs(thr ,mem) (sst , sin)
k,p S sst ′ thr ′ = updatek(thr , c′, thr ′′)
c′ = stop ⇒ mdss ′ = replacek(mdss,mdss ′′)
c′ 6= stop ⇒ mdss ′ = replacek(mdss, 〈mds ′〉 :: mdss ′′)
〈thr ,mdss,mem, sst〉 k,p=⇒S 〈thr ′,mdss ′,mem ′, sst ′〉
Figure 4.1: Derivation rule for transitions of system configurations with modes
4.4.2 SIFUM-Security
We define a security property that is compatible with assumptions and guarantees, basing
the definition on the Per-approach with bisimulation relations [SS99] (cf. Section 3.3.1).
Like in Chapter 3, we extend the domain assignment dma to the set Var such that
a security domain is also assigned to variables that do not represent input or output,
and we denote the set of all variables with security domain low with L. In contrast to
Chapter 3, we define a partial equivalence relation on commands (and not on thread
pools) that models “indistinguishability“ of commands with respect to executions in
L-equal memories, and define a command as secure if and only if it is related to itself.
Usually, information flow properties that are defined based on a bisimulation-based
partial equivalence relation not only require that two runs of a secure program starting
in L-equal memories result in L-equal final memories, but require L-equality also at
intermediate execution points (like, e.g., FSI-security in Section 3.3 and the properties
in [SS00], [Sab03], [ZM03], and [MS04]). This requirement can be used to prove the
compositionality of the resulting security property by exploiting that no thread ever
stores secrets in low variables. We exploit assumptions that other threads do not read
variables to relax this requirement at intermediate execution points without loosing
compositionality. To this end, we permit a thread to store secrets in a low variable as long
as one makes a no-read assumption for that thread and that variable. To capture this
formally, we introduce the following relaxed variant of L-equality that requires equality
only for low variables without mode asm-no-r .
Definition 4.4. Memories mem1,mem2 ∈ Mem are L-equal modulo mode state mds ∈
Mds (denoted by mem1 =
mds
L mem2) if and only if
mem1(x ) =L\mds(asm-no-r) mem2(x ).
Moreover, in contrast to previous definitions of information flow properties that are
based on partial equivalence relations and bisimulations we follow a two-step approach to
distinguish explicitly between execution steps of a thread’s environment and execution
steps of a thread itself: In the first step, we consider memory modifications by the
environment in a closure condition on the bisimulation that exploits no-write assumptions.
In the second step, we consider the execution steps of a single thread in a bisimulation
definition that exploits no-read assumptions.
Definition 4.5. A binary relation R on thread configurations with modes that have
equal mode states is closed under globally consistent changes if for all c1, c2 ∈ Com,
mds ∈ Mds, and mem1,mem2 ∈ Mem with 〈c1,mds,mem1〉 R 〈c2,mds,mem2〉 the
following conditions are satisfied for all x ∈ Var :
1. (x 6∈ mds(asm-no-w) ∧ dma(x ) = high)⇒
∀v1, v2 ∈ Val : 〈c1,mds,mem1[x 7→ v1]〉 R 〈c2,mds,mem2[x 7→ v2]〉
4.4. A Security Property with Assumptions and Guarantees 57
2. (x 6∈ mds(asm-no-w) ∧ dma(x ) = low)⇒
∀v ∈ Val : 〈c1,mds,mem1[x 7→ v ]〉 R 〈c2,mds,mem2[x 7→ v ]〉 ♦
The two conditions in Definition 4.5 characterize the possible modifications of the
memory by other threads that (a) respect the no-write assumptions modeled by the mode
state and (b) do not store secrets in low variables.
Definition 4.6. A symmetric binary relation R on thread configurations with modes that
have equal mode states is a strong low bisimulation modulo modes if it is closed under
globally consistent changes, and if for all c1, c2 ∈ Com, mds ∈ Mds, and mem1,mem2 ∈
Mem with 〈c1,mds,mem1〉 R 〈c2,mds,mem2〉 the following conditions are satisfied:
1. mem1 =
mds
L mem2, and
2. for all c′1 ∈Com, mds ′ ∈Mds, mem ′1 ∈Mem, and α1 = new(thr1,mdss1) ∈ Labm, if
〈c1,mds,mem1〉 α1−_ 〈c′1,mds ′,mem ′1〉 then there exist c′2 ∈ Com, mem ′2 ∈ Mem, and
α2 = new(thr2,mdss2) ∈ Labm such that the following conditions are satisfied:
a) 〈c2,mds,mem2〉 α2−_ 〈c′2,mds ′,mem ′2〉,
b) 〈c′1,mds ′,mem ′1〉 R 〈c′2,mds ′,mem ′2〉,
c) ](thr1) = ](thr2), and
d) 〈thr1[i],mdss1[i],mem ′1〉 R 〈thr2[i],mdss2[i],mem ′2〉 for all i ∈ {1, . . . , ](thr1)}.
The relation ∼mm is the union of all strong low bisimulations modulo modes. ♦
Theorem 4.1. The relation ∼mm is a strong low bisimulation modulo modes. ♦
Theorem 4.2. The relation ∼mm is a partial equivalence relation (i.e., transitive and
symmetric). ♦
The proofs of the two theorems are straightforward, they go along the same lines as
the proofs for the corresponding theorems for low bisimulations modulo low matching
(Theorems 3.4 and 3.5 in Section 3.3.2). Detailed proofs are available in Appendix A.5.
Strong low bisimulations modulo modes characterize an indistinguishability of snap-
shots during two executions of a thread: If 〈c1,mds,mem1〉 R 〈c2,mds,mem2〉 then
the executions of c1 and c2 starting in mem1 and mem2 are indistinguishable to an
observer who sees the values of all low variables without no-read assumption. This is
due to Condition (1) in Definition 4.6 that ensures L-equality of memories modulo the
mode state, and to Condition (2) that ensures that execution steps result in related
configurations and, hence, contain memories that are L-equal modulo the mode state.
Repeating this argument inductively shows that the same still holds after any number of
execution steps. In consequence, it is impossible to distinguish the executions based on
the values of low variables without no-read assumption. Since strong low bisimulations
modulo modes are closed under globally consistent changes, the indistinguishability still
holds if other threads that respect the no-write assumptions and that do not store secrets
in low variables are executed concurrently. Even more, the indistinguishability still holds
if the other threads respect no-write assumptions and store secrets only in low variables
that the thread does not read, because those variables do not affect the execution.
Based on strong low bisimulations modulo modes we define a partial equivalence
relation on commands that we use to define the novel information flow property.
Definition 4.7. Two commands c1 and c2 are SIFUM-indistinguishable for mode state
mds (denoted by c1 ∼mdsmm c2) if and only if 〈c1,mds,mem1〉 ∼mm 〈c2,mds,mem2〉 for all
memories mem1 and mem2 with mem1 =L mem2. ♦
58 Chapter 4. A Flow-sensitive Security Analysis
Definition 4.8. Command c is SIFUM-secure for mode state mds if and only if c∼mdsmm c.♦
The acronym ”SIFUM“ expands to ”secure information flow using modes“. We
illustrate strong low bisimilarity modulo modes and SIFUM-security at the simplistic
examples from Section 4.2 and discuss more realistic examples after introducing a flow-
sensitive type system enforcing SIFUM-security in Section 4.6. For the following examples,
we assume that the semantics of the example programs is such that modes do not change
during program execution. (The semantics with modes is formalized in Section 4.5.1.)
Example 4.5. Reconsider the command c = h:=0; l :=h from Example 4.1. We construct
a strong low bisimulation modulo modes R such that 〈c,mds,mem1〉 R 〈c,mds,mem2〉 if
h ∈ mds(asm-no-w) and mem1 =L mem2. We define 〈c1,mds,mem1〉 R 〈c2,mds,mem2〉
if and only if h ∈ mds(asm-no-w) and one of the following conditions is satisfied:
− c1 = c2 = c and mem1 =L mem2,
− c1 = c2 = stop; l :=h, mem1 =L mem2, and mem1(h) = mem2(h) = 0,
− c1 = c2 = l :=h, mem1 =L mem2, and mem1(h) = mem2(h) = 0, or
− c1 = c2 = stop and mem1 =L mem2.
It is straightforward to show that R is indeed a strong low bisimulation modulo modes.
Hence, h:=0; l :=h is SIFUM-secure for initial mode states mds with h ∈ mds(asm-no-w).
If h ∈ mds(asm-no-w) would not be required in the definition of R then R would not be
closed under globally consistent changes, because 〈l :=h,mds,mem1〉 R 〈l :=h,mds,mem2〉
does not hold for arbitrary L-equal mem1 and mem2. In fact, if h 6∈ mds(asm-no-w)
then h:=0; l :=h is only SIFUM-secure for mds if l ∈ mds(asm-no-r). ♦
Example 4.6. Reconsider the program l :=h; l :=0 from Example 4.2. The command is
SIFUM-secure for all initial mode states mds with l ∈ mds(asm-no-r). This can be
shown like in Example 4.5 by constructing a suitable strong low bisimulation modulo
modes. In difference to Example 4.5, a suitable relation relates configurations where the
memories are not necessarily equal for l . ♦
The above examples illustrate that the two examples from Section 4.2 that are classified
as secure by flow-sensitive analyses for sequential programs are also classified as SIFUM-
secure if one makes suitable assumptions about other threads. Intuitively, this expresses
that the execution of the threads in the examples does not lead to information leaks if the
threads are executed in parallel with SIFUM-secure threads that respect the assumptions.
In fact, SIFUM-security adequately captures information flow security given that
assumptions and guarantees capture correctly how threads and the scheduler access the
shared memory. We provide formal justification in Section 4.4.4.
We use SIFUM-security as a reference point for flow-sensitive information flow analyses
exploiting assumptions and guarantees. SIFUM-security supports flow-sensitive reasoning
in two directions: Firstly, it permits that low variables store secrets as long as a no-read
assumption is made, and, in consequence, flow-sensitive reasoning like in Example 4.1
is sound in such situations. Moreover, if a no-write assumption is made for a variable
one can be sure that the security level of the value of that variable does not change, and,
hence, flow-sensitive reasoning like in Example 4.2 is possible. Beyond this, we establish
a compositionality result for SIFUM-security in the following sections, which permits
modular information flow analyses.
4.4. A Security Property with Assumptions and Guarantees 59
4.4.3 Sound Modes
A thread pool that contains only SIFUM-secure commands is S-noninterferent for any
scheduler if assumptions and guarantees are used in a sound way. This means that
(a) whenever an assumption is made for a thread then this assumption is matched by
the corresponding guarantee in all other threads,
(b) the guarantees made for a thread are valid for that thread,
(c) no no-read assumptions are made after a thread terminates, and
(d) the observation function obs is confined to a subset of low variables for which no
no-read assumptions are made for any thread.
Items (a) and (b) ensure that the assumptions for one thread are valid with respect to
memory accesses by other threads. Besides such accesses, a variable might also be read if
it is output upon program termination or if it is used to interface the program with the
scheduler. Items (c) and (d) ensure that no-read assumptions are also valid with respect to
such variable accesses. We make this notion of soundness of assumptions and guarantees
precise in Definition 4.17, based on a formalization of Item (a) in Definition 4.10, of
Item (b) in Definition 4.14, of Item (c) in Definition 4.15, and of Item (d) in Definition 4.16.
Definition 4.9. Let scm be a system configuration with modes. We inductively define the
set reachS(scm) of system configurations with modes reachable from scm under scheduler S
as follows:
− scm ∈ reachS(scm), and
− if scm ′ ∈ reachS(scm) and scm ′ k,p=⇒S scm ′′ for some k and p then scm ′′ ∈ reachS(scm).
The set of lists of mode states reachable from scm under S is defined as
{mdss ∈ Mds∗ | ∃thr ,mem, sst : 〈thr ,mdss,mem, sst〉 ∈ reachS(scm)}. ♦
Definition 4.10. We say that a list of mode states mdss has compatible modes if and only
if for all i ∈ {1, . . . , ](mdss)} and all x ∈ Var the following conditions are satisfied:
− x ∈ mdss[i](asm-no-r)⇒ ∀j 6= i : x ∈ mds[j](guar -no-r), and
− x ∈ mdss[i](asm-no-w)⇒ ∀j 6= i : x ∈ mds[j](guar -no-w).
A set of lists of mode states has compatible modes if each of its elements has compatible
modes. The system configuration with modes scm has compatible modes under scheduler
S if the set of lists of mode states reachable from scm under S has compatible modes.♦
Definition 4.11. Let c ∈ Com and x ∈ Var . We say that c does not read x if and only if
for all c′ ∈ Com, mem,mem ′ ∈ Mem, and α ∈ Lab with 〈c,mem〉 α−_ 〈c′,mem ′〉 one of
the following conditions is satisfied:
− ∀v ∈ Val : 〈c,mem[x 7→ v ]〉 α−_ 〈c′,mem ′[x 7→ v ]〉, or
− ∀v ∈ Val : 〈c,mem[x 7→ v ]〉 α−_ 〈c′,mem ′〉. ♦
Intuitively, the first condition captures the case that the value of x does not change in the
execution step, and the second condition captures the case that the value of x changes.
Definition 4.12. Let c ∈Com and x ∈Var . We say that c does not modify x if mem(x ) =
mem ′(x ) for all c′ ∈Com, mem,mem ′ ∈Mem, and α∈Lab with 〈c,mem〉 α−_ 〈c′,mem ′〉.♦
60 Chapter 4. A Flow-sensitive Security Analysis
To define what it means that a thread respects its guarantees we refine the approxi-
mation of the set of thread configurations that are locally reachable from a configuration
(see Section 3.3.2). To this end, we adapt local reachability to our setting with modes,
exploiting the no-write assumptions to refine local reachability.
Definition 4.13. Let tcm be a thread configuration with modes. The set loc-reach(tcm) ⊆
Com ×Mds ×Mem of thread configurations with modes that are locally reachable from
tcm is inductively defined as follows:
− tcm ∈ loc-reach(tcm),
− ∀c′,mds ′,mem ′,mem ′′ : [〈c′,mds ′,mem ′〉 ∈ loc-reach(tcm) ∧
mem ′ =mds′(asm-no-w) mem ′′]⇒ 〈c′,mds ′,mem ′′〉 ∈ loc-reach(tcm), and
− ∀tcm ′, c′′,mds ′′,mem ′′, thr ,mdss :
[tcm ′ ∈ loc-reach(tcm) ∧ tcm ′ new(thr ,mdss)−−−−−−−−−_ 〈c′′,mds ′′,mem ′′〉]⇒[〈c′′,mds ′′,mem ′′〉 ∈ loc-reach(tcm) ∧
∀i ∈ {1, . . . , ](thr)} : 〈thr [i],mdss[i],mem ′′〉 ∈ loc-reach(tcm)]. ♦
Definition 4.14. A thread configuration with modes tcm respects guarantees if for all
〈c′,mds ′,mem ′〉 ∈ loc-reach(tcm) and all x ∈ Var the following conditions are satisfied:
− x ∈ mds ′(guar -no-r)⇒ c′ does not read x , and
− x ∈ mds ′(guar -no-w)⇒ c′ does not modify x . ♦
Definition 4.15. A thread configuration with modes tcm has no no-read assumptions at
thread termination if mds ′(asm-no-r) = {} for all 〈stop,mds ′,mem ′〉 ∈ loc-reach(tcm).♦
Definition 4.16. Let X ⊆ Var be the largest set of variables such that obs is confined to X.
A thread configuration with modes tcm has modes compatible with obs if mds ′(asm-no-r)∩
X = {} for all 〈c′,mds ′,mem ′〉 ∈ loc-reach(tcm). ♦
Definition 4.17. Let thr be a thread pool, mdss be a list of mode states, and S =
(sSt , sst0,→) be a scheduler. The pair (thr ,mdss) has sound modes for S if the configura-
tion 〈thr ,mdss,mem, sst0〉 has compatible modes under S and, for all i ∈ {1, . . . , ](thr)},
the configuration 〈thr [i],mdss[i],mem〉 respects guarantees, has no no-read assumptions
at thread termination, and has modes compatible with obs. ♦
The definition of sound modes expresses that all assumptions and guarantees are
actually valid for a multi-threaded program. This definition captures the necessary re-
quirements on assumptions and guarantees for establishing compositionality and scheduler
independence of SIFUM-security in the following section.
4.4.4 Compositionality and Scheduler-independence Result
For any scheduler S, the parallel composition of SIFUM-secure threads is S-noninterferent
if the thread pool has sound modes for S and the observation function is confined to L.
Theorem 4.3. Let thr be a thread pool, mdss a list of mode states, and S a scheduler
such that the following conditions are satisfied:
− thr [i] is SIFUM-secure for mdss[i] for all i ∈ {1, . . . , ](thr)}, and
− the pair (thr ,mdss) has sound modes for S.
4.4. A Security Property with Assumptions and Guarantees 61
Assume furthermore that obs is confined to L. Then thr is S-noninterferent. ♦
Theorem 4.3 states both compositionality and scheduler-independence. The theorem
shows, firstly, that SIFUM-security adequately captures information flow security in
the sense of the noninterference-like property S-noninterference. Secondly, the theorem
shows that this is still the case when composing multiple SIFUM-secure threads in
parallel, as long as the assumptions and guarantees made for the threads satisfy the sanity
requirements formalized in the previous section.
In the remainder of this section, we discuss the proof of Theorem 4.3. The basic idea
is to firstly show that the probability that an execution of the thread pool thr under S
terminates with given public outputs after any fixed number k of execution steps does
not depend on the secret inputs if modes are sound for S. From this intermediate result
it follows immediately that the probability to terminate with given public outputs after
any number of execution steps does not depend on the secret inputs (by summation over
the probability for each possible number of execution steps k).
In the proof, we exploit that execution steps of a thread configuration can be matched
in thread configurations that are strong low bisimilar modulo modes. However, it is not
straightforward to lift this property from single threads to thread pools. The reason is that
memory modifications of one thread may “destroy” strong low bisimilarity modulo modes
for another thread, or, formally, 〈thr1[i],mdss[i],mem1〉 ∼mm 〈thr2[i],mdss[i],mem2〉
does not imply 〈thr1[i],mdss[i],mem ′1〉 ∼mm 〈thr2[i],mdss[i],mem ′2〉, where mem ′1 and
mem ′2 result from execution steps of another pair of threads thr1[j] and thr2[j]. The
problem is that the closure of ∼mm under globally consistent changes only ensures that
this implication is valid if the values of low variables are modified equally by thr1[j] and
thr2[j], which need not be the case if mdss[j] contains a no-read assumption for a low
variable. However, intuitively, the possible execution steps of thr1[i] and thr2[i] do not
depend on those variables because under the assumption of sound modes thr1[i] and
thr2[i] do not read them. In particular, there exist memories mem
′′
1 and mem
′′
2 such that
〈thr1[i],mdss [i],mem ′′1〉 ∼mm 〈thr2[i],mdss [i],mem ′′2〉 and such that mem ′1 and mem ′′1 as
well as mem ′2 and mem
′′
2 differ only on variables that thr1[i] and thr2[i] do not read. The
following definition formally captures the properties of these memories.
Definition 4.18. Let tcm1 = 〈thr1,mdss,mem1〉 and tcm2 = 〈thr2,mdss,mem2〉 be
thread configurations with modes with the same number of threads, and let n = ](thr1) =
](thr2). We say that lists of memories mems1 and mems2 with ](mems1) = ](mems2) = n
make tcm1 and tcm2 compatible with strong low bisimulation modulo modes if and only if
the following conditions are satisfied (where Xi = {x ∈ Var | mems1[i](x ) 6= mem1(x ) ∨
mems2[i](x ) 6= mem2(x )} for each i ∈ {1, . . . , n}):
1. ∀i ∈ {1, . . . , n} : ∀f ∈ Var ⇀ Val : dom(f) = Xi ⇒ 〈thr1[i],mdss[i],mems1[i][x 7→
f(x) | x ∈ Xi]〉 ∼mm 〈thr2[i],mdss[i],mems2[i][x 7→ f(x) | x ∈ Xi]〉,
2. ∀i ∈ {1, . . . , n} : ∀x ∈ Var : [mem1(x ) = mem2(x ) ∨ x ∈ H ]⇒ x 6∈ Xi, and
3. (n = 0 ∧mem1 =L mem2) ∨ (∀x ∈Var : ∃i ∈ {1, . . . , n} : x 6∈ Xi). ♦
Intuitively, the set Xi in Definition 4.18 contains those variables for which the memories
mems1[i] or mems2[i] differ from the actual memories mem1 and mem2, respectively.
Item 1 ensures that the thread configurations for the threads at position i are strong
low bisimilar modulo modes for memories mem1 and mem2 after redefining the values of
variables in Xi. Item 2 ensures that the memories only differ from the actual memories
for low variables for which the actual memories differ (i.e., for which some thread makes
62 Chapter 4. A Flow-sensitive Security Analysis
a no-read assumption). Finally, Item 3 ensures that for each variable there is at least
one thread index i for which the memories mems1[i] or mems2[i] are equal to the actual
memories. Intuitively, this is the index of the thread that last modified that variable.
The existence of memories that make two multi-threaded configurations compatible
with strong low bisimulation modulo modes ensures, firstly, that for all i the threads
thr1[i] and thr2[i] do not read variables in the set Xi from Definition 4.18, and, secondly,
that for all i an execution step of thr1[i] in mem1 can be matched by an execution
step of thr2[i] in mem2 such that there are lists of memories that make the resulting
configurations compatible with strong low bisimulations modulo modes. These properties
are established by the following lemmas.
Lemma 4.1. Let 〈thr1,mdss,mem1, sst〉 and 〈thr2,mdss,mem2, sst〉 be configurations
such that (thr1,mdss) and (thr2,mdss) have sound modes for S, and let mems1 and
mems2 be lists of memories that make 〈thr1,mdss,mem1〉 and 〈thr2,mdss,mem2〉 com-
patible with strong low bisimulation modulo modes.
Then for all i ∈ {1, . . . , ](thr1)} the commands thr1[i] and thr2[i] do not read any
variable in Xi = {x ∈ Var | mems1[i](x ) 6= mem1(x ) ∨mems2[i](x ) 6= mem2(x )}. ♦
Proof Sketch. (A detailed proof is available in Appendix A.6.)
If x ∈ Xi then there exists j 6= i with x 6∈ Xj by Items 2 and 3 in Definition 4.18. It
follows with Item 1 in Definition 4.18 for index j that x ∈ mdss[j](asm-no-r). Hence,
x ∈ mdss [i](guar -no-r) due to sound modes, and, hence, also due to sound modes thr1[i]
and thr2[i] do not read x .
Lemma 4.2. Let 〈thr1,mdss,mem1, sst〉 and 〈thr2,mdss,mem2, sst〉 be configurations
such that (thr1,mdss) and (thr2,mdss) have sound modes for S, and assume that
obs is confined to L. Assume that ](thr1) = ](thr2), that mems1 and mems2 make
〈thr1,mdss,mem1〉 and 〈thr2,mdss,mem2〉 compatible with strong low bisimulation
modulo modes, and that 〈thr1,mdss,mem1, sst〉 k,p=⇒S 〈thr ′1,mdss ′,mem ′1, sst ′〉.
Then there exist thr ′2, mem
′
2, mems
′
1, and mems
′
2 such that ](thr
′
1) = ](thr
′
2), such
that mems ′1 and mems
′
2 make 〈thr ′1,mdss ′,mem ′1〉 and 〈thr ′2,mdss ′,mem ′2〉 compatible
with strong low bisimulation modulo modes, and such that 〈thr2,mdss,mem2, sst〉 k,p=⇒S
〈thr ′2,mdss ′,mem ′2, sst ′〉. ♦
Proof Sketch. (A detailed proof is available in Appendix A.6.)
By Lemma 4.1, mem1 and mems1[k] differ only in variables that thr1[k] does not read.
Hence, the execution step of thr1[k] in mem1 implies that the same execution step is also
possible in (mems1[k])[x 7→ f(x) | x ∈ Xk] for an arbitrary partial function f with domain
Xk = {x ∈ Var | mems1[k](x ) 6= mem1(x )∨mems2[k](x ) 6= mem2(x )}. Due to Item 3 in
Definition 4.18 and the definition of strong low bisimulations modulo modes this execution
step can be matched by an execution step of thr2[k] in (mems2[k])[x 7→ f(x) | x ∈ Xk].
Again by Lemma 4.1 (mems2[k])[x 7→ f(x) | x ∈ Xk] and mem2 differ only in variables
that thr2[k] does not read, from which we obtain the execution step of thr2[k] in mem2
that we need to exhibit.
The lists of memories mems ′1 and mems
′
2 can be constructed from mems1 and mems2
based on the modifications of the memory by thr1[k] and thr2[k].
Theorem 4.4. Let 〈thr1,mdss,mem1, sst〉 and 〈thr2,mdss,mem2, sst〉 be configurations
such that (thr1,mdss) and (thr2,mdss) have sound modes for S, and assume that obs
is confined to L. Assume furthermore that ](thr1) = ](thr2) and that lists of memories
4.5. A Type-based Flow-sensitive Security Analysis 63
mems1 and mems2 make 〈thr1,mdss,mem1〉 and 〈thr2,mdss,mem2〉 compatible with
strong low bisimulation modulo modes.
Then the following equation is satisfied for all k ∈ N, all mem ∈ Mem, sc1 =
〈thr1,mem1, sst〉, and sc2 = 〈thr2,mem2, sst〉:∑
mem′∈[mem]LO
ρS({tr ∈ TS(sc1)⇓mem′ | ](tr) = k}) =
∑
mem′∈[mem]LO
ρS({tr ∈ TS(sc2)⇓mem′ | ](tr) = k})
♦
Proof Sketch. The proof is by induction on k (for a detailed proof see Appendix A.6).
In the base case, k = 1 holds. For arbitrary sc the set TS(sc)⇓mem′ contains at most one
trace of length 1. The set contains a trace of length 1 if and only if getMem(sc) = mem ′
and sc is final, i.e., ](getThr(sc)) = 0. In this case, the probability of the single trace is 1.
Hence, the equality that we have to prove is satisfied if ](thr1) > 0, because then sc1 and
sc2 are both not final. If ](thr1) = 0 the equality is satisfied because then mem1 =L mem2
by assumption.
In the step case, it follows from Lemma 4.2 that a step of 〈thr1,mdss,mem1, sst〉
can be matched by a step of 〈thr2,mdss,mem2, sst〉 with the same probability, resulting
in two system configurations with modes for which the assumptions of the theorem are
again satisfied. Hence, the induction hypothesis for k − 1 can be applied, from which the
statement for k follows immediately.
Finally, we can prove Theorem 4.3 by exploiting Theorem 4.4.
Proof of Theorem 4.3. Let mem1 =Var\HI mem2. Then mem1 =L mem2 because L ⊆
Var \HI . Hence, if ](thr) = 0 the theorem follows trivially.
If ](thr) > 0 define mems1 and mems2 by mems1[i] = mem1 and mems2[i] = mem2
for all i ∈ {1, . . . , ](thr1)}. Then the assumptions of Theorem 4.4 are satisfied for mems1
and mems2, and, hence, the following holds for all k ∈ N, where sc1 = 〈thr ,mem1, sst0〉
and sc2 = 〈thr ,mem2, sst0〉:∑
mem′∈[mem]LO
ρS({tr ∈ TS(sc1)⇓mem′ | ](tr) = k}) =
∑
mem′∈[mem]LO
ρS({tr ∈ TS(sc2)⇓mem′ | ](tr) = k})
Thus, thr is S-noninterferent, i.e., the following equation is satisfied for all mem ∈ Mem:∑
mem′∈[mem]LO
ρS(TS(sc1)⇓mem′) =
∑
mem′∈[mem]LO
ρS(TS(sc2)⇓mem′).
4.5 A Type-based Flow-sensitive Security Analysis
In this section, we present a flow-sensitive security type system for multi-threaded
programs and establish the soundness of the type system with respect to SIFUM-security.
Moreover, at the end of the section we illustrate with an extension of the type system
how SIFUM-security can be exploited beyond flow-sensitive security types.
The type system is based on assumptions and guarantees that are specified by
annotations in the program. To enable such specifications, we extend the programming
language from Section 2.3 with annotations.
64 Chapter 4. A Flow-sensitive Security Analysis
〈c,mem〉 new(thr)−−−−−−_ 〈c′,mem ′〉 ](mdss) = ](thr)
∀i ∈ {1, . . . , ](thr)} : mdss[i] = spawn-mds(mds)
〈E [c],mds,mem〉 new(thr ,mdss)−−−−−−−−−_ 〈E [c′],mds,mem ′〉
〈c,mds-update(mds, ann),mem〉 α−_ 〈c′,mds ′,mem ′〉
〈E [//ann// c],mds,mem〉 α−_ 〈E [c′],mds ′,mem ′〉
Figure 4.2: Semantics for commands with annotations
4.5.1 Annotations for Specifying Assumptions and Guarantees
We extend the syntax of the programming language from Section 2.3 with annotations
that specify for which parts of a thread one makes assumptions about memory accesses
by other threads, and for which parts one states guarantees for a thread. Annotations
are enclosed in comments (// . . . //), indicating that the annotations do not influence the
runtime behavior of programs. The extended syntax is defined by the following grammar:
ann ::= acq(m, x )
∣∣ rel(m, x )
c ::= skip
∣∣ x :=e ∣∣ c; c ∣∣ if e then c else c fi ∣∣
while e do c od
∣∣ spawn(c, . . . , c) ∣∣
//ann// c,
where m ∈ Mod , x ∈ Var , and e ∈ Exp. The annotation acq(m, x ) indicates that mode m
is acquired for variable x , and the annotation rel(m, x ) indicates that mode m is released
for variable x . Each command may be annotated with multiple annotations, e.g., two
annotations may be used for acquiring a mode for two different variables.
For the semantics of the extended programming language, we instantiate the set Com
of commands with the set of all terms that are defined by the above grammar for c
to which we add the command stop. We formalize the semantics by a calculus for the
judgments of the form 〈c,mds,mem〉 α−_ 〈c′,mds ′,mem ′〉 such that Requirement 4.1 from
Section 4.4.1 is satisfied, i.e., such that modes do not influence the runtime behavior of
programs. The derivation rules are defined in Figure 4.2. They are based on the calculus
for the judgments 〈c,mem〉 α−_ 〈c′,mem ′〉 that formalizes the semantics of programs
without annotations.
The annotations directly preceding an instruction are evaluated together with the
first execution step of that instruction. This ensures that the evaluation of annotations
does not introduce additional execution steps. Moreover, the evaluation of annotations
affects the mode state as specified by the function mds-update.
Definition 4.19. Let mds be a mode state and ann an annotation. We define the mode
state mds-update(mds, ann) by
mds-update(mds, ann) =
{
mds[m 7→ mds(m) ∪ {x}] if ann = acq(m, x ),
mds[m 7→ mds(m) \ {x}] if ann = rel(m, x ). ♦
When new threads are spawned, the initial mode states of the spawned threads are
determined based on the mode state of the spawning thread.
4.5. A Type-based Flow-sensitive Security Analysis 65
Definition 4.20. Let mds be a mode state. We define the mode state spawn-mds(mds) by
− spawn-mds(mds)(m) = {} if m ∈ {asm-no-r , asm-no-w},
− spawn-mds(mds)(guar -no-r) = mds(asm-no-r) ∪mds(guar -no-r), and
− spawn-mds(mds)(guar -no-w) = mds(asm-no-w) ∪mds(guar -no-w). ♦
Definition 4.20 formalizes that no assumptions are made initially for a spawned thread.
Moreover, all guarantees made for the spawning thread are also made for the spawned
thread. Finally, if one makes assumptions for the spawning thread, the corresponding
guarantees are stated for the spawned thread. This ensures that the modes of the spawned
thread are compatible with the modes of the spawning thread. Any assumptions for the
spawned thread can be specified with annotations in the code of the spawned thread.
Remark 4.1. Definition 4.20 formalizes a simple way for specifying the initial modes for
spawned threads. In some scenarios, more complex schemes might be useful, like, for
instance, handing over an assumption from the spawning thread to a spawned thread. To
handle such situations one could, for instance, extend the syntax of the programming
language with special annotations for spawn-commands. Another possibility is to interpret
release-annotations of instructions that spawn exactly one thread as “transfer a mode
from the spawning thread to the spawned thread”. ♦
The evaluation of annotations only affects mode states, and not the control state of
the thread or the shared memory. I.e., Requirement 4.1 from Section 4.4.1 is satisfied.
Theorem 4.5. Requirement 4.1 is satisfied for the calculus from Figure 4.2, i.e., the
following conditions are satisfied:
− If 〈c,mds,mem〉 new(thr ,mdss)−−−−−−−−−_ 〈c′,mds ′,mem ′〉 then 〈c,mem〉 new(thr)−−−−−−_ 〈c′,mem ′〉.
− If 〈c,mem〉 new(thr)−−−−−−_ 〈c′,mem ′〉 then for each mode state mds there exist a mode
state mds ′ and a list of mode states mdss ′ such that 〈c,mds,mem〉 new(thr ,mdss)−−−−−−−−−_
〈c′,mds ′,mem ′〉. ♦
Proof. The theorem follows directly from the derivation rules for judgments of the form
〈c,mds1,mem〉 new(thr ,mdss)−−−−−−−−−_ 〈c′,mds ′1,mem ′〉 which are based on the derivation rules
for judgments of the form 〈c,mem〉 new(thr)−−−−−−_ 〈c′,mem ′〉.
4.5.2 The Security Type System
For defining the type system we assume that the domain assignment is given by dma.
The type system contains different typing judgments for expressions, commands, and
thread pools. Typing judgments for expressions have the form Γ ` e : d where Γ : Var →
{low , high}. We call the functions in the set Var → {low , high} environments. The
interpretation of the judgment is that d is an upper bound on the security level of the
value of e, given that Γ(x ) is an upper bound on the security level of the value of x for
all x ∈ Var . The derivation rule for typing judgments for expressions is displayed at the
top of Figure 4.3.
Typing judgments for commands are of the form
` Λ {c} Λ′,
where c is a command and Λ,Λ′ : Var ⇀ {low , high}. We call the partial functions
in the set Var ⇀ {low , high} partial environments. A partial environment Λ captures
66 Chapter 4. A Flow-sensitive Security Analysis
upper bounds on the security level of the values of variables in dom(Λ). For each variable
x 6∈ dom(Λ) we assume that the upper bound is dma(x ). The upper bounds for all
variables are then given by the following extension of the partial environment Λ:
Definition 4.21. Let Λ be a partial environment. Then the total environment for Λ is
the environment Λ〈·〉 : Var → {low , high} that is defined by
Λ〈x 〉 =
{
Λ(x ) if x ∈ dom(Λ),
dma(x ) otherwise.
We use the total environment to describe the interpretation of the judgment ` Λ {c} Λ′:
If dom(Λ) is a lower bound on the set of low variables with no-read and high variables
with no-write assumption before c is executed then dom(Λ′) is such a lower bound after
the execution of c. Moreover, if Λ〈x 〉 is an upper bound on the security level of the value
of x for all variables before the execution of c then Λ′〈x 〉 is such an upper bound after
the execution of c. Moreover, this still holds if other SIFUM-secure threads that respect
the assumptions made for c modify the memory during the execution of c.
The typing judgments permit to exploit the order of program statements in the typing
rules because they encode variations of upper bounds on security levels that are caused by
the execution of a command. The reason for the requirement that the upper bound is given
by dma(x ) if x is not in the domain of the partial environment is twofold: If x is a low
variable, then SIFUM-security requires that x stores secrets only if a no-read assumption
is made for x , and, hence, if no such assumption is made then domain low must be an
upper bound for x . Moreover, if x is a high variable without no-write assumption then
other threads might write secrets into x , and, hence, the upper bound must be high.
The derivation rules for judgments of the form ` Λ {c} Λ′ are displayed in Figure 4.3.
When typing an annotated command, rule [ANNO] ensures that the domain of the
partial environment is adjusted based on the annotation, using the function adjust-pe
(for “adjust partial environment”).
Definition 4.22. Let Λ be a partial environment and ann an annotation. Then Λ′ =
adjust-pe(Λ, ann) is the partial environment defined by
dom(Λ′) =

dom(Λ)∪{x} ann = acq(asm-no-r , x )∧ dma(x ) = low
dom(Λ)∪{x} ann = acq(asm-no-w , x ) ∧ dma(x ) = high
dom(Λ) \ {x} ann = rel(asm-no-r , x ) ∧ dma(x ) = low
dom(Λ) \ {x} ann = rel(asm-no-w , x ) ∧ dma(x ) = high
dom(Λ) otherwise
and Λ′(x ) = Λ〈x 〉 for all x ∈ dom(Λ′). ♦
The second premise in rule [ANNO] ensures that the upper bound on the security level for
a variable, Λ〈x 〉, does not decrease when adjusting the partial environment. Decreasing
Λ〈x 〉 is only possible by decreasing Λ(x ) in rule [ASS2]. If the security level of a variable
has been reset to its original security level dma(x ), i.e., if it is safe to stop making the
no-read assumption for x , then rule [ANNO] can remove x from dom(Λ).
The typing rule [ASS1] is applicable for assignments to variables that are not in the
domain of Λ, i.e., for variables for which the upper bound on the security level is fixed
to dma(x ), while rule [ASS2] is applicable for assignments to variables in the domain
of Λ, i.e., for variables for which the upper bound on the security level is not fixed. If
4.5. A Type-based Flow-sensitive Security Analysis 67
[EXP]
Γ ` e : ⊔x∈vars(e) Γ(x ) [STOP] ` Λ {stop} Λ [SKIP] ` Λ {skip} Λ
[ASS1]
x 6∈ dom(Λ) Λ〈·〉 ` e : d
d v dma(x )
` Λ {x :=e} Λ [ASS2]
x ∈ dom(Λ) Λ〈·〉 ` e : d
` Λ {x :=e} Λ[x 7→ d ]
[IF]
` Λ {c1} Λ′ ` Λ {c2} Λ′
Λ〈·〉 ` e : high ⇒ [(∀mds : mds consistent with Λ⇒ c1 ∼mdsmm c2)
∧ (∀x ∈ dom(Λ′) : Λ′(x ) = high)]
` Λ {if e then c1 else c2 fi} Λ′
[WHILE]
Λ〈·〉 ` e : low ` Λ {c} Λ
` Λ {while e do c od} Λ [SEQ]
` Λ {c1} Λ′ ` Λ′ {c2} Λ′′
` Λ {c1; c2} Λ′′
[SPAWN]
∀i ∈ {1, . . . , ](thr)} : ` Λ0 {thr [i]} Λi
∀x ∈ Var : Λ〈x 〉 v dma(x )
` Λ {spawn(thr)} Λ
[ANNO]
Λ′ = adjust-pe(Λ, ann) ∀x ∈ Var : Λ〈x 〉 v Λ′〈x 〉 ` Λ′ {c} Λ′′
` Λ {//ann// c} Λ′′
[SUB]
` Λ1 {c} Λ′1 Λ2 v Λ1 Λ′1 v Λ′2
` Λ2 {c} Λ′2
Figure 4.3: Flow-sensitive security type system
x ∈ dom(Λ) then an assignment x :=e is typable with rule [ASS2], and the new upper
bound on the security level of x is stored in Λ(x ). If, however, x 6∈ dom(Λ) then the
assignment x :=e is not typable if dma(x ) = low and the upper bound on the security
level of e is high. This prevents that public variables without no-read assumption are
assigned secret values.
The rule for conditionals, [IF], distinguishes between control conditions that might
depend on secret information and control conditions that only depend on public infor-
mation. Besides typability of the branches no additional requirement is imposed if the
control condition only depends on public information. If the control condition might
depend on secrets, the third premise of rule [IF] requires that the two branches are strong
low bisimilar modulo modes. This prevents indirect information leaks. The condition that
mds is consistent with Λ expresses that mds contains no-read and no-write assumptions
only for low and high variables in dom(Λ), respectively.
Definition 4.23. The mode state mds is consistent with the partial environment Λ if and
only if for all x ∈ dom(Λ) one of the following conditions is satisfied:
− dma(x ) = low and x ∈ mds(asm-no-r), or
− dma(x ) = high and x ∈ mds(asm-no-w). ♦
Remark 4.2. To approximate the third premise of rule [IF] syntactically, ideas proposed
by Mantel and Sands [MS04] for a similar approximation can be applied. The basic idea
68 Chapter 4. A Flow-sensitive Security Analysis
is to check that both branches take the same number of execution steps, that assignments
to low variables without no-read assumption occur simultaneously in both branches, and
that these assignments equally modify the variable. ♦
Rule [WHILE] requires that the loop guard depends only on public information. This
ensures that the number of execution steps of the loop does not depend on secret
information, which is essential for the SIFUM-security of the loop.
Remark 4.3. The restriction that loop guards do not depend on secrets is not needed
in the type system for FSI-security (see Chapter 3). We show in chapter 5 how to
integrate FSI-security with SIFUM-security as well as how to integrate the respective type
systems. In the integration, this restriction on loop guards is relaxed. Another approach
to relaxing the restriction on loop guards is proposed by Volpano and Smith [VS98]
and further explored by Russo and Sabelfeld [RS06b], where one adds a (non-standard)
protect-statement to the programming language which ensures that no rescheduling occurs
during the execution of a protected loop. It is safe to type loops with secret guards that
are protected in this fashion as long as no public variables are written in the loop body.♦
Rule [SPAWN] permits to type commands that spawn new threads. The rule requires
that all spawned threads are also typable, where the domain of the partial environment
before the execution of a spawned thread is empty (the partial environment Λ0 is defined
as the unique partial environment with dom(Λ0) = {}).
For subtyping (rule [SUB]) we define an order on partial environments.
Definition 4.24. We define the relation v on partial environments by Λ v Λ′ if and only
if dom(Λ) ⊇ dom(Λ′) and Λ〈x 〉 v Λ′〈x 〉 for all x ∈ Var . ♦
The order captures that the domain of partial environments is a lower bound on the
variables with suitable assumptions and that the total environment for Λ, the environment
Λ〈·〉, captures upper bounds on the security levels of the variables’ values.
We establish a subject reduction result for type derivations for commands as well
as a soundness result for type derivations for commands with respect to strong low
bisimulations modulo modes.
Theorem 4.6. Let c ∈ Com. Assume that the judgment ` Λ {c} Λ′ is derivable and
that 〈c,mds,mem〉 α−_ 〈c′,mds ′,mem ′〉. Then there exists Λ′′ such that the following
conditions are satisfied:
− ` Λ′′ {c′} Λ′, and
− if mds is consistent with Λ then mds ′ is consistent with Λ′′. ♦
Proof Sketch. The proof is by induction on the derivation of ` Λ {c} Λ′. A detailed proof
is available in Appendix A.7.
Theorem 4.7. Let c ∈ Com. Assume that ` Λ {c} Λ′ is derivable, and let mds be a mode
state consistent with Λ. Let mem1 and mem2 be memories with mem1(x ) = mem2(x )
for all x ∈ Var with Λ〈x 〉 = low . Then 〈c,mds,mem1〉 ∼mm 〈c,mds,mem2〉. ♦
Proof Sketch. To prove the theorem we construct a family of relations on thread con-
figurations with modes (RΛ)Λ:Var⇀{low ,high} consisting of a relation for each partial
environment Λ such that (a) the union of these relations is a strong low bisimulation
modulo modes and (b) 〈c,mds,mem1〉 RΛ′ 〈c,mds,mem2〉 is satisfied.
4.5. A Type-based Flow-sensitive Security Analysis 69
[PARS ]
∀i ∈ {1, . . . , ](thr)} : ` Λi {thr [i]} Λ′i
∀i ∈ {1, . . . , ](thr)} : ∀x ∈ Var : dma(x ) v Λi〈x 〉
∀i ∈ {1, . . . , ](thr)} : mdss[i] is consistent with Λi
(thr ,mdss) has sound modes for S
` thr
Figure 4.4: Typing rule for thread pools
Intuitively, two configurations are related if their commands are typable with partial
environments Λ and Λ′, their mode states are consistent with Λ, and their memories
are equal for all variables x with Λ〈x 〉 = low . To take the semantic side condition in
rule [IF] into account, the relation also relates configurations that are related by ∼mm as
long as the commands are typable with partial environments Λ1 and Λ
′ and with partial
environments Λ2 and Λ
′, respectively.
A formal definition of the family of relations and the proof that their union is a strong
low bisimulation modulo modes is available in Appendix A.7.
Corollary 4.1. Let c ∈ Com, let Λ and Λ′ be such that ` Λ {c} Λ′ is derivable, and let
mds be a mode state. Assume that mds is consistent with Λ, and that dma(x ) v Λ〈x 〉
for all x ∈ Var . Then c is SIFUM-secure for mode state mds. ♦
Proof. To show that c is SIFUM-secure for mds we must show that 〈c,mds,mem1〉 ∼mm
〈c,mds,mem2〉 for all mem1 and mem2 with mem1 =L mem2.
Let mem1 and mem2 be two memories with mem1 =L mem2. Let x ∈ Var with
Λ〈x 〉 = low . Then it follows from the assumption dma(x ) v Λ〈x 〉 that dma(x ) = low .
Hence, it follows from mem1 =L mem2 that mem1(x ) = mem2(x ). I.e., all assumptions
of Theorem 4.7 hold, and, in consequence, 〈c,mds,mem1〉 ∼mm 〈c,mds,mem2〉.
Corollary 4.2. Let c ∈Com and let Λ′ be such that ` Λ0 {c} Λ′ is derivable (where Λ0 is
the partial environment with dom(Λ0) = {}). Then c is SIFUM-secure for any mode state.♦
Proof. By Definition 4.23, every mode state is consistent with Λ0. Moreover, by Defini-
tion 4.21, Λ0〈x 〉 = dma(x ) for all x ∈ Var . Hence, by Corollary 4.1, c is SIFUM-secure
for any mode state.
Typing judgments for thread pools have the form ` thr . The corresponding derivation
rule is parametric in a scheduler. It is displayed in Figure 4.4. The premises of the rule
ensure, firstly, that every command in the thread pool is typable with suitable partial
environments. In consequence, every command is SIFUM-secure for some mode state by
Corollary 4.1. Secondly, the premises ensure that the thread pool has sound modes for
these mode states and the scheduler. In combination, this ensures that typable thread
pools are S-noninterferent.
Theorem 4.8. Assume that the observation function is confined to L. If the judgment
` thr is derivable with typing rule [PARS ] then the thread pool thr is S-noninterferent.♦
Proof. Since ` thr is derivable, by the typing rule [PARS ] there exist a list of mode
states mdss and partial environments Λ1, . . . ,Λ](thr) and Λ
′
1, . . . ,Λ
′
](thr) such that `
Λi {thr [i]} Λ′i is derivable, dma(x ) v Λi〈x 〉 for all x ∈ Var , and mdss [i] is consistent with
70 Chapter 4. A Flow-sensitive Security Analysis
Λi for all i ∈ {1, . . . , ](thr)}, and such that (thr ,mdss) has sound modes for S. Hence,
by Corollary 4.1, it holds for all i ∈ {1, . . . , ](thr)} that thr [i] is SIFUM-secure for mode
state mdss[i]. Since modes are sound for S, with Theorem 4.3 it follows that thr is
S-noninterferent.
4.5.3 Enforcing Sound Use of Modes
The typing rule [PARS ] requires that thread pools and lists of mode states have sound
modes, i.e., that the set of mode state lists reachable from a configuration has compatible
modes, and that thread configurations with modes respect guarantees, have no no-read
assumptions at thread termination, and have modes compatible with obs . This verification
is not the focus of this thesis. To illustrate how a verification of sound modes could be
done we sketch a simple approach in this section.
For verifying that guarantees are respected, that no no-read assumptions occur
at thread termination, and that modes are compatible with obs, an upper bound on
the assumptions and guarantees made at each program point can be computed for an
annotated command with a simple type system. Judgments are simply triples of the form
` mds {c} mds ′. The interpretation of the judgment is that if mds gives an upper bound
on assumptions and guarantees before c executes, then mds ′ gives an upper bound on
assumptions and guarantees after the execution of c. We provide a straightforward type
system for computing this approximation of modes and verifying that guarantees are
respected, that no no-read assumptions occur at thread termination, and that modes are
compatible with obs in Appendix B (including a soundness proof).
For verifying the compatibility of all reachable mode state lists, one can compute
another approximation of modes at each program point for an annotated program using a
simple type system, where the approximation is an upper bound on the assumptions and
a lower bound on the guarantees. One can then check compatibility of reachable mode
state lists by using a may-happen-in-parallel analysis (see, e.g., [MR93, NA98, NAC99])
to determine all pairs of program points which may execute concurrently, and, using
the upper bound on assumptions and the lower bound on guarantees for each of these
program points, to check whether the modes are compatible.
4.5.4 Extending the Type System with Value Tracking
So far, we exploited assumptions and guarantees to determine upper bounds on the
security levels of variables in a flow-sensitive manner. In addition, no-write assumptions
can also be used to approximate the possible values of variables in a flow-sensitive manner,
because no-write assumptions ensure that the set of possible values is not modified between
execution steps by other threads. The benefit of such tracking of values is illustrated by
the following simplistic example:
Example 4.7. Consider the following command:
//acq(asm-no-w , debug)//
debug:=false;
if (debug) then log:=log + secret else skip fi
Due to the assumption that other threads do not write the variable debug it is safe to
assume that the value of debug is false when the control condition of the conditional is
4.5. A Type-based Flow-sensitive Security Analysis 71
evaluated, and that, hence, the branch with the insecure assignment is not executed. In
fact, the command is SIFUM-secure. ♦
No-write assumptions are, for instance, used in the spirit of tracking values in program
analyses based on concurrent separation logic like, e.g., by Dodds, Feng, Parkinson, and
Vafeiadis in [DFPV09]. They exploit assumptions to ensure that the truth values of
formulas in a Hoare-like logic remain unchanged between execution steps of a thread. In
this section, we illustrate how the type system from Section 4.5.2 can be extended with
value tracking, which has to our knowledge not been used for the information flow analysis
of multi-threaded programs so far. In combination with the partial environments this
even permits to determine upper bounds on the security levels of variables that depend
on the current values of variables.
To extend the type system, we consider partial memories pm : Var ⇀ Val that we
use to map only variables with no-write assumption to a value, while the values of other
variables are not specified. We extend the evaluation of expressions to partial memories by
eval(e, pm) = {eval(e,mem) | mem ∈ Mem ∧ ∀x ∈ dom(pm) : mem(x ) = pm(x )}, i.e.,
eval(e, pm) contains the values to which e might evaluate given the values of variables in
dom(pm).
We modify the typing judgments from Section 4.5.2 by using dependent partial
environments instead of partial environments. A dependent partial environment is a
partial function ∆ : (Var ⇀ Val) ⇀ (Var ⇀ {low , high}) with dom(∆) 6= {} such that
all pm ∈ dom(∆) have the same domain. The extended judgments are of the form
` ∆ {c} ∆′,
where ∆,∆′ are dependent partial environments. The interpretation of the judgments
is as follows: Assume that the domain of the partial memories in dom(∆) is a lower
bound on the set of variables with no-write assumption before the execution of c. Then
the domain of the partial memories in dom(∆′) is a lower bound on this set after the
execution of c. Moreover, if dom(∆) is a lower bound on the set of possible values of
variables with no-write assumption before the execution of c then dom(∆′) is a lower
bound on this set after the execution of c. Finally, if the values of variables with no-write
assumption are as specified by pm then ∆(pm)〈·〉 and ∆′(pm)〈·〉 give upper bounds on
the security domains of variables like in the type system from Section 4.5.2.
Example 4.8. Let ∆ be a dependent partial environment with dom(∆) = {pm1, pm2},
where dom(pm1) = dom(pm2) = {x}. This encodes that a no-write assumption is made
at least for the variable x .
Moreover, assume that pm1(x ) = 1 and that pm2(x ) = 2. This encodes that x might
have value 1 or value 2, and that it is certain that x does not have any other value.
Assume furthermore that ∆(pm1) = Λ1 and ∆(pm2) = Λ2, where dom(Λ1) =
dom(Λ2) = {y} and dma(y) = low . This encodes that regardless of the value of x a
no-read assumption is made for y .
Finally, assume that Λ1(y) = low and Λ2(y) = high. This encodes that if the value
of x equals 1 then the security level of the value of y is guaranteed to be low , while the
security level of y might be high if the value of x equals 2. ♦
We define the typing rules by extending the rules from Figure 4.3 in Section 4.5.2.
The extended rules are displayed in Figure 4.5.
Rule [ASS] ensures that an assignment x :=e is not typable if dma(x ) = low , the
upper bound on the security level of e is high, and x is not in the domain of the partial
72 Chapter 4. A Flow-sensitive Security Analysis
[EXP]
Γ ` e : ⊔x∈vars(e) Γ(x ) [STOP] ` ∆ {stop} ∆ [SKIP] ` ∆ {skip} ∆
[ASS]
∀pm ∈ dom(∆) : ∀x 6∈ dom(∆(pm)) : ∆(pm)〈·〉 ` e : dpm ⇒ dpm v dma(x )
` ∆ {x :=e} update-dpe(∆, x , e)
[IF]
∆1 = ∆ |{pm|true∈eval(e,pm)} dom(∆1) 6= {} ⇒ ` ∆1 {c1} ∆′
∆2 = ∆ |{pm|false∈eval(e,pm)} dom(∆2) 6= {} ⇒ ` ∆2 {c2} ∆′
pm ∈ dom(∆)⇒ ∆(pm)〈·〉 ` e : low
` ∆ {if e then c1 else c2 fi} ∆′
[WHILE]
pm ∈ dom(∆)⇒ ∆(pm)〈·〉 ` e : low ` ∆ {c} ∆
` ∆ {while e do c od} ∆
[SEQ]
` ∆ {c1} ∆′ ` ∆′ {c2} ∆′′
` ∆ {c1; c2} ∆′′
[SPAWN]
∀i ∈ {1, . . . , ](thr)} :` ∆0 {thr [i]} ∆i
pm ∈ dom(∆⇒ ∀x ∈ Var : ∆(pm)〈x 〉 v dma(x )
` ∆ {spawn(thr)} ∆
[ANNO]
∆′ = adjust-dpe(∆, ann) ` ∆′ {c} ∆′′
pm ∈ dom(∆)⇒ ∀x ∈ Var : ∆(pm)〈x 〉 v ∆′(pm)〈x 〉
` ∆ {//ann// c} ∆′′
[SUB]
∆2 v ∆1 ∆′1 v ∆′2 ` ∆1 {c} ∆′1
` ∆2 {c} ∆′2
Figure 4.5: Flow-sensitive security type system with value tracking
environment for any of the possible partial memories pm. This corresponds to rule [ASS1]
from the original type system. Moreover, to construct the partial environment after
the assignment the domain of ∆ is updated by the function update-dpe (for “update
dependent partial environment”) based on the assignment, and each partial environment
is updated like in rules [ASS1] and [ASS2] in the original type system.
Definition 4.25. Let ∆ be a dependent partial environment, x ∈ Var , and e ∈ Exp. We
define the dependent partial environment update-dpe(∆, x , e) as follows, where for each
pm ∈ dom(∆) the security domain dpm is such that ∆(pm)〈·〉 ` e : dpm is derivable and
the partial environment Λ′pm equals ∆(pm) if x 6∈ dom(∆(pm)) and ∆(pm)[x 7→ dpm ]
otherwise, and X is the domain of the partial memories in dom(∆):
− If x 6∈ X then dom(update-dpe(∆, x , e)) = dom(∆), and (update-dpe(∆, x , e))(pm) =
Λ′pm for all pm ∈ dom(∆).
− If x ∈ X then dom(update-dpe(∆, x , e)) = {pm[x 7→ v ] | pm ∈ dom(∆) ∧ v ∈
eval(e, pm)}, and (update-dpe(∆, x , e))(pm[x 7→ v ]) = ⊔{pm∈dom(∆)|v∈eval(e,pm)} Λ′pm
for all pm[x 7→ v ] ∈ dom(update-dpe(∆, x , e)), where (Λ unionsq Λ′)(x ) = Λ(x ) unionsq Λ′(x ). ♦
Intuitively, Definition 4.25 ensures that the value of the assigned variable x is updated
in the partial memories in the domain of the dependent partial environment only if x is
4.5. A Type-based Flow-sensitive Security Analysis 73
in the domain of these partial memories. This happens in Item 2 of the definition. Item 2
moreover ensures that if the upper bounds on the security levels depended on the value
of x before the assignment then the least upper bound of the different upper bounds
before the assignment is used after the assignment. For instance, if the upper bound for
a variable y was high if the value of x equals 0 and low if the value of x equals 1, then
the upper bound for y will be set to high by the function update-dpe.
Rule [IF] exploits that the branches need only be analyzed if the control condition eval-
uates to true or false, respectively, given the values of variables with no-write assumption.
Rule [ANNO] updates the domains of the functions when assumptions are acquired or
released. We model this by extending the function adjust-pe from partial environments
to dependent partial environments.
Definition 4.26. Let ∆ be a dependent partial environment, and let X = dom(pm) for
some pm ∈ dom(∆). Then ∆′ = adjust-dpe(∆, ann) is defined as follows:
− If ann = acq(asm-no-w , x ) then dom(∆′) = {pm | dom(pm) = X ∪ {x} ∧ pm|X ∈
dom(∆)}, and ∆′(pm) = adjust-pe(∆(pm|X), ann) for all pm ∈ dom(∆′).
− If ann = rel(asm-no-w , x ) then dom(∆′) = {pm|X\{x} | pm ∈ dom(∆)}, and
∆′(pm ′) = adjust-pe(
⊔
{pm∈dom(∆)|pm|X\{x}=pm′}∆(pm), ann) for all pm
′ ∈ dom(∆′).
− If ann 6= acq(asm-no-w , x ) and ann 6= rel(asm-no-w , x ) then dom(∆′) = dom(∆)
and ∆′(pm) = adjust-pe(∆(pm), ann) for all pm ∈ dom(∆′). ♦
Intuitively, the function adjust-dpe ensures that if a no-write assumption is acquired
for variable x then x is included in the domain of the partial memories in the dependent
partial environment (cf. the first item in the definition). Moreover, if the no-write
assumption is released then the function adjust-dpe ensures that x is removed from the
domain of the partial memories (cf. the second item in the definition). If in this case the
upper bounds given by the partial environments depended on the value of x then the
function adjust-dpe ensures that these partial environments are suitably combined.
For subtyping we extend the order on partial to dependent partial environments.
Definition 4.27. We define the order v on dependent partial environments by ∆ v ∆′
if and only if X ⊇ X ′ where X is the domain of the partial memories in dom(∆)
and X ′ is the domain of the partial memories in dom(∆′), and, for all pm ∈ dom(∆),
∆(pm) v ∆′(pm|X′). ♦
We derive a soundness result in analogy to the soundness result for the type system
from Section 4.5.2, where we say that ∆ is consistent with a mode state mds if and only
if X ⊆ {x ∈ Var | x ∈ mds(asm-no-w)} where X is the domain of the partial memories
in dom(∆), and ∆(pm) is consistent with mds for all pm ∈ dom(∆).
Theorem 4.9. Assume that ` ∆ {c} ∆′ is derivable, let mds be a mode state consistent
with ∆, let pm ∈ dom(∆), and letX be the domain of the partial memories in dom(∆). Let
mem1,mem2 ∈ Mem be such that mem1(x ) = mem2(x ) = pm(x ) for all x ∈ dom(pm).
Then 〈c,mds,mem1〉 ∼mm 〈c,mds,mem2〉 if mem1(x ) = mem2(x ) for all x ∈ Var with
∆(pm)〈x 〉 = low . ♦
A proof of Theorem 4.9 (see Appendix A.7) is obtained by adapting the proof of
the corresponding result for the type system from Section 4.5.2 (Theorem 4.7). The
major differences are (a) in the definition of the bisimulation relation, which now requires
that the memories in the related configurations, restricted to the domain of the partial
memories in the domain of the dependent partial environment, are in the domain of the
74 Chapter 4. A Flow-sensitive Security Analysis
dependent partial environment), and (b) in the induction steps for derivations with rules
[ASS] and rule [IF].
Example 4.9. The command from Example 4.7 is typable with the type system, and,
hence, SIFUM-secure by Theorem 4.9. ♦
Note that the program from Example 4.7 is rejected by many existing compositional
analysis techniques like in [VS99, SS00, RS06a] and the analysis from Chapter 3. While the
compositional analysis techniques in [ZM03, MSK07] classify programs like in Example 4.9
as secure, they impose the restriction that the variable log must not be concurrently written
by the environment, which is restrictive because logging is often performed in multiple
threads of a multi-threaded program. In contrast, for Example 4.7 SIFUM-security does
not restrict concurrent modifications of the log.
4.6 Benefits of the Flow-sensitive Analysis
We illustrate the benefits of the type-based analyses from Section 4.5 at two small, yet
realistic examples. With the first example we illustrate how the flow-sensitive security
types are exploited. The second example illustrates how the combination of flow-sensitive
security types and value tracking is exploited.
Example 4.10. Consider a thread that executes the command displayed in Figure 4.6.
The thread subsequently swaps the values of the two secret variables key1 and key2, and
the values of the two public variables pub1 and pub2. The swaps are performed using a
temporary variable with mode asm-no-r during the execution of ctemp. This assumption
is, for instance, natural if temp is used as a local variable in the thread. ♦
Theorem 4.10. Assume that dma(key1) = dma(key2) = high and that dma(pub1) =
dma(pub2) = low . Then command ctemp from Example 4.10 is SIFUM-secure for mds0
(defined by mds0(m) = {} for all m ∈ Mod). ♦
Proof. We prove the statement by deriving the judgment ` Λ0 {ctemp} Λ0 in the type
system without value tracking (from Section 4.5.2). Let Λlow and Λhigh be partial
environments defined by dom(Λlow ) = dom(Λhigh) = {temp}, Λlow (temp) = low , and
Λhigh(temp) = high. Then the judgments
(1) ` Λ0 {//acq(asm-no-r , temp)//; temp:=key1} Λhigh ,
(2) ` Λhigh {key1:=key2} Λhigh ,
(3) ` Λhigh {key2:=temp} Λhigh ,
(4) ` Λhigh {temp:=pub1} Λlow ,
(5) ` Λlow {pub1:=pub2} Λlow , and
(6) ` Λlow {pub2:=temp//rel(asm-no-r , temp)//} Λ0
are derivable using rules [ANNO], [ASS2], [SKIP], and [SEQ] for (1), [ASS1] for (2), (3),
and (5), [ASS2] for (4), and [ANNO] and [ASS1] for (6). By five applications of rule [SEQ]
it follows that ` Λ0 {ctemp} Λ0 is derivable.
In consequence, ctemp is SIFUM-secure for mds0 by Theorem 4.7.
Example 4.10 illustrates that flow-sensitive reasoning permits to successfully analyze
secure programs that were rejected by existing compositional analysis techniques like,
e.g., the analyses in [VS99, SS00, RS06a] and the analysis from Chapter 3.
In the next example, we illustrate how using both no-read and no-write assumptions
can be exploited in the information flow analysis of more complex application scenarios.
4.6. Benefits of the Flow-sensitive Analysis 75
ctemp =
//acq(asm-no-r , temp)//;
temp:=key1; key1:=key2; key2:=temp;
temp:=pub1; pub1:=pub2; pub2:=temp
//rel(asm-no-r , temp)//
Figure 4.6: Thread reusing temporary variable
Example 4.11. We consider a multi-threaded server. The command csrv in Figure 4.7
implements a thread that is part of the server. The thread serves a client that requests
information from the server. The contents of the variables request and src are set up
by the main server thread (which we do not display here) specifying the data that is
requested and the network address of the requester, respectively. This technique is used in
multi-threaded server implementations like Null httpd [Nul] that spawn worker threads
working on data structures set up by the main server thread. To simplify the setting,
we assume identifiers for two categories of data (”secret-data” and ”public-data”) and
two network addresses (”local” and ”nonlocal”). The variables secretData and publicData
contain the data identified by ”secret-data” and ”public-data”, respectively. The variables
localout and nonlocalout represent output channels to the network addresses ”local” and
”nonlocal”, respectively. The command csrv operates in three steps: It firstly checks
whether the request’s source is authorized to access the requested data, where the policy is
that ”secret-data” may only be sent to ”local”. Afterwards, it computes the answer to the
request (which is either the requested data or an error message if the authorization failed).
Finally, it sends the answer to the channel identified by src, deletes the answer, and logs
the request. We use a mutex variable mutex1 to ensure exclusive access to variables that
are shared with other threads (as for instance request and src which are shared with the
main server thread). If other threads only access these variables when holding the mutex
variable mutex, they provide guarantees matching the assumptions specified for csrv. ♦
Theorem 4.11. Assume that dma(secretData) = dma(localout) = high and dma(x ) =
low for all other variables. Then the command csrv from Example 4.11 (omitting the mutex
operations) is SIFUM-secure for mds0 (defined by mds0(m) = {} for all m ∈ Mod).2 ♦
Proof Sketch. For the proof we use the type system with value tracking from Section 4.5.4,
showing that the judgment ` ∆0 {csrv} ∆0 is derivable (where ∆0 is defined as the
dependent partial environment with domain {pm0} and ∆0(pm0) = Λ0, where both pm0
and Λ0 have domain {}). We illustrate the type derivation by sketching the dependent
partial environments at the intermediate program points of csrv.
− Due to the four annotations, the domain of the partial memories in the domain
of the dependent partial environment is set to {src, request, auth} by rule [ANNO].
Moreover, the domain of the partial environments in the image of the dependent
partial environment is set to {answer}.
− After the first conditional, the domain of the dependent partial environment contains
all partial memories pm with one of the following two properties:
1Given that our simple language does not support mutexes as primitives, the operations for acquiring
and releasing mutexes can be implemented using, e.g., Peterson’s algorithm [Pet81] without leaving the
language fragment.
2Assuming that the mutex operations are actually implemented with Peterson’s algorithm using low
flag variables the command including these operations is also SIFUM-secure.
76 Chapter 4. A Flow-sensitive Security Analysis
csrv =
acquire(mutex);
//acq(asm-no-w , src)/// acq(asm-no-w , request)//
//acq(asm-no-w , auth)/// acq(asm-no-r , answer)//
if (src 6= ”local” ∧ request = ”secret-data”)
then auth:=false
else auth:=true
fi;
if (auth = false)
then answer:=”not authorized”
else if (request = ”public-data”)
then answer:=publicData
else answer:=secretData
fi
fi;
if (src = ”local”)
then localout:=answer
else nonlocalout:=answer
fi;
answer:=””;
log:=log + src + request;
//rel(asm-no-w , src)/// rel(asm-no-w , request)//
//rel(asm-no-w , auth)/// rel(asm-no-r , answer)//
release(mutex)
Figure 4.7: Worker thread of multi-threaded server
∗ pm(src) 6= ”local”, pm(request) = ”secret-data”, and pm(auth) = false, or
∗ pm(src) = ”local” or pm(request) 6= ”secret-data”, and pm(auth) = true.
In both cases the dependent partial environment maps pm to the partial environment
that assigns low to answer.
− After the second conditional, the domain of the dependent partial environment
contains all partial memories pm with one of the following properties:
∗ pm(src) 6= ”local”, pm(request) = ”secret-data”, pm(auth) = false, and
pm(answer) = ”not authorized”, or
∗ pm(src) = ”local” or pm(request) 6= ”secret-data”, and pm(auth) = true.
The partial memory pm is mapped to the partial environment that maps answer to
high if and only if pm(auth) = true and pm(request) 6= ”public-data”. Otherwise, pm
is mapped to the partial environment that maps answer to low .
− The last conditional does not change the dependent partial environment. Note,
however, that the conditional is only typable because the partial environment maps
answer to high if and only if src 6= ”local”. If answer would be mapped to high while
src = ”local” then the type system would require to type the assignment of answer to
localout, which is not possible if answer is mapped to high.
The thread would not be typable without the no-write assumptions for src, request, and
auth. In fact, if other threads could modify these variables, for instance, the value of request
could be modified from ”public-data” to ”secret-data” after checking the authorization.
This modification would result in secretData being sent to nonlocalout although this is not
4.7. Summary and Comparison to Related Work 77
authorized, constituting a type of attack also referred to as a time-of-check-to-time-of-use
(TOCTTOU) attack [LBMC94].
Example 4.11 illustrates how the flow-sensitive information flow analysis can be ex-
ploited in the security analysis in realistic multi-threaded example scenarios. We are not
aware of a compositional analysis technique for multi-threaded programs that allows a suc-
cessful information flow security analysis for the multi-threaded server in Example 4.11.
4.7 Summary and Comparison to Related Work
In this chapter, we have presented the first flow-sensitive security type system for analyzing
information flow security of multi-threaded programs. The key for developing such a type
system was the introduction of assumption-guarantee style reasoning into the information
flow analysis. Exploiting assumptions and guarantees about variable accesses of threads
permits to do flow-sensitive analysis without giving up compositionality, and, hence,
without giving up a modular security analysis.
Moreover, exploiting assumptions and guarantees permits to exploit information about
the synchronization between threads, because, typically, synchronization ensures that
variables are accessed in a controlled way. Other approaches do not exploit synchronization
in the security analysis, but rather only consider synchronization as a potential source
of forbidden information leakage (e.g., [Sab01, RS09]). Our assumption-guarantee based
approach permits to consider both positive and negative influences of synchronization on
the information flow in a program.
As a basis for the flow-sensitive security type system we developed a novel infor-
mation flow property, SIFUM-security, that is compatible with assumption-guarantee
style reasoning. SIFUM-security abstracts from how assumptions and guarantees are
determined. This permits the manual specification of assumptions and guarantees, but
also the computation of assumptions and guarantees by a program analysis. Moreover, it
leaves freedom of the choice of synchronization patterns that are used to establish the
validity of assumptions and guarantees.
We have shown that SIFUM-security is compositional and scheduler independent. The
only requirements for this result are that assumptions and guarantees are used in a sound
way, i.e., that assumptions are matched by valid guarantees in all other threads, and that
assumptions are not violated by memory accesses of the scheduler or when the program
outputs values. Whether assumptions and guarantees are sound can be checked based on
existing program analysis techniques that compute may-happen-in-parallel information.
Finally, we have illustrated at realistic example programs that our flow-sensitive
information flow analysis permits to successfully analyze secure programs that were
rejected by existing analysis techniques. In particular, the flow-sensitive analysis permits
to successfully classify programs as secure that are not classified as secure by existing
flow-insensitive information flow analyses for multi-threaded programs like, e.g., the
analyses in [VS98, VS99, SS00, Smi01, BC02, ZM03, RS06a].
Interestingly, in contrast to more modern information flow analyses for multi-threaded
programs, the to our knowledge first information flow analysis for multi-threaded programs
proposed by Andrews and Reitman in [RA79, AR80] supports flow-sensitive reasoning.
Andrews and Reitman consider a flow logic that supports the derivation of noninterference
proofs for programs. They sketch an extension to concurrent programs based on the
Owicki-Gries method [OG76]. The idea is that one must show that any derivation for
a given thread is unaffected by the assignment statements in any other thread. As
well as being non-compositional, a consequence of this approach is an assumption that
78 Chapter 4. A Flow-sensitive Security Analysis
any assignment in one thread may run concurrently with any other statement. This
would make the opportunities to exploit flow sensitivity limited to thread local variables.
Moreover, the approach neither provides a semantically justified soundness result nor a
formal semantics for the underlying programming language.
There are some other approaches that use the general idea of assumption-guarantee
reasoning to perform modular security analyses. Ju¨rjens [Ju¨r00] studied a probabilistic
noninterference for trace-based message-passing processes, and used assumption-guarantee
reasoning in the proof of compositionality. In contrast to our approach, assumptions
and guarantees are not explicitly exploited in the analysis, but rather used as a proof
technique in the compositionality result. Guttman et al [GTC+04] annotate Strand-
space representations of protocol participants with assumption-guarantee statements
related to trust. In common with the approach here a soundness of assumptions and
guarantees is required for annotated protocols. Garg et al [GFKD10] place heavy emphasis
on assumption-guarantee proof rules in reasoning about safety-property-based security
properties in a concurrent first-order functional language.
Finally, assumptions similar to those used in this thesis have been proposed by others
in contexts that were not security-specific. As our focus is information flow security,
we do not consider in depth the problem of verifying the soundness of modes. One
influential line of work stems from Boyland’s fractional permissions [Boy03] that permit
to divide permissions among multiple threads: Full permissions permit both writing
and reading, partial permissions permit only reading. I.e., full permissions correspond
to the combination of our no-read and no-write assumption, and partial permissions
to the combination of our no-write assumption and no-write guarantee. Other kinds
of fractional permissions have also been investigated: In [DFPV09], fractional deny-
permissions, roughly, correspond to the combination of our no-write assumption and
guarantee, and fractional guar-permissions to neither making no-write assumptions nor
providing no-write guarantees. Based on ideas from concurrent separation logic [O’H04],
compositional logics for reasoning with fractional permissions have been developed, where
a key to compositionality is to exploit specific synchronization primitives that permit to
safely transfer permissions between threads. For instance, [DFPV09] uses synchronization
points provided by fork/join synchronization to transfer permissions between dynamically
forked threads, and [HG11] allows to transfer permissions at synchronization points
established by barrier synchronization. Other approaches exploit atomic statements
[PBO07] and conditional critical regions [O’H04]. Our approach is, in contrast, not
specific to some particular synchronization primitive. The price we pay for this generality
is that we cannot describe the soundness of modes in a compositional way. The closest
form of assumption to those used in the present paper are the thread-level exclusive
ownership (nobody else will read or write) and read ownership policies used by Martin et
al [MHC+10]. Ownership is acquired and released via annotations. The soundness of the
annotations are not verified however, but are checked using a runtime monitor.
C
H
A
P
T
E
R
5
Integrating Flexible Scheduler
Independence and Flow-sensitivity
5.1 Introduction
In Chapters 3 and 4 we developed information flow security analyses that improved the
state of the art in two directions: The analysis from Chapter 3 permits a more flexible
scheduler-independent analysis and, for instance, does not reject all secure programs with
control conditions that depend on secrets. Moreover, the analysis from Chapter 4 is
flow-sensitive and thereby increases analysis precision. However, both improvements are
needed for the successful analysis of some secure programs.
To combine both improvements, in this chapter we integrate our solutions from
Chapters 3 and 4. We firstly integrate the security properties FSI-security and SIFUM-
security, resulting in a novel compositional and scheduler-independent security property
that inherits benefits of FSI-security (scheduler independence without unconditionally
rejecting programs with secret control conditions) and SIFUM-security (support for
flow-sensitive information flow analyses). Secondly, we integrate the security type system
for FSI-security and the flow-sensitive security type system for SIFUM-security, result-
ing in a scheduler-independent flow-sensitive information flow analysis that does not
unconditionally reject programs with secret control conditions.
Overview. We integrate FSI-security and SIFUM-security in Section 5.2, and we integrate
the security type systems for these properties in Section 5.3. Section 5.4 briefly summarizes
the results.
5.2 Integration of FSI-Security and SIFUM-Security
To integrate FSI-security and SIFUM-security, we use the definition of strong low bisimu-
lations modulo modes from Section 4.4 as a starting point that we modify based on low
bisimulations modulo low matching from Section 3.3.
79
80 Chapter 5. Integrating Flexible Scheduler Independence and Flow-sensitivity
Definition 5.1. A symmetric binary relation R on thread configurations with modes that
have equal mode states is a low bisimulation modulo low matching and modes if it is
closed under globally consistent changes, and if for all c1, c2 ∈ Com, mds ∈ Mds, and
mem1,mem2 ∈ Mem with 〈c1,mds,mem1〉 R 〈c2,mds,mem2〉 the following conditions
are satisfied:
1. mem1 =
mds
L mem2, and
2. if c1 6∈ HCom then for all c′1 ∈ Com, mds ′ ∈ Mds, mem ′1 ∈ Mem, and α1 =
new(thr1,mdss1) ∈ Labm, if 〈c1,mds,mem1〉 α1−_ 〈c′1,mds ′,mem ′1〉 then there exist
c′2 ∈ Com, mem ′2 ∈ Mem, and α2 = new(thr2,mdss2) ∈ Labm such that the following
conditions are satisfied:
a) 〈c2,mds,mem2〉 α2−_ 〈c′2,mds ′,mem ′2〉,
b) 〈c′1,mds ′1,mem ′1〉 R 〈c′2,mds ′2,mem ′2〉, and
c) there exists an injective partial function match :{1, . . . , ](thr1)}⇀{1, . . . , ](thr2)}
such that 〈thr1[i],mdss1[i],mem ′1〉 R 〈thr2[match(i)],mdss2[match(i)],mem ′2〉
for all i ∈ dom(match), thr1[i] ∈ HCom for all i 6∈ dom(match), and thr2[i] ∈
HCom for all i 6∈ img(match).
The relation ∼lmm is the union of all low bisimulations modulo low matching and modes.♦
Theorem 5.1. Relation ∼lmm is a low bisimulation modulo low matching and modes. ♦
Theorem 5.2. Relation ∼lmm is a partial equivalence relation. ♦
The proofs for Theorems 5.1 and 5.2 are along the same lines as the proofs for
the corresponding theorems for low bisimulations modulo low matching and strong low
bisimulations modulo modes, i.e., Theorems 3.4, 3.5, 4.1, and 4.2.
In contrast to the definitions of low bisimulations modulo low matching and strong
low bisimulations modulo modes (Definitions 3.6 and 4.6), Definition 5.1 does not place a
requirement on the execution steps of high threads. Although we could have required that
after an execution step of a high thread in one of two bisimilar configurations one obtains
again two bisimilar configurations, we chose to omit such a requirement to simplify the
definition. Omitting the requirement does not weaken the resulting bisimulation relation,
in analogy to the result that we have shown for low bisimulations modulo low matching
in Theorem 3.7 stating that two thread pools are bisimular modulo low matching if and
only if they are bisimilar modulo low matching after removing all high threads. In fact,
later in this section we show that Definition 5.1 leads to a security definition that implies
S-noninterference, like FSI-security and SIFUM-security (cf. Theorem 5.3).
Intuitively, the partial function match in Item (2c) of Definition 5.1 corresponds to
the low match in the definition of low bisimulations modulo low matching. In contrast to
low bisimulations modulo low matching, Definition 5.1 does not require that every low
thread is matched by a low thread. The reason is that the definition of high and low
threads (Definition 3.4) does not exploit no-write assumptions. In consequence, a low
thread might never assign to low variables due to the assumptions made for the thread.
Definition 5.1 permits to match such low threads with high threads. An example for such
a low thread is given by the following example:
Example 5.1. Consider the command
//acq(asm-no-w , x )//x :=false; if x = true then l :=1 else skip fi.
The command is a low command, although it will never assign the low variable l given
that concurrent threads respect the no-write assumption for x . ♦
5.2. Integration of FSI-Security and SIFUM-Security 81
Like for strong low bisimulations modulo modes, we use low bisimulations modulo
low matching and modes to define an indistinguishability relation on commands and a
security property for commands.
Definition 5.2. Two commands c1 and c2 are FSIFUM-indistinguishable for mode state
mds (denoted by c1 ∼mdslmm c2) if and only if 〈c1,mds,mem1〉 ∼lmm 〈c2,mds,mem2〉 for
all memories mem1,mem2 with mem1 =L mem2. ♦
Definition 5.3. A command c is FSIFUM-secure for mode state mds if and only if
c ∼mdslmm c. ♦
The name FSIFUM-security indicates that the security property results from integrat-
ing FSI-security and SIFUM-security. According to one’s preference, one can pronounce
it either F-S-I-FUM-security or F-SIFUM-security. The following compositionality and
scheduler-independence theorem results from integrating the corresponding theorems for
FSI-security and SIFUM-security, Theorems 3.13 and 4.3.
Theorem 5.3. Let thr be a terminating thread pool, mdss a list of mode states, and S a
robust scheduler such that the following conditions are satisfied:
1. thr [i] is FSIFUM-secure for mdss[i] for all i ∈ {1, . . . , ](thr)} and
2. the pair (thr ,mdss) has sound modes for S.
Assume furthermore that obs is confined to L. Then thr is S-noninterferent. ♦
The proof (see Appendix A.8) is obtained by integrating the proofs of Theorem 3.13 and
of Theorem 4.3.
FSIFUM-security is no more restrictive than FSI-security for commands in which one
does not specify any assumptions and guarantees. We capture such commands by the
following definition.
Definition 5.4. A command c does not affect the mode state if for all commands c′ and c′′,
all memories mem,mem ′, and mem ′′, all mode states mds ′ and mds ′′, and all labels α
the following condition is satisfied:
[〈c′,mem ′〉 ∈ loc-reach(〈c,mem〉) ∧ 〈c′,mds ′,mem ′〉 α−_ 〈c′′,mds ′′,mem ′′〉]
⇒ mds ′ = mds ′′ ♦
Theorem 5.4. Let c be an FSI-secure command that does not affect the mode state.
Then c is FSIFUM-secure for any mode state. ♦
Proof. Define relation R on thread configurations by 〈c1,mds,mem1〉 R 〈c2,mds,mem2〉
if and only if 〈c1〉 ∼lm 〈c2〉, mem1 =L mem2, and both c1 and c2 do not affect the mode
state. Then R is a low bisimulation modulo low matching and modes (see Lemma A.15
in Appendix A.8).
Let mem1 =L mem2. It follows from the FSI-security of c that 〈c〉 ∼lm 〈c〉. Hence,
〈c,mds,mem1〉 R 〈c,mds,mem2〉. Since R is a low bisimulation modulo low matching
and modes, 〈c,mds,mem1〉 ∼lmm 〈c,mds,mem2〉. Hence, c is FSIFUM-secure.
Moreover, FSIFUM-security is also no more restrictive than SIFUM-security.
Theorem 5.5. Let c be a command that is SIFUM-secure for mode state mds . Then c is
FSIFUM-secure for mode state mds. ♦
82 Chapter 5. Integrating Flexible Scheduler Independence and Flow-sensitivity
Proof. If mem1 =L mem2 it follows from the SIFUM-security of c for mode state mds that
〈c,mds,mem1〉 ∼mm 〈c,mds,mem2〉. Moreover, the relation ∼mm is a low bisimulation
modulo low matching and modes (see Lemma A.16 in Appendix A.8). In consequence,
〈c,mds,mem1〉 ∼lmm 〈c,mds,mem2〉 for all mem1 =L mem2. Hence, c is FSIFUM-secure
for mode state mds.
Moreover, FSIFUM-security is strictly more permissive than both FSI-security and
SIFUM-security, because it permits both flow-sensitive reasoning as well as control
conditions that depend on secrets. This is illustrated by the following simplistic example:
Example 5.2. Consider the following command:
//acq(asm-no-r , l)//;
l :=h; l :=0;
if h > 0 then skip; skip else skip fi;
//rel(asm-no-r , l)//
The command is FSIFUM-secure, but neither is the command with annotations removed
FSI-secure nor is it SIFUM-secure. (We show that the command is FSIFUM-secure in
the following section, using a security type system for FSIFUM-security.) ♦
I.e., while Theorem 5.3 shows that FSIFUM-security preserves the compositionality
and the scheduler-independence of FSI-security and SIFUM-security and Theorems 5.4
and 5.5 show that there is no loss in precision with respect to FSI-security and SIFUM-
security, Example 5.2 shows that FSIFUM-security even permits to exploit the advantages
regarding precision of both FSI-security and SIFUM-security in combination.
5.3 Integration of the Security Type Systems
To analyze programs with respect to FSIFUM-security, we integrate the type system for
FSI-security from Section 3.4 and the type system for SIFUM-security from Section 4.5.
It turns out that it is sufficient to simply combine the ingredients of both kinds of typing
judgment for commands in typing judgments of the form
` Λ {c} Λ′ : (mdf , stp),
where Λ,Λ′ : Var ⇀ {low , high} are partial environments (like in the type system
for SIFUM-security), c is a command, and mdf , stp ∈ {low , high} (like in the type
system for FSI-security). The interpretation of the judgment is derived directly from
the interpretations of the judgments ` c : (mdf , stp) and ` Λ {c} Λ′. (I.e., dom(Λ) is a
lower bound on the set of low variables with no-read and high variables with no-write
assumption after the execution of c if dom(Λ) is such a lower bound before the execution
of c, Λ′〈x 〉 is an upper bound on the security level of x after the execution of c if Λ〈·〉 gives
such upper bounds before the execution of c, mdf is a lower bound on the security level
of variables modified by c, and stp is an upper bound on the security level of variables on
which the number of execution steps of c depends.)
The derivation rules for the judgments are displayed in Figure 5.1. The rules are
obtained by merging the conditions of the respective typing rules from the type systems
for FSI-security in Section 3.4 and for SIFUM-security in Section 4.5.
Note that in rule [IF] we do not use a semantic side condition for conditionals with a
high control condition like in the security type system for SIFUM-security. The reason
5.4. Summary 83
is the following: In the soundness proof of the security type system for FSI-security we
exploit that the typing rules ensure that after executing a high control condition a typable
program no longer assigns to low variables. We exploit this also in the soundness proof of
the type system for FSIFUM-security. The semantic side condition from the type system
for SIFUM-security, however, permits assignments to low variables within the branches of
a conditional with a high guard. A consequence of removing the semantic side condition
is that some programs that are typable in the type system for SIFUM-security are not
typable in the type system for FSIFUM-security (namely such programs that assign to
low variables after a high guard, and that are hence only typable in the type system for
SIFUM-security using the semantic side condition).
The type system for commands is sound with respect to FSIFUM-security.
Theorem 5.6. Assume that ` Λ {c} Λ′ : (mdf , stp) is derivable, and let mds be a mode
state consistent with Λ. Moreover, let mem1,mem2 be memories such that mem1(x ) =
mem2(x ) for all x ∈ Var with Λ〈x 〉 = low . Then 〈c,mds,mem1〉 ∼lmm 〈c,mds,mem2〉.♦
The proof (see Appendix A.9) is along the same lines as the proofs for Theorems 3.15
and 4.7, constructing a bisimulation relation that relates typable commands and showing
that this relation is a low bisimulation modulo low matching and modes.
Typing judgments for concurrent programs have the form ` thr . The single derivation
rule (also displayed in Figure 5.1) is derived directly from the corresponding derivation
rule in the security type system for SIFUM-security.
Theorem 5.7. Assume that obs is confined to L and that S is a robust scheduler. If thr
is terminating and ` thr is derivable with rule [PARS ] then thr is S-noninterferent. ♦
The proof (see Appendix A.9) is along the same lines as the proof of the corresponding
Theorem for SIFUM-security, Theorem 4.8.
Example 5.3. Reconsider the command from Example 5.2. It is typable with the rules
[ANNO], [ASS2], [IF], [SKIP], and [SEQ]. Hence, it is FSIFUM-secure by Theorem 5.6. ♦
Moreover, it can be easily seen that the security type system for FSIFUM-security
subsumes the security type system for FSI-security from Section 3.4 (assuming that one
does not make any assumptions and guarantees that might not be sound), and that it
subsumes the security type system for SIFUM-security from Section 4.5 if one removes
the semantic side condition in rule [IF] of that type system.
5.4 Summary
In this chapter, we have integrated our solutions from Chapters 3 and 4, resulting in
a novel compositional and scheduler-independent information flow property, FSIFUM-
security. FSIFUM-security subsumes FSI-security and SIFUM-security. Moreover, we
integrated the two corresponding security type systems, resulting in a provably sound
security type system for FSIFUM-security. The results illustrate that the benefits of
FSI-security and SIFUM-security can be combined in a single information flow property.
The integration was rather straightforward, which was due to using the Per-approach
in the definitions of both FSI-security and of SIFUM-security. Also the proofs for the
compositionality, scheduler-independence and type system soundness results could be
adopted directly from the existing proofs for FSI-security and SIFUM-security. This gives
hope that other properties based on the Per-approach (like properties supporting control
of declassification as, e.g., in [MR07]) could also be integrated.
84 Chapter 5. Integrating Flexible Scheduler Independence and Flow-sensitivity
[EXP]
Γ ` e : ⊔x∈vars(e) Γ(x )
[STOP] ` Λ {stop} Λ : (high, low) [SKIP] ` Λ {skip} Λ : (high, low)
[ASS1]
x 6∈ dom(Λ) Λ〈·〉 ` e : d d v dma(x )
` Λ {x :=e} Λ : (dma(x ), low)
[ASS2]
x ∈ dom(Λ) Λ〈·〉 ` e : d
` Λ {x :=e} Λ[x 7→ d ] : (dma(x ), low)
[IF]
` Λ {c1} Λ′ : (mdf , stp) ` Λ {c2} Λ′ : (mdf , stp)
Λ〈·〉 ` e : d d v mdf
` Λ {if e then c1 else c2 fi} Λ′ : (mdf , stp unionsq d)
[WHILE]
Λ〈·〉 ` e : d ` Λ {c} Λ : (mdf , stp) stp unionsq d v mdf
` Λ {while e do c od} Λ : (mdf , stp unionsq d)
[SEQ]
` Λ {c1} Λ′ : (mdf 1, stp1) ` Λ′ {c2} Λ′′ : (mdf 2, stp2) stp1 v mdf 2
` Λ {c1; c2} Λ′′ : (mdf 1 umdf 2, stp1 unionsq stp2)
[SPAWN]
∀i ∈ {1, . . . , ](thr)} : ` Λ0 {thr [i]} Λi : (mdf , stpi)
∀x ∈ Var : Λ〈x 〉 v dma(x )
` Λ {spawn(thr)} Λ : (mdf , low)
[ANNO]
Λ′ = adjust-pe(Λ, ann) ` Λ′ {c} Λ′′ : (mdf , stp)
∀x ∈ Var : Λ〈x 〉 v Λ′〈x 〉
` Λ {//ann// c} Λ′′ : (mdf , stp)
[SUB]
` Λ1 {c} Λ′1 : (mdf 1, stp1) Λ2 v Λ1 Λ′1 v Λ′2
mdf 2 v mdf 1 stp1 v stp2
` Λ2 {c} Λ′2 : (mdf 2, stp2)
[PARS ]
∀i ∈ {1, . . . , ](thr)} : ` Λi {thr [i]} Λ′i : (mdf i, stpi)
∀i ∈ {1, . . . , ](thr)} : ∀x ∈ Var : dma(x ) v Λi〈x 〉
∀i ∈ {1, . . . , ](thr)} : mdss[i] is consistent with Λi
(thr ,mdss) has sound modes for S
` thr
Figure 5.1: Security type system for FSIFUM-security
C
H
A
P
T
E
R
6
A Bridge to PDG-based Information
Flow Analysis
6.1 Introduction
In Chapters 3–5 we developed the information flow analyses for the novel information flow
properties using security type systems. Security type systems are so far probably the most
popular approach to language-based information flow analysis. Starting with Volpano,
Smith, and Irvine in the nineties [VSI96], type-based information flow analyses were
developed for programs containing various language features comprising procedures (e.g.,
[VS97, HS11]), concurrency (e.g., [SV98, MSS11]), and objects (e.g., [Mye99, BN02]).
Moreover, security type systems were proposed for certifying a variety of information
flow properties, including timing-sensitive properties (e.g., [SS00]), timing-insensitive
properties (e.g., [BC02] and the type systems from this thesis), and properties supporting
declassification (e.g., [MS04, MR07]).
Other information flow analysis techniques were also investigated. For instance,
Hsieh, Unger, and Mata-Toledo already proposed at the beginning of the nineties to
use program dependence graphs (PDGs) in an information flow analysis [HUM92]. A
PDG [FOW87] is a graph-based representation of dependencies in a program. PDGs
have been extended over time to programs with various languages features including
procedures (e.g., [HRB90, RHSR94]), concurrency (e.g., [Che93, Kri98]), and objects (e.g.,
[MMKM94, HS09]). The idea of PDG-based information flow analysis recently received
renewed attention, resulting in, e.g., a PDG-based information flow analysis for object-
oriented programs and PDG-based analysis that supports declassification [HS09, Ham10].
It has been conjectured that using PDGs in an information flow analysis leads to a
better precision than what can be achieved with security type systems. However, the
connection between type-based and PDG-based security analyses had not been studied
in detail so far. In this chapter, we investigate the relationship between type-based and
PDG-based information flow analysis. The goal of the investigation is to (a) gain a better
understanding of the relationship of these analysis techniques and (b) to investigate
85
86 Chapter 6. A Bridge to PDG-based Information Flow Analysis
possibilities to exploit the relationship in the development of novel information flow
analyses, in particular for multi-threaded programs.
As a first step, we introduce a formal connection between a type-based and a PDG-
based information flow analysis for sequential programs. To be able to establish a precise
relation we consider two analyses that are fully formalized, namely a type-based analysis
from [HS06] and a PDG-based analysis from [WLS09]. We exploit the connection for
showing that the two analyses have not only roughly the same precision, but have exactly
the same precision. Secondly, we investigate how the formal connection can be used
for transferring ideas from PDG-based to type-based information flow analysis and vice
versa. We illustrate this possibility in both directions: Firstly, we transfer the concept of
summary edges to type systems. This leads to a context-sensitive type-based analysis.
We show that the security type system from [HS11] captures the intuition of summary
edges precisely. Secondly, we derive a novel compositional and scheduler-independent
PDG-based information flow analysis that is suitable for multi-threaded programs. To
this end, we exploit the ideas developed in Chapter 4 of this thesis. The analysis is the
first PDG-based information flow analysis for multi- threaded programs that is shown to
be compositional, and, thereby, enables a modular information flow analysis. Moreover,
it is the first such analysis that supports programs with nondeterministic public output.
Overview. We introduce a type-based and a PDG-based information flow analysis for
sequential programs in Sections 6.2 and 6.3, and establish a formal relation between
these analyses in Section 6.4. In Section 6.5 we illustrate the transfer of the concept of
summary edges from PDG-based to type-based analysis, and in Section 6.6 we develop a
PDG-based analysis for multi-threaded programs by transferring assumption-guarantee
based reasoning from type systems to PDGs. Section 6.7 summarizes and discusses the
relation to other PDG-based analyses for concurrent programs.
6.2 Type-based Analysis for Sequential Programs
As a starting point, we consider the security type system for sequential programs from
Hunt and Sands [HS06]. This type system provides, in contrast to many other type-
based information flow analyses for sequential programs, a flow-sensitive analysis.1 The
type system permits to type sequential programs written in the programming language
from Section 2.3 excluding the primitive for spawning new threads. We denote the
corresponding set of commands with Comseq .
Typing judgments for expressions are like in Section 4.5.2, except that an arbitrary
security lattice D is used instead of the two-level security lattice {low , high}: The
judgments are of the form Γ ` e : d where Γ : Var → D, and the interpretation of the
judgment is that d is an upper bound on the security level of the value of e, given that
Γ(x ) is an upper bound on the security level of the value of x for all x ∈ Var .
Typing judgments for commands have the form pc ` Γ {c} Γ′, where pc ∈ D is
a security domain and c ∈ Comseq is a command. Moreover, Γ,Γ′ : Var → D are
environments that map variables to security domains. The interpretation of the judgment
is as follows: Assume that pc is an upper bound on the security level of all information
that determines whether command c is executed or not and that, for each x ∈ Var , Γ(x )
is an upper bound on the security level of the value of x before c is executed. Then, for
each y ∈ Var , Γ′(y) is an upper bound on the security level of the value of y after the
execution of c.
1We discuss flow-sensitivity in more detail in Section 4.2.
6.2. Type-based Analysis for Sequential Programs 87
[EXP]
Γ ` e : ⊔x∈vars(e) Γ(x ) [SKIP] pc ` Γ {skip} Γ
[ASS]
Γ ` e : d
pc ` Γ {x :=e} Γ[x 7→ pc unionsq d ] [SEQ]
pc ` Γ {c1} Γ′ pc ` Γ′ {c2} Γ′′
pc ` Γ {c1; c2} Γ′′
[IF]
Γ ` e : d pc unionsq d ` Γ {c1} Γ′1 pc unionsq d ` Γ {c2} Γ′2
pc ` Γ {if e then c1 else c2 fi} Γ′1 unionsq Γ′2
[WHILE]
Γ′0 = Γ Γ
′
0 ` e : d0 pc unionsq d0 ` Γ′0 {c} Γ′′0
Γ′1 = Γ
′′
0 unionsq Γ Γ′1 ` e : d1 pc unionsq d1 ` Γ′1 {c} Γ′′1
...
Γ′k = Γ
′′
k−1 unionsq Γ Γ′k ` e : dk pc unionsq dk ` Γ′k {c} Γ′′k
Γ′k+1 = Γ
′′
k unionsq Γ Γ′k+1 = Γ′k k ∈ N
pc ` Γ {while e do c od} Γ′k
Figure 6.1: Type system from [HS06]
The typing rules from [HS06] are displayed in Figure 6.1, where the least upper bound
operator on D is extended to environments by (Γ unionsq Γ′)(x ) := Γ(x ) unionsq Γ′(x ). Unlike in the
security type systems in the previous chapters, there are no restrictions on conditionals
and loops with high control conditions, because there is no danger of internal timing
leaks in sequential programs. Moreover, to capture implicit information flows the security
level of control conditions is propagated via pc to the variables which are assigned to
under the control condition. The typing rule for loops is somewhat more complex than
the other rules, because it determines the environment after the loop by a fixed point
computation. Thereby, the typing rules ensure that for any given c, Γ, and pc there is
an environment Γ′ such that pc ` Γ {c} Γ′ is derivable. Moreover, this environment is
uniquely determined by c, Γ, and pc [HS06, Theorem 4.1].
For the corresponding type-based information flow analysis, we instantiate the security
lattice with the two-level security lattice.
Definition 6.1. Let c ∈ Comseq , Γ(x ) = dma(x ) for all x ∈ Varin , Γ(x ) = low for all
x ∈ Var \ Varin , and let Γ′ be the unique environment such that low ` Γ {c} Γ′ is
derivable. The command c is accepted by the type-based analysis if Γ′(x ) = low for all
public output variables x ∈ LO . ♦
Example 6.1. Consider the command c specified by the 1. if (z < 0) then
2. while (y > 0) do
3. y :=y + z od else
4. skip fi;
5. x :=y ♦
code at the right, where Varin = {y , z} and Varout = {x}.
Assume that dma(x ) = dma(y) = low and dma(z ) =
high. Let Γ(x ) = dma(x ) for all x ∈ Var . Then the
judgment low ` Γ {c} Γ′ is derivable if and only if
Γ′(x ) = Γ′(y) = Γ′(z ) = high and Γ′(x ′) = Γ(x ′) for all
other x ′ ∈ Var . Since x ∈ LO and Γ′(x ) = high command c is not accepted by
the type-based analysis. ♦
88 Chapter 6. A Bridge to PDG-based Information Flow Analysis
Theorem 6.1. If a command c ∈ Comseq is accepted by the type-based analysis then c
is S-noninterferent for any scheduler S.2 ♦
Proof. The theorem follows from Theorem 3.3 in [HS06].
6.3 PDG-based Analysis for Sequential Programs
PDG-based information flow analyses, firstly proposed in [HUM92], exploit that the
absence of certain paths in a program dependence graph (PDG) [FOW87] is a sufficient
condition for the information flow security of a program. In this section, we recall the
PDG-based analysis from [WLS09] for the language Comseq .
The PDG-based analysis is defined based on the control flow graph (CFG) of a
program. To define the PDG-based analysis, we firstly introduce the CFG of a program
and subsequently define the PDG of a program based on its CFG.
6.3.1 Control Flow Graphs
Definition 6.2. A directed graph is a pair (N , E) where N is a set of nodes and E ⊆ N ×N
is a set of edges.
A path p from node n1 to node nk is a non-empty sequence of nodes 〈n1, . . . , nk〉 ∈ N +
where (ni,ni+1) ∈ E for all i ∈ {1, . . . , k−1}. We say that a node n is on the path
〈n1, . . . ,nk〉 if n = ni for some i ∈ {1, . . . , k}. ♦
Definition 6.3. A control flow graph with def and use sets is a tuple
(N , E, def , use)
where (N , E) is a directed graph, N contains two distinguished nodes start and stop, and
def , use : N → P(Var) are functions. ♦
Nodes start and stop represent program start and termination, respectively, and the
remaining nodes represent program statements and control conditions. An edge (n, n ′)∈E
models that n ′ might immediately follow n in a program execution. Finally, the functions
def and use define the def set and use set for each node n ∈N , where the sets def (n) and
use(n) contain all variables that are defined and used, respectively, at n. In the following,
we simply write “CFG” instead of “CFG with def and use sets.”
We provide examples of CFGs after defining the construction of CFGs for programs in
the sequential fragment of the programming language from Section 2.3, i.e., for commands
in the set Comseq . Our construction of CFGs follows Wasserrab and Lochbihler [WL08].
As usual, the ith statement respectively control condition is represented by a node i ∈ N.
To define the set of nodes of the control flow graph for a command, we define the number
of statements and control conditions of a command, as well as the ith statement or control
condition of a command, abusing the corresponding notation for lists.
Definition 6.4. For c ∈ Comseq we define ](c) recursively by ](skip) = 1, ](x :=e) = 1,
](c1; c2) = ](c1)+](c2), ](if e then c1 else c2 fi) = 1+](c1)+](c2), and ](while e do c od) =
1 + ](c). ♦
The number ](c) is the number of statements and control conditions of the command c.
2Note that the choice of the scheduler is irrelevant for sequential programs.
6.3. PDG-based Analysis for Sequential Programs 89
Definition 6.5. For c ∈ Comseq and 1 ≤ i ≤ ](c) we denote with c[i] the ith statement
or control condition in c, which is recursively defined as follows:
− If c = skip or c = x :=e then c[1] = c.
− If c = c1; c2 then c[i] = c1[i] for 1 ≤ i ≤ ](c1) and c[i] = c2[i−](c1)] for ](c1) < i ≤ ](c).
− If c = if e then c1 else c2 fi then c[1] = e, c[i] = c1[i−1] for 1 < i ≤ 1 + ](c1), and
c[i] = c2[i−1−](c1)] for 1 + ](c1) < i ≤ ](c).
− If c = while e do c1 od then c[1] = e and c[i] = c1[i−1] for 1 < i ≤ ](c). ♦
Note that c[i] is either an expression, an assignment, or a skip-statement. We now
construct the CFG for a command.
Definition 6.6. For c ∈Comseq , we define Nc = {1, . . . , ](c)} ∪ {start , stop}. ♦
We define the operator 	 : Nc × Z → Z ∪ {start , stop} by n 	 z = n − z if n ∈ N and
n 	 z = n if n ∈ {start , stop}.
Definition 6.7. For c ∈ Comseq the set Ec ⊆ Nc ×Nc is defined recursively as follows:
− Eskip = Ex :=e =
{(start , stop), (start , 1), (1, stop)},
− Ec1;c2 =
{(start , stop)} ∪
{(n,n ′) | (n,n ′) ∈ Ec1 ∧ n ′ 6= stop} ∪
{(n,n ′) | (n 	 ](c1),n ′	 ](c1)) ∈ Ec2 ∧ n 6= start} ∪
{(n,n ′) | (n, stop) ∈ Ec1 ∧ (start ,n ′	 ](c1)) ∈ Ec2 ∧ n 6= start ∧ n ′ 6= stop},− Eif e then c1 else c2 fi =
{(start , stop), (start , 1)} ∪
{(1,n ′) | (start ,n ′	 1) ∈ Ec1 ∧ n ′ 6= stop} ∪
{(1,n ′) | (start ,n ′	(1+](c1))) ∈ Ec2 ∧ n ′ 6= stop} ∪
{(n,n ′) | (n 	 1,n ′	 1) ∈ Ec1 ∧ n 6= start} ∪
{(n,n ′) | (n 	(1+](c1)),n ′	(1+](c1))) ∈ Ec2 ∧n 6= start}, and− Ewhile e do c od =
{(start , stop), (start , 1), (1, stop)} ∪
{(n,n ′) | (n 	 1,n ′	 1) ∈ Ec ∧ n 6= start ∧ n ′ 6= stop} ∪
{(1,n ′) | (start ,n ′	 1) ∈ Ec ∧ n ′ 6= stop} ∪
{(n, 1) | (n 	 1, stop) ∈ Ec ∧ n 6= start}.
♦
Definition 6.8. For c ∈ Comseq we define functions defc , usec : Nc→P(Var) by
− defc(n) = {x} if n ∈ {1, . . . , ](c)} and c[n] = x :=e, and defc(n) = {} otherwise, and
− usec(n) = vars(e) if n ∈{1, . . . , ](c)} and c[n] = x :=e or c[n] = e, and usec(n) = {}
otherwise. ♦
Definition 6.9. Let c ∈ Comseq . We define the control flow graph of c by
CFGc = (Nc , Ec , defc , usec). ♦
Note that, by definition, an edge from start to stop is contained in Ec . This edge models,
as usual, the possibility that c is not executed.
We augment CFGs by two nodes in and out to capture the program’s interaction
with its environment. Two sets of variables I,O ⊆ Var specify which variables may be
initialized by the environment before the program executes and which variables may be
read by the environment after the execution. This results in the following variant of CFGs:
90 Chapter 6. A Bridge to PDG-based Information Flow Analysis
in
{z}
{} out
{}
{x,y}start
{}
{} stop
{}
{}1
{}
{z}
2
{}
{y}
3
{y}
{y,z}
4
{}
{}
5
{x}
{y}
Figure 6.2: The CFG of the command in Example 6.1
Definition 6.10. Let CFG = (N , E, def , use) be a control flow graph and I,O ⊆ Var .
Then CFGI,O is defined as (N ′, E′, def ′, use ′) where
− N ′ = N ∪ {in, out},
− E′ = {(start , stop), (start , in), (out , stop)} ∪ {(in, n ′) | (start , n ′) ∈ E ∧n ′ 6= stop} ∪
{(n, out) | (n, stop) ∈ E ∧ n 6= start} ∪ {(n,n ′) ∈ E | n 6∈ {start , stop} ∧ n ′ 6∈
{start , stop}},
− def ′(in) = I, use ′(out) = O, and use ′(in) = def ′(out) = {}, and
− def ′(n) = def (n) and use ′(n) = use(n) for n ∈ N . ♦
Definitions 6.9 and 6.10 both specialize the general notion of control flow graphs (see
Definition 6.3). In the remainder of this thesis, we use the abbreviation CFG for arbitrary
control flow graphs (including those that satisfy Definition 6.9 or 6.10).
We use a graphical representation for displaying CFGs where we depict nodes with
ellipses and edges with solid arrows. For each node n we label the corresponding ellipse
with nXY where X = def (n) and Y = use(n).
Example 6.2. Command c from Example 6.1 contains three statements and two control
conditions (i.e., ](c) = 5). Hence, Nc = {1, . . . , 5, start , stop}. Nodes 1–5 represent the
statements and control conditions in Lines 1–5 of the program, respectively. For I = {z}
and O = {x , y} (i.e., I = H and O = L for the domain assignment from Example 6.1)
the control flow graph CFGI,Oc is displayed in Figure 6.2. ♦
6.3.2 PDG-based Analysis
PDGs are directed graphs that represent dependencies in imperative programs [FOW87].
We construct the PDG from a CFG based on the following notions of data dependency
and control dependency.
Definition 6.11. Let (N , E, def , use) be a CFG and n,n ′ ∈N . If x ∈ def (n) we say that
the definition of x at n reaches n ′ if there is a path p from n to n ′ such that x 6∈ def (n ′′)
for every node n ′′ on p with n ′′ 6= n and n ′′ 6= n ′.
Node n ′ is data dependent on node n if there exists x ∈ Var such that x ∈ def (n),
x ∈ use(n ′), and the definition of x at n reaches n ′. ♦
Intuitively, a node n ′ is data dependent on a node n if n ′ uses a variable that was written
at n and has not been overwritten until being used at n ′.
Example 6.3. Consider the CFG depicted in Figure 6.2. The definition of y at Node 3
reaches Node 5 because 〈3, 2, 5〉 is a path in the CFG and y 6∈ def (2). In addition,
6.3. PDG-based Analysis for Sequential Programs 91
start
1 5
2 4
3
in out
Figure 6.3: PDG of CFG from Figure 6.2
y ∈ def (3) and y ∈ use(5), and, hence, Node 5 is data dependent on Node 3. Moreover,
Node 2 is also data dependent on Node 3 and Node 3 is data dependent on itself. ♦
Definition 6.12. Let (N , E, def , use) be a CFG. Node n ′ postdominates node n if n 6= n ′
and every path from n to stop contains n ′.
Node n ′ is control dependent on node n if n ′ does not postdominate n and there is a
path p from n to n ′ such that n ′ postdominates all nodes n ′′ on p with n ′′ 6∈ {n,n ′}. ♦
Intuitively, a node n ′ is control dependent on a node n if it depends on n whether n ′ is
executed or not.
Example 6.4. Consider the CFG depicted in Figure 6.2. Node 5 postdominates Node 1
because Node 5 is on every path from Node 1 to Node stop. Hence, Node 5 is not control
dependent on Node 1. Nodes 2, 3, and 4 do not postdominate Node 1. Since Node 3
does not postdominate Node 2 and all paths from Node 1 to Node 3 contain Node 2,
Node 3 is not control dependent on Node 1. However, Node 3 is control dependent
on Node 2. Moreover, Nodes 2 and 4 are control dependent on Node 1, because 〈1, 2〉
and 〈1, 4〉 are paths in the CFG. Finally, Node 2 is control dependent on itself, because
Node 2 postdominates Node 3 and 〈2, 3, 2〉 is a path in the CFG. I.e., a node might be
control dependent on itself. ♦
Remark 6.1. The definition of control dependency captures direct control dependency
(like the dependency of the loop body on the loop guard in the above example), but not
the indirect dependency of the loop body on the guard of the conditional that encloses
the loop. Such indirect dependencies are reflected by the notion of paths in a PDG. ♦
Definition 6.13. Let CFG = (N , E, def , use) be a control flow graph. The directed graph
(N ′, E′) is the PDG of CFG if N ′ = N and (n, n ′) ∈ E′ if and only if n ′ is data dependent
or control dependent on n in CFG . We denote this graph with PDG(CFG). ♦
We use the usual graphical representation for displaying PDGs in the remainder of
this thesis, depicting Node n with an ellipse labeled with n, edges that reflect control
dependency with solid arrows, and edges that reflect data dependency with dashed arrows.
Moreover, we do not display nodes that have neither in- nor outgoing edges.
Example 6.5. Consider the CFG from Figure 6.2. The PDG constructed from this CFG
is displayed in Figure 6.3. (Node stop is not displayed because it has neither in- nor
outgoing edges.) ♦
92 Chapter 6. A Bridge to PDG-based Information Flow Analysis
The PDG-based information flow analysis from [WLS09] for a command c ∈ Comseq
is based on the PDG of CFGHI ,LOc (cf. Definition 6.10), i.e., the CFG where node in
represents writing high input variables before program execution and node out represents
reading low output variables after program execution.
Definition 6.14. The command c ∈ Comseq is accepted by the PDG-based analysis if and
only if there is no path from in to out in PDG(CFGHI ,LOc ). ♦
Example 6.6. Consider command c and domain assignment from Example 6.1. Assume
that Varin ={y , z} and Varout ={x}. The program dependence graph PDG(CFGHI ,LOc )
is depicted in Figure 6.3. It contains a path from Node in to Node out , (e.g., the path
〈in, 3, out〉). In consequence, c is not accepted by the PDG-based analysis. ♦
Theorem 6.2. If a command c ∈ Comseq is accepted by the PDG-based analysis then c
is S-noninterferent for any scheduler.3 ♦
Proof. The theorem follows from [WLS09, Theorem 8].
6.4 Relating Type-based and PDG-based Analysis
While both the type-based analysis from Section 6.2 and the PDG-based analysis from
Section 6.3 are sound, both analyses are also incomplete. I.e., for each analysis there are
programs that satisfy S-noninterference, but that are not accepted by the analysis. In fact,
developing a complete analysis is impossible, because S-noninterference is undecidable
(this can be proved in a standard way by showing that the decidability of the property
would imply the decidability of the halting problem [SM03]). This raises the question if
any of the two analyses is more precise than the other. In this section, we answer this
question. To this end, we establish the following relation between the two analyses.
Theorem 6.3. Let c ∈ Comseq , y ∈ Var , and Γ be an environment. Let Γ′ be the unique
environment such that low ` Γ {c} Γ′ is derivable in the type system from Section 6.2.
Moreover, let X be the set of all x ∈ Var such that there exists a path from in to out in
PDG(CFG{x},{y}c ). Then Γ
′(y) =
⊔
x∈X Γ(x ). ♦
Proof Sketch. In the proof of the theorem (see Appendix A.10) we establish a more
general theorem where Γ′ is such that pc ` Γ {c} Γ′ is derivable for some arbitrary
security domain pc. In this case, Γ′(y) =
⊔
x∈X Γ(x ) if there is no path from start to
out in PDG(CFG{x},{y}c ) except the path 〈start , out〉, and Γ′(y) = pc unionsq
(⊔
x∈X Γ(x )
)
otherwise. The proof is by induction on the structure of c.
Theorem 6.3 is the key to establishing the following theorem that relates the precision of
the sound type-based analysis from Section 6.2 with the precision of the sound PDG-based
analysis from Section 6.3.
Theorem 6.4. A command c ∈ Comseq is accepted by the type-based analysis for sequen-
tial programs from Section 6.2 if and only if it is accepted by the PDG-based analysis for
sequential programs from Section 6.3. ♦
3Note that, like for the type-based analysis for sequential programs from Section 6.2, the choice of
the scheduler is irrelevant for sequential programs.
6.5. Context-sensitive Interprocedural Analysis 93
Proof. Our proof is by contraposition.
Let Γ(x ) = dma(x ) for all x ∈ Varin , Γ(x ) = low for all x ∈ Var \ Varin , and let Γ′
be the unique environment such that low ` Γ {c} Γ′ is derivable in the type system from
Section 6.2.
Assume firstly that c is not accepted by the type-based analysis, i.e., Γ′(y) = high for
some y ∈LO . Then, by Theorem 6.3, there exists a variable x with Γ(x ) = high and a
path 〈in, . . . , out〉 in PDG(CFG{x},{y}c ). By the definition of Γ it follows that x ∈ HI .
Hence, this path is also a path in PDG(CFGHI ,LOc ). Thus, c is not accepted by the
PDG-based analysis.
Assume now that c is not accepted by the PDG-based analysis, i.e., there is a path
〈in, . . . , out〉 in PDG(CFGHI ,LOc ). But then there exist variables x ∈ HI and y ∈ LO
such that there is a path 〈in, . . . , out〉 in PDG(CFG{x},{y}c ). Hence, by Theorem 6.3,
Γ′(y) = high. Thus, c is not accepted by the type-based analysis.
Theorem 6.4 demonstrates that a type-based information flow analysis, despite its
conceptual simplicity, can have the same precision as a PDG-based information flow
analysis. Moreover, since both analyses are equally precise, one can select between them
based on other features of the analyses. For instance, if one needs a compositional analysis
one would select the type-based analysis. Moreover, if a program is not accepted by
the analyses one could use the PDG-based analysis to localize the source of potential
information leakage by inspecting the path in the PDG that leads to the rejection of the
program. This path identifies the program statements and control conditions that might
cause information leakage.
Theorem 6.4 not only clarifies the connection between type-based and PDG-based
information flow analyses, but also provides a bridge to transfer concepts from one tradition
of information flow analysis to the other. In the two subsequent sections, we illustrate
how concepts can be transferred across this bridge in both directions, in particular, for
deriving a PDG-based analysis for multi-threaded programs (in Section 6.6).
6.5 Context-sensitive Interprocedural Analysis
For interprocedural information flow analysis, PDGs that are extended with summary
edges [HRB90] at nodes representing procedure calls permit a context-sensitive PDG-based
analysis. Context-sensitive analyses take the calling context of procedure calls into account
to improve the precision of the analysis.
Example 6.7. Consider the program
temp:=h; swap(temp, h ′); temp:=l ; swap(temp, l ′)
where h and h ′ are high variables, l , l ′, and temp are low variables, and procedure swap
swaps the values of its arguments. A context-sensitive analysis can detect that the
program does not leak secret information into the final values of l , l ′, and temp. A
context-sensitive analysis is needed to detect this, because temp must be treated as secret
at the first call site, but as public at the second call site. ♦
Using PDGs with summary edges for context-sensitive information flow analysis is
proposed in [HS09]. A formalization of and soundness results for such an analysis are
provided in [Was09, Was10] (following the formalization of summary edges in [RHSR94]).
In this section, we investigate how the idea underlying the notion of summary edges can
94 Chapter 6. A Bridge to PDG-based Information Flow Analysis
be adopted to a type-based analysis. As we will show, there already exists a concept in
type-based analyses that corresponds to summary edges. The main theorem of this section
is that the resulting context-sensitive security type system accepts the same programs as
the PDG-based analysis with summary edges.
6.5.1 Programs and Control Flow Graphs with Procedures
We consider programs with call-by-value, return-by-value procedures. Let P be a finite set
of procedure names. The signature for procedure name p ∈ P is the pair (lp,mp) ∈ N×N
where lp is the number of in parameters and mp the number of out parameters of
procedure p. A procedure p is defined by the term
((x p1 , . . . , x
p
lp
), (yp1 , . . . , y
p
mp), cp),
where the variables x p1 , . . . , x
p
lp
are the formal in parameters and the variables yp1 , . . . , y
p
mp
are the formal out parameters of p, and the command cp is the body of p. Like in the
previous sections, we consider sequential programs modeled by commands in Comseq .
Here, in addition, commands (including the bodies of the procedures) may contain
procedure calls, and we extend the grammar for commands from Section 2.3 by
c ::= . . . | p(e1, . . . , elp ; z1, . . . , zmp),
where p∈P , e1, . . . , elp ∈Exp, and z1, . . . , zmp ∈Var are distinct variables. The expressions
ei are the actual in parameters of the call and the variables zi its actual out parameters.
We require that for each p ∈ P the command cp, i.e., the body of procedure p, only
contains variables in the set {x p1 , . . . , x plp} ∪ {y
p
1 , . . . , y
p
mp}. When procedure p is executed,
the initial values of the variables {x p1 , . . . , x plp} are determined by the actual in parameters
of the procedure call, and the variables {yp1 , . . . , ypmp} have a default initial value. (A
formal semantics for the language with procedures is defined in Appendix C.)
The following definition extends the construction of CFGs from Definitions 6.4–6.9 to
commands with procedure calls.
Definition 6.15. For c = p(e1, . . . , elp ; z1, . . . , zmp) we define ](c) = 1 and c[1] = c.
Moreover, we modify the definition of Nc as follows:
Nc = {start , stop} ∪ {1, . . . , ](c)}
∪ {a-inn,i,p | c[n] = p(. . .) ∧ i∈{1, . . . , lp}}
∪ {a-outn,i,p | c[n] = p(. . .) ∧ i∈{1, . . . ,mp}}.
We extend the operator 	 to the additional nodes by defining a-inn,i,p	 k= a-inn−k,i,p
and a-outn,i,p	 k= a-outn−k,i,p. Moreover, we extend the recursive definition of Ec to
procedure calls as follows:
− Ep(e1,...,elp ;z1,...,zmp ) =
{(start , stop)} ∪
{(start , 1), (1, a-in1,1,p), (a-out1,mp,p, stop)} ∪{(a-in1,i,p, a-in1,i+1,p) | i ∈ {1, . . . , lp − 1}} ∪
{(a-in1,lp,p, a-out1,1,p)} ∪{(a-out1,i,p, a-out1,i+1,p) | i ∈ {1, . . . ,mp − 1}}.
If c[n] = p(e1, . . . , elp ; z1, . . . , zmp) we define
− usec(a-inn,i,p) = vars(ei),
6.5. Context-sensitive Interprocedural Analysis 95
− defc(a-outn,i,p) = {zi}, and
− defc(n) = usec(n) = defc(a-inn,i,p) = usec(a-outn,i,p) = {}. ♦
Nodes a-inn,i,p and a-outn,i,p in the CFG of a command with procedure calls represent
writing the value of the ith actual in parameter to the ith formal in parameter of
procedure p before the execution of p and writing the value of the ith formal out parameter
to the ith actual out parameter after the execution of p, respectively. The parameter n
indicates the node in the CFG that represents the corresponding procedure call.
Example 6.8. Let addOne be a procedure with signature (1, 1) that is defined by the
term ((x ), (y), y :=x + 1). I.e., procedure addOne adds 1 to its in parameter and stores
the result in its out parameter. Let c = addOne(l ; h). Then the graphical representation
of CFGc is as follows:
start
{}
{} stop
{}
{}1
{}
{} a-in1,1,p
{l}
{} a-out1,1,p
{}
{h}
6.5.2 PDG-based Interprocedural Analysis
We define a variant of PDGs for programs with procedures, the system dependence graphs
(SDGs) [HRB90], upon which we then define a PDG-based interprocedural information flow
analysis. To define the SDG we use procedure dependence graphs that are constructed from
PDGs by adding nodes representing formal in and formal out parameters, respectively.
Definition 6.16. The procedure dependence graph PDGp for procedure p is the directed
graph (Np, Ep) where Np = (Ncp × {p}) ∪ {f -inp1, . . . , f -inplp} ∪ {f -out
p
1, . . . , f -out
p
mp} and
(n,n ′) ∈ Ep if and only if one of the following conditions is satisfied:
− n = (n ′′, p), n ′ = (n ′′′, p), and (n ′′,n ′′′) is an edge in PDG(CFGcp),
− n = f -inpi and n ′ = (n ′′, p) where n ′′ ∈ {1, . . . , ](cp)} and n ′′ is data dependent on
Node in in the control flow graph CFG
{x pi },{}
cp ,
− n = (n ′′, p) where n ′′ ∈ {1, . . . , ](cp)}, n ′ = f -outpi , and Node out is data dependent
on n ′′ in the control flow graph CFG{},{y
p
i}
cp , or
− n = f -inpi , n ′= f -outpj , and Node out is data dependent on Node in in the control
flow graph CFG
{x pi },{ypj}
cp . ♦
Nodes f -inpi and f -out
p
i represent writing the initial value of the procedure’s ith
formal in parameter before and reading the final value of the procedure’s ith formal out
parameter after the procedure execution, respectively. The edges defined in the first item
in Definition 6.16 are simply carried over from the CFG of the procedure body, and model
the dependencies within the procedure body. The edges defined in the other three items
in Definition 6.16 model dependencies on the procedure’s formal in parameters as well as
dependencies of the procedure’s formal out parameters.
Example 6.9. Reconsider the definition of procedure addOne from Example 6.8. The
set EaddOne contains the edge (f -in
addOne
1 , (1, addOne)) because Node 1 is data depen-
dent on Node in in CFG
{x},{}
y:=x+1. Moreover, the graph PDGaddOne contains the edge
((1, addOne), f -outaddOne1 ) because Node out is data dependent on Node 1 in CFG
{},{y}
y:=x+1.♦
96 Chapter 6. A Bridge to PDG-based Information Flow Analysis
The SDG contains the nodes and edges of each procedure dependence graph and edges
that connect nodes representing corresponding actual and formal in and out parameters.
Definition 6.17. The set of edges ESDG is defined by (n, n ′) ∈ ESDG if and only if there
exist k, n ′′, p, and p′ such that one of the following conditions is satisfied:
− n = (a-inn′′,k,p′ , p) and n ′= f -inp
′
k or
− n = f -outp′k and n ′ = (a-outn′′,k,p′ , p).
The system dependence graph (SDG) is the directed graph (N , E) with N =
⋃
p∈P Np and
E =
(⋃
p∈P Ep
) ∪ ESDG . ♦
Now we are ready to define PDGs with summary edges.
Definition 6.18. Let (N , E) be an SDG and A = {(a-inn,i,p′ , p) | n ∈ N ∧ i ∈
{1, . . . , lp′} ∧ p, p′ ∈ P} ∪ {(a-outn,i,p′ , p) | n ∈ N ∧ i ∈ {1, . . . ,mp′} ∧ p, p′ ∈ P}.
A list of nodes r ∈ A∗ is realizable if it is generated by the following grammar:
R ::= 〈〉 | R :: 〈(a-inn,i,p′ , p)〉 :: R :: 〈(a-outn,j,p′ , p)〉
A path p ∈ N + is realizable if p|A is realizable. ♦
Definition 6.19. Let c ∈ Comseq , I,O ⊆ Var , and (N , E) = PDG(CFGI,Oc ). The
program dependence graph with summary edges for c, I, and O is defined by (N ′, E′),
where N = N ′, E′ = E ∪ E′′, and (n,n ′) ∈ E′′ if and only if there exist n ′′, i, j, and p
such that n = a-inn′′,i,p, n
′ = a-outn′′,j,p, and the SDG contains a realizable path from
f -inpi to f -out
p
j . We denote this program dependence graph with PDG
∗(CFGI,Oc ). ♦
The edges that are in PDG∗(CFGI,Oc ) but not in PDG(CFG
I,O
c ) are called summary
edges. Intuitively, the summary edge (a-inn,i,p, a-outn,j,p) captures that the execution of
procedure p leads to a dependency of the jth actual out on the ith actual in parameter.
Example 6.10. Assume that P = {addOne, proc}, that procedure addOne is defined like
in Example 6.8, and that procedure proc is defined by the term
((x1, x2), (y1, y2), addOne(x1, x1); y2:=x1; y1:=x2).
I.e., procedure proc stores its two in parameters in its two out parameters in reverse order,
adding one to the first in parameter.
Then the SDG contains a realizable path from f -inproc1 to f -out
proc
2 . This path
represents the dependency of the second formal out parameter of proc, y2, on the first
formal in parameter of proc, x1. The path is highlighted by the bold arrows in the
graphical representation of the SDG in Figure 6.4.
Consider the command c = proc(h1, h2; h1, h2); proc(l1, l2; l1, l2). Due to the realizable
path from f -inproc1 to f -out
proc
2 in the SDG, the graph PDG
∗(CFGI,Oc ) contains the
summary edges (a-in1,1,proc, a-out1,2,proc) and (a-in2,1,proc, a-out2,2,proc) (for arbitrary sets
of variables I and O). ♦
Definition 6.20. A command c is accepted by the interprocedural PDG-based analysis if
there is no path from in to out in PDG∗(CFGHI ,LOc ). ♦
Example 6.11. Reconsider the procedures and the command c from Example 6.10 and
assume that dma(h1) = dma(h2) = high, dma(l1) = dma(l2) = low , Varin = {h1, h2},
and Varout = {l1, l2}. The PDG with summary edges PDG∗(CFGHI ,LOc ) is depicted in
Figure 6.5. This graphical representation illustrates that there is no path from in to out .
Hence, c is accepted by the interprocedural PDG-based analysis. ♦
6.5. Context-sensitive Interprocedural Analysis 97
(s
ta
r
t,
p
ro
c)
(1
,p
ro
c)
(2
,p
ro
c)
(3
,p
ro
c)
(a
-i
n
1
,1
,a
d
d
O
n
e
,p
ro
c)
(a
-o
u
t 1
,1
,a
d
d
O
n
e
,p
ro
c)
f
-i
n
p
ro
c
1
f
-i
n
p
ro
c
2
f
-o
u
tp
ro
c
2
f
-o
u
tp
ro
c
1
(s
ta
r
t,
a
d
d
O
n
e)
(1
,a
d
d
O
n
e)
f
-i
n
a
d
d
O
n
e
1
f
-o
u
ta
d
d
O
n
e
1
F
ig
u
re
6.
4:
S
y
st
em
d
ep
en
d
en
ce
g
ra
p
h
fo
r
E
x
a
m
p
le
6
.1
0
,
b
o
ld
ed
g
es
h
ig
h
li
g
h
t
a
re
a
li
za
b
le
p
a
th
st
a
r
t
1
2
a
-i
n
1
,1
,p
ro
c
a
-i
n
1
,2
,p
ro
c
a
-o
u
t 1
,1
,p
ro
c
a
-o
u
t 1
,2
,p
ro
c
a
-o
u
t 2
,2
,p
ro
c
a
-o
u
t 2
,1
,p
ro
c
a
-i
n
2
,2
,p
ro
c
a
-i
n
2
,1
,p
ro
c
o
u
t
in
F
ig
u
re
6.
5:
P
D
G
w
it
h
su
m
m
a
ry
ed
g
es
(P
D
G
∗ (
C
F
G
H
,L
c
))
fo
r
E
x
a
m
p
le
6
.1
1
98 Chapter 6. A Bridge to PDG-based Information Flow Analysis
6.5.3 Type-based Interprocedural Analysis
The PDG-based interprocedural information flow analysis from Section 6.5.2 uses the
concept of summary edges to make the analysis context-sensitive. Can the idea of summary
edges also be adopted in type-based information flow analysis?
Intuitively, given a node n that represents a call of procedure p there is a summary
edge (a-inn,i,p, a-outn,j,p) if the jth out parameter of the call might depend on the ith in
parameter of the call. This information can be encoded by a function Ψp : {yp1 , . . . , ypmp} →
P({x p1 , . . . , x plp}), with the intuition that x
p
i ∈ Ψp(ypj ) if the jth out parameter of p might
depend on the ith in parameter of p.
We used such functions to develop a type-based information flow analysis for programs
with procedures based on the type system from Section 6.2. We were surprised to discover
that the solution essentially corresponds to an existing type system that is outlined by
Hunt and Sands in [HS11]. In the following, we adapt their type system to the notation
used in this thesis and establish the main theorem of this section, namely that the resulting
interprocedural type-based information flow analysis accepts exactly the same commands
as the interprocedural PDG-based information flow analysis from Section 6.5.2.
The typing judgments have the form pc `Ψ Γ {c} Γ′ where Ψ = (Ψp)p∈P is a tuple
of functions Ψp : {yp1 , . . . , ypmp} → P({x p1 , . . . , x plp}). The set of typing rules contains all
rules from Figure 6.1 in Section 6.2 in which each judgment of the form pc ` Γ {c} Γ′ is
replaced syntactically with the judgment pc `Ψ Γ {c} Γ′, as well as the following typing
rule for procedure calls:
[call]
Γ′(x ) = Γ(x ) for x 6∈ {z1, . . . , zmp}
Γ′(zj) =
⊔{Γ(x ) |∃i : x pi ∈Ψp(ypj )∧ x ∈ vars(ei)} unionsq pc
pc `Ψ Γ {p(e1, . . . , elp ; z1, . . . , zmp)} Γ′
The rule’s first condition captures that the variables that are not among the actual out
parameters are not modified by the procedure p. The second condition captures that the
security level of the actual out parameter zi after the execution of p is determined (a) by
the security level pc and (b) by the security levels of the variables that occur free in an
actual in parameter on which the actual out parameter zi depends according to Ψp.
Similar to the type system from Section 6.2, for each pc, Ψ, Γ, and c there exists a
unique environment Γ′ such that pc `Ψ Γ {c} Γ′ is derivable.
The key insight for computing the tuple Ψ that will be used in the type-based
information flow analysis is the following: Dependencies of actual out parameters on
actual in parameters that are introduced by a procedure call can be computed using the
type system where the security lattice is instantiated with the universal lattice (P(Var),⊆).
Intuitively, if {} ` Γid {c} Γ′ is derivable where Γid(x ) = {x} for all x ∈ Var then the
value of y after executing c depends at most on the initial values of the variables in the
set Γ′(y). This observation is exploited in the following iterative fixed-point computation
of the tuple Ψ that is used in the type-based information flow analysis.
Definition 6.21. We define an infinite list of tuples of functions (Ψi)i∈N recursively as
follows: For all p ∈ P and y ∈{yp1 , . . . , ypmp}, (Ψ1)p(y) = {} and (Ψi+1)p(y) = Γ′(y) ∩
{x p1 , . . . , x plp}, where Γ′ is the unique environment such that {} `Ψi Γid {cp}Γ′ is derivable.
Since (Ψi)p(y) ⊆ (Ψi+1)p(y) for all i, p, and y and the set of variables occurring in
a program is finite there exists k ∈ N such that Ψk+i = Ψk for all i ∈ N. We define
Ψ∗ = Ψk for the minimal such k. ♦
6.6. A PDG-based Analysis for Multi-threaded Programs 99
Definition 6.22. Let c ∈ Comseq and let Γ′ be the unique environment for which the
judgment {} `Ψ∗ Γid {c}Γ′ is derivable. The command c is accepted by the interprocedural
type-based analysis if Γ′(x ) ∩HI = {} for all x ∈ LO . ♦
Intuitively, requiring that Γ′(x ) ∩HI = {} for all x ∈ LO ensures that the final value
of each low output variable does not depend on the initial value of any high input variable.
To prove that the interprocedural type-based analysis accepts precisely the same
commands as the interprocedural PDG-based analysis we lift Theorem 6.3 to commands
with procedure calls.
Theorem 6.5. Let c ∈ Comseq , y ∈ Var , and Γ be an environment. Let Γ′ be the unique
environment such that {} `Ψ∗ Γ {c} Γ′ is derivable in the type system, and let X be the
set of all x ∈ Var such that there exists a path from in to out in PDG∗(CFG{x},{y}c ).
Then Γ′(y) =
⊔
x∈X Γ(x ). ♦
Proof Sketch. In the proof (see Appendix A.10) we lift the inductive proof of Theorem 6.3
to commands with procedure calls. The key step is to define an approximation of the set
of summary edges for each k ∈ N. The kth approximation contains only those summary
edges that are due to realizable paths where the derivation for showing that the path
is realizable has at most height k. We then prove a variant of the theorem where Ψ∗ is
replaced with Ψk and the PDG with summary edges is replaced by a PDG to which we
only add the summary edges in the kth approximation of summary edges. The theorem
for the actual set of summary edges and the tuple Ψ∗ then follows from the variant of the
theorem for large enough k.
Theorem 6.6. A program is accepted by the interprocedural PDG-based analysis if and
only if it is accepted by the interprocedural type-based analysis. ♦
Proof Sketch. The proof is like the proof of Theorem 6.4, exploiting Theorem 6.5 instead
of Theorem 6.3.
Like for the comparison of the type-based and the PDG-based analysis in Section 6.4,
the interprocedural type-based and the interprocedural PDG-based analysis have the same
precision. The result indicates that the context-sensitivity of PDG-based information flow
analysis is no compelling argument for abandoning type-based information flow analysis
in favor of PDG-based information flow analysis.
6.6 A PDG-based Analysis for Multi-threaded Programs
In this section, we exploit the connection between type-based and PDG-based analysis
for sequential programs from Section 6.4 to transfer ideas from type-based analysis for
multi-threaded programs to PDGs. To this end, we develop a novel provably sound
PDG-based analysis for multi-threaded programs by adopting assumption-guarantee style
reasoning from the flow-sensitive type-based analysis for multi-threaded programs from
Section 4.5.2. Thereby, advantages of the type-based information flow analysis over
existing PDG-based information flow analyses for multi-threaded programs carry over to
the novel PDG-based analysis (we discuss the advantages in Section 6.7).
Like in the type-based analysis from Section 4.5.2 that provides typing rules for
single commands we define a PDG-based analysis for single commands that is then
used to analyze multi-threaded programs in a compositional manner. To this end, for a
100 Chapter 6. A Bridge to PDG-based Information Flow Analysis
command c we extend the set of edges of the program dependence graph PDG(CFGH ,Lc ),
resulting in a novel program dependence graph that we denote with PDG ||(CFGH ,Lc ).
The additional edges model dependencies that arise if c is executed in a multi-threaded
program in which the assumptions made for c are valid and that do not necessarily exist
if c is executed in isolation. For simplicity, we assume that each command is in the set
Comseq , i.e., we consider programs that may contain multiple threads but that do not
dynamically create new threads during execution. We denote the corresponding set of
thread pools (Comseq \ {stop})∗ with Thr seq .
Before making the definition of PDG ||(CFGH ,Lc ) precise, we make two observations
explicit that we exploit to transfer ideas from the type system to the PDG. To this end,
we compare the flow-sensitive type system for sequential programs from Section 6.2 with
the flow-sensitive type system for multi-threaded programs from Section 4.5.
Observation 6.1. In both type systems, the typing judgments capture upper bounds
on the security levels of the values of variables. In contrast to the type system from
Section 6.2, the type system from Section 4.5 requires that the upper bound for variable x
is fixed to dma(x ) unless a suitable assumption is made for x (i.e., a no-write assumption
for high variables or a no-read assumption for low variables). Fixing the upper bound to
dma(x ) reflects that (a) low variables that might be read by other threads must not store
secrets because the secrets might be leaked via other threads (i.e., the upper bound must
be low), and (b) other threads might write secrets into high variables without no-write
assumption (and, hence, the upper bound cannot be low). ♦
Observation 6.2. In contrast to the type system from Section 6.2, the type system from
Section 4.5 imposes restrictions on the control conditions of conditionals and loops. With
the exception of the semantic side condition in rule [IF], the type system requires that
the security level of control conditions is low . The rationale for this restriction is that
secret control conditions might result in internal timing leaks. ♦
We now define the novel variant of program dependence graphs, PDG ||(CFGH ,Lc ), by
adding edges that capture the additional restrictions imposed by the type-based analysis
for multi-threaded programs from Section 4.5 compared to the type-based analysis for
sequential programs from Section 6.2. In the remainder of this section we use concepts
like, for instance, modes, that are used in the definition of the flow-sensitive type-based
information flow analysis for multi-threaded programs, for which we refer to Chapter 4.
Definition 6.23. Let m ∈ Mod be a mode and x ∈ Var . Command c does not acquire
respectively release m for x if c is not of the form //ann//c′. The command //acq(x ,m)//c
acquires m for x if and only if c does not release m for x . The command //rel(x ,m)//c
releases m for x if and only if c does not acquire m for x .
For c ∈ Comseq and mds ∈ Mds we define functions CFG-mdsc,mds : Nc → Mds by
x ∈ CFG-mdsc,mds(n)(m) if and only if for all paths 〈start , . . . ,n〉 in CFGc one of the
following two conditions is satisfied:
− there exists n ′ on the path such that c[n ′] acquires m for x , and for all nodes n ′′
following n ′ on the path c[n ′′] does not release m for x , or
− x ∈ mds(m) and for all nodes n ′ on the path c[n ′] does not release m for x . ♦
Intuitively, CFG-mdsc,mds(n) is a lower bound on the modes at the program statement
or control condition in c represented by node n, assuming initial mode state mds.
6.6. A PDG-based Analysis for Multi-threaded Programs 101
start
1 2in out
start
1 2in out
Figure 6.6: PDGs for Example 6.12 (to the left with, to the right without assumption)
Definition 6.24. Let c ∈ Comseq , mds ∈ Mds, and (N , E) = PDG(CFGH ,Lc ). We define
the program dependence graph PDG ||(CFGH ,Lc ,mds) by (N , E ∪ E′) where (n,n ′)∈E′
if and only if one of the following conditions is satisfied:
1. n = in, there exists x ∈ usec(n ′) with dma(x ) = high, and there exists n ′′ ∈ N with
x 6∈ CFG-mdsc,mds(n ′′)(asm-no-w), such that there is a path p from n ′′ to n ′ with
x 6∈ defc(n ′′′) for every node n ′′′ on p with n ′′′ 6= n ′′ and n ′′′ 6= n ′,
2. n ′ = out , there exists x ∈ defc(n) with dma(x ) = low , and there exists n ′′ ∈ N with
x 6∈ CFG-mdsc,mds(n ′′)(asm-no-r), such that there is a path p from n to n ′′ with
x 6∈ defc(n ′′′) for every node n ′′′ on p with n ′′′ 6= n and n ′′′ 6= n ′′, or
3. n ∈ {1, . . . , ](c)}, c[n] ∈ Exp, and n ′ = out . ♦
The edges defined in Items 1 and 2 of Definition 6.24 capture dependencies on the initial
values of high variables and of the final values of low variables that might occur if c is
executed as a thread in a multi-threaded program. The assumptions (represented by
modes) are exploited to exclude dependencies that only exist if c is executed in a multi-
threaded programs for which the assumptions are not valid. The edges defined in Item 3
capture dependencies on control conditions that might result from internal timing leaks.
The definition of the additional edges is inspired by Observations 6.1 and 6.2. According
to Observation 6.1, secret values in low variables that might be read by other threads
may be leaked into the final values of low variables. This is captured by the edge (n, out)
whenever Node n defines a low variable such that the value might eventually be read by
another thread. Moreover, according to Observation 6.1, writing a public value into a high
variable does not guarantee that the value remains public if other threads might write
the value. This is captured by edges (in, n) whenever Node n uses a high variable whose
value might have been written by another thread. Finally, according to Observation 6.2,
conditionals with high control conditions might lead to internal timing leaks, which is
captured by the edges (n, out) whenever n represents a control condition.
Example 6.12. Consider the following command, where h is a secret input variable and l
is a public output variable:
c = //acq(asm-no-r , l)//; l :=h; l :=0; //rel(asm-no-r , l)//
Then PDG ||(CFGH ,Lc ,mds0) = PDG(CFG
H ,L
c ), where mds0(m) ={} for all m ∈Mod .
This PDG is displayed at the left of Figure 6.6.
Let c′ = l :=h; l :=0. Then PDG ||(CFGH ,Lc′ ,mds0) contains an edge from the node
representing the assignment l :=h to Node out (see the PDG at the right of Figure 6.6).
This edge is due to Item 2 in Definition 6.24. Intuitively, the edge captures that the value
assigned to l in c′ might be leaked to low outputs via other threads because no no-read
assumption is made. In particular, PDG ||(CFGH ,Lc′ ,mds0) 6= PDG(CFGH ,Lc′ ). ♦
Definition 6.25. Let thr ∈ Thr seq and let mdss ∈ Mds∗. The thread pool thr is accepted
by the PDG-based analysis for multi-threaded programs for the list of mode states mds
102 Chapter 6. A Bridge to PDG-based Information Flow Analysis
and scheduler S if and only if for each i ∈ {1, . . . , ](thr)} there is no path from in to out
in the program dependence graph PDG ||(CFGH ,Lthr [i],mdss[i]) and (thr ,mdss) has sound
modes for S. ♦
Example 6.13. Reconsider the commands c and c′ from Example 6.12. The thread
pool 〈c〉 is accepted by the PDG-based analysis for multi-threaded programs for the
initial mode state mds0. However, the thread pool 〈c′〉 is not accepted because due to
the additional edge described in Example 6.12 the graph PDG ||(CFGH ,Lc′ ,mds0) contains
a path from Node in to Node out . ♦
Not accepting 〈c′〉 is crucial for the compositionality of the PDG-based analysis
because another thread executing l ′:=l could copy the intermediate secret value of l into a
public variable l ′. We prove the soundness of the PDG-based analysis for multi-threaded
program by relating it to the soundness of the security type system from Section 4.5.
Theorem 6.7. Assume that the observation function obs is confined to L. If the thread
pool thr is accepted by the PDG-based analysis for multi-threaded programs for the list
of mode states mdss then the thread pool is S-noninterferent for any scheduler S. ♦
Proof Sketch. To prove the theorem, we show that ` thr is derivable in the type system
from Section 4.5. Then the theorem follows immediately from the soundness result for
the type system (Theorem 4.8).
The proof (see Appendix A.10) shows that the non-derivability of the judgment
` Λi {thr [i]} Λ′i for a partial environment Λi consistent with mdss [i] guarantees the exis-
tence of a path from in to out in the program dependence graph PDG ||(CFGH ,Lthr [i],mdss [i])
(exploiting the relation between PDG-based and type-based analysis from Theorem 6.3).
In consequence, for all i ∈ {1, . . . , ](thr)} there exists Λ′i such that ` Λi {thr [i]} Λ′i is
derivable, and, hence, all conditions of the typing rule [PAR] are satisfied.
The novel PDG-based analysis is compositional, which follows directly from its
definition (Definition 6.25). In consequence, it permits concurrent writes to public
variables. This is an advantage over existing PDG-based analyses for multi-threaded
programs that forbid such useful nondeterministic program behavior (see the comparison
to related work in Section 6.7). Moreover, the novel PDG-based analysis is also scheduler-
independent. This follows directly from Theorem 6.7 that establishes soundness of the
analysis with respect to a scheduler-independent information flow property.
6.7 Summary and Comparison to Related Work
In this chapter, we have investigated the relation between type-based and PDG-based
information flow analysis. To this end, we have established a formal connection between
the type-based information flow analysis for sequential programs from [HS06] and the
PDG-based information flow analysis for sequential programs from [WLS09]. We were
able to use this connection in different directions. Firstly, we showed that the type-based
information flow analysis has exactly the same precision as the PDG-based information
flow analysis. This result is somewhat surprising, in particular, because a motivation for
using PDGs in an information flow analysis was their precision (e.g., [HS09]). Secondly,
we used the relation to transfer techniques and ideas from one tradition of information
flow analysis to the other. In the one direction, we transferred the concept of summary
edges from PDG-based analysis to type-based analysis, resulting in a context-sensitive
6.7. Summary and Comparison to Related Work 103
type-based information flow analysis. In the other direction, we transferred the concept
of assumption-guarantee reasoning that was the basis for the type-based analysis of
multi-threaded programs in Chapter 4 to PDG-based analysis. This transfer resulted
in a provably sound PDG-based information flow analysis for multi-threaded programs
that inherits benefits of the type-based analysis over existing PDG-based information
flow analyses for multi-threaded programs. This shows that the connection between
type-based and PDG-based information flow analysis is suitable to facilitate learning by
one research sub-community from the other. For instance, this also gives hope that results
on controlling declassification with security type systems can be used to develop semantic
foundations for PDG-based analysis that permit declassification. Though there are PDG-
based analyses that permit declassification (e.g., [HS09]), they yet lack a soundness result,
and, hence, it is unclear which noninterference-like property they certify.
We are aware of only two approaches to PDG-based information flow analysis for
multi-threaded programs. Hammer [Ham09] presents an implementation of a PDG-based
analysis for concurrent Java programs, where edges between the PDGs of the individual
Java threads are computed following the extension of PDGs to concurrent programs from
Krinke [Kri03]. However, since this PDG construction does not capture dependencies
between nodes in the PDG that are a result of internal timing leaks, the resulting
PDG-based information flow analysis does not detect such information leaks.
Giffhorn and Snelting [GS12] present a PDG-based information flow analysis for
multi-threaded programs that does not accept programs with internal timing leaks. The
analysis enforces an information flow property defined in the tradition of observational
determinism [RWW94, ZM03], and, therefore, classifies all programs as insecure that have
nondeterministic public output. Hence, the analysis forbids useful nondeterminism, which
occurs, for instance, when multiple threads append entries to the same log file (compare
also the examples in Sections 3.5 and 4.6). Our novel analysis permits concurrent writes
to public variables and, hence, accepts secure programs that are not accepted by the
analysis from [GS12]. Moreover, in contrast to the analysis from [GS12] our novel analysis
is compositional.

C
H
A
P
T
E
R
7
Conclusions and Outlook
7.1 Conclusions
The motivation for this thesis was that existing information flow analyses for multi-
threaded programs were not as satisfactory as existing information flow analyses for
sequential programs, in particular (a) that existing scheduler-independent properties were
overly restrictive, and (b) that existing properties were not suitable for flow-sensitive
information flow analyses. Moreover, these deficiencies were already caused by the
underlying semantic characterizations of information flow security. These characterizations
classify multi-threaded programs as insecure if the programs have certain properties
that indicate potential for but do not necessarily result in information flow (like, e.g.,
nondeterministic public program output or secret control conditions).
In this thesis we have developed novel compositional and scheduler-independent
semantic characterizations of information flow security for multi-threaded programs that
overcome deficiencies of existing solutions. Moreover, we have exploited the improvements
in the semantic characterizations in the development of novel type-based program analysis
techniques for information flow security. We have shown that both the novel security
properties and the novel type-based analyses can be integrated with each other, resulting
in properties and analyses that combine the benefits of the single properties and analyses.
Finally, we have developed a bridge between type-based and PDG-based information flow
analysis that we have exploited for illustrating that the novel properties are also suitable
for developing sound PDG-based information flow analysis for multi-threaded programs.
The benefit of the novel property FSI-security from Chapter 3 is that FSI-security
(a) does not unconditionally classify programs with nondeterministic public output as
insecure and (b) does not unconditionally classify programs with secret control conditions
as insecure. That such a compositional and scheduler-independent information flow
property exists was rather surprising in the light of Sabelfeld’s result that a more restrictive
information flow property, strong security, is the least restrictive compositional information
flow property that is scheduler-independent for a natural class of schedulers [Sab03]. The
key insight for developing the less restrictive property FSI-security was the characterization
105
106 Chapter 7. Conclusions and Outlook
of another natural but smaller class of schedulers, the robust schedulers, that excludes
some non-relevant schedulers. We defined FSI-security using the Per-approach, which
enables an integration with other information flow properties defined using that approach.
We believe that this approach simplifies the integration of FSI-security with information
flow properties resulting from research efforts in other directions that are also based on
the Per-approach, like, e.g., properties that support controlled declassification. Such
properties have been shown to be scheduler independent, but they share deficiencies of
scheduler-independent properties predating FSI-security (e.g., [LMP12]).
SIFUM-security (Chapter 4) is the basis for a flow-sensitive information flow analysis for
multi-threaded programs. The key for developing SIFUM-security and the corresponding
flow-sensitive security type system was the adoption of assumption-guarantee based
reasoning in the information flow analysis. Assumption-guarantee based reasoning has
been used widely in other application domains (see, e.g., [Sta85, Var95, HQR98, PDH99,
Din03]), but was previously not used for language-based information flow security. We
have shown with a realistic example program that flow-sensitive information flow analysis
can significantly improve the precision of the analysis compared to flow-insensitive
information flow analysis. Moreover, we have shown that SIFUM-security and the
flow-sensitive security type system can be integrated with the improvements regarding
scheduler-independence from Chapter 3 (in Chapter 5), and we believe that the resulting
property can be further integrated with properties that support controlled declassification.
We hope that our contributions initiate the adoption of both flow-sensitivity as well as
assumption-guarantee based reasoning in information flow analysis and lead to more
widely and better applicable information flow analyses for multi-threaded programs.
SIFUM-security is one of the two pillars on which we base the development of a
sound, compositional, and scheduler-independent PDG-based information flow analysis
for multi-threaded programs in Chapter 6. The second pillar is a formal bridge between
existing type-based and PDG-based information flow analyses for sequential programs.
Besides enabling the development of a PDG-based information flow analysis for multi-
threaded programs, with this bridge we could also show that the flow-sensitivity and
the context-sensitivity of PDGs are no compelling reasons for favoring PDG-based over
type-based information flow analyses. We believe that our results on the relation between
PDG-based and type-based information flow analysis can be further used as basis for the
communication between the sub-communities advancing the respective analysis techniques,
to help learning from each other, and possibly even to jointly advance the state of the art
on language-based information flow analysis.
7.2 Outlook
There are multiple promising avenues for building on the results developed in this thesis.
Some of them arise from the possibility to further combine results from this thesis, and
some of them arise as natural continuations of the presented work. In the remainder of
this chapter we briefly discuss possibilities that we believe are most promising.
Exploiting Concrete Synchronization Primitives. To ensure that assumptions and guar-
antees that are used in the security analyses from Chapters 4, 5, and 6 are valid for
the analyzed program, usually threads have to be properly synchronized. While we
defined the corresponding security analyses such that they are independent of concrete
synchronization primitives, the properties provide the basis for exploiting synchronization
7.2. Outlook 107
primitives in the analysis. In particular, assumptions and guarantees could be derived
directly from the synchronization primitives in the program. For instance, using critical
regions that ensure exclusive access for a variable could be exploited by making no-read
and no-write assumptions while in the critical region, as well as providing no-read and
no-write guarantees when outside the critical region. The benefit of this approach is that
assumptions and guarantees would no longer be needed to be specified manually.
Extending Assumptions and Guarantees. In this thesis, we considered no-read and no-write
assumptions for shared variables. Beyond this, assumptions and guarantees could also
characterize other aspects of program behavior. For instance, another type of assumptions
and guarantees could be used to further increase the precision of FSI-security from
Chapter 3: FSI-security requires that threads do not write low variables if the number of
execution steps before such a write depends on a secret. The corresponding security type
system ensures this by forbidding writes to low variables after a high control condition.
This requirement prevents internal timing channels that might occur if the low variable is
also written by other threads. Under the assumption that the written low variables will
not be written by other threads, however, the requirement could be relaxed. For instance,
the thread while (secret > 0) do secret:=secret− 1 od; l :=0 could be classified as secure
under the assumption that after the execution of the loop no other thread writes l .
Further Exploiting the Bridge between PDG-based and Type-based Information Flow Analysis.
We have used the bridge between PDG-based and type-based information flow analysis
from Chapter 6 for comparing the precision of analyses and for transferring concepts
from type-based to PDG-based analysis and vice versa. We believe that the bridge is also
useful for further transfers of this kind. For instance, the ideas exploited in the definition
of FSI-security from Chapter 3 could also be transferred to PDGs. Intuitively, it suffices
to remove edges in the PDG for multi-threaded programs from Section 6.6 that represent
dependencies of the final values of low variables on control conditions if no low assignments
occur after the corresponding conditional or loop. Beyond this, it would be desirable to
use results on controlling declassification with security type systems to develop semantic
foundations for PDG-based analysis that permit declassification. Moreover, it would also
be desirable to transfer further concepts from PDG-based to type-based information flow
analysis. For instance, object-sensitive information flow analyses have been investigated
in detail for PDGs (e.g., [HS09]), but not for type-based analysis.
Controlled Declassification. We believe that information flow properties and analyses
developed in this thesis can be integrated with existing properties and analyses that
support controlled declassification (e.g., [MR07, LM09]). These properties are also defined
using the Per-approach, and, hence, we expect them to be compatible with the properties
developed in this thesis.

A
P
P
E
N
D
IX
Detailed Proofs
A.1 Properties of Low Bisimulation Modulo Low Matching
This appendix proves several lemmas that establish that certain relations are low bisimu-
lations modulo low matching.
The proofs in this appendix make frequent use of the following property of low matches:
Lemma A.1. Let thr1, thr2, and thr3 be thread pools with i2 = l -matchthr1,thr2(i1) and
i3 = l -matchthr2,thr3(i2). Then i3 = l -matchthr1,thr3(i1). ♦
Proof. The lemma follows immediately from the fact that low matchings are order-
preserving bijections.
Lemma A.2. Define the relation R on thread pools by thr1 R thr2 if and only if there
exists thr ′ such that thr1 ∼lm thr ′ and thr ′ ∼lm thr2. Then R is a low bisimulation
modulo low matching. ♦
Proof. Assume that thr1 R thr2, mem1 =L mem2, and 〈thr1[k1],mem1〉 α1−_ 〈c′1,mem ′1〉
where α1 = new(thr1). By the definition of R there exists thr ′ such that thr1 ∼lm thr ′
and thr ′ ∼lm thr2.
Assume that thr1[k1] ∈ LCom. Since thr1 ∼lm thr ′ there exist c′2, mem ′2, and
α2 = new(thr
′
2) such that the following conditions are satisfied:
− 〈thr ′[k′],mem2〉 α2−_ 〈c′2,mem ′2〉 where k′ = l -matchthr1,thr ′(k1),
− mem ′1 =L mem ′2,
− ∣∣{i ∈ {1, . . . , ](thr ′1)} | thr ′1[i] ∈ LCom}∣∣ = ∣∣{i ∈ {1, . . . , ](thr ′2)} | thr ′2[i] ∈ LCom}∣∣,
and
− updatek1(thr1, c′1, α1) ∼lm updatek′(thr ′, c′2, α2).
With thr ′ ∼lm thr2 it follows that the following conditions are satisfied:
− 〈thr2[k2],mem2〉 α2−_ 〈c′2,mem ′2〉 where k2 = l -matchthr ′,thr2(k′) and
− updatek′(thr ′, c′1, α1) ∼lm updatek2(thr2, c′2, α2).
109
110 Appendix A. Detailed Proofs
Hence, updatek1(thr1, c
′
1, α1) R updatek2(thr2, c′2, α2). Moreover, since low matchings are
order-preserving bijections it follows from the equalities k′ = l -matchthr1,thr ′(k1) and
k2 = l -matchthr ′,thr2(k
′) that k2 = l -matchthr1,thr2(k1).
Assume now that thr1[k1] ∈ HCom. Then updatek1(thr1, c′1, α1) ∼lm thr ′ because
thr1 ∼lm thr ′. Since also thr ′ ∼lm thr2 it follows that updatek1(thr1, c′1, α1) R thr2.
Lemma A.3. Define thr1 R thr2 if and only if there exist thr1,1, thr1,2, thr2,1, and
thr2,2 such that thr1 = thr1,1 :: thr1,2, thr2 = thr2,1 :: thr2,2, thr1,1 ∼lm thr2,1, and
thr1,2 ∼lm thr2,2. Then the relation R is a low bisimulation modulo low matching. ♦
Proof. Assume that thr1 R thr2, mem1 =L mem2, and 〈thr1[k1],mem1〉 α1−_ 〈c′1,mem ′1〉.
As thr1 R thr2 there exist thr1,1, thr1,2, thr2,1, and thr2,2 such that thr1 = thr1,1 :: thr1,2,
thr2 = thr2,1 :: thr2,2, thr1,1 ∼lm thr2,1, and thr1,2 ∼lm thr2,2. We distinguish between
the cases thr1[k1] ∈ LCom and thr1[k1] ∈ HCom, as well as between the cases k1 ∈
{1, . . . , ](thr1,1)} and k1 ∈ {](thr1,1) + 1, . . . , ](thr1)}, resulting in four different cases.
− Case 1: thr1[k1] ∈ LCom and k1 ∈ {1, . . . , ](thr1,1)}.
In this case, thr1,1[k1] ∈ LCom and 〈thr1,1[k1],mem1〉 α1−_ 〈c′1,mem ′1〉. Hence, as
thr1,1 ∼lm thr2,1 there exist c′2, mem ′2, and α2 such that
1. 〈thr2,1[k2],mem2〉 α2−_ 〈c′2,mem ′2〉,
2. mem ′1 =L mem
′
2, and
3. updatek1(thr1,1, c
′
1, α1) ∼lm updatek2(thr2,1, c′2, α2),
where k2 = l -matchthr1,1,thr2,1(k1).
The thread pools thr1,1 and thr2,1 contain the same number of low threads as
thr1,1 ∼lm thr2,1. Hence, l -matchthr1,1,thr2,1(k1) = l -matchthr1,thr2(k1). With
Items (1)–(3) above, thr1 = thr1,1 :: thr1,2, and thr2 = thr2,1 :: thr2,2 it follows that
∗ 〈thr2[k2],mem2〉 α2−_ 〈c′2,mem ′2〉, and
∗ updatek1(thr1, c′1, α1) R updatek2(thr2, c′2, α2),
where k2 = l -matchthr1,thr2(k1). This concludes the proof for this case.
− Case 2: thr1[k1] ∈ LCom and k1 ∈ {](thr1,1) + 1, . . . , ](thr1)}.
In this case, thr1,2[k1 − ](thr1,1)] ∈ LCom and 〈thr1,2[k1 − ](thr1,1)],mem1〉 α1−_
〈c′1,mem ′1〉. The proof is as in the previous case, using that thr1,2 ∼lm thr2,2 and
that l -matchthr1,2,thr2,2(k1 − ](thr1,1)) = l -matchthr1,thr2(k1)− ](thr2,1).
− Case 3: thr1[k1] ∈ HCom and k1 ∈ {1, . . . , ](thr1,1)}.
In this case, thr1,1[k1] ∈ HCom and 〈thr1,1[k1],mem1〉 α1−_ 〈c′1,mem ′1〉. Hence,
it follows with thr1,1 ∼lm thr2,1 that updatek1(thr1,1, c′1, α1) ∼lm thr2,1. Since
thr1 = thr1,1 :: thr1,2, thr2 = thr2,1 :: thr2,2, and thr1,2 R thr2,2, it follows that
updatek1(thr1, c
′
1, α1) R thr2. This concludes the proof for this case.
− Case 4: thr1[k1] ∈ HCom and k1 ∈ {](thr1,1) + 1, . . . , ](thr1)}.
In this case, thr1,2[k1 − ](thr1,1)] ∈ HCom and 〈thr1,2[k1 − ](thr1,1)],mem1〉 α1−_
〈c′1,mem ′1〉. The proof is as in the previous case, using that thr1,2 ∼lm thr2,2.
A.1. Properties of Low Bisimulation Modulo Low Matching 111
Lemma A.4. Define the relation R′ on thread pools by thr1 R′ thr2 if and only if there
exists thrp2 such that thr2|LCom = thrp2|LCom and thr1 ∼lm thrp2. Moreover, define the
relation R as the symmetric closure of R′. Then relation R is a low bisimulation modulo
low matching. ♦
Proof. Assume that thr1 R thr2, mem1 =L mem2, and 〈thr1[k1],mem1〉 α1−_ 〈c′1,mem ′1〉
where α1 = new(thr1). By the definition of R there are the two cases that thr1 R′ thr2
and that thr2 R′ thr1. We distinguish between these two cases in the following.
Assume that thr1 R′ thr2. We distinguish between the cases that thr1[k1] ∈ LCom
and that thr1[k1] ∈ HCom.
− Case 1: Assume that thr1[k1] ∈ LCom.
Since thr1 R′ thr2 there exists thrp2 with thr2|LCom = thrp2|LCom and thr1 ∼lm thrp2.
Since thr1 ∼lm thrp2 there exist c′2, mem ′2, and α2 = new(thr ′2) such that the following
conditions are satisfied for k2 = l -matchthr1,thrp2 (k1):
∗ 〈thrp2[k2],mem2〉 α2−_ 〈c′2,mem ′2〉,
∗ mem ′1 =L mem ′2,
∗ ](thr ′1|LCom) = ](thr ′2|LCom), and
∗ updatek1(thr1, c′1, α1) ∼lm updatek2(thrp2, c′2, α2).
With thr2|LCom = thrp2|LCom it follows that the following conditions are satisfied:
∗ 〈thr2[k3],mem2〉 α2−_ 〈c′2,mem ′2〉 where k3 = l -matchthrp2 ,thr2(k2), and
∗ (updatek3(thr2, c′2, α2))|LCom = (updatek2(thrp2, c′2, α2))|LCom
Hence, updatek1(thr1, c
′
1, α1) R′ updatek2(thr2, c′2, α2) and hence, by the definition
of R, updatek1(thr1, c′1, α1) R updatek2(thr2, c′2, α2). Moreover, it follows from k2 =
l -matchthr1,thrp2 (k1) and k3 = l -matchthr
p
2 ,thr2
(k2) that k3 = l -matchthr1,thr2(k1).
− Case 2: Assume that thr1[k1] ∈ HCom.
Since thr1 R′ thr2 there exists thrp2 with thr2|LCom = thrp2|LCom and thr1 ∼lm thrp2.
Since thr1 ∼lm thrp2 it follows from the definition of low bisimulations modulo low
matching that updatek1(thr1, c
′
1, α1) ∼lm thrp2, i.e., updatek1(thr1, c′1, α1) R′ thr2.
Hence, by the definition of R, updatek1(thr1, c′1, α1) R thr2.
Assume now that thr2 R′ thr1. We distinguish between the cases that thr2[k1] ∈ LCom
and that thr2[k1] ∈ HCom.
− Case 1: Assume that thr1[k1] ∈ LCom.
Since thr2 R′ thr1 there exists thrp1 with thr1|LCom = thrp1|LCom and thr2 ∼lm thrp1.
By symmetry of ∼lm it follows that thrp1 ∼lm thr2.
From thr1|LCom = thrp1|LCom and 〈thr1[k1],mem1〉 α1−_ 〈c′1,mem ′1〉 it follows that
〈thrp1[k2],mem1〉 α1−_ 〈c′1,mem ′1〉, where k2 = l -matchthr1,thrp1 (k1). Hence, it follows
with thrp1 ∼lm thr2 that there exist c′2, mem ′2, and α2 = new(thr ′2) such that the
following conditions are satisfied for k3 = l -matchthrp1 ,thr2(k2):
∗ 〈thr2[k3],mem2〉 α2−_ 〈c′2,mem ′2〉,
∗ mem ′1 =L mem ′2,
∗ ](thr ′1|LCom) = ](thr ′2|LCom), and
∗ updatek2(thrp1, c′1, α1) ∼lm updatek3(thr2, c′2, α2).
112 Appendix A. Detailed Proofs
Then updatek3(thr2, c
′
2, α2) ∼lm updatek2(thrp1, c′1, α1) by symmetry of ∼lm. More-
over, (updatek1(thr1, c
′
1, α1))|LCom = (updatek2(thrp1, c′1, α1))|LCom follows from k2 =
l -matchthr1,thrp1 (k1) and thr1|LCom = thr
p
1|LCom . In consequence,
updatek3(thr2, c
′
2, α2) R′ updatek1(thr1, c′1, α1) (set thrp2 = updatek2(thrp1, c′1, α1) in
the definition of R′), and, hence, updatek1(thr1, c′1, α1) R updatek3(thr2, c′2, α2).
Moreover, k3 = l -matchthr1,thr2(k1), because k2 = l -matchthr1,thrp1 (k1) and k3 =
l -matchthrp1 ,thr2(k2).
− Case 2: Assume that thr1[k1] ∈ HCom.
Since thr2 R′ thr1 there exists thrp1 with thr1|LCom = thrp1|LCom and thr2 ∼lm
thrp1. Moreover, (updatek1(thr1, c
′
1, α1))|LCom = thrp1|LCom because high threads
only spawn high threads. In consequence, thr2 R′ (updatek1(thr1, c′1, α1))|LCom and,
hence, (updatek1(thr1, c
′
1, α1))|LCom R′ thr2.
Lemma A.5. If thr1 ∼lm thr2 then thr1 ∼lm thr2|LCom . ♦
Proof. We define the relation R′ on thread pools by thr1 R′ thr2 if and only if there
exists thrp2 such that thr2|LCom = thrp2|LCom and thr1 ∼lm thrp2. Moreover, we define the
relation R as the symmetric closure of R′. Then R is a low bisimulation modulo low
matching by Lemma A.4.
Assume that thr1 ∼lm thr2. Then thr1 R thr2|LCom . Since R is a low bisimulation
modulo low matching it follows from the definition of ∼lm that thr1 ∼lm thr2|LCom .
A.2 Scheduler Simulations
This appendix contains the proofs that the simulation relations used in the proofs of
Theorems 3.10–3.12 that establish the robustness of Round-Robin, uniform, and lottery
schedulers are actually S-simulations for the respective schedulers.
Lemma A.6. We define relation ≺ by 〈thr1,mem1, sst1〉 ≺ 〈thr2,mem2, sst2〉 if and only
if the following conditions are satisfied:
1. thr1 ∼lm thr2,
2. mem1 =L mem2,
3. thr1|LCom = thr2, and
4. if k1 = [(sst1(choice) + (](thr1)− sst1(size)) mod ](thr1)] + 1 and thr1[k1] ∈ LCom
then l -matchthr1,thr2(k1) = [(sst2(choice) + (](thr2)− sst2(size)) mod ](thr2)] + 1.
Then the relation ≺ is an RR-simulation. ♦
Proof. Let sc1 = 〈thr1,mem1, sst1〉 ≺ sc2 = 〈thr2,mem2, sst2〉.
Then ](thr1|LCom) = ](thr2) holds due to Item 3 of the definition of ≺ and the fact
that (thr |LCom)|LCom = thr |LCom for all thread pools thr .
Let k1, p1, and sc
′
1 = 〈thr ′1,mem ′1, sst ′1〉 such that sc1 k1,p1===⇒RR sc′1. Then, by the
derivation rule for transitions of system configurations there exist c′1 and α1 such that
the following conditions are satisfied:
(a) 〈thr1[k1],mem1〉 α1−_ 〈c′1,mem ′1〉 and
(b) thr ′1 = updatek1(thr1, c
′
1, α1)
A.2. Scheduler Simulations 113
Moreover, it follows from the derivation rule for transitions of system configurations that
(sst1, ](thr1))
k1,p1 RR sst ′1. Hence, by the definition of RR, the following conditions are
satisfied:
(c) k1 = [(sst1(choice) + (](thr1)− sst(size))) mod ](thr1)] + 1 and
(d) p1 = 1
We distinguish between the cases that thr1[k1] ∈ LCom and thr1[k1] ∈ HCom.
Assume that thr1[k1] ∈ LCom. Then, due to Items 1 and 2 in the definition of ≺,
there exist c′2, mem
′
2, and α2 such that the following conditions are satisfied:
(e) 〈thr2[k2],mem2〉 α2−_ 〈c′2,mem ′2〉 where k2 = l -matchthr1,thr2(k1),
(f) mem ′1 =L mem
′
2, and
(g) updatek1(thr1, c
′
1, α1) ∼lm updatek2(thr2, c′2, α2)
From (c), k2 = l -matchthr1,thr2(k1) (in (e)), and Item 4 in the definition of ≺ it follows
that k2 = [(sst2(choice)+(](thr2)−sst2(size)) mod ](thr2)]+1. Hence, by the definition
of RR there exists sst ′2 such that (sst2, ](thr2))
k2,1 RR sst ′2. Hence, by the derivation rule
for transitions of system configurations sc2
k2,p2
===⇒RR sc′2 for sc′2 = 〈thr ′2,mem ′2, sst ′2〉 and
thr ′2 = updatek2(thr2, c
′
2, α2), and p2 = 1. From p1 = 1 it follows that l -ρRR(sc1) = 1,
and, hence, p2 = p1/l -ρRR(sc1).
It remains to show that sc′1 ≺ sc′2|LCom .
From (g) and Lemma A.5 it follows that thr ′1 ∼lm thr ′2|LCom , i.e., Item 1 of the
definition of ≺ holds for sc′1 and sc′2|LCom . Moreover, Item 2 holds due to (f) and Item 3
holds because (thr |LCom)|LCom = thr |LCom for all thread pools.
To show that Item 4 is satisfied, let k′1 = [(sst
′
1(choice) + (](thr
′
1) − sst ′1(size))
mod ](thr ′1)] + 1 and assume that thr
′
1[k
′
1] ∈ LCom. By the definition of RR, it follows
that k′1 =[(k1 + (](thr
′
1)− ](thr1))) mod ](thr ′1)] + 1. We distinguish between the cases
that k1 = ](thr1) and that k1 < ](thr1), and write thr
′′
2 for thr
′
2|LCom in the following.
Assume that k1 = ](thr1). Then k
′
1 = 1. Hence, l -matchthr ′1,thr ′′2 (k
′
1) = 1 because thr
′′
2
does not contain high threads. Moreover, k2 = ](thr2) because k2 = l -matchthr1,thr2(k1)
and thr2 does not contain any high threads. Hence, k
′
2 =[(k2 + (](thr
′′
2) − ](thr2)))
mod ](thr ′′2)] + 1 = 1. Thus, [(sst
′
2(choice) + (](thr
′′
2)− sst ′2(size)) mod ](thr ′′2)] + 1 = 1
by the definition of RR. I.e., l -matchthr ′1,thr ′2|LCom (k
′
1) = [(sst
′
2(choice) + (](thr
′
2|LCom)−
sst ′2(size)) mod ](thr
′
2|LCom)] + 1.
Assume that k1 < ](thr1). Then k1 + (](thr
′
1) − ](thr1)) < ](thr ′1), and, hence,
k′1 = k1 + (](thr
′
1) − ](thr1)) + 1. Moreover, it follows from k2 = l -matchthr1,thr2(k1),
thr ′1[k
′
1] ∈ LCom, and k1 < ](thr1) that k2 < ](thr2) (if k2 = ](thr2) would hold then k1
would be the largest index of a low thread in thr1, and, hence, k
′
1 would be the index of
a high thread in thr ′1). Hence, k2 + (](thr
′′
2) − ](thr2)) < ](thr ′′2), and, in consequence,
[(k2 + (](thr
′′
2) − ](thr ′1))) mod ](thr ′′2)] + 1 = k2 + (](thr ′′2) − ](thr ′1)) + 1. It follows
from l -matchthr1,thr2(k1) = k2 that l -matchthr ′1,thr ′′2 (k
′
1) = k2 + (](thr
′′
2)− ](thr ′1)) + 1 (k′1
is obtained by increasing k1 by 1 plus the number of new threads, and k2 is increased
by 1 plus the number of new low threads) . Hence, it follows with the definition of
RR that l -matchthr ′1,thr ′′2 (k
′
1) = (sst
′
2(choice) + (](thr
′′
2) − sst ′2(size)) mod ](thr ′′2)] + 1.
I.e., we have shown l -matchthr ′1,thr ′2|LCom (k
′
1) = [(sst
′
2(choice) + (](thr
′
2|LCom)− sst ′2(size))
mod ](thr ′2|LCom)] + 1.
Assume now that thr1[k1] ∈ HCom. We have to show that sc′1 ≺ sc2. From Items 1
and 2 in the definition of ≺ and the definition of ∼lm it follows that thr ′1 ∼lm thr2 (i.e.,
Item 1 of the definition of ≺ holds for sc′1 and sc2). That Item 2 holds follows from
114 Appendix A. Detailed Proofs
thr1[k1] ∈ HCom. Items 3 and 4 follow from the fact that an execution step of a high
thread does not change the order of low threads in the thread pool, and, in consequence,
thr1|LCom = thr ′1|LCom .
Lemma A.7. We define relation ≺ by 〈thr1,mem1, sst1〉 ≺ 〈thr2,mem2, sst2〉 if and only
if the following conditions are satisfied:
1. thr1 ∼lm thr2,
2. mem1 =L mem2, and
3. thr1|LCom = thr2.
Then the relation ≺ is a Uni -simulation. ♦
Proof. Let sc1 = 〈thr1,mem1, sst1〉 ≺ sc2 = 〈thr2,mem2, sst2〉.
Then ](thr1|LCom) = ](thr2) holds due to Item 3 of the definition of ≺ and the fact
that (thr |LCom)|LCom = thr |LCom for all thr .
Let k1, p1, and sc
′
1 = 〈thr ′1,mem ′1, sst ′1〉 such that sc1 k1,p1===⇒Uni sc′1. Then by the
derivation rule for transitions of system configurations there exist c′1 and α1 such that
the following conditions are satisfied:
(a) 〈thr1[k1],mem1〉 α1−_ 〈c′1,mem ′1〉 and
(b) thr ′1 = updatek1(thr1, c
′
1, α1).
Moreover, it follows from the derivation rule for transitions of system configurations that
(sst1, ](thr1))
k1,p1 Uni sst ′1. It follows by the definition of Uni that p1 = 1/](thr1).
We distinguish between the cases that thr1[k1] ∈ LCom and that thr1[k1] ∈ HCom.
Assume that thr1[k1] ∈ LCom. Then, due to Items 1 and 2 in the definition of ≺,
there exist c′2, mem
′
2, and α2 such that the following conditions are satisfied:
(c) 〈thr2[k2],mem2〉 α2−_ 〈c′2,mem ′2〉 where k2 = l -matchthr1,thr2(k1),
(d) mem ′1 =L mem
′
2, and
(e) updatek1(thr1, c
′
1, α1) ∼lm updatek2(thr2, c′2, α2).
From the definition of Uni it follows that there are p2 and sst
′
2 with (sst2, ](thr2))
k2,p2 Uni
sst ′2, where p2 = 1/](thr2). Hence, by the derivation rule for transitions of system
configurations we have sc2
k2,p2
===⇒Uni sc′2 where sc′2 = 〈updatek2(thr2, c′2, α2),mem ′2, sst ′2〉.
From p2 = 1/](thr2) and Item 3 in the definition of ≺ it follows p2 = 1/](thr1|LCom).
Hence, by the definition of Uni it follows that l -ρUni(sc1) = ](thr1|LCom)/](thr1). In
consequence, p1/l -ρUni(sc1) = (1/](thr1))/(](thr1|LCom)/](thr1)) = p2.
It remains to show that sc′1 ≺ sc′2|LCom . From (e) and Lemma A.5 it follows that
updatek1(thr1, c
′
1, α1) ∼lm (updatek2(thr2, c′2, α2))|LCom ,
i.e., Item 1 of the definition of ≺ holds for sc′1 and sc′2. Moreover, Item 2 holds due to
(d) and Item 3 holds because (thr |LCom)|LCom = thr |LCom for all thr .
Lemma A.8. We define relation ≺ by 〈thr1,mem1, sst1〉 ≺ 〈thr2,mem2, sst2〉 if and only
if the following conditions are satisfied:
1. thr1 ∼lm thr2,
2. mem1 =L mem2, and
3. thr1|LCom = thr2.
Then the relation ≺ is a Lot-simulation. ♦
A.3. Scheduler-independence of FSI-security 115
Proof. The proof is in large parts the same as the proof of Lemma A.7. The only difference
is in the argument that p1/l -ρUni(sc1) = p2 in the case that thr1[k1] ∈ LCom.
For the lottery scheduler, p1 = ticketsk1(sin1)/
[∑](thr1)
i=1 ticketsi(sin1)
]
and p2 =
ticketsk2(sin2)/
[∑](thr2)
i=1 ticketsi(sin2)
]
, where sin1 = obs(thr1,mem1) and
sin2 = obs(thr2,mem2). Moreover, by the definition of Lot it follows that
l -ρLot(sc1) =
[ ∑
i∈{1,...,](thr1)|thr1[i]∈LCom}
ticketsi(sin1)
]
/
[](thr1)∑
i=1
ticketsi(sin1)
]
.
Hence, p1/l -ρLot(sc1) = ticketsk1(sin1)/
[∑
i∈{1,...,](thr1)|thr1[i]∈LCom} ticketsi(sin1)
]
. As
the observation function is confined the number of tickets is stored in low variables.
Hence, it follows from mem1 =L mem2 that ticketsi(sin1) = tickets l-match thr1,thr2 (sin2).
In consequence, p1/l -ρUni(sc1) = p2.
A.3 Scheduler-independence of FSI-security
This section contains the proof of Theorem 3.14 from Section 3.3.4. Theorem 3.14 is the
key for proving the scheduler independence of FSI-security.
Before proving Theorem 3.14, we prove two lemmas that relate the probability that
a run starting in some system configuration terminates with a given memory to the
probabilities that a run starting in a system configuration reached from that system
configuration in one step terminates in that memory.
Lemma A.9. Let sc be a system configuration that is not final and let J ⊂ N be the set
of j ∈ N for which there exist sc′ ∈ SysConf and p > 0 with sc j,p=⇒S sc′.
By the definition of schedulers and the semantics for execution steps of system
configurations, the system configuration sc′ is uniquely determined by sc and j, and we
denote that system configuration for j ∈ J with sc′j .
Then for every scheduler S, every memory mem, and every k ∈ N the following
equation is satisfied:
ρS({(str , dtr) ∈ TS(sc)⇓mem | ](str) = k + 1}) =∑
j∈J
ρSsc(j) ∗ ρS({(str , dtr) ∈ TS(sc′j)⇓mem | ](str) = k}) ♦
Proof. In the proof, we denote the set {(str , dtr) ∈ TS(sc)⇓mem | ](str) = k} with
TS(sc)k⇓mem for every k ∈ N.
Since sc is not final, J 6= {}.
By the definition of ρS (cf. Definition 2.15) and the definition of induced probability
measures (cf. Definition 2.4) we have
ρS(TS(sc)k⇓mem) =
∑
tr∈TS(sc)k⇓mem
ρ(tr)
116 Appendix A. Detailed Proofs
for every k ∈ N, where ρ(tr) is the trace probability defined in Definition 2.12. Since
J 6= {}, we can rewrite this sum as
ρS(TS(sc)k⇓mem) =
∑
j∈J

∑
(str ,dtr)∈TS(sc)k⇓mem
str [2]=sc′j
ρ(tr)
 . (A.1)
Let tr = (str , dtr) ∈ TS(sc)k⇓mem . Then, by Definition 2.12,
ρ(tr) =
](dtr)∏
i=1
pi,dtr(i)
where pi,k is the probability p for which str [i]
k,p
=⇒S str [i + 1] is derivable. Hence, if
str [2] = sc′j then
ρ(tr) = ρSsc(j) ∗
](dtr)∏
i=2
pi,dtr(i). (A.2)
Moreover, for every k ∈ N and every j ∈ J , one obtains the set TS(sc′j)k⇓mem by taking
each element (str , dtr) from the set TS(sc)k+1⇓mem and removing the first element of str
and the first element of dtr . Hence, with Definition 2.12 we have for every j ∈ J that
ρS(TS(sc′j)k⇓mem) =
∑
(str ,dtr)∈TS(sc)k+1⇓mem
str [2]=sc′j
](dtr)∏
i=2
pi,dtr(i)
 (A.3)
where pi,k is the probability p for which str [i]
k,p
=⇒S str [i+ 1] is derivable.
From Equations (A.1), (A.2), and (A.3) we obtain that
ρS(TS(sc)k+1⇓mem) =
∑
j∈J
ρSsc(j) ∗ ρS(TS(sc′j)k⇓mem)
Lemma A.10. Let sc be a system configuration that is not final, and let J ⊂ N be the
set of j ∈ N for which there exist sc′ ∈ SysConf and p > 0 with sc j,p=⇒S sc′.
By the definition of schedulers and the semantics for execution steps of system
configurations, the system configuration sc′ is uniquely determined by sc and j, and we
denote that system configuration for j ∈ J with sc′j .
Then for every scheduler S and every memory mem the following equation is satisfied:
ρS(TS(sc)⇓mem) =
∑
j∈J
ρSsc(j) ∗ ρS(TS(sc′j)⇓mem)
Proof. It follows from Lemma A.9 that∑
k∈N
ρS({(str , dtr) ∈ TS(sc)⇓mem | ](str) = k + 1}) =∑
k∈N
∑
j∈J
ρSsc(j) ∗ ρS({(str , dtr) ∈ TS(sc′j)⇓mem | ](str) = k}).
A.3. Scheduler-independence of FSI-security 117
Since sc is not final, there is no (str , dtr) ∈ TS(sc)⇓mem with ](str) = 1. Hence, we
can rewrite the equation as follows, replacing (k + 1) with k on the left hand side, and
reordering the sums on the right hand side:∑
k∈N
ρS({(str , dtr) ∈ TS(sc)⇓mem | ](str) = k}) =
∑
j∈J
ρSsc(j) ∗
(∑
k∈N
ρS({(str , dtr) ∈ TS(sc′j)⇓mem | ](str) = k})
)
Since
TS(sc)⇓mem =
⋃
k∈N
{(str , dtr) ∈ TS(sc)⇓mem | ](str) = k}
for every system configuration sc, every scheduler S, and every memory mem, it follows
with the properties of the probability measure ρSsc(j) that
ρS(TS(sc)⇓mem) =
∑
j∈J
ρSsc(j) ∗ ρS(TS(sc′j)⇓mem).
Now we prove Theorem 3.14.
Proof of Theorem 3.14. Let mem ∈ Mem. We must show that∑
mem′∈[mem]LO
ρS(TS(sc1)⇓mem′) =
∑
mem′∈[mem]LO
ρS(TS(sc2)⇓mem′).
In the remainder of the proof, we write P (sc) for
∑
mem′∈[mem]LO ρS(TS(sc)⇓mem′).
I.e., we must show P (sc1) = P (sc2).
Let ](T ) =
∑
tr∈T ](tr) be the sum of the lengths of all traces in a finite set of
terminating traces T . Our proof is by induction on n = ](TS(sc1)) + ](TS(sc2)). (Both
sets ](TS(sc1)) and ](TS(sc2)) contain only terminating traces because sc1 and sc2 are
terminating. Moreover, both sets are finite because the set of terminating traces for a
given configuration is finite.)
Induction basis (n = 2):
Note that n < 2 is not possible because for an arbitrary system configuration sc the set
TS(sc) contains at least one trace of length 1, namely the trace (〈sc〉, 〈〉) with system
trace 〈sc〉 and decision trace 〈〉.
If n = 2 then both TS(sc1) and TS(sc1) contain exactly one trace of length 1. In
consequence, both sc1 and sc2 are final configurations, and TS(sc1) and TS(sc1) contain
only the trace (〈sc1〉, 〈〉) and (〈sc2〉, 〈〉), respectively.
In consequence, P (sc1) = 1 if and only if mem1 =L mem and P (sc1) = 0 otherwise,
and P (sc2) = 1 if and only if mem2 =L mem and P (sc2) = 0 otherwise. Since mem1 =L
mem2, it follows that P (sc1) = P (sc2).
Induction step (n > 2):
Let us at first briefly elaborate on the idea of the proof of the induction step: We consider
transitions of low and high threads in sc1 and sc2 separately. If sc1 makes a transition in
a high thread to sc′1, we prove that sc
′
1, sc2, sc1,p, and sc2,p satisfy all the preconditions
of the induction hypothesis, and, hence, P (sc′1) = P (sc2). We proceed likewise for
transitions of low threads, showing that P (sc′1) = P (sc
′
2), where sc
′
1 and sc
′
2 are reached
118 Appendix A. Detailed Proofs
from sc1 and sc2 by transitions of low threads linked by l -matchthr1,thr2 . Summing over
the probabilities of the possible execution steps in sc1 and sc2 yields a system of two
linear equations with unknowns P (sc1) and P (sc2). We solve the equation system using
the relation on probabilities given by S-simulations for robust schedulers, resulting in
P (sc1) = P (sc2), which concludes the proof.
We now prove the induction step.
1. For each system configuration sc, we denote with enabled(sc) ⊂ N the set of j ∈ N
for which there exist sc′ ∈ SysConf and p > 0 with sc j,p=⇒S sc′.
By the definition of schedulers and the semantics for system configurations, sc′ is
uniquely determined by sc and j. We denote this system configuration with succj(sc).
2. By Lemma A.10 the following equation holds for every memory mem:
ρS(TS(sc1)⇓mem) =
∑
j∈enabled(sc1)
ρSsc1(j) ∗ ρS(TS(succj(sc1))⇓mem)
Hence, the following holds:∑
mem′∈[mem]LO
ρS(TS(sc1)⇓mem) =
∑
mem′∈[mem]LO
∑
j∈enabled(sc1)
ρSsc1(j)∗ρS(TS(succj(sc1))⇓mem)
Switching the sums on the right hand side of the equation, we obtain∑
mem′∈[mem]LO
ρS(TS(sc1)⇓mem) =
∑
j∈enabled(sc1)
ρSsc1(j) ∗
∑
mem′∈[mem]LO
ρS(TS(succj(sc1))⇓mem).
Using the notation introduced for this proof, we write this equation as follows:
P (sc1) =
∑
j∈enabled(sc1)
ρSsc1(j) ∗ P (succj(sc1)).
3. We rewrite this sum as P (sc1) = P (sc1, high) + P (sc1, low), where
P (sc1, high) =
∑
j∈enabled(sc1)
∧thr1[j]∈HCom
ρSsc1(j) ∗ P (succj(sc1))
and
P (sc1, low) =
∑
j∈enabled(sc1)
∧thr1[j]∈LCom
ρSsc1(j) ∗ P (succj(sc1)).
4. Let j ∈ enabled(sc1). Then there exist c′1,mem ′1, α, p, and sst ′1 such that
〈thr1[j],mem1〉 α−_ 〈c′1,mem ′1〉 and (sst1, obs(thr1,mem1)) j,p S sst ′1. Moreover,
succj(sc1) = 〈updatej(thr1, c′1, α),mem ′1, sst ′1〉.
5. Assume firstly that thr1[j] ∈ HCom. We show that this implies P (succj(sc1)) =
P (sc2).
a) Since thr1 ∼lm thr2, by the definition of low bisimulations modulo low matching
getThr(succj(sc1)) ∼lm thr2 holds.
b) From thr1[j] ∈ HCom it follows that getMem(succj(sc1)) =L mem2.
c) From sc1 ≺S sc1,p and the definition of S-simulations it follows that
succj(sc1) ≺S sc1,p.
A.3. Scheduler-independence of FSI-security 119
d) From sc1 ∼lm sc1,p and the definition of ∼lm it follows that
succj(sc1) ∼lm sc1,p.
e) Since sc1 makes a transition to succj(sc1) it follows that
](TS(succj(sc1))) + ](TS(sc2)) < n,
and that succj(sc1) is also terminating.
f) From (a), (b), (c), (d), (e), and the induction hypothesis for the configurations
succj(sc1), sc2, sc1,p, and sc2,p it follows that
P (succj(sc1)) = P (sc2).
6. Using (5.), we rewrite P (sc1, high) as follows:
P (sc1, high) = P (sc2) ∗
∑
j∈enabled(sc1)
∧thr1[j]∈HCom
ρSsc1(j).
By the definition of l -ρS , it follows that
1− l -ρS(sc1) =
∑
j∈enabled(sc1)
∧thr1[j]∈HCom
ρSsc1(j).
Hence, P (sc1, high) = P (sc2) ∗ (1− l -ρS(sc1)).
Analogously, it follows that P (sc2, high) = P (sc1) ∗ (1− l -ρS(sc2)).
7. Assume now that thr1[j] ∈ LCom and that k = l -matchthr1,thr2(j).
8. We show that ρSsc1(j)/l -ρS(sc1) = ρ
S
sc2(k)/l -ρS(sc2).
a) Since sc1 ≺S sc1,p it follows from the definition of S-simulations that
ρSsc1(j)/l -ρS(sc1) = ρ
S
sc1,p(j
′),
where j′ = l -matchthr1,thr1,p(j).
b) Analogously, it follows that
ρSsc2(k)/l -ρS(sc2) = ρ
S
sc2,p(k
′),
where k′ = l -matchthr2,thr2,p(k).
c) Let m be such that thr1[j] is the mth low thread in thr1. Then thr2[k] is the
mth low thread in thr2 because k = l -matchthr1,thr2(j). Since sc1 ≺S sc1,p
and sc2 ≺S sc2,p, sc1,p and sc2,p do not contain low threads. It follows that
m = j′ = k′.
d) It follows from sc1 ∼lm sc2 that ](thr1|LCom) = ](thr2|LCom). Hence, because
sc1 ≺S sc1,p and sc2 ≺S sc2,p, it follows that ](thr1,p) = ](thr2,p). With
mem1,p =L mem2,p and the fact that obs is confined to L it follows that
obs(thr1,p,mem1,p) = obs(thr2,p,mem2,p).
In consequence, ρSsc1,p(m) = ρ
S
sc2,p(m).
120 Appendix A. Detailed Proofs
e) Combining the equalities from (a), (b), and (d), and the fact that m = j′ = k′
(from (c)), it follows that
ρSsc1(j)/l -ρS(sc1) = ρ
S
sc2(k)/l -ρS(sc2).
9. The inequality ρSsc1(j) > 0 holds because j ∈ enabled(sc1). Hence, by (8.), the
inequality ρSsc2(k) > 0 holds. Moreover, since sc1 ∼lm sc2, j ∈ enabled(sc1), thr1[j] ∈
LCom, and k = l -matchthr1,thr2(j), by the definition of low bisimulations modulo low
matching there exists c′, mem ′, and α′ such that 〈thr2[k],mem2〉 α
′−_ 〈c′,mem ′〉.
In consequence, k ∈ enabled(sc2).
10. We now show that P (succj(sc1)) = P (succk(sc2)).
a) Since thr1 ∼lm thr2 and mem1 =L mem2 it follows from the definition of low
bisimulations modulo low matching that the following conditions are satisfied:
− getThr(succj(sc1)) ∼lm getThr(succk(sc2)) and
− getMem(succj(sc1)) =L getMem(succk(sc2)).
b) From sc1 ≺S sc1,p and thr1 ∼lm thr1,p it follows that
− succj(sc1) ≺S (succl-match thr1,thr1,p (j)(sc1,p))|LCom ,
− getThr(succj(sc1)) ∼lm getThr(succl-match thr1,thr1,p (j)(sc1,p)), and
− getMem(succj(sc1)) =L getMem(succl-match thr1,thr1,p (j)(sc1,p)).
By Lemma A.5 it follows that
− getThr(succj(sc1)) ∼lm (getThr(succl-match thr1,thr1,p (j)(sc1,p)))|LCom .
c) Moreover, from sc2 ≺S sc2,p and thr2 ∼lm thr2,p it follows that
− succj(sc2) ≺S (succl-match thr2,thr2,p (k)(sc2,p))|LCom ,
− getThr(succj(sc2)) ∼lm getThr(succl-match thr2,thr2,p (k)(sc2,p)), and
− getMem(succj(sc2)) =L getMem(succl-match thr2,thr2,p (k)(sc2,p)).
By Lemma A.5 it follows that
− getThr(succk(sc2)) ∼lm (getThr(succl-match thr2,thr2,p (k)(sc2,p)))|LCom .
Since obs is confined to L, it follows from ](getThr(sc1,p)) = ](getThr(sc2,p))
and mem1,p =L mem2,p that
getSst(succl-match thr1,thr1,p (j)(sc1,p)) = getSst(succl-match thr2,thr2,p (k)(sc2,p)).
d) Since sc1 and sc2 are both terminating, succj(sc1) and succk(sc2) are also
terminating. Moreover, ](TS(succj(sc1))) + ](TS(succk(sc2))) < n.
e) With (a), (b), (c), (d), and the induction hypothesis for succj(sc1), succk(sc2),
(succl-match thr1,thr1,p (j)(sc1,p))|LCom , and (succl-match thr2,thr2,p (k)(sc2,p))|LCom it
follows that
P (succj(sc1)) = P (succk(sc2)).
11. Expressing P (sc1) and P (sc2) using the equations from (6.) results in the following
equation system in X = P (sc1) and Y = P (sc2):
X = Y ∗ (1− l -ρS(sc1)) +
∑
j∈enabled(sc1)
∧thr1[j]∈LCom
ρSsc1(j) ∗ P (succj(sc1))
Y = X ∗ (1− l -ρS(sc2)) +
∑
k∈enabled(sc2)
∧thr2[k]∈LCom
ρSsc2(k) ∗ P (succk(sc2))
A.4. Security Type System for FSI-Security 121
To complete the induction step it remains to show that each solution (x, y) of this
equation system satisfies x = y.
12. For solving the equation system, we introduce abbreviations to make the formulas
more readable. We define Si = P (sci, low) and ρi = 1 − l -ρS(sci) for i ∈ {1, 2}.
Using these notations, the equation system reads as follows:
X = Y ∗ ρ1 + S1
Y = X ∗ ρ2 + S2
13. Solving the above equation system for X and Y yields
X =
ρ1 ∗ S2 + S1
1− ρ1 ∗ ρ2 and Y =
ρ2 ∗ S1 + S2
1− ρ1 ∗ ρ2 .
14. To show that X = Y it hence suffices to show that ρ1 ∗ S2 + S1 = ρ2 ∗ S1 + S2. This
is equivalent to showing that (1− ρ2) ∗ S1 = (1− ρ1) ∗ S2. Expanding the definitions
of ρ1 and ρ2 this equation reads l -ρS(sc2) ∗ S1 = l -ρS(sc1) ∗ S2.
After expanding S1 and S2 the equation reads as
l -ρS(sc2) ∗
∑
j∈enabled(sc1)
∧thr1[j]∈LCom
ρSsc1(j) ∗ P (succj(sc1))
= l -ρS(sc1) ∗
∑
k∈enabled(sc2)
∧thr2[k]∈LCom
ρSsc2(k) ∗ P (succk(sc2)).
That this equation is satisfied follows directly from the equalities derived in (8.) and
in (10.), viz
ρSsc1(j)/l -ρS(sc1) = ρ
S
sc2(k)/l -ρS(sc2),
and
P (succj(sc1)) = P (succk(sc2)),
where k = l -matchthr1,thr2(j). This shows that X = Y , i.e., P (sc1) = P (sc2).
A.4 Security Type System for FSI-Security
This appendix contains the soundness proof of the security type system for FSI-security.
The proof uses Lemmas 3.1, 3.2, and 3.3 from Section 3.4, and we start by proving these
lemmas.
Proof of Lemma 3.1. By assumption, c is typable, i.e., ` c : (mdf , stp) is derivable
for some mdf , stp ∈ {low , high}. We proceed by induction over the derivation of this
judgment.
− [STOP]. Assume that ` c : (mdf , stp) is derived with rule [STOP]. Then c = stop.
Since stop cannot perform a transition, nothing has to be shown.
− [SKIP]. Assume that ` c : (mdf , stp) is derived with rule [SKIP]. Then c = skip, and,
hence, c′ = stop and thr = 〈〉. Moreover, mdf = high and stp = low . Hence, c′ is
typable with (mdf , stp) by rule [STOP].
122 Appendix A. Detailed Proofs
− [ASS]. Assume that ` c : (mdf , stp) is derived with rule [ASS]. Then c = x :=e, and,
hence, c′ = stop and thr = 〈〉. Moreover, mdf = dma(x ) and stp = low . Hence, c′
is typable with type (mdf ′, stp) where mdf v mdf ′ (namely mdf ′ = high) by rule
[STOP].
− [IF]. Assume that ` c : (mdf , stp) is derived with rule [IF]. In this case, c =
if e then c1 else c2 fi and, hence, c
′ ∈ {c1, c2} and thr = 〈〉. Moreover, both
` c1 : (mdf , stp′) and ` c2 : (mdf , stp′) are derivable and stp = stp′ unionsq d for some
security domain d . I.e., both c1 and c2 are typable with (mdf , stp
′) with stp′ v stp.
− [WHILE]. Assume that ` c : (mdf , stp) is derived with rule [WHILE]. Then c =
while e do c1 od and, hence, c
′ = if e then c1; c else stop fi and thr = 〈〉. Moreover,
` c1 : (mdf , stp′) is derivable with stp = stp′unionsqd and stp′unionsqd v mdf for some security
domain d .
Since stp′ v mdf , c1 is typable with type (mdf , stp′), and c is typable with type
(mdf , stp), it follows that c1; c is typable with type (mdf , stp) by rule [SEQ]. Moreover,
stop is typable with (mdf , stp) by rule [STOP] and rule [SUB]. Hence, since d v mdf ,
c′ is typable with type (mdf , stp) by rule [IF].
− [SPAWN]. Assume that ` c : (mdf , stp) is derived with rule [SPAWN]. Then c =
spawn(c1, . . . , cn). Hence, c
′ = stop and thr = 〈c1, . . . , cn〉. Moreover, ci is typable
for each i ∈ {1, . . . , n} due to the conditions of rule [SPAWN].
− [SEQ]. Assume that ` c : (mdf , stp) is derived with rule [SEQ]. Then c = c1; c2, and
c1 and c2 are typable with types (mdf 1, stp1) and (mdf 2, stp2), respectively, where
stp1 v mdf 2, mdf = mdf 1 umdf 2, and stp = stp1 unionsq stp2.
We distinguish between c1 = stop and c1 6= stop.
If c1 = stop then c
′ = c2, and, hence, c′ is typable with (mdf 2, stp2). Moreover,mdf v
mdf 2 and stp2 v stp follow from mdf = mdf 1 umdf 2 and stp = stp1 unionsq stp2.
If c1 6= stop then 〈c1,mem〉 α−_ 〈c′1,mem ′〉 and c′ = c′1; c2. Then, by the induction
hypothesis for c1, c
′
1 is typable with type (mdf
′
1, stp
′
1) where mdf 1 v mdf ′1 and
stp′1 v stp1. Hence, c′1; c2 is typable with type (mdf ′1umdf 2, stp′1unionsqstp2) by rule [SEQ],
and mdf v mdf ′1umdf 2 as well as stp′1unionsqstp2 v stp follows from mdf = mdf 1umdf 2,
and stp = stp1 unionsq stp2.
− [SUB]. Assume that ` c : (mdf , stp) is derived with rule [SUB]. In this case, c
is typable with type (mdf ′, stp′) where mdf v mdf ′ and stp′ v stp. Hence, by
the induction hypothesis, c′ is typable with (mdf ′′, stp′′) where mdf ′ v mdf ′′ and
stp′′ v stp′. Moreover, the inequations mdf v mdf ′′ and stp′′ v stp follows from
these inequations.
Proof of Lemma 3.2. By assumption, ` c : (high, stp) is derivable for some stp ∈
{low , high}. We prove the lemma by induction over the derivation of this judgment.
− [STOP]. Assume that ` c : (high, stp) is derived with rule [STOP]. Then c = stop,
and stop ∈ HCom holds trivially.
− [SKIP]. Assume that ` c : (high, stp) is derived with rule [SKIP]. Then c = skip, and
skip ∈ HCom holds trivially.
A.4. Security Type System for FSI-Security 123
− [ASS]. Assume that ` c : (high, stp) is derived with rule [ASS]. Then c = x :=e and
dma(x ) = high. Hence, c ∈ HCom by the definition of HCom and the operational
semantics of the programming language.
− [IF]. Assume that ` c : (high, stp) is derived with rule [IF]. In this case, c =
if e then c1 else c2 fi and both c1 and c2 are typable with (high, stp
′) for some stp′.
Hence, by the induction hypothesis, both c1 ∈ HCom and c2 ∈ HCom. Since one
execution step of c either results in c1 or in c2 and does not modify the memory,
c ∈ HCom by the definition of high commands.
− [WHILE]. Assume that ` c : (high, stp) is derived with rule [WHILE]. Then c =
while e do c1 od and c1 is typable with (high, stp
′) for some stp′ ∈ {low , high}. Hence,
by the induction hypothesis, c1 ∈ HCom. But then c ∈ HCom by the operational
semantics for while loops.
− [SPAWN]. Assume that ` c : (high, stp) is derived with rule [SPAWN]. Then
c = spawn(c1, . . . , ck), and ` ci : (high, stpi) is derivable for some stpi for all
i ∈ {1, . . . , k}. Hence, all ci are high commands by the induction hypothesis. More-
over, spawn(c1, . . . , ck) makes a transition to stop. Hence, spawn(c1, . . . , ck) ∈ HCom.
− [SEQ]. Assume that ` c : (high, stp) is derived with rule [SEQ]. Then c = c1; c2, and
c1 and c2 are both typable with (high, stp
′) for some stp′. Hence, by the induction
hypothesis, both c1 ∈ HCom and c2 ∈ HCom. By the operational semantics for
sequential composition, the sequential composition of high commands is a high
command, and, hence c1; c2 ∈ HCom.
− [SUB]. Assume that ` c : (mdf , stp) is derived with rule [SUB]. Then ` c : (mdf ′, stp′)
is derivable where high v mdf ′. In consequence, mdf ′ = high, and, hence, c ∈ HCom
by the induction hypothesis.
Proof of Lemma 3.3. We start by proving the first statement of the lemma. Assume that
stp = low . Then, by assumption, ` c : (mdf , low) is typable for some mdf ∈ {low , high}.
We prove the statement by induction over the derivation of this judgment.
− [STOP]. Assume that ` c : (mdf , low) is derived with rule [STOP]. Then c = stop,
for which the statement is trivially satisfied.
− [SKIP]. Assume that ` c : (mdf , low) is derived with rule [SKIP]. Then c = skip, for
which the statement is trivially satisfied.
− [ASS]. Assume that ` c : (mdf , low) is derived with rule [ASS]. Then c = x :=e
and dma(y) v dma(x ) for each y ∈ vars(e). In consequence, if dma(x ) = low then
eval(e,mem1) = eval(e,mem2) whenever mem1 =L mem2. Hence, mem
′
1 =L mem
′
2
because c only modifies the value of x . The remaining statements of the lemma follow
trivially.
− [IF]. Assume that ` c : (mdf , low) is derived with rule [IF]. In this case, c =
if e then c1 else c2 fi and ` e : low . As the first execution step of a conditional does
not modify the memory we have mem ′1 =L mem
′
2. Moreover, as mem1 =L mem2 and
` e : low the expression e evaluates to the same value in mem1 and mem2. Hence,
c′1 = c
′
2.
124 Appendix A. Detailed Proofs
− [WHILE]. Assume that ` c : (mdf , low) is derived with rule [WHILE]. Then c =
while e do c1 od and ` e : low . As the first execution step of a while loop does not
modify the memory we have mem ′1 =L mem
′
2. Moreover, as mem1 =L mem2 and
` e : low the expression e evaluates to the same value in mem1 and mem2. Hence,
c′1 = c
′
2.
− [SPAWN]. Assume that ` c : (mdf , low) is derived with rule [SPAWN]. Then
c = spawn(c1, . . . , cn). For spawn-commands, the statements from the lemma are
trivial.
− [SEQ]. Assume that ` c : (mdf , low) is derived with rule [SEQ]. Then c = c1; c2, and
both c1 and c2 are typable with (mdf
′, low) for some mdf ′. Hence, the statement for
the lemma follow using the induction hypothesis for c1 and the operational semantics
for sequential composition.
− [SUB]. Assume that ` c : (mdf , low) is derived with rule [SUB]. Then ` c : (mdf ′, stp′)
is derivable where stp′ v low , i.e., stp′ = low . Thus, we conclude using the induction
hypothesis.
We now prove the second statement of the lemma by induction over the derivation of the
typing of c.
− [STOP]. Assume that ` c : (mdf , stp) is derived with rule [STOP]. Then c = stop.
Hence, 〈c,mem1〉 α1−_ 〈c′1,mem ′1〉 is not derivable for any mem1, α1, c′1, and mem ′1,
which violates the assumptions of the lemma.
− [SKIP]. Assume that ` c : (mdf , stp) is derived with rule [SKIP]. Then c = skip.
Hence, c′1 = c
′
2 = stop, i.e., the assumption of the statement, inequality of c
′
1 and c
′
2,
is false.
− [ASS]. Assume that ` c : (mdf , stp) is derived with rule [ASS]. Then c = x :=e.
Hence, c′1 = c
′
2 = stop, i.e., the assumption of the statement, inequality of c
′
1 and c
′
2,
is false.
− [IF]. Assume that ` c : (mdf , stp) is derived with rule [IF]. In this case, c =
if e then c1 else c2 fi and ` e : d for some d with d v stp. Assume that c′1 6= c′2.
Then eval(e,mem1) 6= eval(e,mem2) due to the semantics of conditionals. Hence,
since mem1 =L mem2, there must be some high variable on which the value of e
depends, i.e., there exists x ∈ vars(e) ∩ H . In consequence, d = high since ` e : d is
derived using typing rule [EXP]. Hence, stp = high since d v stp.
− [WHILE]. Assume that ` c : (mdf , stp) is derived with rule [WHILE]. Then c =
while e do c1 od and ` e : low . Hence, c′1 = c′2 = if e then c1; while e do c1 od else stop fi,
i.e., the assumption of the statement, inequality of c′1 and c
′
2, is false.
− [SPAWN]. Assume that ` c : (mdf , stp) is derived with rule [SPAWN]. Then c =
spawn(c1, . . . , cn). In consequence, c
′
1 = c
′
2 = stop. I.e., the assumption of the
statement, inequality of c′1 and c
′
2, is false.
− [SEQ]. Assume that ` c : (mdf , stp) is derived with rule [SEQ]. Then c = c1; c2,
and c1 is typable with (mdf 1, stp1) for some mdf 1 and stp1, where stp1 v stp.
By the semantics of sequential composition, c′1 = c
′′
1 ; c2 and c
′
2 = c
′′
2 ; c2 where
〈c1,mem1〉 α1−_ 〈c′′1 ,mem ′1〉 and 〈c1,mem2〉 α2−_ 〈c′′2 ,mem ′2〉. From c′1 6= c′2 it follows
A.4. Security Type System for FSI-Security 125
that c′′1 6= c′′2 . Hence, by the induction hypothesis, stp1 = high. It follows with
stp1 v stp that stp = high.
− [SUB]. Assume that ` c : (mdf , stp) is derived with rule [SUB]. Then ` c : (mdf ′, stp′)
is derivable where stp′ v stp. By the induction hypothesis, stp′ = high. Hence,
stp = high.
Proof of Theorem 3.15. We must show that every typable command is FSI-secure. To
this end, we define a relation R on thread pools such that 〈c〉 R 〈c〉 for every typable
command c, and we show that R is a low bisimulation modulo low matching.
We define thr1 R thr2 if and only if ](thr1|LCom) = ](thr2|LCom), thr1[i] = thr2[j]
for all i ∈ {1, . . . , ](thr1)} with thr1[i] ∈ LCom and j = l -matchthr1,thr2(i), and thr1[i] is
typable for all i ∈ {1, . . . , ](thr1)} with thr1[i] ∈ LCom.
By definition, R is symmetric and relates only thread pools with equally many low
threads. Hence, to show that R is a low bisimulation modulo low matching it remains to
show the following statement:
If thr1 R thr2, mem1 =L mem2, k1 ∈ {1, . . . , ](thr1)}, α1 = new(thr ′1) ∈ Lab,
c′1 ∈ Com, and 〈thr1[k1],mem1〉 α1−_ 〈c′1,mem ′1〉, then the following conditions are
satisfied:
1. if thr1[k1] ∈ LCom then there exist c′2 ∈ Com, mem ′2 ∈ Mem, and α2 = new(thr ′2) ∈
Lab with
a) 〈thr2[k2],mem2〉 α2−_ 〈c′2,mem ′2〉,
b) mem ′1 =L mem
′
2,
c) ](thr ′1|LCom) = ](thr ′2|LCom), and
d) updatek1(thr1, c
′
1, α1) R updatek2(thr2, c′2, α2)
where k2 = l -matchthr1,thr2(k1); and
2. if thr1[k1] ∈ HCom, then updatek1(thr1, c′1, α1) R thr2.
If thr1[k1] ∈ HCom then this statement is satisfied because execution steps of high threads
do not modify the values of low variables, result in a high thread, and spawn only high
threads (Theorem 3.2).
In the case that thr1[k1] ∈ LCom it follows from thr1 R thr2 that thr1[k1] is typable,
and we prove the statement by induction over the derivation of the corresponding judgment
` thr1[k1] : (mdf , stp). Note that mdf = low because otherwise thr1[k1] ∈ HCom would
hold by Lemma 3.2.
− [STOP]. Assume that ` thr1[k1] : (low , stp) is derived with rule [STOP]. Then
thr1[k1] = thr2[k2] = stop. Hence, 〈thr1[k1],mem1〉 α1−_ 〈c′1,mem ′1〉 cannot hold, and,
hence, nothing needs to be shown.
− [SKIP]. Assume that ` thr1[k1] : (low , stp) is derived with rule [SKIP]. Then
thr1[k1] = thr2[k2] = skip. Hence, c
′
1 = stop, thr
′
1 = 〈〉 and mem ′1 = mem1. We
define c′2 = stop, thr
′
2 = 〈〉, and mem ′2 = mem2. Then all the conditions we have to
prove are satisfied.
− [ASS]. Assume that ` thr1[k1] : (low , stp) is derived with rule [ASS]. Then thr1[k1] =
thr2[k2] = x :=e, dma(x ) = low , and dma(y) = low for all y ∈ vars(e).
Hence, thr ′1 = 〈〉, c′1 = stop, and mem ′1 = mem1[x 7→ v1] where v1 = eval(e,mem1).
Define thr ′2 = 〈〉, c′2 = stop, and mem ′2 = mem2[x 7→ v2] where v2 = eval(e,mem2).
126 Appendix A. Detailed Proofs
Then 〈thr2[k2],mem2〉 α2−_ 〈c′2,mem ′2〉. Moreover, since dma(y) = low for all y ∈
vars(e), v1 = v2. In consequence, mem
′
1 =L mem
′
2. Conditions (c) and (d) are
evidently also satisfied.
− [IF]. Assume that ` thr1[k1] : (low , stp) is derived with rule [IF]. Then thr1[k1] =
thr2[k2] = if e then c1 else c2 fi, both ` c1 : (low , stp) and ` c2 : (low , stp) are
derivable, and ` e : low .
Let mem1 =L mem2. Because ` e : low the expression e evaluates to the same value
in mem1 and mem2, i.e., eval(e,mem1) = eval(e,mem2). Let v ∈ Val be this value.
Assume firstly that v = true. Then c′1 = c1, thr
′
1 = 〈〉, and mem ′1 = mem1. Define
c′2 = c1, thr
′
2 = 〈〉, and mem ′2 = mem2. Then 〈thr2[k2],mem2〉 α2−_ 〈c′2,mem ′2〉.
Moreover, mem ′1 =L mem
′
2 holds because mem1 =L mem2. Condition (c) is trivially
satisfied. Condition (d) is satisfied due to the derivability of ` c1 : (low , stp).
Assume now that v = false. Then we conclude as in the case for v = true, exploiting
the derivability of ` c2 : (low , stp).
− [SPAWN]. Assume that ` thr1[k1] : (low , stp) is derived with rule [SPAWN]. Then
thr1[k1] = thr2[k2] = spawn(c1, . . . , cn), and for all i ∈ {1, . . . , n} there exists stpi
such that ` ci : (low , stpi) is derivable.
Then thr ′1 = 〈c1, . . . , cn〉, c′1 = stop, and mem ′1 = mem1. Define thr ′2 = 〈c1, . . . , cn〉,
c′2 = stop, and mem
′
2 = mem2. Hence, 〈thr2[k2],mem2〉 α2−_ 〈c′2,mem ′2〉, and
mem ′1 =L mem
′
2 follows from mem1 =L mem2. Condition (c) is trivially satis-
fied, and Condition (d) is satisfied because ` ci : (low , stpi) is derivable for all
i.
− [SEQ]. Assume that ` thr1[k1] : (low , stp) is derived with rule [SEQ]. Then thr1[k1] =
thr2[k2] = c1; c2, and there are mdf 1,mdf 2, stp1, stp2 such that low = mdf 1 umdf 2,
stp = stp1 unionsq stp2, stp1 v mdf 2, and both ` c1 : (mdf 1, stp1) and ` c2 : (mdf 2, stp2)
are derivable.
We distinguish between the two cases c1 = stop and c1 6= stop.
If c1 = stop then c
′
1 = c2, thr
′
1 = 〈〉, and mem ′1 = mem1. Define c′2 = c2, thr ′2 = 〈〉,
and mem ′2 = mem2. Then Conditions (a), (b), and (c) are immediately satisfied.
Moreover, Condition (d) is satisfied because ` c2 : (mdf 2, stp2) is derivable.
Assume now that c1 6= stop. Then, by the operational semantics for sequen-
tial composition, there exists a command c′′1 and a thread pool thr
′
1 such that
〈c1,mem1〉 α1−_ 〈c′′1 ,mem ′1〉 with α1 = new(thr ′1) and such that c′1 = c′′1 ; c2. Then,
by the induction hypothesis for the derivation of ` c1 : (mdf 1, stp1), there ex-
ists c′′2 and α2 = new(thr
′
2) such that 〈c1,mem2〉 α2−_ 〈c′′2 ,mem ′2〉, mem ′1 =L mem ′2,
](thr ′1|LCom) = ](thr ′2|LCom), and update1(〈c1〉, c′′1 , α1) R update1(〈c1〉, c′′2 , α2) (i.e.,
〈c′′1 〉 :: thr ′1 R 〈c′′2 〉 :: thr ′2).
Define c′2 = c
′′
2 ; c2. Then 〈thr2[k2],mem2〉 α2−_ 〈c′2,mem ′2〉. Hence, Conditions (a)–(c)
are satisfied.
It remains to show that Condition (d) is satisfied. Since 〈c′′1 〉 :: thr ′1 R 〈c′′2 〉 :: thr ′2 and
](thr ′1|LCom) = ](thr ′2|LCom), by the definition of R this means that we must show
that c′1 and c
′
2 are either both high commands, or that c
′
1 and c
′
2 are equal typable
low commands.
Since c1 is typable with (mdf 1, stp1) and 〈c1,mem1〉 α1−_ 〈c′′1 ,mem ′1〉 it follows from
Lemma 3.1 that c′′1 is typable with (mdf
′′
1 , stp
′′
1) for some mdf
′′
1 and stp
′′
1 where
A.5. Properties of Strong Low Bisimulation Modulo Modes 127
stp′′1 v stp1. Moreover, since 〈c1,mem2〉 α2−_ 〈c′′2 ,mem ′2〉 it follows from Lemma 3.1
that c′′2 is typable with (mdf
′′
2 , stp
′′
2) for some mdf
′′
2 and stp
′′
2 where stp
′′
2 v stp1. Since
stp1 v mdf 2 it follows that stp′′1 v mdf 2 and stp′′2 v mdf 2. Hence, both c′1 = c′′1 ; c2
and c′2 = c
′′
2 ; c2 are both typable by rule [SEQ].
Moreover, from 〈c′′1 〉 :: thr ′1 R 〈c′′2 〉 :: thr ′2 and ](thr ′1|LCom) = ](thr ′2|LCom) it follows
with the definition of R that either c′′1 and c′′2 are both high commands, or that they
are equal typable low commands.
Consider firstly the case that c′′1 and c
′′
2 are both high commands. If c
′′
1 = c
′′
2 then
c′1 = c
′
2 by the definition of c
′
1 and c
′
2. Hence, c
′
1 and c
′
2 are either both high or
both low commands; i.e., c′1 and c
′
2 are either both high commands, or they are
equal typable low commands. If c′′1 6= c′′2 then, by Lemma 3.3, stp1 = high. Hence,
mdf 2 = high since stp1 v mdf 2. But then c2 is a high command by Lemma 3.2. In
consequence, c′1 and c
′
2 are both high commands.
Consider now the case that c′′1 and c
′′
2 are equal typable low commands. Since they
are equal, it follows that c′1 = c
′
2, i.e., c
′
1 and c
′
2 are equal typable low commands.
− [WHILE]. Assume that ` thr1[k1] : (low , stp) is derived with rule [WHILE]. Then
thr1[k1] = thr2[k2] = while e do c1 od, ` c1 : (low , stp) is derivable, ` e : d , and
stp unionsq d v low .
It follows that stp = d = low .
Moreover, it follows that c′1 = if e then c1; c else stop fi, thr
′
1 = 〈〉, and mem ′1 = mem1.
Define c′2 = if e then c1; c else stop fi, thr
′
2 = 〈〉, and mem ′2 = mem2. Then
〈c,mem2〉 α2−_ 〈c′2,mem ′2〉, and mem ′1 =L mem ′2 follows from mem1 =L mem2.
Condition (c) is trivially satisfied.
To prove Condition (d), it suffices to prove that if e then c1; c else stop fi is typable.
This can be seen as follows: The judgment ` c1; c : (low , low) is typable with rule
[SEQ] because the judgments ` c1 : (low , stp) and ` c : (low , stp) are derivable and
stp = low . Hence, the judgment ` if e then c1; c else stop fi : (low , stp) is derivable
with rule [IF], using rule [STOP] for typing stop and the fact that ` e : d is derivable.
− [SUB]. Assume that ` c : (low , stp) is derived with rule [SUB]. Then ` c : (mdf ′, stp′)
is derivable where low v mdf ′ and stp′ v stp.
Then, by the induction hypothesis for the derivation of ` c : (mdf ′, stp′), Condi-
tions (a)–(d) are all satisfied.
A.5 Properties of Strong Low Bisimulation Modulo Modes
This appendix contains the proofs of some properties of strong low bisimulations modulo
modes.
Proof of Theorem 4.1. We must show that ∼mm is symmetric, closed under globally con-
sistent changes, and that whenever 〈c1,mds,mem1〉 ∼mm 〈c2,mds,mem2〉 the following
conditions are satisfied:
1. mem1 =
mds
L mem2,
2. for all c′1 ∈Com, mds ′ ∈Mds, mem ′1 ∈Mem, and α1 = new(thr1,mdss1) ∈ Labm, if
〈c1,mds,mem1〉 α1−_ 〈c′1,mds ′,mem ′1〉 then there exist c′2 ∈ Com, mem ′2 ∈ Mem, and
α2 = new(thr2,mdss2) ∈ Labm such that the following conditions are satisfied:
128 Appendix A. Detailed Proofs
a) 〈c2,mds,mem2〉 α2−_ 〈c′2,mds ′,mem ′2〉,
b) 〈c′1,mds ′,mem ′1〉 ∼mm 〈c′2,mds ′,mem ′2〉,
c) ](thr1) = ](thr2), and
d) 〈thr1[i],mdss1[i],mem ′1〉 ∼mm 〈thr2[i],mdss2[i],mem ′2〉 for all i ∈ {1, . . . , ](thr1)}.
The relation ∼mm is symmetric because it is the union of symmetric relations.
Assume that 〈c1,mds,mem1〉 ∼mm 〈c2,mds,mem2〉. Then by definition of ∼mm there is
a strong low bisimulation modulo modes R such that 〈c1,mds,mem1〉 R 〈c2,mds,mem2〉.
Since R is closed under globally consistent changes,
− 〈c1,mds,mem1[x 7→ v1]〉 R 〈c2,mds,mem2[x 7→ v2]〉 holds for all v1, v2 ∈ Val when-
ever x 6∈ mds(asm-no-w) and dma(x ) = high, and
− 〈c1,mds,mem1[x 7→ v ]〉 R 〈c2,mds,mem2[x 7→ v ]〉 holds for all v ∈ Val whenever
x 6∈ mds(asm-no-w) and dma(x ) = low .
Hence, by definition of ∼mm,
− 〈c1,mds,mem1[x 7→ v1]〉 ∼mm 〈c2,mds,mem2[x 7→ v2]〉 holds for all v1, v2 ∈ Val
whenever x 6∈ mds(asm-no-w) and dma(x ) = high, and
− 〈c1,mds,mem1[x 7→ v ]〉 ∼mm 〈c2,mds,mem2[x 7→ v ]〉 holds for all v ∈ Val whenever
x 6∈ mds(asm-no-w) and dma(x ) = low .
Thus, ∼mm is closed under globally consistent changes.
Moreover, since R is a strong low bisimulation modulo modes, mem1 =L mem2.
Assume that 〈c1,mds,mem1〉 α1−_ 〈c′1,mds ′,mem ′1〉. Since R is a strong low bisimula-
tion modulo modes there exist c′2 ∈ Com, mem ′2 ∈ Mem, and α2 = new(thr2,mdss2) ∈
Labm such that the following hold:
1. 〈c2,mds,mem2〉 α2−_ 〈c′2,mds ′,mem ′2〉,
2. 〈c′1,mds ′,mem ′1〉 R 〈c′2,mds ′,mem ′2〉,
3. ](thr1) = ](thr2), and
4. 〈thr1[i],mdss1[i],mem ′1〉 R 〈thr2[i],mdss2[i],mem ′2〉 for all i ∈ {1, . . . , ](thr1)}.
By the definition of ∼mm it follows that 〈c′1,mds ′1,mem ′1〉 ∼mm 〈c′2,mds ′2,mem ′2〉 and
that 〈thr1[i],mdss1[i],mem ′1〉∼mm 〈thr2[i],mdss2[i],mem ′2〉 for all i∈{1, . . . , ](thr1)}.
Proof of Theorem 4.2. Symmetry of the relation ∼mm follows directly from the definition
of strong low bisimulations modulo modes.
To show transitivity of ∼mm, we define a relation R on thread configurations with
modes by tcm1 R tcm2 if and only if there exists tcm ′ such that tcm1 ∼mm tcm ′ and
tcm ′ ∼mm tcm2. We show that R is a strong low bisimulation modulo modes, from which
the transitivity of ∼mm follows with the definition of ∼mm.
The symmetry of R follows from the definition of R and the symmetry of ∼mm.
Assume that 〈c1,mds,mem1〉 R 〈c2,mds,mem2〉. Then by definition of R there exist
c′ and mem ′ such that 〈c1,mds,mem1〉 ∼mm 〈c′,mds,mem ′〉 and 〈c′,mds,mem ′〉 ∼mm
〈c2,mds,mem2〉.
We show that R is closed under globally consistent changes:
− Let x ∈ L with x 6∈ mds(asm-no-w) and let v ∈ Val . Then
〈c1,mds,mem1[x 7→ v ]〉 ∼mm 〈c′,mds,mem ′[x 7→ v ]〉
and
〈c′,mds,mem ′[x 7→ v ]〉 ∼mm 〈c2,mds,mem2[x 7→ v ]〉
because ∼mm is closed under globally consistent changes. Hence,
〈c1,mds,mem1[x 7→ v ]〉 ∼mm 〈c2,mds,mem2[x 7→ v ]〉.
A.6. Compositionality and Scheduler-independence Result for SIFUM-security 129
− Let x ∈ H with x 6∈ mds(asm-no-w) and let v1, v2 ∈ Val . Then
〈c1,mds,mem1[x 7→ v1]〉 ∼mm 〈c′,mds,mem ′〉
and
〈c′,mds,mem ′〉 ∼mm 〈c2,mds,mem2[x 7→ v2]〉
because ∼mm is closed under globally consistent changes. Hence,
〈c1,mds,mem1[x 7→ v1]〉 ∼mm 〈c2,mds,mem2[x 7→ v2]〉.
We now show that mem1 =
mds
L mem2. From 〈c1,mds,mem1〉 ∼mm 〈c′,mds,mem ′〉 and
〈c′,mds,mem ′〉 ∼mm 〈c2,mds,mem2〉 it follows that mem1 =mdsL mem ′ and mem ′ =mdsL
mem2, respectively. Hence, mem1 =
mds
L mem2.
Assume now that 〈c1,mds,mem1〉 α1−_ 〈c′1,mds ′,mem ′1〉. From 〈c1,mds,mem1〉 ∼mm
〈c′,mds,mem ′〉 it follows that there exist c′′, mem ′′, and α′ = new(thr ′,mdss ′) such that
the following conditions are satisfied:
− 〈c′,mds,mem ′〉 α′−_ 〈c′′,mds ′,mem ′′〉,
− 〈c′1,mds ′,mem ′1〉 ∼mm 〈c′′,mds ′,mem ′′〉,
− ](thr1) = ](thr ′), and
− 〈thr1[i],mdss1[i],mem ′1〉 ∼mm 〈thr ′[i],mdss ′[i],mem ′′〉 for all i ∈ {1, . . . , ](thr1)}.
It follows with 〈c′,mds,mem ′〉 ∼mm 〈c2,mds,mem2〉 that there exist c′2, mem ′2, and
α2 = new(thr2,mdss2) such that the following conditions are satisfied:
− 〈c2,mds,mem2〉 α2−_ 〈c′2,mds ′,mem ′2〉,
− 〈c′′,mds ′,mem ′′〉 ∼mm 〈c′2,mds ′,mem ′2〉,
− ](thr ′) = ](thr2), and
− 〈thr ′[i],mdss ′[i],mem ′′〉 ∼mm 〈thr2[i],mdss2[i],mem ′2〉 for all i ∈ {1, . . . , ](thr ′)}.
Hence, 〈c′1,mds ′,mem ′1〉 R 〈c′2,mds ′,mem ′2〉 and, for all i ∈ {1, . . . , ](thr1)},
〈thr1[i],mdss1[i],mem ′1〉 ∼mm 〈thr2[i],mdss2[i],mem ′2〉.
This concludes the proof that R is a strong low bisimulation modulo modes.
To show that ∼mm is transitive, assume that tcm1 ∼mm tcm2 and tcm2 ∼mm tcm3.
Then tcm1 R tcm3. Since R is a strong low bisimulation modulo modes, it follows that
tcm1 ∼mm tcm3.
A.6 Compositionality and Scheduler-independence Result
for SIFUM-security
This appendix contains the proofs of the lemmas and theorems that are used for proving
compositionality and scheduler independence of SIFUM-security (Theorem 4.3).
We firstly establish a result on the possible transitions of a command that does not
read any variable in a given set of variables X ⊆ Var . For this result and also in the
remainder of this section we use the notation introduced in the following definition.
Definition A.1. Given two partial functions f, g : X ⇀ Y we write f ≤ g if and only if
f = g|dom(f). Moreover, we write f [g] for the function f [x 7→ g(x ) | x ∈ dom(g)]. ♦
Lemma A.11. Let c, c′ ∈ Com, mds,mds ′ ∈ Mds, mem,mem ′ ∈ Mem, and α ∈ Labm
such that 〈c,mds,mem〉 α−_ 〈c′,mds ′,mem ′〉. Let X ⊆ Var such that c does not read x
for all x ∈ X. Then there exists a family of partial functions (gf )f∈{f :Var⇀Val|dom(f)=X}
with the following properties:
130 Appendix A. Detailed Proofs
1. gf ≤ f for all f : Var ⇀ Val with dom(f) = X,
2. dom(gf ) = dom(gf ′) for all f, f
′ : Var ⇀ Val with dom(f) = X, and
3. 〈c,mds,mem[f ]〉 α−_ 〈c′,mds ′,mem ′[gf ]〉 for all f : Var ⇀ Val with dom(f) = X. ♦
Intuitively, the variables in the domain of the functions gf are those variables in X that
are not modified in the execution step, and the remaining variables in X are those that
are modified in the execution step.
Proof. The proof is by induction on
∣∣X∣∣.
Induction basis: Assume that
∣∣X∣∣ = 0. Then X = {}. There is exactly one partial
function f : {} ⇀ Val . This function has the property that mem[f ] = mem for all
mem ∈ Mem. Define gf = f . Then all properties stated by the lemma are satisfied.
Induction step: Assume that
∣∣X∣∣ > 0. Then there exists x ∈ X. Define X = X \ {x}.
Then
∣∣X∣∣ < ∣∣X∣∣. Let (gf )f∈{f :Var⇀Val|dom(f)=X} be the family of partial functions that
exists due to the induction hypothesis for X.
Based on this family we now define the family (gf )f∈{f :Var⇀Val|dom(f)=X} and show
that all properties stated by the lemma for this family are satisfied.
Let f : Var ⇀ Val with dom(f) = X and define f = f |X . Then, by the properties of
the functions gf , 〈c,mds,mem[f ]〉 α−_ 〈c′,mds ′,mem ′[gf ]〉. Since x ∈ X, c does not read
x, and, hence, one of the following two conditions is satisfied:
(1) ∀v ∈ Val : 〈c,mem[f ][x 7→ v ]〉 α−_ 〈c′,mem ′[gf ][x 7→ v ]〉, or
(2) ∀v ∈ Val : 〈c,mem[f ][x 7→ v ]〉 α−_ 〈c′,mem ′[gf ]〉.
If Condition (2) is satisfied and Condition (1) is not satisfied then we define gf = gf .
Moreover, if Condition (1) is satisfied we define gf as the partial function with dom(gf ) =
dom(gf ) ∪ {x}, gf (x ) = gf (x ) for x ∈ X, and gf (x ) = f(x ).
Since mem[f ] = mem[f ][x 7→ f(x)], if Condition (1) is satisfied it follows that
〈c,mem[f ]〉 α−_ 〈c′,mem ′[gf ][x 7→ f(x)]〉 = 〈c′,mem ′[gf ]〉. Moreover, if Condition (2) is
satisfied it follows that 〈c,mem[f ]〉 α−_ 〈c′,mem ′[gf ]〉 = 〈c′,mem ′[gf ]〉. Hence, in both
cases 〈c,mds,mem[f ]〉 α−_ 〈c′,mds ′,mem ′[gf ]〉, i.e., property (3) required by the lemma
is satisfied.
From the properties of the functions gf it follows that gf ≤ f for all f : Var ⇀ Val
with dom(f) = X, it follows from the construction of the family (gf )f :X⇀Val that gf ≤ f
for all f : X ⇀ Val (because either x 6∈ dom(gf ) or gf (x ) = f(x )). I.e., Property (1)
required by the lemma is satisfied.
Let f, f ′ : Var ⇀ Val with dom(f) = dom(f ′) = X, and assume that Condition (1) is
not satisfied for f = f |X (i.e., Condition (2) is satisfied for f), and that Condition (1) is
satisfied for f
′
= f ′|X . Assume that there are mem ′,mem with mem ′(x ) 6= mem(x ) and
〈c,mds,mem〉 α−_ 〈c′,mds ′,mem ′〉. By Condition (1) for f ′ it follows that 〈c,mem[f ]〉 α−_
〈c′,mem ′[gf ][x 7→ mem(x )]〉. By Condition (2) for f it follows that 〈c,mem[f ]〉 α−_
〈c′,mem ′[gf ]〉. But this contradicts that 〈c,mds,mem[f ]〉 α−_ 〈c′,mds ′,mem ′[gf ]〉 and
〈c,mds,mem[f ′]〉 α−_ 〈c′,mds ′,mem ′[gf ′ ]〉 by the properties of the functions gf . Hence,
if 〈c,mds,mem〉 α−_ 〈c′,mds ′,mem ′〉 then mem ′(x ) = mem(x ). But then Condition (1)
is satisfied for f .
Hence, for f, f ′ : Var ⇀ Val with dom(f) = dom(f ′) = X the same case in the
construction of gf applies, and, hence, it follows from the construction of gf and the
A.6. Compositionality and Scheduler-independence Result for SIFUM-security 131
properties of the functions gf that dom(gf ) = dom(gf ′) for all f, f
′ : Var ⇀ Val with
dom(f) = X. I.e., Property (2) required by the lemma is satisfied.
Proof of Lemma 4.1. Since the lists of memories mems1 and mems2 make the thread
configurations 〈thr1,mdss,mem1〉 and 〈thr2,mdss,mem2〉 compatible with strong low
bisimulation modulo modes, Items (1)–(3) from Definition 4.18 hold for mems1, mems2,
〈thr1,mdss,mem1〉, and 〈thr2,mdss,mem2〉.
Let n be the length of thr1 and thr2 (i.e., n = ](thr1), which by assumption equals
](thr2)). If n = 0 then there is nothing to prove, since Lemma 4.1 makes a statement
about all i ∈ {1, . . . , ](thr1)}. Assume hence that n 6= 0. Let i ∈ {1, . . . , n} and x ∈ Xi.
Since x ∈ Xi, by Item (2) in Definition 4.18 it follows that
(a) x ∈ L and
(b) mem1(x ) 6= mem2(x ).
Moreover, since n 6= 0, by Item (3) in Definition 4.18 there exists j ∈ {1, . . . , n} such that
x 6∈ Xj (where j 6= i because x ∈ Xi). By Item (1) in Definition 4.18 the following holds
for all f : Var ⇀ Val with dom(f) = Xj :
(c) 〈thr1[j],mdss[j],mems1[j][x 7→ f(x) | x ∈ Xj ]〉 ∼mm 〈thr2[j],mdss[j],mems2[j][x 7→
f(x) | x ∈ Xj ]〉
I.e., using the more compact notation from Definition A.1:
(d) 〈thr1[j],mdss[j],mems1[j][f ]〉 ∼mm 〈thr2[j],mdss[j],mems2[j][f ]〉
Let f : Var ⇀ Val be a partial function with dom(f) = Xj . It follows from (d) and the
definition of strong low bisimulations modulo modes that
(e) mems1[j][f ] =
mdss[j]
L mems2[j][f ].
It follows from x 6∈ Xj and dom(f) = Xj that
(f) mems1[j][f ](x ) = mems1[j](x ) and mems2[j][f ](x ) = mems2[j](x ).
Assume that x 6∈ mdss[j](asm-no-r). Then it follows with x 6∈ Xj , x ∈ L (see (a)),
(e), and (f) that mems1[j](x ) = mems2[j](x ). Since x 6∈ Xj we have mems1[j](x ) =
mem1(x )∧mems2[j](x ) = mem2(x ), and, hence, it follows that mem1(x ) = mem2(x ). But
mem1(x ) 6= mem2(x ) (see (b)), and, hence, our assumption that x 6∈ mdss[j](asm-no-r)
must be wrong. Hence,
(g) x ∈ mdss[j](asm-no-r) .
The list of mode states mdss has compatible modes (cf. Definition 4.10) because
(thr1,mdss) has sound modes by assumption. Hence,
(h) x ∈ mdss[i](guar -no-r)
follows from (g). Moreover, the configuration 〈thr1[i],mdss [i],mem1〉 respects guarantees
because 〈thr1,mdss,mem1, sst〉 has sound modes. Hence, due to (h), thr1[i] does not
read x . With the same argument it follows that thr2[i] does not read x because (thr2,mdss)
has sound modes.
Proof of Lemma 4.2. Let n be the length of thr1 and thr2. Define Xi = {x ∈ Var |
mems1[i](x ) 6= mem1(x ) ∨ mems2[i](x ) 6= mem2(x )} for all i ∈ {1, . . . , n}. Then the
following holds by Lemma 4.1:
(a) For all i ∈ {1, . . . , n}, if x ∈ Xi then thr1[i] and thr2[i] do not read x .
132 Appendix A. Detailed Proofs
We now show that there exist thr ′2 with ](thr
′
1) = ](thr
′
2) and mem
′
2 such that
〈thr2,mdss,mem2, sst〉 k,p=⇒S 〈thr ′2,mdss ′,mem ′2, sst ′〉. Since
〈thr1,mdss,mem1, sst〉 k,p=⇒S 〈thr ′1,mdss ′,mem ′1, sst ′〉
there exist c′1 ∈ Com, mds ′ ∈ Mds, and α1 = new(thr ′′1 ,mdss ′′) ∈ Labm with
(b1) 〈thr1[k],mdss[k],mem1〉 α1−_ 〈c′1,mds ′,mem ′1〉,
(b2) thr ′1 = updatek(thr1, c
′
1, thr
′′
1),
(b3) mdss ′ = updatek(mdss,mds
′,mdss ′′), and
(b4) (sst , sin)
k,p S sst ′ where sin = obs(thr1,mem1).
Due to (a) thr1[k] does not read x if x ∈ Xk. Hence, by (b1) and Lemma A.11 there
exists a family of partial functions (g1f )f ∈{f :Var⇀Val|dom(f) =Xk} such that
(c1) g1f ≤ f for all f : Var ⇀ Val with dom(f) = Xk,
(c2) dom(g1f ) = dom(g
1
f ′) for all f, f
′ : Var ⇀ Val with dom(f) = dom(f ′) =Xk, and
(c3) 〈thr1[k],mdss[k],mem1[f ]〉 α1−_ 〈c′1,mds ′,mem ′1[g1f ]〉 for all f : Var ⇀ Val with
dom(f) = Xk.
By the definition of Xk, mems1[k][f ] = mem1[f ] for all f : Var ⇀ Val with dom(f) =
Xk, and, hence, by (c3) 〈thr1[k],mdss[k],mems1[k][f ]〉 α1−_ 〈c′1,mds ′,mem ′1[g1f ]〉 for all
such f . Moreover, 〈thr1[k],mdss[k],mems1[k][f ]〉 ∼mm 〈thr2[k],mdss[k],mems2[k][f ]〉
for all such f follows from Item 3 in Definition 4.18. Hence, by the definition of strong
low bisimulations modulo modes for all such f there exist cf , αf = new(thrf ,mdssf ),
and memf such that
(d1) 〈thr2[k],mdss[k],mems2[k][f ]〉 αf−−_ 〈cf ,mds ′,memf 〉,
(d2) 〈c′1,mds ′,mem ′1[g1f ]〉 ∼mm 〈cf ,mds ′,memf 〉,
(d3) ](thr ′′1) = ](thrf ), and
(d4) 〈thr ′′1 [j],mdss ′′2 [j],mem ′1[g1f ]〉 ∼mm 〈thrf [j],mdss ′′2 [j],memf 〉 for all
j ∈ {1, . . . , ](thr ′′1)}.
The set {f : Var ⇀ Val | dom(f) =Xk} is non-empty, let h be an element of the set. Due
to (a) thr2[k] does not read x if x ∈ Xk. Hence, by (d1) and Lemma A.11 there exists a
family of partial functions (g2f )f∈{f :Var⇀Val|dom(f)=Xk} such that
(e1) g2f ≤ f for all f : Var ⇀ Val with dom(f) = Xk,
(e2) dom(g2f ) = dom(g
2
f ′) for all f, f
′ : Var ⇀ Val with dom(f) = dom(f ′) = Xk, and
(e3) 〈thr2[k],mdss[k],mems2[k][h][f ]〉 αh−−_ 〈ch,mds ′,memh[g2f ]〉 for all f : Var ⇀ Val
with dom(f) = Xk.
Since mem[h][f ] = mem[f ] for all memories mem and all partial functions f and h with
dom(f) = dom(h) = Xk it follows from (e3) that
(f) 〈thr2[k],mdss[k],mems2[k][f ]〉 αh−−_ 〈ch,mds ′,memh[g2f ]〉 for all f : Var ⇀ Val with
dom(f) = Xk.
Hence, it follows from (d1), (f), and Requirement 2.2 (determinism of transitions of
commands) that ch = cf and αf = αh for all f, h : Var ⇀ Val with dom(f) = dom(h) =
Xk. We denote this command and this label with c
′
2 and α2 = new(thr
′′
2 ,mdss
′
2) in the
following. Moreover, it follows that memf = memh[g
2
f ], and we can hence rewrite (d4) as
follows:
(g) 〈c′1,mds ′,mem ′1[g1f ]〉 ∼mm 〈c′2,mds ′,memh[g2f ]〉
A.6. Compositionality and Scheduler-independence Result for SIFUM-security 133
We define
(h) mem ′2 = memh[g
2
mem2 |Xk
].
It follows from the definition of Xk that mem2 = mems2[k][mem2 |Xk ]. Hence, by (f)
and (h),
(i) 〈thr2[k],mdss[k],mem2〉 α2−_ 〈c′2,mds ′,mem ′2〉.
Since 〈thr1,mdss,mem1, sst〉 has sound modes it follows that 〈thr1[k],mdss [k],mem1〉 is
compatible with obs. Hence, since S is confined to L, it follows from ](thr1) = ](thr2)
and (a) that obs(thr1,mem1) = obs(thr2,mem2). Hence, it follows from (b4) that
(sst , sin)
k,p S sst ′ for sin = obs(thr2,mem2). We define thr ′2 = updatek(thr2, c′2, thr ′′2).
Then 〈thr2,mdss,mem2, sst〉 k,p=⇒S 〈thr ′2,mdss ′,mem ′2, sst ′〉 by (i) and the definition of
mem ′2 in (h). Moreover, ](thr
′
1) = ](thr
′
2) by (d3), (d2), and the fact that configurations
with command stop are only related to configurations with command stop by ∼mm. We
denote ](thr ′1) by n
′. Moreover, we define X ′i = {x ∈ Var | mems ′1[i](x ) 6= mem ′1(x ) ∨
mems ′2[i](x ) 6= mem ′2(x )} for all i ∈ {1, . . . , n′}.
Note that due to (c2) and (e2) neither the domain of g1f nor the domain of g
2
f depends
on f . Hence, we may omit the subscript, and we denote these two domains with dom(g1)
and dom(g2) in the following.
It remains to define mems ′1 and mems
′
2 and to show that they make 〈thr ′1,mds ′,mem ′1〉
and 〈thr ′2,mds ′,mem ′2〉 compatible with strong low bisimulation modulo modes. We firstly
define the lists of memories and show that Items (1) and (2) in Definition 4.18 are satisfied
for mem ′1,mem
′
2,mems
′
1, and mems
′
2, distinguishing three cases: (a) that i = k is the
index of the thread that performed the execution step and did not terminate after the
execution step, (b) that i is the index of a spawned thread, and (c) that i is the index
of some other thread. (We show that Item (3) in Definition 4.18 is also satisfied for
mem ′1,mem
′
2,mems
′
1, and mems
′
2 afterwards.)
We consider firstly the thread index k in case that the thread at this index did not
terminate in the considered execution step, i.e., c′1 6= stop.
We define mems ′1[k] and mems
′
2[k] as follows:
(j1) If x 6∈ Xk then mems ′1[k](x ) = mem ′1(x ) and mems ′2[k](x ) = mem ′2(x ).
(j2) If x ∈ Xk and x 6∈ dom(g1) ∨ x 6∈ dom(g2) then mems ′1[k](x ) = mem ′1(x ) and
mems ′2[k](x ) = mem
′
2(x ).
(j3) If x ∈ Xk and x ∈ dom(g1) ∧ x ∈ dom(g2) then mems ′1[k](x ) = mems1[k](x ) and
mems ′2[k](x ) = mems2[k](x ).
We now show that Item (2) in Definition 4.18 is satisfied for i = k, i.e., that [mem ′1(x ) =
mem ′2(x ) ∨ x ∈ H ]⇒ x 6∈ X ′k for all x ∈ Var .
− If x 6∈ Xk, if x 6∈ dom(g1), or if x 6∈ dom(g2) then x 6∈ X ′k by the definition of
mems ′1[k] and mems
′
2[k] in (j1) and (j2).
− Assume that x ∈ Xk, x ∈ dom(g1) and x ∈ dom(g2). We show that this leads to a
contradiction if [mem ′1(x ) = mem
′
2(x ) ∨ x ∈ H ] is satisfied.
Setting f = mem1 |Xk in (c3) 〈thr1[k],mdss [k],mem1〉
α1−_ 〈c′1,mds ′,mem ′1[g1mem1 |Xk ]〉
holds. Then, due to (b1) and Requirement 2.2, mem ′1 = mem
′
1[g
1
mem1 |Xk
]. In conse-
134 Appendix A. Detailed Proofs
quence, mem ′1(x ) = mem1(x ) because x ∈ dom(g1).
Setting f = mem2 |Xk in (f) 〈thr1[k],mdss [k],mem2〉
α2−_ 〈c′2,mds ′,mem ′2[g2mem2 |Xk ]〉
holds. Then, due to (i) and Requirement 2.2, mem ′2 = mem
′
2[g
2
mem2 |Xk
]. In conse-
quence, mem ′2(x ) = mem2(x ) because x ∈ dom(g2).
With mem ′1(x ) = mem
′
2(x ) it follows from mem
′
1(x ) = mem1(x ) and mem
′
2(x ) =
mem2(x ) that mem1(x ) = mem2(x ). I.e., if mem
′
1(x ) = mem
′
2(x ) ∨ x ∈ H then
mem1(x ) = mem2(x ) ∨ x ∈ H . Hence, it follows from Item (2) in Definition 4.18 for
mem1,mem2,mems1, and mems2 that x 6∈ Xk, a contradiction to x ∈ Xk.
We now show that Item (1) in Definition 4.18 is satisfied for i = k, i.e., we show that
〈thr ′1[k],mdss ′[k],mems ′1[k][f ]〉 ∼mm 〈thr ′2[k],mdss ′[k],mems ′2[k][f ]〉 for all f : Var ⇀
Val with dom(f) = X ′k. Let such a function f be given. We lead the proof by defining a
function f∗ : Var ⇀ Val with dom(f∗) = Xk such that mems ′1[k][f ] = mem
′
1[g
1
f∗ ] and
mems ′2[k][f ] = memh[g
2
f∗ ], from which the statement we have to prove follows from (g).
We define the function f∗ : Var ⇀ Val with dom(f∗) = Xk as follows, where v ∈ Val
is an arbitrary value:
f∗(x ) =

f(x) x ∈ X ′k
mems ′1[k](x ) x 6∈ X ′k ∧ x ∈ dom(g1)
mems ′2[k](x ) x 6∈ X ′k ∧ x ∈ dom(g2)
v x ∈ Xk \ (X ′k ∪ dom(g1) ∪ dom(g2))
The function f∗ is well-defined because if x ∈ dom(f∗) and x 6∈ X ′k then x can-
not be contained in both dom(g1) and dom(g2), and, hence, for each x ∈ dom(f∗)
exactly one of the four cases in the definition of f∗ applies. To show this, assume
that x ∈ dom(f∗), x 6∈ X ′k, and x ∈ dom(g1) ∩ dom(g2). As shown above (when prov-
ing that Item (2) in Definition 4.18 is satisfied for i = k), it follows that mem ′1(x ) =
mem1(x ) and mem
′
2(x ) = mem2(x ). Moreover, by (j3), mems
′
1[k](x ) = mems1[k](x )
and mems ′2[k](x ) = mems2[k](x ). But then it follows with x 6∈ X ′k that x 6∈ Xk, which
contradicts that x ∈ dom(f∗) = Xk.
We now show that mems ′1[k][f ] = mem
′
1[g
1
f∗ ]. Assume firstly that x ∈ X ′k. Then,
since dom(f) = X ′k, mems
′
1[k][f ](x ) = f(x ), and, hence, mems
′
1[k][f ](x ) = f
∗(x ) by
the definition of f∗. Moreover, by x ∈ X ′k and (j1)–(j3) it follows that x ∈ dom(g1).
Hence, g1f∗(x ) = f
∗(x ) by (c1) and, in consequence, f∗(x ) = mem ′1[g
1
f∗ ](x ). Thus,
mems ′1[k][f ](x ) = mem
′
1[g
1
f∗ ](x ). Assume secondly that x 6∈ X ′k. Then, since dom(f) =
X ′k, mems
′
1[k][f ](x ) = mems
′
1[k](x ). If x ∈ dom(g1) then mems ′1[k](x ) = f∗(x ) by the
definition of f∗, and, hence, mems ′1[k](x ) = g
1
f∗(x ) by (c1). Moreover, if x 6∈ dom(g1)
then mems ′1[k](x ) = mem
′
1(x ) by (j1) and (j2). Hence, mems
′
1[k](x ) = mem
′
1[g
1
f∗ ](x ). In
consequence,
(k) mems ′1[k][f ] = mem
′
1[g
1
f∗ ].
We now show that mems ′2[k][f ] = memh[g
2
f∗ ]. Assume firstly that x ∈ X ′k. Then,
since dom(f) = X ′k, mems
′
2[k][f ](x ) = f(x ), and, hence, mems
′
2[k][f ](x ) = f
∗(x ) by
the definition of f∗. Moreover, by x ∈ X ′k and (j1)–(j3) it follows that x ∈ dom(g2).
Hence, g2f∗(x ) = f
∗(x ) by (e1) and, in consequence, f∗(x ) = memh[g2f∗ ](x ). Thus,
mems ′2[k][f ] = memh[g
2
f∗ ](x ). Assume secondly that x 6∈ X ′k. Then, since dom(f) = X ′k,
mems ′2[k][f ](x ) = mems
′
2[k](x ). If x ∈ dom(g2) then mems ′2[k](x ) = f∗(x ) by the
A.6. Compositionality and Scheduler-independence Result for SIFUM-security 135
definition of f∗, and, hence, mems ′2[k](x ) = g
2
f∗(x ) by (e1). Moreover, if x 6∈ dom(g2)
then mems ′2[k](x ) = mem
′
2(x ) by (j1) and (j2). Hence, mems
′
2[k](x ) = mem
′
2[g
2
f∗ ](x ). By
the definition of mem ′2, it follows that mems
′
2[k](x ) = memh[g
2
mem2 |Xk
][g2f∗ ](x ), which
equals memh[g
2
f∗ ](x ). In consequence,
(l) mems ′2[k][f ] = memh[g
2
f∗ ].
That 〈c′1,mds ′,mem ′1[f ]〉 ∼mm 〈c′2,mds ′,mem ′2[f ]〉 for all f : Var ⇀ Val with dom(f) =
X ′k follows now from (g), (k), and (l). Since thr
′
1[k] = c
′
1, thr
′
2[k] = c
′
2, and mdss
′[k] =
mds ′, it follows that
〈thr ′1[k],mdss ′[k],mem ′1[f ]〉 ∼mm 〈thr ′2[k],mdss ′[k],mem ′2[f ]〉
for all f : Var ⇀ Val with dom(f) = X ′k.
Now we consider the case that i is the index of a thread that was created in the
execution step.
Let s = ](thr ′′1)− r, where r = 0 if c′1 6= stop and r = 1 if c′1 = stop. That is, s is the
number by which the thread index of a thread with an index i > k before the execution
steps from thr1 to thr
′
1 and thr2 to thr
′
2, respectively, differs from its new index after
the execution step. We consider i ∈ {k + 1− r, . . . , k + ](thr ′′1)− r}, i.e., i is the index
of a thread that was spawned in the execution step. We define mems ′1[i] and mem
′
2[i]
exactly as the memories mems ′1[k] and mems
′
2[k] above. That Item (2) in Definition 4.18
is satisfied follows as in the case for i = k above. That Item (1) in Definition 4.18 is
satisfied, i.e., that 〈thr ′1[i],mdss ′2[i],mems ′1[i][f ]〉 ∼mm 〈thr ′2[i],mdss ′2[i],mems ′2[i][f ]〉 is
satisfied for all f : Var ⇀ Val with dom(f) = X ′i follows with the same argumentation
as in the case for i = k above, exploiting (d4) instead of (g) in the argument.
We finally consider i such that i < k or i > k + s, i.e., i is the index of a thread that
was in the thread pool before the execution step considered above and did not perform
that execution step. Without loss of generality, we assume that i < k (for i > k + s the
remaining argumentation is the same but for shifts of the index by s).
We define mems ′1[i] and mems
′
2[i] as follows:
(m1) If mem1(x ) 6= mem ′1(x ) ∨mem2(x ) 6= mem ′2(x ) and mem ′1(x ) = mem ′2(x ) ∨ x ∈ H
then mems ′1[i](x ) = mem
′
1(x ) and mem
′
2[i](x ) = mem
′
2(x ).
(m2) If mem1(x ) 6= mem ′1(x )∨mem2(x ) 6= mem ′2(x ) and mem ′1(x ) 6= mem ′2(x ) ∧ x ∈ L
then mems ′1[i](x ) = mem
′
2[i](x ) = v for some v ∈ Val .
(m3) If mem1(x ) = mem
′
1(x ) ∧ mem2(x ) = mem ′2(x ) then mems ′1[i](x ) = mems1[i](x )
and mem ′2[i](x ) = mems2[i](x ).
We show that Item (2) in Definition 4.18 is satisfied. The proof is by contraposition, i.e.,
assuming x ∈ X ′i we show that mem ′1(x ) 6= mem ′2(x ) and x ∈ L. If x ∈ X ′i the definition
of mems ′1[i](x ) and mem
′
2[i](x ) is by (m2) or by (m3), because otherwise x 6∈ X ′i holds.
If the definition is by (m2) then mem ′1(x ) 6= mem ′2(x ) and x ∈ L. Assume now that the
definition is by (m3). From x ∈ X ′i it follows that mems ′1[i](x ) 6= mem ′1(x )∨mem ′2[i](x ) 6=
mem ′2(x ). If mems
′
1[i](x ) 6= mem ′1(x ) then mems1[i](x ) 6= mem1(x ) because by (m3)
mem1(x ) = mem
′
1(x ) and mems1[i](x ) = mems
′
1[i](x ). Moreover, if mems2[i]
′(x ) 6=
mem ′2(x ) then mems2[i](x ) 6= mem2(x ) because by (m3) mem1(x ) = mem ′1(x ) and
mems1[i](x ) = mems
′
1[i](x ). Hence, x ∈ Xi. Then, because mems1 and mems2 make
〈thr1,mdss1,mem1〉 and 〈thr2,mdss2,mem2〉 compatible with strong low bisimulation
136 Appendix A. Detailed Proofs
modulo modes, x ∈ L ∧ mem1(x ) 6= mem2(x ). But then, because by (m3) mem1(x ) =
mem ′1(x ) ∧ mem2(x ) = mem ′2(x ), it follows that x ∈ L ∧ mem ′1(x ) 6= mem ′2(x ).
We now show that Item (1) in Definition 4.18 is satisfied, i.e.,
〈thr ′1[i],mdss ′[i],mems ′1[i][f ]〉 ∼mm 〈thr ′2[i],mdss ′[i],mems ′2[i][f ]〉
holds for all f : Var ⇀ Val with dom(f) = X ′i. By (b2), (b3), and the defini-
tion of thr ′2 this means that we have to show that 〈thr1[i],mdss[i],mems ′1[i][f ]〉 ∼mm
〈thr2[i],mdss[i],mem ′2[i][f ]〉 for all f : Var ⇀ Val with dom(f) = X ′i. Let such a
function f be given.
We define a function f∗ : Var ⇀ Val with dom(f∗) = Xi as follows:
(n1) If x ∈ Xi ∩X ′i then f∗(x ) = f(x ).
(n2) If x ∈ Xi \X ′i then f∗(x ) = mem ′1(x )
We show that if mems ′1[i][f ](x ) 6= mems1[i][f∗](x ) or if mem ′2[i][f ](x ) 6= mems2[i][f∗](x )
for x ∈ Var then mem ′1(x ) 6= mem1(x ) or mem ′2(x ) 6= mem2(x ). The proof is by
contraposition. Assume that mem ′1(x ) = mem1(x ) and mem
′
2(x ) = mem2(x ). Then
the definition of mems ′1[i](x ) and mem
′
2[i](x ) is by (m3) because (m1) and (m2) require
that mem1(x ) 6= mem ′1(x ) ∨mem2(x ) 6= mem ′2(x ). I.e., mems ′1[i](x ) = mems1[i](x ) and
mem ′2[i](x ) = mems2[i](x ).
We distinguish the cases x ∈ X ′i and x 6∈ X ′i. Assume firstly that x ∈ X ′i,
i.e., mems ′1[i](x ) 6= mem ′1(x ) ∨ mem ′2[i](x ) 6= mem ′2(x ). With mem1(x ) = mem ′1(x ),
mem2(x ) = mem
′
2(x ), mems
′
1[i](x ) = mems1[i](x ) and mem
′
2[i](x ) = mems2[i](x ) it
follows that mems1[i](x ) 6= mem1(x ) ∨ mems2[i](x ) 6= mem2(x ), i.e., x ∈ Xi. Hence,
mems ′1[i][f ](x ) = mems1[i][f
∗](x ) ∧ mem ′2[i][f ](x ) = mems2[i][f∗](x ) by (n1).
Assume now that x 6∈ X ′i, i.e., mems ′1[i](x ) = mem ′1(x ) and mem ′2[i](x ) = mem ′2(x ).
With mem1(x ) = mem
′
1(x ), mem2(x ) = mem
′
2(x ), mems
′
1[i](x ) = mems1[i](x ) and
mem ′2[i](x ) = mems2[i](x ) it follows that mems1[i](x ) = mem1(x ) ∧ mems2[i](x ) =
mem2(x ), i.e., x 6∈ Xi. Hence mems ′1[i][f ](x ) = mems1[i][f∗](x ) and mem ′2[i][f ](x ) =
mems2[i][f
∗](x ) because mems ′1[i](x ) = mems1[i](x ) and mem
′
2[i](x ) = mems2[i](x ).
I.e., we have shown the following implication:
(o) For all x ∈ Var , mems ′1[i][f ](x ) 6= mems1[i][f∗](x )∨mem ′2[i][f ](x ) 6= mems2[i][f∗](x )
implies mem ′1(x ) 6= mem1(x ) or mem ′2(x ) 6= mem2(x ).
Let x be such that mems ′1[i][f ](x ) 6= mems1[i][f∗](x ) or mem ′2[i][f ](x ) 6= mems2[i][f∗](x ).
Then, by (o), (b1), and (i), “thr1[k] does not write x“ and “thr2[k] does not write x“ are
not both satisfied. Since 〈thr1,mdss,mem1, sst〉 and 〈thr2,mdss,mem2, sst〉 have sound
modes it follows that x 6∈ mdss[k](guar -no-w), and, hence, x 6∈ mdss[i](asm-no-w). I.e.,
the following holds:
(p) For all x ∈ Var , mems ′1[i][f ](x ) 6= mems1[i][f∗](x )∨mem ′2[i][f ](x ) 6= mems2[i][f∗](x )
implies x 6∈ mdss[i](asm-no-w).
We now show that if mems ′1[i][f ](x ) 6= mems1[i][f∗](x )∨mem ′2[i][f ](x ) 6= mems2[i][f∗](x ),
x ∈ L, and x 6∈ X ′i then mem ′1(x ) = mem ′2(x ). If the definition of mems ′1[i](x ) and
mem ′2[i](x ) is by (m1) then mem
′
1(x ) = mem
′
2(x ) holds because x ∈ L. If the definition
is by (m2) then mems ′1[i](x ) = mem
′
2[i](x ), and, hence, mem
′
1(x ) = mem
′
2(x ) follows
with x 6∈ X ′i. Finally, the definition cannot be by (m3) because (m3) requires mem1(x ) =
mem ′1(x ) ∧ mem2(x ) = mem ′2(x ), which contradicts (p). I.e., we have shown the
following:
(q) For all x ∈ L, mems ′1[i][f ](x ) 6= mems1[i][f∗](x ) ∨mem ′2[i][f ](x ) 6= mems2[i][f∗](x )
and x 6∈ X ′i implies that mem ′1(x ) = mem ′2(x ).
A.6. Compositionality and Scheduler-independence Result for SIFUM-security 137
By Item (1) in Definition 4.18 for mem1,mem2,mdss1, and mdss2, the following holds:
〈thr1[i],mdss[i],mems1[i][f∗]〉 ∼mm 〈thr2[i],mdss[i],mems2[i][f∗]〉
Exploiting that ∼mm is closed under globally consistent changes, we derive that also
〈thr1[i],mdss[i],mems ′1[i][f ]〉 ∼mm 〈thr2[i],mdss[i],mems ′2[i][f ]〉.
To show this, we must show that we can adapt the values of mems1[i][f
∗] and mems2[i][f∗]
with a globally consistent change for all x with mems ′1[i][f ](x ) 6= mems1[i][f∗](x ) ∨
mem ′2[i][f ](x ) 6= mems2[i][f∗](x ). That x 6∈ mdss[i](asm-no-w) follows from (p). I.e.,
we can adapt the values if x ∈ H with globally consistent changes. For x ∈ L dis-
tinguish the cases that x ∈ X ′i and x 6∈ X ′i. If x ∈ X ′i then, since dom(f) = X ′i,
mems ′1[i][f ](x ) = mems
′
2[i][f ](x ) = f(x ), i.e., the value of x can be adapted with a globally
consistent change. If x 6∈ X ′i then, since dom(f) = X ′i, mems ′1[i][f ](x ) = mems ′1[i](x ) and
mems ′2[i][f ](x ) = mems
′
2[i](x ). Hence, by the definition of X
′
i, mems
′
1[i][f ](x ) = mem
′
1(x )
and mems ′2[i][f ](x ) = mem
′
2(x ). Moreover, by (q), mem
′
1(x ) = mem
′
2(x ), and, hence,
mems ′1[i][f ](x ) = mems
′
2[i][f ](x ). I.e., the value of x can be adapted with a globally
consistent change.
Finally, we show that Item (3) from Definition 4.18 is satisfied for mem ′1,mem
′
2,mems
′
1,
and mems ′2, i.e., that either n
′ = 0 and mem1 =L mem2, or that for every x ∈ Var there
exists some i ∈ {1, . . . , n′} such that x 6∈ X ′i. Let x ∈ Var . We distinguish the cases
that (a) mem1(x ) 6= mem ′1(x ) or mem2(x ) 6= mem ′2(x ) and (b) mem1(x ) = mem ′1(x )
and mem2(x ) = mem
′
2(x ).
Assume firstly that mem1(x ) 6= mem ′1(x ) or mem2(x ) 6= mem ′2(x ). If c′1 6= stop
then n′ > 0, and we show that x 6∈ X ′k: If the definition of mems ′1[k] and mems ′2[k] is
by (j1) or by (j2) then, by the definition of X ′k, x 6∈ X ′k. If the definition of mems ′1[k]
and mems ′2[k] is by (j3) then x ∈ dom(g1), x ∈ dom(g2), and x ∈ Xk. But then, as
established in the second item after (j3), mem ′1(x ) = mem1(x ) and mem
′
2(x ) = mem2(x ),
which contradicts our assumption that mem1(x ) 6= mem ′1(x ) or mem2(x ) 6= mem ′2(x ). If
c′1 = stop then mem
′
1 =L mem
′
2 because sound modes ensure that threads do not have
modes upon termination. Hence, if n′ = 0 then Item (3) holds. Assume that n′ > 0.
If threads have been spawned in the execution step then by the definition of mems ′1[i]
and mems ′2[i] if i is the index of a spawned thread then x 6∈ X ′i is satisfied. Assume now
that no threads were spawned. If x ∈ L then mem ′1(x ) = mem ′2(x ). In consequence, the
definition of mems ′1[i](x ) and mems
′
2[i](x ) is by (m1) for all x ∈ Var , and, hence, x ∈ Xi
for all x ∈ {1, . . . , n′}.
Assume secondly that mem1(x ) = mem
′
1(x ) and mem2(x ) = mem
′
2(x ). By assumption
there exists i ∈ {1, . . . , n} such that x 6∈ Xi. If i 6= k then x 6∈ X ′i by the definition of
mems ′1[i] and mems
′
2[i] in (m3). Assume that i = k. If c
′
1 6= stop then x 6∈ X ′k by the
definition of mems ′1[k] and mems
′
2[k] in (j1)–(j3). If c
′
1 = stop we conclude as in the
previous case (using that mem ′1 =L mem
′
2).
Hence, Item (3) from Definition 4.18 is also satisfied for mem ′1,mem
′
2,mems
′
1, and
mems ′2, which concludes the proof.
Proof of Theorem 4.4. The proof is by induction on k. In the remainder of the proof,
we write s1,k =
∑
mem′∈[mem]LO ρS({(str , dtr) ∈ TS(sc1)⇓mem′ | ](str) = k}) and s2,k =
138 Appendix A. Detailed Proofs
∑
mem′∈[mem]LO ρS({(str , dtr) ∈ TS(sc2)⇓mem′ | ](str) = k}). Moreover, we write n for
the length of the thread pools thr1 and thr2 (by assumption, ](thr1) = ](thr2)).
Induction basis. Assume that k = 1. We distinguish between the case that sc1 is final
and the case that sc1 is not final.
If sc1 is final then n = 0. Moreover, the set {(str , dtr) ∈ TS(sc1)⇓mem′ | ](str) = 1}
equals {(〈sc1〉, 〈〉)} if mem1 = mem ′ and the set equals {} if mem1 6= mem ′. Hence,
s1,1 = 1 if mem1 =LO mem and s1,1 = 0 if mem1 6=LO mem. Moreover, sc2 is final
because n = 0. Hence, the set {(str , dtr) ∈ TS(sc2)⇓mem′ | ](str) = 1} equals {(〈sc2〉, 〈〉)}
if mem2 = mem
′ and {} if mem2 6= mem ′. Hence, s2,1 = 1 if mem2 =LO mem and
s2,1 = 0 if mem2 6=LO mem. It follows from n = 0 and the fact that mems1 and mem2
make 〈thr1,mdss,mem1〉 and 〈thr2,mdss,mem2〉 compatible with strong low bisimulation
modulo modes (Item (2) in Definition 4.18) that mem1 =L mem2. With LO ⊆ L it
hence follows that mem1 =LO mem2. In consequence, mem1 =LO mem if and only if
mem2 =LO mem, and, hence, s1,1 = s2,1.
Assume now that sc1 is not final. Then {(str , dtr) ∈ TS(sc1)⇓mem′ | ](str) = 1} = {}
for all mem ′ ∈ Mem, and, hence, s1,1 = 0. Moreover, since sc1 is not final it follows
from Lemma 4.2 that sc2 is not final (because the possibility of a step of sc1 implies the
possibility of a step of sc2 by Lemma 4.2). In consequence, {(str , dtr) ∈ TS(sc2)⇓mem′ |
](str) = 1} = {} for all mem ′ ∈ Mem, and, hence, s2,1 = 0. Thus, s1,1 = s2,1.
Induction step. Assume that k > 1.
Define A1 = {(sc, j, p) | sc1 j,p=⇒S sc} and A2 = {(sc, j, p) | sc2 j,p=⇒S sc}. Then the
following equality is satisfied due to Lemma A.9:
ρS({(str , dtr) ∈ TS(sc1)⇓mem′ | ](str) = k}) =∑
(sc,j,p)∈A1
[p ∗ ρS({(str , dtr) ∈ TS(sc)⇓mem′ | ](str) = k − 1})
By summing up this equation for each mem ′ ∈ [mem]LO we hence obtain the equation
s1,k =
∑
mem′∈[mem]LO
∑
(sc,j,p)∈A1
[p ∗ ρS({(str , dtr) ∈ TS(sc)⇓mem′ | ](str) = k − 1})].
Analogously, for the system configuration sc2 we obtain the equation
s2,k =
∑
mem′∈[mem]LO
∑
(sc,j,p)∈A2
[p ∗ ρS({(str , dtr) ∈ TS(sc)⇓mem′ | ](str) = k − 1})].
By Lemma 4.2, the sets A1 and A2 are in one-to-one correspondence, where an element
(sc, j, p) ∈ A1 corresponds to some element (sc′, j, p). Moreover, by Lemma 4.2 the
assumptions of this theorem are also satisfied for for corresponding sc and sc′. Hence,
applying the induction hypothesis yields s1,k = s2,k.
A.7 Security Type System for SIFUM-security
This appendix contains the soundness proofs for the type systems for SIFUM-security
from Section 4.5.
In the proofs, we denote the set of mode states that are consistent with the partial
environment Λ with cons(Λ), and the set of mode states that are consistent with the
dependent partial environment ∆ with cons(∆).
A.7. Security Type System for SIFUM-security 139
Proof of Theorem 4.6. The proof is by induction on the derivation of ` Λ {c} Λ′.
− [ANNO]: Assume that ` Λ {c} Λ′ is derived with the rule [ANNO]. Then c = //ann// c1
for some annotation ann and some command c1 and ` Λ′′ {c1} Λ′ is derivable where
Λ′′ = adjust-pe(Λ, ann).
Since 〈c,mds,mem〉 α−_ 〈c′,mds ′,mem ′〉, it follows from the operational semantics
that 〈c1,mds-update(mds, ann),mem〉 α−_ 〈c′,mds ′,mem ′〉. Since ` Λ′′ {c1} Λ′ is
derivable by the induction hypothesis there exists Λ′′′ such that ` Λ′′′ {c′} Λ′ is
derivable, and if mds-update(mds, ann) ∈ cons(Λ′′) then mds ′ ∈ cons(Λ′′).
Moreover, mds-update(mds, ann)∈ cons(Λ′′) follows from mds ∈ cons(Λ) with the
definitions of adjust-pe and mds-update and the equality Λ′′ = adjust-pe(Λ, ann).
Hence, if mds ∈ cons(Λ) then mds ′ ∈ cons(Λ′′′).
− [STOP]: Assume that ` Λ {c} Λ′ is derived with the rule [STOP]. Then c = stop,
and, hence, nothing needs to be shown.
− [SKIP]: Assume that ` Λ {c} Λ′ is derived with the rule [SKIP]. Then c = skip and
Λ = Λ′. Since c = skip it follows that c′ = stop and mds ′ = mds . Hence, ` Λ {c′} Λ′
is derivable with rule [STOP] because Λ = Λ′. Moreover, if mds ∈ cons(Λ) then
mds ′ ∈ cons(Λ) because mds ′ = mds.
− [ASS1] and [ASS2]: Assume that ` Λ {c} Λ′ is derived with rule [ASS1] or rule
[ASS2]. Then c = x :=e, and Λ
′ is such that dom(Λ) = dom(Λ′). Since c = x :=e
it follows that c′ = stop and mds ′ = mds. By typing rule [STOP] ` Λ′ {c′} Λ′
is derivable. Moreover, since dom(Λ) = dom(Λ′) and mds ′ = mds it follows from
mds ∈ cons(Λ) that mds ′ ∈ cons(Λ′).
− [IF]: Assume that ` Λ {c} Λ′ is derived with the rule [IF]. Then c = if e then c1 else c2 fi,
` Λ {c1} Λ′, and ` Λ {c2} Λ′.
Then, by the operational semantics for conditionals, c′ = c1 or c′ = c2 and mds ′ =
mds. In both cases, ` Λ {c′} Λ′ is derivable, and mds ∈ cons(Λ)⇒ mds ′ ∈ cons(Λ)
is satisfied as mds = mds ′.
− [WHILE]: Assume that ` Λ {c} Λ′ is derived with the rule [WHILE]. Then c =
while e do c1 od, Λ
′ = Λ, and ` Λ {c1} Λ.
By the definition of the operational semantics for while loops it follows that c′ =
if e then c1; c else stop fi and that mds = mds
′.
Since ` Λ {c1} Λ and ` Λ {c} Λ are derivable, ` Λ {c1; c} Λ is derivable by rule
[SEQ]. Then, since Λ〈·〉 ` e : low and ` Λ {stop} Λ is derivable, the judgment
` Λ {if e then c1; c else stop fi} Λ is derivable by rule [IF], i.e., ` Λ {c′1} Λ is derivable.
Moreover, mds ∈ cons(Λ)⇒ mds ′ ∈ cons(Λ) is satisfied because mds = mds ′.
− [SEQ]: Assume that ` Λ {c} Λ′ is derived with the rule [SEQ]. Then c = c1; c2, and
there is an environment Λ′′ such that ` Λ {c1} Λ′′ and ` Λ′′ {c2} Λ′ are derivable.
We distinguish the cases c1 = stop and c1 6= stop.
Assume that c1 = stop. Then, by the operational semantics for sequential composition,
c′ = c2 and mds = mds ′, and we conclude as ` Λ′′ {c2} Λ′ is derivable. Moreover,
since ` Λ {c1} Λ′′ can only have been derived with rules [SUB] and [STOP], Λ v Λ′′,
and, hence, dom(Λ) = dom(Λ′′). In consequence, mds ∈ cons(Λ)⇒ mds ′ ∈ cons(Λ′′)
is satisfied as mds = mds ′.
140 Appendix A. Detailed Proofs
Assume that c1 6= stop. Then, by the definition of the operational semantics for
sequential composition, there exists c′1 such that 〈c1,mds,mem1〉 α−_ 〈c′1,mds ′,mem ′1〉
and such that c′ = c′1; c2. By the induction hypothesis and ` Λ {c1} Λ′′ there exists
Λ′′′ such that ` Λ′′′ {c′1} Λ′′ is derivable, and if mds ∈ cons(Λ) then mds ′ ∈ cons(Λ′′′).
Hence, by rule [SEQ] and the derivability of ` Λ′′ {c2} Λ′, ` Λ′′′ {c} Λ′ is derivable.
− [SUB]: Assume that ` Λ {c} Λ′ is derived with the rule [SUB]. Then there are partial
environments Λ1 and Λ
′
1 such that ` Λ1 {c} Λ′1, Λ v Λ1, and Λ′1 v Λ′. Hence, by the
induction hypothesis, there exists a partial environment Λ′′ such that ` Λ′′ {c′} Λ′1
is derivable and if mds ∈ cons(Λ) then mds ′ ∈ cons(Λ′′). But then, by rule [SUB],
` Λ′′ {c′} Λ′ is derivable because Λ′1 v Λ′.
− [SPAWN]: Assume that ` Λ {c} Λ′ is derived with the rule [SPAWN]. Then c =
spawn(thr), Λ′ = Λ, c′ = stop, and mds ′ = mds, and we can conclude as in case for
rule [SKIP].
Proof of Theorem 4.7.
Outline: We construct a family of relations on thread configurations with modes consist-
ing of a relation for each partial environment Λ, (RΛ)Λ:Var⇀{low ,high}, such that
〈c,mds,mem1〉 RΛ′ 〈c,mds,mem2〉
and such that R = ⋃Λ:Var⇀{low ,high}RΛ is a strong low bisimulation modulo modes. In
consequence, 〈c,mds,mem1〉 ∼mm 〈c,mds,mem2〉 because ∼mm is the union of all strong
low bisimulations modulo modes.
We now construct the relation R. For defining R, we write mem1 =Λ mem2 if mem1(x ) =
mem2(x ) for all x ∈ Var with Λ〈x 〉 = low .
For each partial environment Λ′ we define RΛ′ = RΛ′1 ∪RΛ
′
2 ∪RΛ
′
3 , where
RΛ′1 = {(〈c,mds,mem1〉 , 〈c,mds,mem2〉) | ∃Λ :
` Λ {c} Λ′ ∧mds ∈ cons(Λ) ∧mem1 =Λ mem2},
RΛ′2 = {(〈c1,mds,mem1〉 , 〈c2,mds,mem2〉) |
〈c1,mds,mem1〉 ∼mm 〈c2,mds,mem2〉 ∧ [∀x ∈ dom(Λ′) : Λ′(x ) = high]
∧ [∃Λ1,Λ2 : ` Λ1 {c1} Λ′∧ ` Λ2 {c2} Λ′∧
mds ∈ cons(Λ1) ∧mds ∈ cons(Λ2)]}, and
RΛ′3 = {(〈c1; c,mds,mem1〉 , 〈c2; c,mds,mem2〉) | ∃Λ :
〈c1,mds,mem1〉 RΛ2 〈c2,mds,mem2〉∧ ` Λ {c} Λ′}.
We define R = ⋃Λ′:Var⇀{low ,high}RΛ′ .
We now show that 〈c,mds,mem1〉 R 〈c,mds,mem2〉 is satisfied.
It follows from the assumptions of the theorem that 〈c,mds,mem1〉 RΛ′1 〈c,mds,mem2〉.
Hence, 〈c,mds,mem1〉 R 〈c,mds,mem2〉 by the definition of R.
We now show that R is a strong low bisimulation modulo modes.
A.7. Security Type System for SIFUM-security 141
It follows from the definitions of RΛ′1 , RΛ
′
2 , and RΛ
′
3 that RΛ
′
is symmetric for each Λ′.
In consequence, R is symmetric.
To show that R is closed under globally consistent changes it suffices to show that
RΛ′ is closed under globally consistent changes for all Λ′. To show that RΛ′ is closed
under globally consistent changes assume that 〈c1,mds,mem1〉RΛ′〈c2,mds,mem2〉. We
must show that for all x ∈ Var with x 6∈ mds(asm-no-w) the following conditions are
satisfied:
(1) 〈c1,mds,mem1[x 7→ v ]〉 RΛ′ 〈c2,mds,mem2[x 7→ v ]〉 for all x ∈ L and all v ∈ Val
(2) 〈c1,mds,mem1[x 7→ v1]〉 RΛ′ 〈c2,mds,mem2[x 7→ v2]〉 for all x ∈ H and all v1, v2 ∈
Val
To show that (1) and (2) are satisfied we distinguish between the three cases arising from
the definition of RΛ′ , i.e., that the configurations are related by RΛ′1 , by RΛ
′
2 , or by RΛ
′
3 .
− Case 1: Assume that 〈c1,mds,mem1〉 RΛ′1 〈c2,mds,mem2〉. Then c1 = c2 and there
exists Λ such that ` Λ {c1} Λ′ ∧mds ∈ cons(Λ) ∧mem1 =Λ mem2.
For x ∈Var and v ∈Val it follows from mem1 =Λ mem2 that mem1[x 7→ v ] =Λ
mem2[x 7→ v ]. In consequence,
〈c1,mds,mem1[x 7→ v ]〉 RΛ′1 〈c2,mds,mem2[x 7→ v ]〉,
and, hence,
〈c1,mds,mem1[x 7→ v ]〉 RΛ′ 〈c2,mds,mem2[x 7→ v ]〉.
Assume now that x ∈ H and let v1, v2 ∈ Val . Since x 6∈ mds(asm-no-w) and
mds ∈ cons(Λ) it follows from x ∈ H that x 6∈ dom(Λ). Hence, Λ〈x 〉 = high, and it
follows that mem1[x 7→ v1] =Λ mem2[x 7→ v2]. In consequence,
〈c1,mds,mem1[x 7→ v1]〉 RΛ′1 〈c2,mds,mem2[x 7→ v2]〉,
and, hence,
〈c1,mds,mem1[x 7→ v1]〉 RΛ′ 〈c2,mds,mem2[x 7→ v2]〉.
− Case 2: Assume that 〈c1,mds,mem1〉 RΛ′2 〈c2,mds,mem2〉. By the definition of
RΛ′2 , 〈c1,mds,mem1〉 ∼mm 〈c2,mds,mem2〉, [∀x ∈ dom(Λ′) : Λ′(x ) = high], and
[∃Λ1,Λ2 : ` Λ1 {c1} Λ′∧ ` Λ2 {c2} Λ′ ∧ mds ∈ cons(Λ1) ∧ mds ∈ cons(Λ2)] are
satisfied.
Since ∼mm is a strong low bisimulation modulo modes it is closed under globally
consistent changes, and, hence, the following two conditions are satisfied:
∗ 〈c1,mds,mem1[x 7→ v ]〉 RΛ′2 〈c2,mds,mem2[x 7→ v ]〉 for all x ∈ L and all v ∈ Val
∗ 〈c1,mds,mem1[x 7→ v1]〉 RΛ′2 〈c2,mds,mem2[x 7→ v2]〉 for all x ∈ H and all
v1, v2 ∈ Val
But then the two conditions (1) and (2) that we set out to prove are also satisfied
(by the definition of RΛ′).
− Case 3: Assume that 〈c1,mds,mem1〉 RΛ′3 〈c2,mds,mem2〉. Then there exist c′1, c′2,
and c such that c1 = c
′
1; c, c2 = c
′
2; c, 〈c′1,mds,mem1〉 RΛ
′
2 〈c′2,mds,mem2〉, and
` Λ {c} Λ′. But then, by the previous case (Case 2) the following two conditions are
satisfied:
∗ 〈c′1,mds,mem1[x 7→ v ]〉 RΛ
′
2 〈c′2,mds,mem2[x 7→ v ]〉 for all x ∈ L and all v ∈ Val
∗ 〈c′1,mds,mem1[x 7→ v1]〉 RΛ
′
2 〈c′2,mds,mem2[x 7→ v2]〉 for all x ∈ H and all
v1, v2 ∈ Val
142 Appendix A. Detailed Proofs
But then, by the definition of RΛ′3 ,the following two conditions are satisfied.
∗ 〈c1,mds,mem1[x 7→ v ]〉 RΛ′3 〈c2,mds,mem2[x 7→ v ]〉 for all x ∈ L and all v ∈ Val
∗ 〈c1,mds,mem1[x 7→ v1]〉 RΛ′3 〈c2,mds,mem2[x 7→ v2]〉 for all x ∈ H and all
v1, v2 ∈ Val
But then the two conditions (1) and (2) that we set out to prove are also satisfied
(by the definition of RΛ′).
Now we show that whenever 〈c1,mds,mem1〉 R 〈c2,mds,mem2〉 then mem1 =mdsL
mem2. For arbitrary Λ
′ we distinguish the cases that the two thread configurations with
modes are related by RΛ′1 , by RΛ
′
2 , and by RΛ
′
3 .
− Case 1: Assume that 〈c1,mds,mem1〉 RΛ′1 〈c2,mds,mem2〉. By the definition of RΛ
′
1
there exists Λ such that mds ∈ cons(Λ) and mem1 =Λ mem2. Let x ∈ Var with
x ∈ L and x 6∈ mds(asm-no-r). We must show that mem1(x ) = mem2(x ). Since
mds ∈ cons(Λ) it follows from x ∈ L and x 6∈ mds(asm-no-r) that x 6∈ dom(Λ).
Then, mem1(x ) = mem2(x ) follows directly from mem1 =Λ mem2.
− Case 2: Assume that 〈c1,mds,mem1〉 RΛ′2 〈c2,mds,mem2〉. Then by the definition of
RΛ′2 it follows that 〈c1,mds,mem1〉 ∼mm 〈c2,mds,mem2〉. Hence, mem1 =mdsL mem2
follows directly from the definition of strong low bisimulations modulo modes.
− Case 3: Assume that 〈c1,mds,mem1〉 RΛ′3 〈c2,mds,mem2〉. Then by the definition
of RΛ′3 there exist commands c′1 and c′2 such that
〈c′1,mds,mem1〉 RΛ
′
3 〈c′2,mds,mem2〉. We can hence conclude as in Case 2.
We now show that whenever 〈c1,mds,mem1〉 R 〈c2,mds,mem2〉 and
〈c1,mds,mem1〉 α1−_ 〈c′1,mds ′,mem ′1〉 with α1 = new(thr1,mdss1), then there exist c′2,
α2 = new(thr2,mdss2), and mem
′
2 such that the following conditions are satisfied:
− 〈c2,mds,mem2〉 α2−_ 〈c′2,mds ′,mem ′2〉,
− 〈c′1,mds ′,mem ′1〉 R 〈c′2,mds ′,mem ′2〉,
− ](thr1) = ](thr2), and
− 〈thr1[i],mdss1[i],mem ′1〉 R 〈thr2[i],mdss2[i],mem ′2〉 for all i ∈ {1, . . . , ](thr1)}.
For arbitrary Λ′ we distinguish the three cases that 〈c1,mds,mem1〉 and 〈c2,mds,mem2〉
are related by RΛ′1 , RΛ
′
2 , and RΛ
′
3 , respectively.
Case 1: Assume that 〈c1,mds,mem1〉 RΛ′1 〈c2,mds,mem2〉.
We prove the following statement, from which the statement we need to prove in this
case follows immediately:
For all c, c′1 ∈ Com, all mds,mds ′ ∈ Mds, all mem1,mem2,mem ′1 ∈ Mem, all α1 =
new(thr1,mdss1) ∈ Labm, and all Λ,Λ′ : Var ⇀ {low , high} with 〈c,mds,mem1〉 α1−_
〈c′1,mds ′,mem ′1〉, ` Λ {c} Λ′, mds ∈ cons(Λ), and mem1 =Λ mem2, there exist c′2,
α2 = new(thr2,mdss2), and mem
′
2 such that the following conditions are satisfied:
− 〈c,mds,mem2〉 α2−_ 〈c′2,mds ′,mem ′2〉,
− 〈c′1,mds ′,mem ′1〉 RΛ
′ 〈c′2,mds ′,mem ′2〉,
− ](thr1) = ](thr2), and
− 〈thr1[i],mdss1[i],mem ′1〉 R 〈thr2[i],mdss2[i],mem ′2〉 for all i ∈ {1, . . . , ](thr1)}.
The proof is by induction on the derivation of the judgment ` Λ {c} Λ′.
− [ANNO]: Assume that ` Λ {c} Λ′ is derived with rule [ANNO]. Then c = //ann// c1
for some annotation ann and some command c1. Moreover, ` Λ′′ {c1} Λ′ and
A.7. Security Type System for SIFUM-security 143
[∀x ∈ Var : Λ〈x 〉 v Λ′′〈x 〉] hold for Λ′′ = adjust-pe(Λ, ann).
Since 〈c,mds,mem1〉 α1−_ 〈c′1,mds ′,mem ′1〉 is satisfied it follows that
〈c1,mds-update(mds, ann),mem1〉 α1−_ 〈c′1,mds ′,mem ′1〉. With the definitions of
mds-update and adjust-pe it follows from Λ′′ = adjust-pe(Λ, ann) and mds ∈ cons(Λ)
that mds-update(mds, ann) ∈ cons(Λ′′). Since Λ〈x 〉 v Λ′′〈x 〉 for all x ∈ Var
and mem1 =Λ mem2, it follows that mem1 =Λ′′ mem2. Hence, by the induc-
tion hypothesis for the derivation of the judgment ` Λ′′ {c1} Λ′ there exist c′2,
α2 = new(thr2,mdss2), and mem
′
2 such that the following properties are satisfied:
∗ 〈c1,mds-update(mds, ann),mem2〉 α2−_ 〈c′2,mds ′,mem ′2〉,
∗ 〈c′1,mds ′,mem ′1〉 RΛ
′ 〈c′2,mds ′,mem ′2〉,
∗ ](thr1) = ](thr2), and
∗ 〈thr1[i],mdss1[i],mem ′1〉 R 〈thr2[i],mdss2[i],mem ′2〉 for all i ∈ {1, . . . , ](thr1)}.
By the derivation rules for the judgments 〈c,mds,mem〉 α−_ 〈c′,mds ′,mem ′〉 it follows
that 〈//ann// c1,mds,mem2〉 α2−_ 〈c′2,mds ′,mem ′2〉. This concludes the proof for rule
[ANNO].
− [SKIP]: Assume that ` Λ {c} Λ′ is derived with rule [SKIP]. Then c = skip and
Λ = Λ′. Then c′1 = stop, α1 = new(〈〉), mds ′ = mds, and mem ′1 = mem1 by the
operational semantics for skip. We define c′2 = stop, α2 = α1, and mem
′
2 = mem2.
Then 〈c,mds,mem2〉 α2−_ 〈c′2,mds ′,mem ′2〉.
Moreover, mem1 =
mds
L mem2 follows from mds ∈ cons(Λ) and mem1 =Λ mem2. In
consequence, 〈stop,mds,mem1〉 RΛ1 〈stop,mds,mem2〉 because ` Λ {stop} Λ, mds ∈
cons(Λ), and mem1 =
mds
L mem2. Hence, 〈stop,mds,mem1〉 RΛ
′
1 〈stop,mds,mem2〉
because Λ = Λ′, and, in consequence, 〈stop,mds,mem1〉 RΛ′ 〈stop,mds,mem2〉.
− [ASS1]: Assume that ` Λ {c} Λ′ is derived with rule [ASS1]. Then c = x :=e,
x 6∈ dom(Λ), Λ〈·〉 ` e : d , d v dma(x ), and Λ = Λ′.
Let v1, v2 ∈ Val be those values such that eval(e,mem1) = v1 and eval(e,mem2) = v2.
Then c′1 = stop, α1 = new(〈〉), mds ′ = mds, and mem ′1 = mem1[x 7→ v1]. We define
c′2 = stop, α2 = α1, and mem
′
2 = mem2[x 7→ v2]. Then, by the operational semantics
for assignments, 〈c,mds,mem2〉 α2−_ 〈c′′,mds ′,mem ′2〉.
We now show that mem1[x 7→ v1] =Λ mem2[x 7→ v2]. Since mem1 =Λ mem2 it
remains to show that v1 = v2 if Λ〈x 〉 = low . If Λ〈x 〉 = low then dma(x ) = low
because x 6∈ dom(Λ). Then d = low , and, hence, Λ〈·〉 ` e : low . It follows from
typing rule [EXP] that Λ〈y〉 = low for all y ∈ vars(e). But then it follows from
mem1 =Λ mem2 and our assumptions on expression evaluation in Section 2.3.2 that
v1 = v2.
Hence, 〈stop,mds,mem1[x 7→ v1]〉 RΛ1 〈stop,mds,mem2[x 7→ v2]〉 follows from `
Λ {stop} Λ, mds ∈ cons(Λ), and mem1[x 7→ v1] =Λ mem2[x 7→ v2]. In consequence,
〈stop,mds,mem1[x 7→ v1]〉 RΛ′1 〈stop,mds,mem2[x 7→ v2]〉 because Λ = Λ′, and,
hence, 〈stop,mds,mem1[x 7→ v1]〉 RΛ′ 〈stop,mds,mem2[x 7→ v2]〉.
− [ASS2]: Assume that ` Λ {c} Λ′ is derived with rule [ASS2]. Then c = x :=e,
x ∈ dom(Λ), Λ〈·〉 ` e : d , and Λ[x 7→ d ] = Λ′.
Let v1, v2 ∈ Val be those values such that eval(e,mem1) = v1 and eval(e,mem2) = v2.
Then c′1 = stop, α1 = new(〈〉), mds ′ = mds, and mem ′1 = mem1[x 7→ v1]. We define
c′2 = stop, α2 = α1, and mem
′
2 = mem2[x 7→ v2]. Then, by the operational semantics
for assignments, 〈c,mds,mem2〉 α2−_ 〈c′′,mds ′,mem ′2〉.
144 Appendix A. Detailed Proofs
We now show that mem1[x 7→ v1] =Λ[x 7→d] mem2[x 7→ v2]. Since mem1 =Λ mem2
it remains to show that v1 = v2 if Λ[x 7→ d ]〈x 〉 = low . If Λ[x 7→ d ]〈x 〉 = low then
d = low , and, hence, Λ〈·〉 ` e : low . It follows from typing rule [EXP] that Λ〈y〉 = low
for all y ∈ vars(e). But then it follows from mem1 =Λ mem2 and our assumptions
on expression evaluation in Section 2.3.2 that v1 = v2.
Moreover, mds ∈ cons(Λ[x 7→ t]) follows from dom(Λ) = dom(Λ[x 7→ t]) and
mds ∈ cons(Λ).
Hence, 〈stop,mds,mem1[x 7→ v1]〉 RΛ′1 〈stop,mds,mem2[x 7→ v2]〉 follows from `
Λ′ {stop} Λ′, mds ∈ cons(Λ′), and mem1[x 7→ v1] =Λ′ mem2[x 7→ v2]. In consequence,
〈stop,mds,mem1[x 7→ v1]〉 RΛ′ 〈stop,mds,mem2[x 7→ v2]〉.
− [IF]: Assume that ` Λ {c} Λ′ is derived with rule [IF]. Then c = if e then c1 else c2 fi,
` Λ {c1} Λ′, ` Λ {c2} Λ′, and Λ〈·〉 ` e : high implies that c1 ∼mdsmm c2 and [∀x ∈
dom(Λ′) : Λ′(x ) = high] are satisfied for all mode states mds ∈ cons(Λ).
Then, by the operational semantics for conditionals, c′1 = c1 or c
′
1 = c2. Moreover,
α = new(〈〉), mds ′ = mds, and mem ′1 = mem1.
Let v1, v2 ∈ Val be the values such that eval(e,mem1) = v1 and eval(e,mem2) = v2.
We do a case distinction on the cases Λ〈·〉 ` e : low and Λ〈·〉 ` e : high.
Assume that Λ〈·〉 ` e : low . Then it follows from rule [EXP] that Λ〈y〉 = low for all y ∈
vars(e). But then it follows from mem1 =Λ mem2 and our assumptions on expression
evaluation in Section 2.3.2 that v1 = v2. We define c
′
2 = c
′
1, α2 = α1, and mem
′
2 =
mem2. Then, by the operational semantics for conditionals, 〈c,mds,mem2〉 α2−_
〈c′2,mds,mem ′2〉. Moreover, from the induction hypotheses for the derivations of
` Λ {c1} Λ′ and ` Λ {c2} Λ′ it follows that 〈c′,mds,mem1〉 RΛ′ 〈c′,mds,mem2〉.
Assume now that Λ〈·〉 ` e : high. If v1 = v2 we can proceed as in the case for
Λ〈·〉 ` e : low . Assume that v1 6= v2. Moreover, assume without loss of generality
that c′1 = c1 (if c
′
1 = c2 the remainder of the proof in this case is the same by
switching the indices 1 and 2). We define c′2 = c2, α2 = α1, and mem
′
2 = mem2.
Then 〈c,mds,mem2〉 α2−_ 〈c′2,mds,mem ′2〉.
Let x ∈ Var with dma(x ) = low and x 6∈ mds(asm-no-r). Then x 6∈ dom(Λ)
because mds ∈ cons(Λ). Hence, Λ〈x 〉 = low . Since mem1 =Λ mem2 it follows that
mem1(x ) = mem2(x ). In consequence, mem1 =
mds
L mem2. Since mds ∈ cons(Λ) it
follows from the preconditions of rule [IF] that c1 ∼mdsmm c2. With mem1 =mdsL mem2
it follows that 〈c1,mds,mem1〉 ∼mm 〈c2,mds,mem2〉. Hence, since ` Λ {c1} Λ′,
` Λ {c2} Λ′, and mds ∈ cons(Λ) it follows that 〈c1,mds,mem1〉 RΛ′2 〈c2,mds,mem2〉.
Hence, 〈c1,mds,mem1〉 RΛ′ 〈c2,mds,mem2〉.
− [WHILE]: Assume that ` Λ {c} Λ′ is derived with rule [WHILE]. Then c =
while e do c1 od, Λ
′ = Λ, Λ〈·〉 ` e : low , and ` Λ {c1} Λ.
By the definition of the operational semantics for while loops it follows that c′1 =
if e then c1; c else stop fi. α = new(〈〉), mds ′ = mds , and mem ′1 = mem1. We define
c′2 = c
′
1, α2 = α1, and mem
′
2 = mem2. Then, by the definition of the operational
semantics for while loops, 〈c,mds,mem2〉 α2−_ 〈c′2,mds,mem ′2〉.
Since ` Λ {c1} Λ and ` Λ {c} Λ are derivable, ` Λ {c1; c} Λ is derivable by rule
[SEQ]. Then, since Λ〈·〉 ` e : low and ` Λ {stop} Λ are derivable, the judgment
` Λ {if e then c1; c else stop fi} Λ is derivable by rule [IF], i.e., ` Λ {c′1} Λ is derivable.
A.7. Security Type System for SIFUM-security 145
Then 〈c′1,mds ′,mem ′1〉 RΛ
′
1 〈c′1,mds ′,mem ′2〉 because ` Λ {c′1} Λ is derivable, c′1 = c′2,
mds ′ = mds, mem1 = mem ′1, mem2 = mem
′
2, mds ∈ cons(Λ), and mem1 =Λ mem2.
Hence, 〈c′1,mds ′,mem ′1〉 RΛ
′ 〈c′1,mds ′,mem ′2〉.
− [SEQ]: Assume that ` Λ {c} Λ′ is derived with rule [SEQ]. Then c = c1; c2, and
there is an environment Λ′′ such that ` Λ {c1} Λ′′ and ` Λ′′ {c2} Λ′ are derivable.
We distinguish the cases c1 = stop and c1 6= stop.
Assume that c1 = stop. Then, by the operational semantics for sequential composition,
c′1 = c2, α1 = new(〈〉), mds ′ = mds, and mem ′1 = mem1. We define c′2 = c2,
α2 = α1, and mem
′
2 = mem2. Then 〈c,mds,mem2〉 α2−_ 〈c′2,mds,mem ′2〉. From
c1 = stop, ` Λ {c1} Λ′′, and the fact that ` Λ {stop} Λ′′ can only have been derived
by an application of [SUB] and [STOP], it follows that Λ v Λ′′. But then, since
` Λ′′ {c2} Λ′, ` Λ {c2} Λ′ by an application of rule [SUB]. Hence, it follows with
mds ∈ cons(Λ) and mem1 =Λ mem2 that 〈c2,mds,mem1〉 RΛ′1 〈c2,mds,mem2〉, and,
thus, 〈c2,mds,mem1〉 RΛ′ 〈c2,mds,mem2〉.
Assume now that c1 6= stop. Then, by the definition of the operational semantics for
sequential composition, there exists a command c′′1 such that 〈c1,mds,mem1〉 α1−_
〈c′′1 ,mds ′,mem ′1〉 and such that c′1 = c′′1 ; c2. Hence, by the induction hypothesis for
the derivation of ` Λ {c1} Λ′′ there exist c′′2 , α2 = new(thr2,mdss2), and mem ′2 such
that the following conditions are satisfied:
∗ 〈c1,mds,mem2〉 α2−_ 〈c′′2 ,mds ′,mem ′2〉,
∗ 〈c′′1 ,mds ′,mem ′1〉 RΛ
′′ 〈c′′2 ,mds ′,mem ′2〉, and
∗ ](thr1) = ](thr2), and
∗ 〈thr1[i],mdss1[i],mem ′1〉 R 〈thr2[i],mdss2[i],mem ′2〉 for all i ∈ {1, . . . , ](thr1)}.
We define c′2 = c
′′
2 ; c2. Then, by the definition of the operational semantics of
sequential composition, 〈c,mds,mem2〉 α2−_ 〈c′2,mds ′,mem ′2〉.
To show that 〈c′′1 ; c2,mds ′,mem ′1〉 RΛ
′ 〈c′′2 ; c2,mds ′,mem ′2〉 we distinguish between
the cases that 〈c′′1 ,mds ′,mem ′1〉 and 〈c′′2 ,mds ′,mem ′2〉 are related by RΛ
′′
1 , RΛ
′′
2 , or
RΛ′′3 .
Assume that 〈c′′1 ,mds ′,mem ′1〉 RΛ
′′
1 〈c′′2 ,mds ′,mem ′2〉. Then c′′1 = c′′2 and there exists
Λ′′′ such that ` Λ′′′ {c′′1 } Λ′′, mds ′ ∈ cons(Λ′′′) is derivable and mem ′1 =Λ′′′ mem ′2.
But then ` Λ′′′ {c′′1 ; c2} Λ′ is derivable by the rule [SEQ] because ` Λ′′ {c2} Λ′ is also
derivable. Hence, 〈c′′1 ; c2,mds ′,mem ′1〉 RΛ
′
1 〈c′′2 ; c2,mds ′,mem ′2〉, and, in consequence,
〈c′′1 ; c2,mds ′,mem ′1〉 RΛ
′ 〈c′′2 ; c2,mds ′,mem ′2〉.
Assume 〈c′′1 ,mds ′,mem ′1〉 RΛ
′′
2 〈c′′2 ,mds ′,mem ′2〉. Since ` Λ′′ {c2} Λ′ is derivable, it
follows that 〈c′′1 ; c2,mds ′,mem ′1〉 RΛ
′
3 〈c′′2 ; c2,mds ′,mem ′2〉, and, in consequence,
〈c′′1 ; c2,mds ′,mem ′1〉 RΛ
′ 〈c′′2 ; c2,mds ′,mem ′2〉.
Assume that 〈c′′1 ,mds ′,mem ′1〉 RΛ
′′
3 〈c′′2 ,mds ′,mem ′2〉. It follows from the definition
of RΛ′′3 that c′′1 = c′′′1 ; c∗ and c′′2 = c′′′2 ; c∗ for commands c′′′1 , c′′′2 , and c∗, and
that there exists a partial environment Λ′′′ such that ` Λ′′′ {c∗} Λ′′ and such that
〈c′′′1 ,mds ′,mem ′1〉 RΛ
′′′
2 〈c′′′2 ,mds ′,mem ′2〉. Since ` Λ′′′ {c∗} Λ′′ and ` Λ′′ {c2} Λ′
are derivable the judgment ` Λ′′′ {c∗; c2} Λ′ is derivable with rule [SEQ]. Hence,
〈c′′′1 ; c∗; c2,mds ′,mem ′1〉 RΛ
′
3 〈c′′′2 ; c∗; c2,mds ′,mem ′2〉, i.e., with c′′1 = c′′′1 ; c∗ and
c′′2 = c
′′′
2 ; c
∗, it follows that 〈c′′1 ; c2,mds ′,mem ′1〉 RΛ
′ 〈c′′2 ; c2,mds ′,mem ′2〉.
We have shown in all three cases that 〈c′′1 ; c2,mds ′,mem ′1〉 RΛ
′ 〈c′′2 ; c2,mds ′,mem ′2〉,
i.e., that 〈c′1,mds ′,mem ′1〉 RΛ
′ 〈c′2,mds ′,mem ′2〉 because c′1 = c′′1 ; c2 and c′2 = c′′2 ; c2.
146 Appendix A. Detailed Proofs
− [SUB]: Assume that ` Λ {c} Λ′ is derived with rule [SUB]. Then there are partial
environments Λ1 and Λ
′
1 such that ` Λ1 {c} Λ′1, Λ v Λ1, and Λ′1 v Λ′.
From Λ v Λ1 and Λ′1 v Λ′ it follows that dom(Λ) ⊇ dom(Λ1) and dom(Λ′1) ⊇
dom(Λ′). Hence, cons(Λ) ⊆ cons(Λ1) and cons(Λ′1) ⊆ cons(Λ′) by the definition of
consistency of mode states with partial environments.
Since cons(Λ) ⊆ cons(Λ1) and mds ∈ cons(Λ) it follows that mds ∈ cons(Λ1). Let
x ∈ Var with Λ1〈x 〉 = low . It follows from Λ v Λ1 that Λ〈x 〉 v Λ1〈x 〉, and, hence,
Λ〈x 〉 = low . Hence, since mem1 =Λ mem2 it follows that mem1(x ) = mem2(x ). In
consequence, mem1 =Λ1 mem2.
Since mds ∈ cons(Λ1) and mem1 =Λ1 mem2, by the induction hypothesis there exist
c′2, α2 = new(thr2,mdss2), and mem
′
2 such that the following conditions are satisfied:
∗ 〈c,mds,mem2〉 α2−_ 〈c′2,mds ′,mem ′2〉,
∗ 〈c′1,mds ′,mem ′1〉 RΛ
′
1 〈c′2,mds ′,mem ′2〉, and
∗ ](thr1) = ](thr2), and
∗ 〈thr1[i],mdss1[i],mem ′1〉 R 〈thr2[i],mdss2[i],mem ′2〉 for all i ∈ {1, . . . , ](thr1)}.
This concludes this case if RΛ′1 ⊆ RΛ′ . We prove this inclusion by showing that
RΛ′11 ⊆ RΛ
′
1 , RΛ
′
1
2 ⊆ RΛ
′
2 , and RΛ
′
1
3 ⊆ RΛ
′
2 .
Assume that 〈c1,mds,mem1〉 RΛ
′
1
1 〈c2,mds,mem2〉. Then c1 = c2 and there ex-
ists Λ such that ` Λ {c} Λ′1, mds ∈ cons(Λ), and mem1 =Λ mem2}. Since
` Λ {c} Λ′1 and Λ′1 v Λ′ it follows that ` Λ {c} Λ′ by rule [SUB]. Hence,
〈c1,mds,mem1〉 RΛ′1 〈c2,mds,mem2〉.
Assume that 〈c1,mds,mem1〉 RΛ
′
1
2 〈c2,mds,mem2〉. Then 〈c1,mds,mem1〉 ∼mm
〈c2,mds,mem2〉, [∀x ∈ dom(Λ′1) : Λ′1(x ) = high] is satisfied, and there exist Λ1 and
Λ2 such that ` Λ1 {c1} Λ′1, ` Λ2 {c2} Λ′1, mds ∈ cons(Λ1), and mds ∈ cons(Λ2).
Since Λ′1 v Λ′ it follows that ` Λ1 {c1} Λ′ and ` Λ2 {c2} Λ′ by rule [SUB]. Moreover,
since [∀x ∈ dom(Λ′1) : Λ′1(x ) = high] is satisfied and Λ′1 v Λ′ it follows that
[∀x ∈ dom(Λ′) : Λ′(x ) = high]. Hence, 〈c1,mds,mem1〉 RΛ′2 〈c2,mds,mem2〉.
Assume that 〈c1,mds,mem1〉 RΛ
′
1
3 〈c2,mds,mem2〉. Then there exist commands
c′1, c
′
2, and c and a partial environment Λ such that c1 = c
′
1; c, c2 = c
′
2; c, ` Λ {c} Λ′1,
and 〈c′1,mds,mem1〉 RΛ
′
1
2 〈c′2,mds,mem2〉. We have already shown above that then
〈c′1,mds,mem1〉 RΛ
′
2 〈c′2,mds,mem2〉. Moreover, from Λ′1 v Λ′ it follows that
` Λ {c} Λ′ by rule [SUB]. Hence, 〈c1,mds,mem1〉 RΛ′3 〈c2,mds,mem2〉.
− [SPAWN]: Assume that ` Λ {c} Λ′ is derived with rule [SPAWN]. Then c = spawn(thr)
and there exist Λ1, . . . ,Λ](thr) such that Λ
′ = Λ and ` Λ0 {thr [i]} Λi is derivable for
all i ∈ {1, . . . , ](thr)}. Moreover, Λ〈x 〉 v dma(x ) for all x ∈ Var .
By the operational semantics for spawn-commands, c′1 = stop, α1 = new(thr),
mds ′ = mds , and mem ′1 = mem1. We define c
′
2 = stop, α2 = α1, and mem
′
2 = mem2.
Then 〈c2,mds,mem2〉 α2−_ 〈c′2,mds ′,mem ′2〉.
Moreover, mem1 =
mds
L mem2 follows from mds ∈ cons(Λ) and mem1 =Λ mem2.
Hence, 〈stop,mds,mem1〉 RΛ1 〈stop,mds,mem2〉 follows from ` Λ {stop} Λ, mds ∈
cons(Λ), and mem1 =
mds
L mem2. Hence, 〈stop,mds,mem1〉 RΛ
′
1 〈stop,mds,mem2〉
because Λ = Λ′, and, in consequence, 〈stop,mds,mem1〉 RΛ′ 〈stop,mds,mem2〉.
Let i ∈ {1, . . . , ](thr)}. It follows from the operational semantics for spawn-commands
(in particular the definition of the function spawn-mds) that mdss[i] ∈ cons(Λ0).
A.7. Security Type System for SIFUM-security 147
Moreover, it follows from the fact that Λ〈x 〉 v dma(x ) for all x ∈ Var and mem1 =Λ
mem2 that mem1 =L mem2, and, hence, mem1 =
mdss[i]
L mem2. With the derivability
of ` Λ0 {thr [i]} Λi it then follows 〈thr [i],mdss [i],mem ′1〉 RΓi1 〈thr [i],mdss [i],mem ′2〉,
and, in consequence, 〈thr [i],mdss[i],mem ′1〉 R 〈thr [i],mdss[i],mem ′2〉.
Case 2: Assume that 〈c1,mds,mem1〉 RΛ′2 〈c2,mds,mem2〉. It follows from the definition
of RΛ′2 that 〈c1,mds,mem1〉 ∼mm 〈c2,mds,mem2〉, that [∀x ∈ dom(Λ′) : Λ′(x ) = high] is
satisfied, and that there exist environments Λ1 and Λ2 such that ` Λ1 {c1} Λ′, ` Λ2 {c2} Λ′,
mds ∈ cons(Λ1), and mds ∈ cons(Λ2).
Assume 〈c1,mds,mem1〉 α1−_ 〈c′1,mds ′,mem ′1〉. It follows from 〈c1,mds,mem1〉 ∼mm
〈c2,mds,mem2〉, that there exist c′2, α2 = new(thr2,mdss2), and mem ′2 such that the
following conditions are satisfied:
− 〈c2,mds,mem2〉 α2−_ 〈c′2,mds ′,mem ′2〉,
− 〈c′1,mds ′,mem ′1〉 ∼mm 〈c′2,mds ′,mem ′2〉, and
− ](thr1) = ](thr2), and
− 〈thr1[i],mdss1[i],mem ′1〉 ∼mm 〈thr2[i],mdss2[i],mem ′2〉 for all i ∈ {1, . . . , ](thr1)}.
Since ` Λ1 {c1} Λ′, 〈c1,mds,mem1〉 α1−_ 〈c′1,mds ′,mem ′1〉 and mds ∈ cons(Λ1), by
Theorem 4.6 there exists Λ′1 such that ` Λ′1 {c′1} Λ′ and mds ′ ∈ cons(Λ′1). Moreover,
since ` Λ2 {c2} Λ′, 〈c2,mds,mem2〉 α2−_ 〈c′2,mds ′,mem ′2〉, and mds ∈ cons(Λ2), by
Theorem 4.6 there exists Λ′2 such that ` Λ′2 {c′2} Λ′ and mds ∈ cons(Λ′2).
Hence, 〈c′1,mds ′,mem ′1〉 RΛ
′
2 〈c′2,mds ′,mem ′2〉, and, in consequence,
〈c′1,mds ′,mem ′1〉 RΛ
′ 〈c′2,mds ′,mem ′2〉.
Case 3: Assume that 〈c1,mds,mem1〉 RΛ′3 〈c2,mds,mem2〉. It follows from the definition
of RΛ′3 that there exist commands c′′1 , c′′2 , and c∗ such that c1 = c′′1 ; c∗ and c2 = c′′2 ; c∗,
and that there exists Λ′′ such that ` Λ′′ {c∗} Λ′ and such that
〈c′′1 ,mds,mem1〉 RΛ
′′
2 〈c′′2 ,mds,mem2〉.
We distinguish the cases that c′′1 6= stop and that c′′1 = stop.
Assume that c′′1 6= stop. Then it follows from the operational semantics for sequential
composition that there exists c′′′1 such that 〈c′′1 ,mds,mem1〉 α1−_ 〈c′′′1 ,mds ′,mem ′1〉 and
c′1 = c
′′′
1 ; c
∗. With 〈c′′1 ,mds,mem1〉 RΛ
′′
2 〈c′′2 ,mds,mem2〉 and the proof in the preceding
case (Case 2) it follows that there exist c′′′2 , α2, and mem
′
2 such that 〈c′′2 ,mds,mem2〉 α2−_
〈c′′′2 ,mds ′,mem ′2〉 and 〈c′′′1 ,mds ′,mem ′1〉 RΛ
′′
2 〈c′′′2 ,mds ′,mem ′2〉. We define c′2 = c′′′2 ; c∗.
Then, by the operational semantics for sequential composition, 〈c2,mds,mem2〉 α2−_
〈c′2,mds ′,mem ′2〉. Moreover, 〈c′1,mds ′,mem ′1〉 RΛ
′
3 〈c′2,mds ′,mem ′2〉 is satisfied because
〈c′′1 ,mds ′,mem ′1〉 RΛ
′′
2 〈c′′′2 ,mds ′,mem ′2〉 and ` Λ′′ {c∗} Λ′. In consequence,
〈c′1,mds ′,mem ′1〉 RΛ
′ 〈c′2,mds ′,mem ′2〉.
Assume that c′′1 = stop. It follows from the operational semantics for sequential
composition that c′1 = c
∗, α = new(〈〉), mds ′ = mds, and mem ′1 = mem1. Moreover,
〈c′′1 ,mds,mem1〉 ∼mm 〈c′′2 ,mds,mem2〉 because 〈c′′1 ,mds,mem1〉 RΛ
′′
2 〈c′′2 ,mds,mem2〉,
and, hence, c′′2 = stop.
We define c′2 = c
∗, α2 = α, and mem ′2 = mem2. Then 〈c2,mds,mem2〉 α2−_
〈c∗,mds ′,mem ′2〉 by the operational semantics for sequential composition.
From 〈c′′1 ,mds,mem1〉RΛ
′′
2 〈c′′2 ,mds,mem2〉 it follows that mds ∈ cons(Λ′′). Moreover,
it follows that 〈c′′1 ,mds,mem1〉 ∼mm 〈c′′2 ,mds,mem2〉, and, hence, mem1 =mdsL mem2. It
also follows that Λ′′(x ) = high for all x ∈ dom(Λ′′). Let x ∈ Var such that Λ′′〈x 〉 = low .
Then x 6∈ dom(Λ′′) because Λ′′(x ) = high for all x ∈ dom(Λ′′). Hence, dma(x ) = low ,
148 Appendix A. Detailed Proofs
and x 6∈ mds(asm-no-r) because mds ∈ cons(Λ′′). Thus, mem1(x ) = mem2(x ) because
mem1 =
mds
L mem2. This shows that mem1 =Λ′′ mem2.
Since ` Λ′′ {c∗} Λ′, mds ∈ cons(Λ′′), and mem1 =Λ′′ mem2, it follows that
〈c∗,mds,mem1〉 RΛ′1 〈c∗,mds,mem2〉. Since c′1 = c′2 = c∗, mds = mds ′, mem1 = mem ′1,
and mem2 = mem
′
2, it follows with the definition of RΛ
′
that
〈c′2,mds ′,mem ′1〉 RΛ
′
1 〈c′2,mds ′,mem ′2〉.
Proof of Theorem 4.9. The basic idea of the proof is the same as for the proof of Theo-
rem 4.7: We define a family of relations R∆′ which is parametric in the set of dependent
partial environments. To define this family we adapt the definition of the family RΛ′
from the proof of Theorem 4.7. Since we do not consider the semantic side condition
for rule [IF] in the type system with dependent partial environments, we only need to
consider the first of the three sub-relations in the adaptation. We define the relation R∆′
for each dependent partial environment as follows (where X is the domain of the partial
memories in dom(∆′)):
R∆′ = {(〈c,mds,mem1〉 , 〈c,mds,mem2〉) | ∃∆ : ∃pm1, pm2 ∈ dom(∆) :
` ∆ {c} ∆′ ∧mds ∈ cons(∆) ∧mem1 =∆(pm1) mem2 ∧mem1 =∆(pm2) mem2
∧ [∀x ∈ dom(pm) : mem1(x ) = pm1(x ) ∧mem2(x ) = pm2(x )]}
We define R = ⋃∆′ R∆′ . Then 〈c,mds,mem1〉 R 〈c,mds,mem2〉 follows from the
assumptions of the theorem. It remains to show that R is a strong low bisimulation
modulo modes.
Symmetry of R follows directly from the definition of R.
We now show that R is closed under globally consistent changes. Assume that
〈c1,mds,mem1〉 R∆′ 〈c2,mds,mem2〉. Then c1 = c2 and there exists ∆ and pm1, pm2 ∈
dom(∆) such that ` ∆ {c1} ∆′, mds ∈ cons(∆), mem1 =∆(pm1) mem2, mem1 =∆(pm2)
mem2, and mem1(x ) = pm1(x ) ∧mem2(x ) = pm2(x ) for all x ∈ dom(pm1).
Let x ∈ Var with x 6∈ mds(asm-no-w). It follows from mds ∈ cons(∆) that x 6∈
dom(pm1) and x 6∈ dom(pm2).
Assume that x ∈ L and let v ∈Val . It follows from mem1 =∆(pmi) mem2 that
mem1[x 7→ v ] =∆(pmi) mem2[x 7→ v ] for i ∈ {1, 2}. Moreover, it follows from x 6∈
dom(pm1) that mem1[x 7→ v ](x ) = pm1(x ) and mem2[x 7→ v ](x ) = pm2(x ) for all
x ∈ dom(pm1). In consequence, 〈c1,mds,mem1[x 7→ v ]〉 R∆
′ 〈c2,mds,mem2[x 7→ v ]〉.
Assume now that x ∈ H and let v1, v2 ∈ Val . Since x 6∈ mds(asm-no-w) and
mds ∈ cons(∆) it follows from x ∈ H that x 6∈ dom(∆(pm1)) and x 6∈ dom(∆(pm2)).
Hence, ∆(pm1)〈x 〉 = ∆(pm2)〈x 〉 = high, and it follows that mem1[x 7→ v1] =∆(pm1)
mem2[x 7→ v2] and mem1[x 7→ v1] =∆(pm2) mem2[x 7→ v2]. Moreover, it follows from
x 6∈ dom(pm1) that mem1[x 7→ v1](x ) = pm1(x ) and mem2[x 7→ v2](x ) = pm2(x ) for all
x ∈ dom(pm1). In consequence, 〈c1,mds,mem1[x 7→ v1]〉 R∆
′ 〈c2,mds,mem2[x 7→ v2]〉.
Now we show that whenever 〈c1,mds,mem1〉 R 〈c2,mds,mem2〉 then mem1 =mdsL
mem2. Assume that 〈c1,mds,mem1〉 R∆′ 〈c2,mds,mem2〉. By the definition of R∆′
there exists ∆ and pm ∈ dom(∆) such that mds ∈ cons(∆) and mem1 =∆(pm) mem2.
Let x ∈ Var with x ∈ L and x 6∈ mds(asm-no-r). Since mds ∈ cons(∆) it follows from
A.7. Security Type System for SIFUM-security 149
x ∈ L and x 6∈ mds(asm-no-r) that x 6∈ dom(∆(pm)). Then, mem1(x ) = mem2(x )
follows directly from mem1 =∆(pm) mem2.
Finally, we show that for all c, c′1 ∈ Com, mds,mds ′ ∈ Mds, mem1,mem2,mem ′1 ∈
Mem, α1 = new(thr1,mdss1) ∈ Labm, dependent partial environments ∆,∆′, and
pm1, pm2 ∈ dom(∆) with 〈c,mds,mem1〉 α1−_ 〈c′1,mds ′,mem ′1〉, ` ∆ {c} ∆′, mds ∈
cons(∆), mem1 =∆(pm1) mem2, mem1 =∆(pm2) mem2, and mem1(x ) = pm1(x ) ∧
mem2(x ) = pm2(x ) for all x ∈ dom(pm), there exist c′2, α2 = new(thr2,mdss2), and
mem ′2 such that the following conditions are satisfied:
− 〈c,mds,mem2〉 α2−_ 〈c′2,mds ′,mem ′2〉,
− 〈c′1,mds ′,mem ′1〉 R∆
′ 〈c′2,mds ′,mem ′2〉, and
− ](thr1) = ](thr2), and
− 〈thr1[i],mdss1[i],mem ′1〉 R 〈thr2[i],mdss2[i],mem ′2〉 for all i ∈ {1, . . . , ](thr1)}.
The proof is by induction on the derivation of the judgment ` ∆ {c} ∆′
− [ANNO], [SKIP], [SEQ], [WHILE], and [SPAWN]: The proofs for these cases are
analogous to the proofs for these cases in the proof of Theorem 4.7.
− [ASS]: Assume that ` ∆ {c} ∆′ is derived with rule [ASS]. Then c = x :=e, ∆′ =
update-dpe(∆, x , e), and if pm ∈ dom(∆), x 6∈ dom(∆(pm)), and ∆(pm)〈·〉 ` e : dpm
then dpm v dma(x ).
Let v1, v2 ∈ Val be those values such that eval(e,mem1) = v1 and eval(e,mem2) = v2.
Then c′1 = stop, α1 = new(〈〉), mds ′ = mds, and mem ′1 = mem1[x 7→ v1]. We define
c′2 = stop, α2 = α1, and mem
′
2 = mem2[x 7→ v2]. Then, by the operational semantics
for assignments, 〈c,mds,mem2〉 α2−_ 〈c′′,mds ′,mem ′2〉.
By typing rule [STOP], ` ∆′ {stop} ∆′. Hence, for showing 〈stop,mds,mem1[x 7→
v1]〉 R∆′ 〈stop,mds,mem2[x 7→ v2]〉 it suffices to show that there exist pm ′1, pm ′2 ∈
dom(∆′) such that mem1[x 7→ v1] =∆′(pm′1) mem2[x 7→ v2], mem1[x 7→ v1] =∆′(pm′2)
mem2[x 7→ v2], and mem1[x 7→ v1](y) = pm ′1(y) ∧mem2[x 7→ v2](y) = pm ′2(y) for all
y ∈ dom(pm ′1).
To show this, assume firstly that x 6∈ dom(pm1). In this case, we define pm ′1 = pm1
and pm ′2 = pm2. Then, by the definition of update-dpe, pm
′
1, pm
′
2 ∈ dom(∆′).
Moreover, mem1[x 7→ v1](y) = pm ′1(y) and mem2[x 7→ v2](y) = pm ′2(y) hold for
all y ∈ dom(pm ′1). That mem1[x 7→ v1] =∆′(pm′1) mem2[x 7→ v2] and mem1[x 7→
v1] =∆′(pm′2) mem2[x 7→ v2] are satisfied follows as in the cases for [ASS1] and [ASS2]
in the proof of Theorem 4.7.
Assume now that x ∈ dom(pm). In this case, we define pm ′1 = pm1[x 7→ v1] and
pm ′2 = pm2[x 7→ v2]. Then, by the definition of update-dpe, pm ′1, pm ′2 ∈ dom(∆′).
Moreover, mem1[x 7→ v1](y) = pm ′1(y) and mem2[x 7→ v2](y) = pm ′2(y) hold
for all y ∈ dom(pm ′1). Also, that mem1[x 7→ v1] =∆′(pm′1) mem2[x 7→ v2] and
mem1[x 7→ v1] =∆′(pm′2) mem2[x 7→ v2] are satisfied follows as in the cases for [ASS1]
and [ASS2] in the proof of Theorem 4.7.
− [IF]: Assume that ` ∆ {c} ∆′ is derived with rule [IF]. Then c = if e then c1 else c2 fi
and ∆(pm)〈·〉 ` e : low for all pm ∈ dom(∆). Moreover, let ∆1 = ∆ |{pm|true∈eval(e,pm)}
and ∆2 = ∆ |{pm|false∈eval(e,pm)}. Then ` ∆1 {c1} ∆′ if dom(∆1) 6= {} and
` ∆2 {c2} ∆′ if dom(∆2) 6= {}.
150 Appendix A. Detailed Proofs
Let v1, v2 ∈ Val be the values such that eval(e,mem1) = v1 and eval(e,mem2) = v2.
By the operational semantics for conditionals, c′1 = c1 if v1 = true and c
′
1 = c2 if
v1 = false. Moreover, α = new(〈〉), mds ′ = mds, and mem ′1 = mem1.
It follows from ∆(pm1)〈·〉 ` e : low , ∆(pm2)〈·〉 ` e : low , and typing rule [EXP]
that ∆(pm1)〈y〉 = ∆(pm2)〈y〉 = low for all y ∈ vars(e). But then it follows from
mem1 =∆(pm) mem2 and our assumptions on expression evaluation in Section 2.3.2
that v1 = v2. We define c
′
2 = c
′
1, α2 = α1, and mem
′
2 = mem2. Then, by the
operational semantics for conditionals, 〈c,mds,mem2〉 α2−_ 〈c′2,mds,mem ′2〉.
Assume that v1 = true. Then pm1 ∈ dom(∆1) because pm1(x ) = mem1(x ) for
all x ∈ dom(pm1), and, hence, true ∈ eval(e, pm1). Analogously, pm2 ∈ dom(∆1).
Hence, it follows from the induction hypothesis for the derivation of ` ∆1 {c1} ∆′
that 〈c′,mds,mem1〉 R∆′ 〈c′,mds,mem2〉.
Assume that v1 = false. Then pm1 ∈ dom(∆2) and pm2 ∈ dom(∆2) follows as in the
case that v1 = true. Hence, it follows from the induction hypothesis for the derivation
of ` ∆2 {c2} ∆′ that 〈c′,mds,mem1〉 R∆′ 〈c′,mds,mem2〉.
− [SUB]: Assume that ` ∆ {c} ∆′ is derived with rule [SUB]. Then there are partial en-
vironments ∆1 and ∆
′
1 such that ` ∆1 {c} ∆′1, ∆ v ∆1, and ∆′1 v ∆′. Let X,X ′, X1,
and X ′1 be the domains of the partial memories in dom(∆), dom(∆
′), dom(∆1), and
dom(∆′1), respectively.
From ∆ v ∆1 and ∆′1 v ∆′ it follows that X ⊇ X1, that X ′1 ⊇ X ′, that
∆(pm) v ∆1(pm|X1) for all pm ∈ dom(∆), and that ∆′1(pm) v ∆′(pm|X′) for
all pm ∈ dom(∆′1). From the last two statements it follows that dom(∆(pm)) ⊇
dom(∆1(pm|X1)) for all pm ∈ dom(∆) and that dom(∆′1(pm)) ⊇ dom(∆′(pm|X′))
for all pm ∈ dom(∆′1). Hence, cons(∆) ⊆ cons(∆1) and cons(∆′1) ⊆ cons(∆′) by
the definition of consistency of mode states with dependent partial environments.
Since cons(∆) ⊆ cons(∆1) and mds ∈ cons(∆) it follows that mds ∈ cons(∆1). Let
pm1 ∈ dom(∆1) and x ∈ Var with ∆1(pm1)〈x 〉 = low . It follows from ∆ v ∆1 that
∆(pm)〈x 〉 v ∆1(pm1)〈x 〉, and, hence, ∆(pm)〈x 〉 = low . Hence, since mem1 =∆(pm)
mem2 it follows that mem1(x ) = mem2(x ). In consequence, mem1 =∆1(pm1) mem2.
Since mds ∈ cons(∆1) and mem1 =∆1(pm1) mem2, by the induction hypothesis there
exist c′2, α2 = new(thr2,mdss2), and mem
′
2 such that the following conditions are
satisfied:
∗ 〈c,mds,mem2〉 α2−_ 〈c′2,mds ′,mem ′2〉,
∗ 〈c′1,mds ′,mem ′1〉 R∆
′
1 〈c′2,mds ′,mem ′2〉, and
∗ ](thr1) = ](thr2), and
∗ 〈thr1[i],mdss1[i],mem ′1〉 R 〈thr2[i],mdss2[i],mem ′2〉 for all i ∈ {1, . . . , ](thr1)}.
This concludes this case ifR∆′1 ⊆ R∆′ . Assume 〈c1,mds,mem1〉 R∆′1 〈c2,mds,mem2〉.
Then c1 = c2 and there exists ∆ and pm ∈ dom(∆) such that ` ∆ {c} ∆′1,
mds ∈ cons(∆), and mem1 =∆(pm) mem2}, and mem1(x ) = mem2(x ) = pm(x )
for all x ∈ dom(pm). Since ` ∆ {c} ∆′1 and ∆′1 v ∆′ it follows that ` ∆ {c} ∆′ by
rule [SUB]. Hence, 〈c1,mds,mem1〉 R∆′1 〈c2,mds,mem2〉.
A.8. Integration of FSI-security and SIFUM-security 151
A.8 Integration of FSI-security and SIFUM-security
This appendix contains the proof of the compositionality and scheduler-independence result
for FSIFUM-security, as well as the proofs that FSIFUM-security subsumes FSI-security
and SIFUM-security. The proofs are not as detailed as in the previous sections, because
they are in large parts analogous to the proofs for FSI-security and SIFUM-security,
respectively.
For proving compositionality and scheduler independence of FSIFUM-security, we
adopt Definition 4.18 and Lemmas 4.1 and 4.2 (all from Section 4.4.4) to a setting where
high threads are treated differently from low threads.
Definition A.2. Let tcm1 = 〈thr1,mdss,mem1〉 and tcm2 = 〈thr2,mdss,mem2〉 be
thread configurations with modes and let match : {1, . . . , ](thr1)} ⇀ {1, . . . , ](thr2)}
be an injective partial function such that the indices of low threads of thr1 are contained
in dom(match) and the indices of low threads of thr2 are contained in img(match). We
say that lists of memories mems1 and mems2 with ](mems1) = ](thr1) and ](mems2) =
](thr2) make tcm1 and tcm2 compatible with strong low bisimulation modulo low match-
ing and modes for match if and only if the following conditions are satisfied (where
Xi = {x ∈ Var | mems1[i](x ) 6= mem1(x ) ∨ mems2[match(i)](x ) 6= mem2(x )} for each
i ∈ dom(match)):
1. ∀i ∈ dom(match) : ∀f : Var ⇀ Val : dom(f) = Xi ⇒ 〈thr1[i],mdss[i],mems1[i][x 7→
f(x) | x ∈ Xi]〉 ∼lmm 〈thr2[match(i)],mdss[match(i)],mems2[match(i)][x 7→ f(x) |
x ∈ Xi]〉,
2. ∀x ∈ Var : ∀i ∈ dom(match) : [mem1(x ) = mem2(x ) ∨ x ∈ H ]⇒ x 6∈ Xi, and
3. (dom(match) = {} ∧mem1 =L mem2) ∨ (∀x ∈Var : ∃i ∈ dom(match) : x 6∈ Xi).
Remark A.1. Note that in Definition A.2 not all elements of the lists of memories mems1
and mems2 are actually relevant. Items (1)–(3) in the definition only make statements
about the memories mems1[i] for i ∈ dom(match) and the memories mems1[j] for
j ∈ img(match). We choose this definition over a definition in which the irrelevant
memories are not included in mems1 and mems2, because it permits us to use the same
indices for selecting elements of the thread pools, elements of the lists of mode states,
and elements of the lists of memories.
Lemma A.12. Let 〈thr1,mdss1,mem1, sst〉 and 〈thr2,mdss2,mem2, sst〉 be system con-
figurations such that (thr1,mdss1) and (thr2,mdss2) have sound modes, let match :
{1, . . . , ](thr1)} ⇀ {1, . . . , ](thr2)} be an injective partial function, and let mems1 and
mems2 be lists of memories that make 〈thr1,mdss,mem1〉 and 〈thr2,mdss,mem2〉 com-
patible with strong low bisimulation modulo low matching and modes for match.
Then for all i ∈ dom(match) the commands thr1[i] and thr2[match(i)] do not read
any variable in Xi = {x ∈ Var | mems1[i](x ) 6= mem1(x ) ∨ mems2[match(i)](x ) 6=
mem2(x )}. ♦
Proof Sketch. The proof is like the proof for Lemma 4.1.
Lemma A.13. Let 〈thr1,mdss1,mem1, sst〉 and 〈thr2,mdss2,mem2, sst〉 be system con-
figurations such that (thr1,mdss1) and (thr2,mdss2) have sound modes for scheduler S
and observation function obs, and assume that obs is confined to L. Let match :
{1, . . . , ](thr1)} ⇀ {1, . . . , ](thr2)} be an injective partial function and assume that
mems1 and mems2 make 〈thr1,mdss,mem1〉 and 〈thr2,mdss,mem2〉 compatible with
152 Appendix A. Detailed Proofs
strong low bisimulation modulo low matching and modes for match. Moreover, assume
〈thr1,mdss1,mem1, sst〉 k,p=⇒S 〈thr ′1,mdss ′1,mem ′1, sst ′〉 for k ∈ dom(match).
Then there exist thr ′2, mem
′
2, mems
′
1, mems
′
2, and an injective partial function match
′ :
{1, . . . , ](thr ′1)} ⇀ {1, . . . , ](thr ′2)} such that the lists of memories mems ′1 and mems ′2
make 〈thr ′1,mdss ′2,mem ′1〉 and 〈thr ′2,mdss ′2,mem ′2〉 compatible with strong low bisimula-
tion modulo low matching and modes for match ′, and 〈thr2,mdss2,mem2, sst〉 match(k),p=======⇒S
〈thr ′2,mdss ′2,mem ′2, sst ′〉. ♦
Proof Sketch. The proof is essentially the same as the proof of Lemma 4.2, with the
difference that the index of the two threads performing the execution steps are not
necessarily equal but related by the function match. The definition of low bisimulations
modulo low matching and modes guarantees that such a match exists also after the
execution step even if new threads are spawned in any of the two execution steps.
Theorem A.1. Let S be a robust scheduler, and assume that the observation function
obs is confined to L.
Let sc1 = 〈thr1,mdss1,mem1, sst1〉 and sc2 = 〈thr2,mdss2,mem2, sst2〉 be terminat-
ing system configurations with sound modes, match : {1, . . . , ](thr1)}⇀ {1, . . . , ](thr2)}
be an injective partial function, and mems1 and mems2 be lists of memories that make sc1
and sc2 compatible with strong low bisimulation modulo low matching and modes
for match.
Let sc1,p =〈thr1,p,mdss1,p,mem1,p, sstp〉 and sc2,p =〈thr2,p,mdss2,p,mem2,p, sstp〉 be
system configurations with sound modes, match1,p : {1, . . . , ](thr1)}⇀ {1, . . . , ](thr1,p)}
and match2,p : {1, . . . , ](thr2)} ⇀ {1, . . . , ](thr2,p)} be injective partial functions with
dom(match1) = dom(match1,p) and dom(match2) = dom(match2,p), and let mems1,p
and mems2,p be lists of memories such that mems1 and mems2 make sc1 and sc1,p and
mems2 and mems2,p make sc2 and sc2,p compatible with strong low bisimulations modulo
low matching and modes, respectively.
Assume finally that sc1 ≺S sc1,p and sc2 ≺S sc2,p.
Then the following holds for all mem ∈ Mem:∑
mem′∈[mem]LO
ρS(TS(sc1)⇓mem′) =
∑
mem′∈[mem]LO
ρS(TS(sc2)⇓mem′)
Proof.
Proof Outline. The general idea and structure of the proof is the same as in the proof of
Theorem 3.14. The major difference is to Steps 9 and 10 of the proof of Theorem 3.14,
where it is established that the existence of a transition in sc1 guarantees the existence
of a matching transition in sc2. To establish the same in this proof, we exploit Lemmas
A.12 and A.13, exploiting that the system configurations have sound modes.
Like the proof of Theorem 3.14, the proof is by induction on ](TS(sc1)) + ](TS(sc2)),
where ](T ) =
∑
tr∈T ](tr), which is possible because the system configurations sc1 and sc2
are terminating.
The induction basis is proved as in the proof of Theorem 3.14.
For the induction step, we write P (sc) for the sum
∑
mem′∈[mem]LO ρS(TS(sc)⇓mem′).
A.8. Integration of FSI-security and SIFUM-security 153
1. For each system configuration sc, we denote with enabled(sc) ⊂ N the set of thread
indices such that j ∈ enabled(sc) if and only if there exist sc′ ∈ SysConf and p > 0
with sc
j,p
=⇒S sc′.
By the definition of schedulers and the semantics for system configurations, sc′ is
uniquely determined by sc and j. We denote sc′ with succj(sc).
2. By Lemma A.10 the following equation holds for every memory mem:
ρS(TS(sc1)⇓mem) =
∑
j∈enabled(sc1)
ρSsc1(j) ∗ ρS(TS(succj(sc1))⇓mem)
Hence, the following holds:∑
mem′∈[mem]LO
ρS(TS(sc1)⇓mem) =
∑
mem′∈[mem]LO
∑
j∈enabled(sc1)
ρSsc1(j)∗ρS(TS(succj(sc1))⇓mem)
Switching the sums on the right hand side of the equation, we obtain∑
mem′∈[mem]LO
ρS(TS(sc1)⇓mem) =
∑
j∈enabled(sc1)
ρSsc1(j) ∗
∑
mem′∈[mem]LO
ρS(TS(succj(sc1))⇓mem).
Using the notation introduced for this proof, we write this equation as follows:
P (sc1) =
∑
j∈enabled(sc1)
ρSsc1(j) ∗ P (succj(sc1)).
3. We rewrite this sum as P (sc1) = P (sc1, high) + P (sc1, low), where
P (sc1, high) =
∑
j∈enabled(sc1)
∧j 6∈dom(match)
ρSsc1(j) ∗ P (succj(sc1))
and
P (sc1, low) =
∑
j∈enabled(sc1)
∧j∈dom(match)
ρSsc1(j) ∗ P (succj(sc1)).
4. Let j ∈ enabled(sc1). Then there exist c1,mem ′1, mds ′, α, p, and sst ′1 such that
〈thr1[j],mdss1[j],mem1〉 α−_ 〈c1,mds ′,mem ′1〉 and (sst1, obs(thr1,mem1)) j,p S sst ′1,
where succj(sc1) = 〈updatej(thr1, c1, α),mdss ′1,mem ′1, sst ′1〉, and mdss ′1 is obtained
by updating mdss1 with mds
′.
5. Assume firstly that j 6∈ dom(match). Then thr1[j] ∈ HCom. We show that this
implies that P (succj(sc1)) = P (sc2) holds. Let thr
′
1 be the thread pool in the system
configuration succj(sc1).
a) Since high threads do not modify the values of low variables, and by the definition
of ∼lmm, the lists of memories mems1 and mems2 make succj(sc1) and sc2
compatible with low bisimulations modulo low matching and modes for match ′
(where match ′ is obtained from match by taking into account that the high thread
at position j might have terminated or spawned new, necessarily high, threads).
b) The same as in (a) also holds for succj(sc1) and sc1,p.
c) By the definition of termination and of sound modes, succj(sc1) also terminates
and has sound modes, because it is the result of an execution step of a system
configuration that terminates and has sound modes. Moreover, ](TS(succj(sc1)))+
](TS(sc2)) < ](TS(sc1)) + ](TS(sc2)).
154 Appendix A. Detailed Proofs
d) From sc1 ≺S sc1,p and the definition of S-simulations it follows that
succj(sc1) ≺S sc1,p.
e) Hence, all assumptions for the induction hypothesis for the pair of system
configurations succj(sc1) and sc2 are satisfied, and it follows that
P (succj(sc1)) = P (sc2).
6. Using (5.), we rewrite P (sc1, high) as follows:
P (sc1, high) = P (sc2) ∗
∑
j∈enabled(sc1)
∧j 6∈dom(match)
ρSsc1(j).
By the definition of l -ρS , it follows that
P (sc1, high) = P (sc2) ∗ (1− l -ρS(sc1)).
Analogously, it follows that P (sc2, high) = P (sc1) ∗ (1− l -ρS(sc2)).
7. Assume now that j ∈ dom(match) and that k = match(j).
8. Then ρSsc1(j)/l -ρS(sc1) = ρ
S
sc2(k)/l -ρS(sc2). The proof is almost exactly as in the
proof of Theorem 3.14. The only difference is in the step where the other proof deduces
from mem1 =L mem2 that obs(thr1|LCom ,mem1,p) = obs(thr2|LCom ,mem2,p). Here
we only know that mem1 and mem2 agree on low variables for which no thread makes
a no-read assumption (and not that mem1 =L mem2 as in the other proof). But
since it follows from the sound modes of sc1 and sc2 that the thread pools in sc1
and sc2 have compatible modes with obs the equality of the observations follows in
this proof as well, because mem1 and mem2 differ only on variables for which some
thread makes a no-read assumption.
9. The inequality ρSsc1(j) > 0 holds because j ∈ enabled(sc1). Hence, by (8.), the
inequality ρSsc2(k) > 0 holds. Moreover, it follows from Lemma A.13 that k ∈
enabled(sc2).
10. We now show that P (succj(sc1)) = P (succk(sc2)).
a) Since sc1 and sc2 are both terminating and have sound modes, succj(sc1) and
succk(sc2) are also terminating and have sound modes. Moreover,
](TS(succj(sc1))) + ](TS(succk(sc2))) < ](TS(sc1)) + ](TS(sc2)).
b) Since sc1 ≺S 〈thr1|L,mem1,p, sstp〉, the execution step from sc1 to
succj(sc1) can be simulated by an execution step of 〈thr1|L,mem1,p, sstp〉 by the
definition of S-simulations, resulting in the configuration
〈getThr(succj(sc1))|L,mem ′1,p, sst ′p〉
for some sst ′p. Moreover,
succj(sc1) ≺S 〈getThr(succj(sc1))|L,mem ′1,p, sst ′p〉.
holds. Finally, getMem(succj(sc1)) =L mem
′
1,p holds, because thr1 is FSIFUM-
secure.
A.8. Integration of FSI-security and SIFUM-security 155
c) We repeat (b) with sc2 instead of sc1. Note that since obs is confined to L,
the resulting scheduler state is also sst ′p, because ](thr1|L) = ](thr1|L) and
mem1,p =L mem2,p.
d) It follows from (b) and (c) that the assumptions of the theorem are also satisfied
for the pair of system configurations succj(sc1) and succk(sc2).
e) Moreover, by Lemma A.13 there exist memories mem1,i and mem2,i for i ∈
{1, . . . , n′)} (n′ being the number of low threads in succj(sc1) and succk(sc2))
such that the assumptions of the theorem regarding compatibility with strong
low bisimulation modulo low matching and modes are also satisfied for the pair
of system configurations succj(sc1) and succk(sc2).
f) Hence, all assumptions of the induction hypothesis are satisfied and it follows
that
P (succj(sc1)) = P (succk(sc2)).
11. The remainder of the proof is exactly as in the proof of Theorem 3.14 (Step (11.)
and onwards).
Proof sketch of Theorem 5.3. The theorem follows directly with Theorem A.1.
Lemma A.14. Assume that thr1 ∼lm thr2, and that i ∈ {1, . . . , ](thr1)} with thr1[i] ∈
LCom. Then 〈thr1[i]〉 ∼lm 〈thr2[j]〉 where j = l -matchthr1,thr2(i). ♦
Proof. We define the relation R as follows: thr1 R thr2 if and only if there exist
thr ′1, thr
′′
1 , thr
′
2, and thr
′′
2 such that thr
′
1 and thr
′
2 have the same number of low threads,
such that thr ′′1 and thr
′′
2 have the same number of low threads, and such that
thr ′1 :: thr1 :: thr
′′
1 ∼lm thr ′2 :: thr2 :: thr ′′2 . One easily sees that R is a low bisimulation
modulo low matching. Moreover, it follows from the assumptions of the lemma that
〈thr1[i]〉 R 〈thr2[j]〉. Hence, 〈thr1[i]〉 ∼lm 〈thr2[j]〉.
Lemma A.15. Define the relation R on thread configurations with modes as follows:
〈c1,mds,mem1〉 R 〈c2,mds,mem2〉 if and only if 〈c1〉 ∼lm 〈c2〉, mem1 =L mem2, and c1
and c2 do not affect the mode state. Then R is a low bisimulation modulo low matching
and modes. ♦
Proof. Assume that 〈c1,mds,mem1〉 R 〈c2,mds,mem2〉. Then 〈c1〉 ∼lm 〈c2〉, mem1 =L
mem2, and both c1 and c2 do not affect the mode state.
Let x ∈ Var and v , v1, v2 ∈ Val . If x ∈ L it follows from mem1 =L mem2 that
mem1[x 7→ v ] =L mem2[x 7→ v ]. Hence, 〈c1,mds,mem1[x 7→ v ]〉 R 〈c2,mds,mem2[x 7→ v ]〉.
If x ∈ H then mem1[x 7→ v1] =L mem2[x 7→ v2]. In consequence, 〈c1,mds,mem1[x 7→
v1]〉 R 〈c2,mds,mem2[x 7→ v2]〉. Hence, R is closed under globally consistent changes.
Moreover, it follows directly from mem1 =L mem2 that mem1 =
mds
L mem2.
Assume that c1 6∈ HCom and that 〈c1,mds,mem1〉 new(thr1,mdss1)−−−−−−−−−−−_ 〈c′1,mds ′,mem ′1〉.
Since c1 does not affect the mode state it follows that mds
′ = mds and that c′1 and the
commands in thr1 do not affect the mode state. Moreover, since 〈c1〉 ∼lm 〈c2〉 there exist
c′2, mem
′
2, and thr2 such that the following conditions are satisfied:
− 〈c2,mem2〉 new(thr2)−−−−−−_ 〈c′2,mem ′2〉,
− mem ′1 =L mem ′2,
− ](thr1|L) = ](thr2|L), and
− update1(〈c1〉, c′1, thr1) ∼lm update1(〈c2〉, c′2, thr2).
156 Appendix A. Detailed Proofs
It follows from update1(〈c1〉, c′1, thr1) ∼lm update1(〈c2〉, c′2, thr2) and Lemma A.14 that
〈c′1〉 ∼lm 〈c′2〉 and that 〈thr1[i]〉 ∼lm 〈thr2[j]〉 for all i ∈ {1, . . . , ](thr1)} with thr1[i] ∈
LCom and j = l -matchthr1,thr2(i). Moreover, due to 〈c2,mem2〉 new(thr2)−−−−−−_ 〈c′2,mem ′2〉
and the fact that c2 does not affect the mode state, 〈c2,mds,mem2〉 new(thr2,mdss2)−−−−−−−−−−−_
〈c′2,mds,mem ′2〉 and c2 and any threads in thr2 do not affect the mode state. In conse-
quence, 〈c′1,mds,mem ′1〉 R 〈c2,mds,mem ′2〉 and
〈thr1[i],mdss[i],mem ′1〉 R 〈thr2[j],mdss[j],mem ′2〉 for all i ∈ {1, . . . , ](thr1)} with
thr1[i] ∈ LCom and j = l -matchthr1,thr2(i).
Hence, Items (a) and (b) in the definition of low bisimulations modulo low matching
and modes are satisfied, and Item (c) is satisfied for f = l -matchthr1,thr2 .
Lemma A.16. The relation ∼mm is a low bisimulation modulo low matching and modes.♦
Proof. The relation ∼mm is closed under globally consistent changes because it is a strong
low bisimulation modulo modes.
Assume that 〈c1,mds,mem1〉 ∼mm 〈c2,mds,mem2〉. Then mem1 =mdsL mem2 be-
cause ∼mm is a strong low bisimulation modulo modes.
Assume that 〈c1,mds,mem1〉 ∼mm 〈c2,mds,mem2〉, 〈c1,mds,mem1〉 new(thr1,mdss1)−−−−−−−−−−−_
〈c′1,mds ′,mem ′1〉, and c1 6∈ HCom. Since ∼mm is a strong low bisimulation modulo modes
it follows that there exist c′2, mem
′
2, and α2 = new(thr2,mdss2) such that the following
conditions are satisfied:
− 〈c2,mds,mem2〉 α2−_ 〈c′2,mds ′,mem ′2〉,
− 〈c′1,mds ′,mem ′1〉 ∼mm 〈c′2,mds ′,mem ′2〉,
− ](thr1) = ](thr2), and
− 〈thr1[i],mdss1[i],mem ′1〉 ∼mm 〈thr2[i],mdss2[i],mem ′2〉 for all i ∈ {1, . . . , ](thr1)}.
Hence, Items (a) and (b) of the definition of low bisimulations modulo low matching and
modes are satisfied, and Item (c) is satisfied by defining f as the function with domain
{1, . . . , ](thr1)} and f(i) = i for all i ∈ dom(f).
A.9 Security Type System for FSIFUM-security
Like in the case of FSI-security, high commands are FSIFUM-secure.
Lemma A.17. If c ∈ HCom then c is FSIFUM-secure for any initial mode state. ♦
Proof. Define the relation R such that 〈c1,mds,mem1〉 R 〈c2,mds,mem2〉 if and only if
c1 = c2, c1 ∈ HCom, and mem1 =mdsL mem2. Then it follows immediately that R is a
strong low bisimulation modulo low matching and modes. In consequence, c ∼mdslmm c for
all mode states mds, and, hence, c is FSIFUM-secure for all mds.
Moreover, like for the type system for FSI-security, commands typable with mdf = high
are high.
Lemma A.18. Let c ∈ Com. Assume that c is typable with type (high, stp) for some
stp ∈ {low , high} in the security type system for FSIFUM-security. Then c ∈ HCom. ♦
A.9. Security Type System for FSIFUM-security 157
Proof. The proof is exactly like the proof of Lemma 3.2, the analogous lemma for the type
system for FSI-security (the typing rules of the type system for FSIFUM-security impose
exactly the same requirements as the typing rules of the type system for FSI-security
regarding mdf and stp).
Moreover, we have a subject reduction result for the type system for FSIFUM-security
that is a combination of the results for the type systems for FSI-security and SIFUM-
security.
Lemma A.19. Let c ∈ Com. Assume that ` Λ {c} Λ′ : (mdf , stp) is derivable, and that
〈c,mds,mem〉 new(thr ,mdss)−−−−−−−−−_ 〈c′,mdss ′,mem ′〉. Then there exist Λ′′, mdf ′, and stp′ such
that ` Λ′′ {c} Λ′ : (mdf ′, stp′) is derivable where mdf v mdf ′ and stp′ v stp. Moreover,
if mds is consistent with Λ then mds ′ is consistent with Λ′′. ♦
Proof. The proof is by induction on the derivation of ` Λ {c} Λ′ : (mdf , stp). The
argumentation is exactly as in the proofs of Lemma 3.1 and Theorem 4.6.
Proof of Theorem 5.6. The proof follows the same approach as the proof of Theorem 4.7,
where we adapt the constructed bisimulation relation to encode also information about
the pair (mdf , stp) in the typing judgments, and handle high commands separately, as in
the proof of Theorem 3.15.
For each partial environment Λ′ we define RΛ′ as follows:
RΛ′ = {(〈c,mds,mem1〉 , 〈c,mds,mem2〉) | ∃Λ, stp :
` Λ {c} Λ′ : (low , stp) ∧mds ∈ cons(Λ) ∧mem1 =Λ mem2}
We define R = ∼lmm ∪
(⋃
Λ′:Var⇀{low ,high}RΛ
′)
and show that R is a low bisimula-
tion modulo low matching and modes.
Note that all properties required by low bisimulations modulo low matching and modes
are satisfied for thread configurations that are related by ∼lmm, and, hence, it suffices to
show the properties for those thread configurations that are related by RΛ′ for some Λ′.
The symmetry of R follows immediately from the definition. and the closure under
globally consistent changes is proved exactly as in the proof of Theorem 4.7. Also, proving
that mem1 =
mds
L mem2 whenever 〈c1,mds,mem1〉 R 〈c2,mds,mem2〉 is exactly as in
the proof of Theorem 4.7.
It remains to show that for all c, c′1 ∈ Com, all mds,mds ′ ∈ Mds, all mem1, mem2,
and mem ′1 ∈ Mem, all α1 = new(thr1,mdss1) ∈ Labm, all Λ,Λ′ : Var ⇀ {low , high}, and
all stp ∈ {low , high} with c 6∈ HCom, 〈c,mds,mem1〉 α1−_ 〈c′1,mds ′,mem ′1〉, ` Λ {c} Λ′,
mds ∈ cons(Λ), and mem1 =Λ mem2, there exist c′2, α2 = new(thr2,mdss2), and mem ′2
such that the following conditions are satisfied:
− 〈c,mds,mem2〉 α2−_ 〈c′2,mds ′,mem ′2〉,
− 〈c′1,mds ′,mem ′1〉 R 〈c′2,mds ′,mem ′2〉, and
− there exist an injective partial function match : {1, . . . , ](thr1)} ⇀ {1, . . . , ](thr2)}
such that 〈thr1[i],mdss1[i],mem ′1〉 R 〈thr2[j],mdss2[j],mem ′2〉 for all i ∈ dom(match)
and j = match(i), thr1[i] ∈ HCom for all i 6∈ dom(match), and thr2[i] ∈ HCom for
all i 6∈ img(match).
The proof is by induction on the derivation of the judgment ` Λ {c} Λ′ : (low , stp).
The cases for the derivations via rules [ANNO], [SKIP], [ASS1], [ASS2], [SPAWN], and
[SUB] are derived directly from the corresponding cases in the proof of Theorem 4.7, and
we do not repeat them here.
158 Appendix A. Detailed Proofs
The cases for the derivations via rules [IF] and [WHILE] are also like in the proof of
Theorem 4.7, taking into account that mdf = low in the typing judgment and, because
d v mdf in both rule [IF] and [WHILE] it follows that d = low .
The case for the derivation via rule [SEQ] is like in Theorem 4.7, in which in addition
a case distinction on the cases stp1 = low and stp1 = high is performed, proceeding as in
the proof of Theorem 3.15.
Proof of Theorem 5.7. Since ` thr is derivable, by the typing rule [PARS ] there exist a
list of mode states mdss, partial environments Λ1, . . . ,Λ](thr) and Λ
′
1, . . . ,Λ
′
](thr), and
security domains mdf 1, . . . ,mdf ](thr) and stp1, . . . , stp](thr) such that ` Λi {thr [i]} Λ′i :
(mdf i, stpi) is derivable, dma(x ) v Λi〈x 〉 for all x ∈ Var , and mdss [i] is consistent with Λi
for all i ∈ {1, . . . , ](thr)}, and such that (thr ,mdss) has sound modes for S. Hence,
by Theorem 5.6, it holds for all i ∈ {1, . . . , ](thr)} that 〈thr [i],mdss[i],mem1〉 ∼lmm
〈thr [i],mdss[i],mem2〉 for all mem1,mem2 ∈ Mem that satisfy mem1(x ) = mem2(x )
for all x ∈ Var with Λi〈x 〉 = low . Since mdss[i] ∈ cons(Λi) and dma(x ) v Λi〈x 〉 for
all x ∈ Var it follows that 〈thr [i],mdss[i],mem1〉 ∼lmm 〈thr [i],mdss[i],mem2〉 for all
mem1 =L mem2. I.e., thr [i] is FSIFUM-secure for mdss[i] for all i ∈ {1, . . . , ](thr)}. As
modes are sound for S, with Theorem 5.3 it follows that thr is S-noninterferent.
A.10 Relation between Type-based and PDG-based Infor-
mation Flow Analysis
This appendix contains the proofs for the relation between type-based and PDG-based
information flow analysis for sequential programs from Chapter 6. Moreover, it contains
the soundness proof for the PDG-based information flow analysis for multi-threaded
programs from the same chapter.
Before proving Theorem 6.3 we prove several lemmas that relate paths in the graph
PDG(CFGI,Oc ) where c is of the form if e then c1 else c2 fi, while e do c1 od, or c1; c2 to
paths in the graphs PDG(CFGI,Oc1 ) and (if applicable) PDG(CFG
I,O
c2 ). In the proofs, we
write p + k for the path that is obtained from p by adding k to each node on p that is
a natural number, and leaving start and stop unchanged. Moreover, we write p − k for
the path that is obtained from p by subtracting k from each node on p that is a natural
number, and leaving start and stop unchanged.
Lemma A.20. Let c = if e then c1 else c2 fi and x , y ∈ Var . Then the following hold:
1. There is a path from in to out in PDG(CFG{x},{y}c ) if and only if one of the following
conditions are satisfied:
a) there is a path from in to out in PDG(CFG{x},{y}c1 ),
b) there is a path from in to out in PDG(CFG{x},{y}c2 ),
c) x ∈ vars(e) and there is a path from start to out in PDG(CFG{x},{y}c1 ) that
contains a node n 6∈ {start , out}, or
d) x ∈ vars(e) and there is a path from start to out in PDG(CFG{x},{y}c2 ) that
contains a node n 6∈ {start , out}.
2. There is a path from start to out in PDG(CFG{x},{y}c ) that contains a node n 6∈
{start , out} if and only if there is such a path in the graph PDG(CFG{x},{y}c1 ) or in
the graph PDG(CFG{x},{y}c2 ). ♦
A.10. Relation between Type-based and PDG-based Information Flow Analysis 159
Proof. We firstly prove Statement (1) of the lemma.
1. By the construction of the CFG for commands the following holds:
a) Let n, n ′ 6∈ {1, start , stop} be nodes of CFGc . Then n ′ is data (control) dependent
on n for CFGc if and only if n
′	 1 is data (control) dependent on n 	 1 for
CFGc1 or n
′	 1	 ](c1) is data (control) dependent on n 	 1	 ](c1) for CFGc2 .
Moreover, n is not data dependent on 1 and 1 is not data dependent on n.
Moreover, n is control dependent on 1 if and only if n 	 1 is control dependent
on start for CFGc1 or n 	 1	 ](c1) is control dependent on start for CFGc2 .
2. By the construction of the PDG and the construction of the CFG for commands we
obtain the following:
a) Let n 6∈ {1, start , stop} be a node of CFGc. Then there is an edge (in,n) in
PDG(CFG{x},{y}c ) if and only if there is an edge (in, n 	 1) in PDG(CFG{x},{y}c1 )
or an edge (in,n 	 1	 ](c1)) in PDG(CFG{x},{y}c2 ).
Moreover, there is an edge (n, out) in PDG(CFG{x},{y}c ) if and only if there
is an edge (n 	 1, out) in PDG(CFG{x},{y}c1 ) or an edge (n 	 1	 ](c1), out) in
PDG(CFG{x},{y}c2 ).
b) There is an edge (in, 1) in PDG(CFG{x},{y}c ) if and only if x ∈ vars(e). Moreover,
there is no edge (1, out) in PDG(CFG{x},{y}c ).
c) There is an edge (in, out) in PDG(CFG{x},{y}c ) if and only if there is an edge
(in, out) in PDG(CFG{x},{y}c1 ) or in PDG(CFG
{x},{y}
c2 ).
3. Assume that there is a path p from in to out in PDG(CFG{x},{y}c ).
a) If p = 〈in, out〉, then by (2c) p is also a path in PDG(CFG{x},{y}c1 ) or in
PDG(CFG{x},{y}c2 ).
b) If p = 〈in, 1〉 :: p′ for some p′, then, by (2b), x ∈ vars(e) and p′ 6= 〈out〉. Moreover,
by (1a) the first node in p′ is control dependent on start in CFGc , and, since due to
(1a) all edges in p′ derive from edges in PDG(CFG{x},{y}c1 ) or PDG(CFG
{x},{y}
c1 ),
〈start〉 ::(p′	 1) is a path from start to out in the graph PDG(CFG{x},{y}c1 ) or
in the graph PDG(CFG{x},{y}c1 ) that contains a node n 6∈ {start , out} (namely
the first node of p′).
c) If p 6= 〈in, out〉 and p 6= 〈in, 1〉 :: p′ for some p′, then, using (1a) and (2a), p − 1
is a path in PDG(CFG{x},{y}c1 ) or in PDG(CFG
{x},{y}
c1 ).
4. Assume that there is a path p from in to out in PDG(CFG{x},{y}c1 ). Then, by (1a),
(2a), and (2c), p + 1 is a path in PDG(CFG{x},{y}c ).
5. Assume that there is a path from in to out in PDG(CFG{x},{y}c2 ). Then, by (1a),
(2a), and (2c), p + (1 + ](c1)) is a path in PDG(CFG
{x},{y}
c2 ).
6. Assume that x ∈ vars(e) and that there is a path from start to out in the graph
PDG(CFG{x},{y}c1 ) that contains n 6∈ {start , out}, i.e., of the form 〈start〉 :: p′. Then,
by (1a), (2a), and (2b), the sequence 〈in, 1〉 ::(p′ + 1) is a path in PDG(CFG{x},{y}c ).
7. Assume finally that x ∈ vars(e) and that there is a path from start to out in
PDG(CFG{x},{y}c2 ) that contains a node n 6∈ {start , out}, i.e., of the form 〈start〉 :: p′.
Then, by (1a), (2a), and (2b), the sequence 〈in, 1〉 ::(p′ + (1 + ](c1))) is a path in
PDG(CFG{x},{y}c ).
Statement (2) of the lemma is seen as follows: Using (1) and (2) of the proof of the first
statement of the lemma, paths from start to out in PDG(CFG{x},{y}c ) that contain a
node n 6∈ {start , out} are exactly the paths obtained from paths from start to out in
PDG(CFG{x},{y}c1 ) and PDG(CFG
{x},{y}
c2 ) that contain a node n 6∈ {start , out}, respec-
160 Appendix A. Detailed Proofs
tively, into which the node representing the guard of the conditional (Node 1) is inserted
directly after node start , and 1 respectively 1 + ](c1) is added to each node.
Lemma A.21. Let c = c1; c2 and x , y ∈ Var . Then the following hold:
1. There is a path from in to out in PDG(CFG{x},{y}c ) if and only if there exists z ∈ Var
such that there is a path from in to out in PDG(CFG{x},{z}c1 ) and a path from in to
out in PDG(CFG{z},{y}c2 ).
2. There is a path from start to out in PDG(CFG{x},{y}c ) that contains a node n 6∈
{start , out} if and only if one of the following conditions is satisfied:
a) there exists z ∈ Var such that there is a path from start to out that contains a
node n 6∈ {start , out} in the graph PDG(CFG{x},{z}c1 ) and such that there is a
path from in to out in PDG(CFG{z},{y}c2 ), or
b) there is a path from start to out in PDG(CFG{x},{y}c2 ) that contains a node
n 6∈ {start , out}. ♦
Proof. We firstly prove Statement (1).
1. By the construction of the CFG for commands, the following hold:
a) Let n,n ′ 6∈ {start , stop} be nodes of CFGc. Then n ′ is control dependent on n
for CFGc , if and only if n
′ is control dependent on n for CFGc1 , or if n 	 ](c1)
is control dependent on n 	 ](c1) for CFGc2 .
b) Let n,n ′ 6∈ {start , stop} be nodes of CFGc . Then n ′ is data dependent on n for
CFGc if and only if one of the following conditions is satisfied:
i. n ′ is data dependent on n for CFGc1
ii. n ′	 ](c1) is data dependent on n 	 ](c1) for CFGc2
iii. There exists z ∈ Var such that z ∈ defc1(n), z ∈ usec2(n ′	 ](c1)), a
definition of z at n reaches stop in CFGc1 , and a definition of z at start
reaches n ′	 ](c1) in CFGc2 .
Note that condition (iii) is equivalent to the existence of z ∈ Var such that there
is an edge from n to out in PDG(CFG{x},{z}c1 ) and an edge from in to (n
′	 ](c1))
in PDG(CFG{z},{y}c2 ).
2. By the definition of PDGs and the definition of CFGs of commands there is an edge
(in, out) in PDG(CFG{z},{y}c ) if and only if x = y and (in, out) is an edge both in
PDG(CFG{z},{y}c1 ) and in PDG(CFG
{z},{y}
c2 ).
3. Assume that there is a path p from in to out in PDG(CFG{x},{y}c ).
a) If p = 〈in, out〉, then, by (2), we conclude (setting z = x = y).
b) If p contains, besides in and out , only nodes in the set {1, . . . , ](c1)}, then
a definition of y at the one but last node of p reaches stop in CFGc, and,
hence, a definition of y at start reaches stop in CFGc2 . Hence, p is a path
in PDG(CFG{x},{y}c1 ) and 〈in, out〉 is a path in PDG(CFG{y},{y}c2 ). Thus, we
conclude setting z = y .
c) If p contains, besides in and out , only nodes in the set {](c1) + 1, . . . , ](c1; c2)},
we argue as in the previous case with roles of c1 and c2 switched, concluding by
setting z = x .
d) If p contains nodes in both {1, . . . , ](c1)} and {](c1)+1, . . . , ](c1; c2)}, then, by the
definition of the CFG, p = p1 :: p2 where p1 contains only nodes in {1, . . . , ](c1)}
and p2 contains only nodes in {](c1) + 1, . . . , ](c1; c2)}. With (1b.iii) it follows
that there is z such that p1 ::〈out〉 is a path in PDG(CFG{x},{z}c1 ) and 〈in〉 :: p2
is a path in PDG(CFG{z},{y}c2 ).
A.10. Relation between Type-based and PDG-based Information Flow Analysis 161
4. Now assume that there exists z ∈ Var and paths p1 and p2 from in to out in
PDG(CFG{x},{z}c1 ) and in PDG(CFG
{z},{y}
c2 ), respectively. With (1b.iii) it follows
that there exists a path from in to out in PDG(CFG{x},{z}c ) (by joining these two
paths).
We now prove Statement (2).
1. By the construction of the CFG for c1; c2 and the definition of postdominance, a
node n is control dependent on start in CFGc if and only if n is control dependent
on start in CFGc1 or n 	 ](c1) is control dependent on start in CFGc2 .
2. Assume that p is a path from start to out in PDG(CFG{x},{y}c ) that contains a node
n 6∈ {start , out}.
a) If p contains, besides start and out , only nodes in the set {](c1)+1, . . . , ](c1; c2)},
then p − ](c1) is a path from start to out in PDG(CFG{x},{y}c2 ) that contains a
node n 6∈ {start , out} (by (1), (1a), (1b), and the proof of the first statement of
the lemma).
b) Otherwise, using (1) and arguing analogously to the proof of the first part of the
lemma, there exists z such that there is a path from start to out in the graph
PDG(CFG{x},{z}c1 ) that contains a node n 6∈ {start , out} and a path from in to
out in the graph PDG(CFG{z},{y}c1 ).
3. The backwards direction (assuming paths in the graphs PDG(CFG{x},{y}c1 ) and
PDG(CFG{x},{y}c2 )) is analogous to the previous cases.
Lemma A.22. Let c = while e do c1 od. Then the following hold:
1. There is a path from in to out in PDG(CFG{x},{y}c ) if and only if there exist z1, . . . , zk
(for some k > 1) with z1 = x and zk = y such that for each i ∈ {1, . . . , k − 1} one of
the following conditions is satisfied:
a) there is a path from in to out in PDG(CFG{zi},{zi+1}c1 ), or
b) zi ∈ vars(e) and there is a path from start to out in PDG(CFG{zi},{zi+1}c1 ) that
contains a node n 6∈ {start , out}.
2. There is a path from start to out in PDG(CFG{x},{y}c ) that contains a node n 6∈
{start , out} if and only if there exist z1, . . . , zk (for some k > 0) such that zk = y , there
is a path from start to out in PDG(CFG{x},{z1}c1 ) that contains a node n 6∈ {start , out},
and for each i ∈ {1, . . . , k − 1} one of the following conditions is satisfied:
a) there is a path from in to out in PDG(CFG{zi},{zi+1}c1 ), or
b) zi ∈ vars(e) and there is a path from start to out in PDG(CFG{zi},{zi+1}c1 ) that
contains a node n 6∈ {start , out}. ♦
Proof. We start proving Statement (1) of the lemma.
1. By the construction of the CFG for commands the following hold:
a) Let n,n ′ 6∈ {1, start , stop} be nodes of CFGc. Then n ′ is data dependent on n
for CFGc if and only if one of the following holds:
i. n ′	 1 is data dependent on n 	 1 for CFGc1 or
ii. there exists z ∈ Var such that (n 	 1, out) is an edge in PDG(CFG{x},{z}c1 )
and (in,n ′	 1) is an edge in PDG(CFG{z},{y}c1 ).
Moreover, Node 1 is data dependent on n if and only if there exists z ∈ vars(e)
such that (n, out) is an edge in PDG(CFG{x},{z}c1 ).
162 Appendix A. Detailed Proofs
b) Let n,n ′ 6∈ {1, start , stop} be nodes of CFGc. Then n ′ is control dependent on
n for CFGc if and only if n
′	 1 is control dependent on n 	 1 for CFGc1 .
Moreover, n is control dependent on 1 if and only if n 	 1 is control dependent
on start for CFGc1 .
2. By the construction of the PDG and the construction of the CFG for commands the
following hold:
a) Let n 6∈ {1, start , stop} be a node of CFGc. Then there is an edge (in,n) in
PDG(CFG{x},{y}c ) if and only if there is an edge (in, n 	 1) in PDG(CFG{x},{y}c1 ).
Moreover, there is an edge (n, out) in PDG(CFG{x},{y}c ) if and only if there is
an edge (n 	 1, out) in PDG(CFG{x},{y}c1 ).
b) There is an edge (in, 1) in PDG(CFG{x},{y}c ) if and only if x ∈ vars(e). Moreover,
there is no edge (1, out) in PDG(CFG{x},{y}c ).
c) There is an edge (in, out) in PDG(CFG{x},{y}c ) if and only if there is an edge
(in, out) in PDG(CFG{x},{y}c1 ).
3. Assume that there is a path p from in to out in PDG(CFG{x},{y}c ).
a) If p = 〈in, out〉, then by (2c) it is also a path in PDG(CFG{x},{y}c1 ).
b) If p consists of more than 2 nodes, then by (1) and (2) p consists of segments that
correspond to paths in PDG(CFG{x},{y}c1 ), potentially separated by Node 1 (rep-
resenting the guard of the loop), where the edges (n, n ′) between these segments
correspond to edges (n, out) in PDG(CFG{zi},{zi+1}c1 ) and (in,n
′) respectively
(start ,n ′) in PDG(CFG{zi+1},{zi+2}c1 ) for a sequence of zi.
c) Hence, there exist z1, . . . , zk and paths from in to out respectively from start
to out (containing a node n 6∈ {start , out}) in the PDGs PDG(CFG{zi},{zi+1}c1 ),
where z1 = x and zk = y .
4. Assume now that there exist z1, . . . , zk with z1 = x and zk = y and paths from in to
out respectively from start to out (containing a node n 6∈ {start , out}) in the PDGs
PDG(CFG{zi},{zi+1}c1 ).
a) Using (1) and (2), these paths can be concatenated using the same arguments as
in Lemmas A.20 and A.21, where Node start is replaced by Node 1.
Statement (2) of the lemma is proven analogously to Statement (1), with the difference
being that the first segment of the path begins at Node start , not at Node in.
We prove a generalization of Theorem 6.3 that permits arbitrary security domains for
the program counter in the typing judgment. The generalization permits an inductive
proof over the construction of the command c.
Lemma A.23. Let c ∈ Com, Γ : Var → D, pc ∈ D, and y ∈ Var . Let Γ′ be the
environment with pc ` Γ {c} Γ′. Let X ⊆ Var be such that x ∈ X if and only if there is
a path 〈in, . . . , out〉 in PDG(CFG{x},{y}c ). Then one of the following two conditions is
satisfied:
1. Γ′(y) = pcunionsq(⊔x∈X Γ(x )), and there is a path from start to out in PDG(CFG{x},{y}c )
that contains a node n 6∈ {start , out} for some x ∈ Var .
2. Γ′(y) =
⊔
x∈X Γ(x ), and there is no such path in PDG(CFG
{x},{y}
c ) for any x ∈ Var .
♦
Proof. The proof is by induction on the structure of the command c.
Assume that c = skip:
A.10. Relation between Type-based and PDG-based Information Flow Analysis 163
1. By the typing rule [SKIP], Γ = Γ′. Hence, Γ(y) = Γ′(y).
2. The node start is the only node in CFG skip with two outgoing edges, and, hence, all
control dependency edges in PDG(CFG
{x},{y}
skip ) originate at start .
3. Node 1 (representing the skip-statement) has empty def and use sets by Definition 6.8.
Hence, by Definition 6.11 PDG(CFG
{x},{y}
skip ) contains no data dependency edges from
or to Node 1, and it contains an edge (in, out) if and only if x = y.
4. By (2) and (3), there is a path from in to out in PDG(CFG
{x},{y}
skip ) if and only if
x = y, i.e., X = {y}.
5. Moreover, by (2) and (3) there is no path from start to out in PDG(CFG
{x},{y}
skip ) but
the path 〈start , out〉.
6. Hence, by (4) and (5), it suffices to show that Γ′(y) = Γ(y) to conclude this case, and
Γ′(y) = Γ(y) holds by (1).
Assume that c = z :=e:
1. By the same argument as in the case for skip, all control dependency edges in
PDG(CFG{x},{y}z :=e ) originate at start .
2. By Definition 6.8, defc(1) = {z} and usec(1) = vars(e) (where 1 is the node repre-
senting the assignment). Hence, by Definition 6.11 there is a data dependency edge
(in, 1) in PDG(CFG{x},{y}z :=e ) if and only if x ∈ vars(e) and there is a data dependency
edge (1, out) if and only if y = z . Moreover, there is an edge (in, out) if and only if
x = y and x 6= z .
3. Assume that y = z .
a) By (1) and (2), there is a path from in to out if and only if x ∈ vars(e) (the
path 〈in, 1, out〉). Hence, X = vars(e).
b) Since Node 1 is control dependent on start there is a path from start to out that
contains a node n 6∈ {start , out} (the path 〈start , 1, out〉).
c) Hence, we must show that Γ′(y) = pc unionsq (⊔x∈vars(e) Γ(x )). This equality holds
due to the typing rules [ASS] and [EXP].
4. Assume now that y 6= z .
a) By (1) and (2), there is a path from in to out if and only if x = y and x 6= z
(the path 〈in, out〉). Hence, X = {y}.
b) Moreover, by (1) and (2) there is no path from start to out but the path
〈start , out〉.
c) Hence, we must show that Γ′(y) = Γ(y). This holds due to the typing rule [ASS].
Assume that c = c1; c2:
1. By typing rule [SEQ] there is an environment Γ′′ such that pc ` Γ {c1} Γ′′ and
pc ` Γ′′ {c2} Γ′.
2. Let X2 be the set of variables such that x ∈ X2 if and only if there is a path from in
to out in PDG(CFG{x},{y}c2 ). By the induction hypothesis for k and c2 (instantiating
the environment with Γ′′) one of the following conditions is satisfied:
a) Γ′(y) = pc unionsq (⊔x∈X2 Γ′′(x )) and there is a path from start to out in the graph
PDG(CFG{x},{y}c2 ) that contains a node n 6∈ {start , out}, or
b) Γ′(y) =
⊔
x∈X2 Γ
′′(x ), and there is no such path in PDG(CFG{x},{y}c2 ).
3. For each z ∈ X2, let Xz be the set of variables such that x ∈ Xz if and only if there
is a path from in to out in PDG(CFG{x},{z}c1 ). For each z ∈ X2, by the induction
hypothesis for c1 (instantiating the environment with Γ and the variable with z ) one
of the following conditions is satisfied:
a) Γ′′(z ) = pc unionsq (⊔x∈Xz Γ(x )) and there is a path from start to out in the graph
164 Appendix A. Detailed Proofs
PDG(CFG{x},{z}c1 ) that contains a node n 6∈ {start , out}, or
b) Γ′′(z ) =
⊔
x∈Xz Γ(x ), and there is no such path in PDG(CFG
{x},{z}
c1 ).
4. By Lemma A.21, there is a path from in to out in PDG(CFG{x},{y}c1;c2 ) if and only if
there exists z ∈ Var such that there is a path from in to out in PDG(CFG{x},{z}c1 )
and a path from in to out in PDG(CFG{z},{y}c2 ). Hence, it follows from the definitions
of X2 and Xz that X =
⋃
z∈X2 Xz .
5. We distinguish the cases (2a) and (2b). Assume firstly that (2a) holds.
a) Due to (2a) and Lemma A.21, for all z ∈ Var there is a path from start to out in
PDG(CFG{z},{y}c1;c2 ) that contains a node n 6∈ {start , out}. Hence, we must show
that Γ′(y) = pc unionsq (⊔x∈X Γ(x )).
b) Due to (2a), Γ′(y) = pc unionsq (⊔z∈X2 Γ′′(z )).
c) Due to (3), for each z ∈ X2 either Γ′′(z ) = pc unionsq
(⊔
x∈Xz Γ(x )
)
or Γ′′(z ) =(⊔
x∈Xz Γ(x )
)
holds.
d) It follows from (b) and (c) that Γ′(y) = pc unionsq (⊔z∈X2 ⊔x∈Xz Γ(x )). Hence, by (4),
Γ′(y) = pc unionsq (⊔x∈X Γ(x )).
6. Assume now that (2b) holds.
a) Due to (2b), Γ′(y) =
⊔
z∈X2 Γ
′′(z ).
b) For each z ∈ X2, either (3a) or (3b) holds. We distinguish the cases that (3b)
holds for all z ∈ X2 and that (3b) does not hold for some z ∈ X2.
c) Assume firstly that (3b) holds for all z ∈ X2.
i. By Lemma A.21, PDG(CFG{x},{y}c1;c2 ) does not contain a path from start to
out but for the path 〈start , out〉.
ii. For all z ∈ X2, it follows from (3b) that Γ′′(z ) =
(⊔
x∈Xz Γ(x )
)
.
iii. From (a) and (ii) it follows that Γ′(y) =
⊔
z∈X2
⊔
x∈Xz Γ(x ). Hence, by (4),
Γ′(y) =
⊔
x∈X Γ(x ).
d) Assume now that there exists z ∈ X2 such that (3a) holds for z .
i. Hence, Γ′′(z ) = pc unionsq (⊔x∈Xz Γ(x )).
ii. Moreover, PDG(CFG{x},{z}c1 ) contains a path from start to out that contains
a node n 6∈ {start , out}.
iii. Since z ∈ X2 there is a path from in to out in PDG(CFG{z},{y}c2 ).
iv. By Lemma A.21, (ii), and (iii), PDG(CFG{x},{y}c1;c2 ) contains a path from start
to out that contains a node n 6∈ {start , out}.
v. Due to (3), for each z ∈ X2 either Γ′′(z ) = pc unionsq
(⊔
x∈Xz Γ(x )
)
or Γ′′(z ) =(⊔
x∈Xz Γ(x )
)
holds.
vi. From (a), (i), and (v), it follows that Γ′(y) = pc unionsq (⊔z∈X2 ⊔x∈Xz Γ(x )).
Hence, by (4), Γ′(y) = pc unionsq (⊔x∈X Γ(x )).
Assume that c = if e then c1 else c2 fi:
1. Let {z1, . . . , zl} = vars(e), and d = dma(z1) unionsq . . . unionsq dma(zl).
2. By the typing rule [IF], there are environments Γ′1 and Γ
′
2 such that Γ
′ = Γ′1 unionsq Γ′2,
pc unionsq d ` Γ {c1} Γ′1, and pc unionsq d ` Γ {c2} Γ′2.
3. For i ∈ {1, 2}, let Xi be the set of variables such that x ∈ Xi if and only if there is a
path from in to out in PDG(CFG{x},{y}ci ).
4. Applying the induction hypothesis for both k and c1 and k and c2 (instantiating the
program counter security level with pc unionsq d), it follows that for i ∈ {1, 2} one of the
following two conditions is satisfied:
a) Γ′i(y) = pc unionsq d unionsq
(⊔
x∈Xi Γ(x )
)
and there is a path from start to out in the graph
A.10. Relation between Type-based and PDG-based Information Flow Analysis 165
PDG(CFG{x},{y}ci ) that contains a node n 6∈ {start , out}, or
b) Γ′i(y) =
⊔
x∈Xi Γ(x ) and there is no such path in PDG(CFG
{x},{y}
ci ).
5. It follows from Lemma A.20 that there exists a path from in to out in the graph
PDG(CFG
{x},{y}
if e then c1 else c2 fi
) if and only if there is such a path in PDG(CFG{x},{y}c1 )
or in PDG(CFG{x},{y}c2 ) (i.e., x ∈ X1 ∪ X2), or if x ∈ vars(e) and there is a path
from start to out in PDG(CFG{x},{y}c1 ) or in PDG(CFG
{x},{y}
c2 ) that contains a node
n 6∈ {start , out}.
6. We do a case distinction on whether there exists a path from start to out in the
graph PDG(CFG
{x},{y}
if e then c1 else c2 fi
) that contains a node n 6∈ {start , out}. Assume
firstly that there is such a path.
a) Hence, by Lemma A.20, there is such a path in the graph PDG(CFG{x},{y}c1 ) or
in the graph PDG(CFG{x},{y}c2 ). Assume without loss of generality that there is
such a path in PDG(CFG{x},{y}c1 ).
b) Then, by (5), X = X1 ∪X2 ∪ vars(e).
c) Moreover, by (4), Γ′1(y) = pc unionsq d unionsq
(⊔
x∈X1 Γ(x )
)
.
d) Moreover, by (4), either Γ′2(y) = pc unionsq d unionsq
(⊔
x∈X2 Γ(x )
)
or Γ′2(y) =
⊔
x∈X2 Γ(x ).
e) Hence, since Γ′ = Γ′1 unionsq Γ′2, it follows from (1), (c), (d), and (e) that Γ′(y) =
pc unionsq (⊔x∈X Γ(x )).
7. Assume now that there is no path 〈start , . . . , out〉 in PDG(CFG{x},{y}if e then c1 else c2 fi)
that contains a node n 6∈ {start , out}.
a) Hence, by Lemma A.20, there is no such path in the graph PDG(CFG{x},{y}c1 )
and no such path in the graph PDG(CFG{x},{y}c2 ).
b) In consequence, by (5), X = X1 ∪X2.
c) Moreover, by (4), Γ′i(y) =
⊔
x∈Xi Γ(x ) for i ∈ {1, 2}.
d) Hence, since Γ′ = Γ′1 unionsq Γ′2, it follows from (b) and (c) that Γ′(y) =
⊔
x∈X Γ(x ).
Assume that c = while e do c1 od
1. Since pc ` Γ {while e do c1 od} Γ′ is derivable it follows from typing rule [WHILE]
that there exist k ∈ N and sequences Γ′0, . . . ,Γ′k+1, Γ′′0 , . . . ,Γ′′k , and d0, . . . , dk such
that the following hold (for 0 ≤ i ≤ k):
a) Γ′0 = Γ,
b) Γ′k+1 = Γ
′
k = Γ
′,
c) Γ′i ` e : di,
d) pc unionsq ti ` Γ′i {c1} Γ′′i , and
e) Γ′i+1 = Γ
′′
i unionsq Γ.
2. We say that a loop run of the loop while e do c1 od induces a dependency of z
′ on z
if one of the following two conditions is satisfied:
a) there is a path from in to out in PDG(CFG{z},{z
′}
c1 ) or
b) z ∈ vars(e) and there is a path from start to out in PDG(CFG{z},{z ′}c1 ) that
contains a node n 6∈ {start , out}.
3. Hence, by Lemma A.22, x ∈ X if and only if there is a sequence of distinct variables
z1, . . . , zl such that x = z1, zl = y , and the loop c induces a dependency of zi+1 on zi
for all i ∈ {1, . . . , l − 1}.
4. By the induction hypothesis and (1d) it follows that, for all z ′ ∈ Var and all i ∈ N,
one of the following holds, where Z is the set of all z such that there is a path from
in to out in PDG(CFG{z},{z
′}
c1 ):
a) Γ′′i (z
′) =
(⊔
z∈Z Γ
′
i(z )
) unionsq pc unionsq di if there is a path from start to out in the graph
PDG(CFG{z},{z
′}
c1 ) that contains a node n 6∈ {start , out}, and
166 Appendix A. Detailed Proofs
b) Γ′′i (z
′) =
⊔
z∈Z Γ
′
i(z ) if there is no such path.
5. From (1c) and typing rule [EXP] it follows that di =
⊔
x∈vars(e) Γ
′
i(x ).
6. From the definition in (2) and from (4) and (5) it follows that for all z ′ ∈ Var one
of the following holds, where Z ′ is the set of all z such that the loop c induces a
dependency of z ′ on z :
a) Γ′′i (z
′) =
(⊔
z∈Z′ Γ
′
i(z )
) unionsq pc if there is a path from start to out in the graph
PDG(CFG{x},{z
′}
c1 ) that contains a node n 6∈ {start , out}, and
b) Γ′′i (z
′) =
⊔
z∈Z′ Γ
′
i(z ) if there is no such path.
7. Hence, by (1e), it follows that for all z ∈ Var one of the following holds:
a) Γ′i+1(z
′) =
(⊔
z∈Z′ Γ
′
i(z )
) unionsq pc unionsq Γ(z ′) if there is a path from start to out in
PDG(CFG{z},{z
′}
c1 ) that contains a node n 6∈ {start , out}, and
b) Γ′i+1(z
′) =
(⊔
z∈Z′ Γ
′
i(z )
) unionsq Γ(z ′) if there is no such path.
8. Using (7) and starting with Γ′(y) = Γ′k(y), we unfold the equation further and further,
thereby collecting the term Γ(x ) for all x ∈ X on the right hand side of the equation.
As a result, the following holds:
a) Γ′(y) =
⊔
x∈X Γ(x ) unionsq pc, if, for any x ∈ Var , there exists z1, . . . , zk ∈ Var and a
path from start to out in PDG(CFG{x},{z1}c1 ) (containing a node n 6∈ {start , out})
and paths from in to out in the graphs PDG(CFG{zi},{zi+1}c1 ), and
b) Γ′(y) =
⊔
x∈X Γ(x ) if such paths do not exist for any x ∈ Var .
9. But then, with Statement (2) of Lemma A.22, it follows that
a) Γ′(y) =
⊔
x∈X Γ(x ) unionsq pc, if, there exists a path from start to out in the graph
PDG(CFG{zx},{y}c ) that contains a node n 6∈ {start , out}, and
b) Γ′(y) =
⊔
x∈X Γ(x ) if such a path does not exist.
This concludes the proof.
Proof of Theorem 6.3. Theorem 6.3 follows from Lemma A.23 for pc = low .
To prove Theorem 6.5, we extend the proof of Theorem 6.3 to commands containing
procedure calls. For relating summary edges to the functions in the tuple Ψ, we introduce
an additional induction over the depth of the procedure call chains that are considered for
computing summary edges respectively Ψ. For the tuple Ψ, the variants that reflect only
procedure call chains up to depth k are already explicit in the definition of Ψ∗, namely
the functions Ψk (compare Definition 6.21). For summary edges, we introduce the notion
of k-realizable paths in an SDG, where k-realizable paths represent dependencies that are
due to procedure call chains of at most depth k.
Definition A.3. A path in the SDG is k-realizable if its projection on the set containing
all nodes of the form (a-inn,k,p′ , p) and (a-outn,k,p′ , p) is generated by the grammar for
Rk, which is recursively defined as follows:
R0 ::= ε
Rk+1 ::= ε | Rk+1 (a-inn,k1,p′ , p) Rk (a-outn,k2,p′ , p)
We denote the corresponding PDGs with summary edges defined through k-realizable
path with PDGk. ♦
We denote with PDG∗(CFG{x},{y}c ) the PDG with inputs {x} and outputs {y} for
the command c, where summary edges are added between actual in and out parameter
A.10. Relation between Type-based and PDG-based Information Flow Analysis 167
nodes according to the computation of summary edges. With PDGk(CFG{x},{y}c ) we
denote this PDG where summary edges are determined via k-realizable paths.
It is straightforward to show that Lemmas A.20 to A.22 extend to procedure depen-
dence graphs with summary edges for commands with procedure calls.
We extend Lemma A.23 to the interprocedural analysis as follows:
Lemma A.24. In this lemma, we consider the security type system instantiated for the
universal security lattice.
Let k ∈ N, c ∈ Com, y ∈ Var and Γ be an environment. Let Γ′ be such that
pc `Ψk Γ {c} Γ′ is derivable in the security type system, and let X be the set of all
x ∈ Var such that there exists a path from in to out in PDGk(CFG{x},{y}c ). Then either
1. Γ′(y) = pcunionsq(⊔x∈X Γ(x )) and there is a path from start to out in PDGk(CFG{x},{y}c )
that contains a node n 6∈ {start , out} for some x ∈ Var , or
2. Γ′(y) =
⊔
x∈X Γ(x ) and there is no such path in PDG
k(CFG{x},{y}c ) for any x ∈ Var .
♦
Proof. The proof is by induction on the pair (k, c), using as well-founded ordering
(k, c) < (k′, c′) the lexicographic ordering (i.e., (k, c) < (k′, c′) if and only if k < k′ or
k = k′ and c is a subcommand of c′). The base cases of the induction correspond to the
minimal elements of this order, i.e., k = 0 and c is skip, x :=e, or a procedure call p(. . .).
Assume that k ∈ N and c = skip: The proof is the same as in the case for skip in
Lemma A.23 where the PDG is replaced by the PDG with summary edges for k-realizable
paths.
Assume that k ∈ N and c = z :=e: The proof is the same as in the case for assignments
in Lemma A.23 where the PDG is replaced by the PDG with summary edges for k-
realizable paths.
Assume that k = 0 and c = p(e1, . . . , elp ; z1, . . . , zmp):
1. There is an edge from start to 1, and all edges from 1 go to the actual in and out
parameter nodes.
2. Since there are no 0-realizable paths, there are no summary edges. Hence, there are
no edges starting at actual in parameter nodes and no edges ending at actual out
parameter nodes.
3. Moreover, there is an edge from start to a-in1,i,p if and only if x ∈ vars(ei).
4. Moreover, there is an edge from a-out1,i,p to out if and only if y = zi.
5. Moreover, there is an edge from in to out if and only if x = y and y 6∈ {z1, . . . , zmp}.
6. We do a case distinction on y ∈ {z1, . . . , zmp}. Assume firstly that y 6∈ {z1, . . . , zmp}.
a) By (4) and (5), there is a path from in to out if and only if x = y , i.e., X = {y}.
b) Moreover, by (4) there is no path from start to out but the path 〈start , out〉, and
we must show (due to (b)) that Γ′(y) = Γ(y).
c) It follows from the typing rule for procedure calls and the assumption that
pc `Ψ0 Γ {c} Γ′ that Γ′(y) = Γ(y).
7. Now assume that y = zi for some i.
a) Then, by (1) and (4) there is a path from start to out that contains a node
n 6∈ {start , out}. Hence, we must show that Γ′(y) = pc unionsq (⊔x∈X Γ(x )).
b) By (2) and (5) there is no path from in to out , i.e., X = {}. Hence, we must
show that Γ′(y) = pc.
168 Appendix A. Detailed Proofs
c) But Γ′(y) = pc is satisfied due to the typing rule for procedure calls and the
assumption that pc `Ψ0 Γ {c} Γ′ (because (ψ0)p(y) = {} for all p and y).
Assume that k > 0 and c = p(e1, . . . , elp ; z1, . . . , zmp):
1. There is an edge from start to 1, and all edges from 1 go to the actual in and out
parameter nodes.
2. All edges starting at actual in parameter nodes are edges ending at actual out
parameter nodes, and all edges ending at actual out parameter nodes are edges
starting at actual in parameter nodes.
3. Moreover, there is an edge from start to a-in1,i,p if and only if x ∈ vars(ei).
4. Moreover, there is an edge from a-out1,i,p to out if and only if y = zi.
5. Moreover, there is an edge from in to out if and only if x = y and y 6∈ {z1, . . . , zmp}.
6. We do a case distinction on y ∈ {z1, . . . , zmp}. Assume firstly that y 6∈ {z1, . . . , zmp}.
The proof in this case is the same as in the case where k = 0 and c is a procedure
call.
7. Now assume that y = zi for some i.
a) Then, by (1) and (4) there is a path from start to out that contains a node
n 6∈ {start , out}. Hence, we must show that Γ′(y) = pc unionsq (⊔x∈X Γ(x )).
b) By (2), (3), (4), and (5) paths from in to out in PDGk(CFG{x},{y}c ) are of the
form 〈in, a-in1,k1,p, a-out1,k2,p, out〉, where
i. x ∈ vars(ek1),
ii. k2 = i, and
iii. there is a summary edge from a-in1,k1,p to a-out1,k2,p.
c) By (b iii), there is a (k−1)-realizable path from f -inpk1 to f -out
p
k2
in the procedure
dependence graph of cp. This is the case if and only if there is a path from in to
out in PDGk−1(CFG
{x pk1},{y
p
k2
}
cp ).
d) We apply the induction hypothesis for k − 1 and the command cp. Let Γ′′ be
such that {} `Ψk−1 Γid {cp} Γ′′. Then Γ′′(yk2) = X ′, where X ′ is the set of all
x ′ ∈ Var such that there is a path from in to out in PDGk−1(CFG{x
′},{ypk2}
cp ).
e) By (c) and (d), the statement (b iii) is equivalent to x pk1 ∈ Γ′′(y
p
k2
) where Γ′′ is
such that {} `Ψk−1 Γid {cp} Γ′′. But this, by the definition of the sequence of the
Ψk, is equivalent to x
p
k1
∈ (Ψk)p(ypk2).
f) Hence, by (b) and (e), there is a path from in to out in PDGk(CFG{x},{y}c ) if
and only if there exists j such that x ∈ vars(ej) and x pj ∈ (Ψk)p(ypi ).
g) But then Γ′(y) = pc unionsq (⊔x∈X Γ(x )) follows directly from (f), the typing rule
[call], and the fact that pc `Ψk Γ {c} Γ′ is derivable in the type system.
Assume that k is arbitrary and c = c1; c2: The proof is the same as in the case for
sequential composition in Lemma A.23 where the PDG is replaced by the PDG with
summary edges.
Assume that k is arbitrary and c = if e then c1 else c2 fi: The proof is the same as
in the case for conditionals in Lemma A.23 where the PDG is replaced by the PDG with
summary edges.
Assume that k is arbitrary and c = while e do c1 od: The proof is the same as in
the case for while loops in Lemma A.23 where the PDG is replaced by the PDG with
summary edges.
A.10. Relation between Type-based and PDG-based Information Flow Analysis 169
Lemma A.25. Let c ∈ Com, y ∈ Var and Γ be an environment. Let Γ′ be such that
pc `Ψ∗ Γ {c} Γ′ is derivable in the security type system, and let X be the set of all
x ∈ Var such that there exists a path from in to out in PDG∗(CFG{x},{y}c ). Then either
1. Γ′(y) = pcunionsq(⊔x∈X Γ(x )) and there is a path from start to out in PDGk(CFG{x},{y}c )
that contains a node n 6∈ {start , out} for some x ∈ Var , or
2. Γ′(y) =
⊔
x∈X Γ(x ) and there is no such path in PDG
k(CFG{x},{y}c ) for any x ∈ Var .
♦
Proof. By the construction of the Ψk and k-realizable path, there exists k ∈ N such
that PDGk(CFG{x},{y}c ) = PDG
∗(CFG{x},{y}c ) and Ψk = Ψ
∗. As Lemma A.24 holds for
arbitrary k, the Corollary follows immediately.
Proof of Theorem 6.5. Theorem 6.5 follows from Corollary A.25 for pc = {}.
To prove Theorem 6.7, we generalize the definition of PDG ||(CFGH,Lc ,mds) to the
form PDG ||(CFGI,Oc ,mds) where I,O are arbitrary sets of variables.
Definition A.4. Let c ∈ Comseq , mds ∈ Mds, I,O ⊆ Var , and (N , E) = PDG(CFGI,Oc ).
We define the program dependence graph PDG ||(CFGI,Oc ,mds) by (N , E ∪ E′) where
(n,n ′)∈E′ if and only if one of the following conditions is satisfied:
1. n = in, there exists x ∈ usec(n ′) with x ∈ I, there exists n ′′ ∈ N with x 6∈
CFG-mdsc,mds(n
′′)(asm-no-w), and there is a path p from n ′′ to n ′ such that x 6∈
defc(n
′′′) for every node n ′′′ on p with n ′′′ 6= n ′′ and n ′′′ 6= n ′,
2. n ′ = out , there exists x ∈ defc(n) with x ∈ O, there exists n ′′ ∈ N with x 6∈
CFG-mdsc,mds(n
′′)(asm-no-r), and there is a path p from n to n ′′ such that x 6∈
defc(n
′′′) for every node n ′′′ on p with n ′′′ 6= n and n ′′′ 6= n ′′, or
3. n ∈ {1, . . . , ](c)}, c[n] ∈ Exp, and n ′ = out . ♦
To prove Theorem 6.7, we establish the following more general lemma.
Lemma A.26. Let mds be a mode state, Λ be a partial environment that is consistent
with mds, and c ∈ Comseq . Assume that no partial environment Λ′ exists such that
` Λ {c} Λ′ is derivable in the type system from Section 4.5. Then there exist x , y ∈ Var
with Λ〈x 〉 = high and dma(y) = low and a path p of the form 〈in, . . . ,n, out〉 in
PDG ||(CFG{x},{y}c ,mds) where n ∈ {1, . . . , ](c)} and one of the following conditions is
satisfied:
1. y ∈ def c(n), there is a node n ′ with y 6∈ CFG-mdsc,mds(n ′)(asm-no-r), and a
definition of y at n reaches n ′ in CFGc , or
2. c[n] ∈ Exp. ♦
Proof. The proof is by induction on the structure of the command c.
Assume that c = skip or c = stop. Then ` Λ {c} Λ is derivable, which contradicts the
assumptions of the lemma.
Assume that c = x :=e. If x ∈ dom(Λ) then ` Λ {c} Λ′ is derivable for some Λ′ with
rule [ASS2]. In consequence, x 6∈ dom(Λ). Moreover, if dma(x ) = high then ` Λ {c} Λ
is derivable with rule [ASS1]. In consequence, dma(x ) = low . Moreover, if Λ〈y〉 = low
170 Appendix A. Detailed Proofs
for all y ∈ vars(e) then ` Λ {c} Λ would be derivable with rule [ASS1]. In consequence,
there exists y ∈ vars(e) with Λ〈y〉 = high.
Since y ∈ vars(e) it follows that y ∈ usec(1), and, hence, the pair (in, 1) is an edge in
PDG(CFG{y},{x}c ). In consequence, the pair is an edge in PDG
||(CFG{y},{x}c ,mds).
Since x 6∈ dom(Λ), Λ is consistent with mds, and dma(x ) = low , it follows that
x 6∈ mds(asm-no-r). In consequence, x 6∈ CFG-mdsc,mds(stop)(asm-no-r). Moreover,
the definition of x at Node 1 reaches stop in CFGc. Hence, (1, out) is an edge in
PDG ||(CFG{y},{x}c ,mds), and Condition (1) is satisfied for this edge.
Hence, 〈in, 1, out〉 is a path in PDG ||(CFG{y},{x}c ,mds) that satisfies all required
conditions.
Assume that c = c1; c2. If there exist Λ
′′ and Λ′ such that ` Λ{c1}Λ′′ and ` Λ′′{c2}Λ′
are derivable then ` Λ {c}Λ′ is derivable with rule [SEQ]. In consequence, there does not
exist Λ′′ and Λ′ such that ` Λ {c1} Λ′′ and ` Λ′′ {c2} Λ′ are derivable. We distinguish
the two cases (1) that there is no Λ′′ such that ` Λ {c1} Λ′′ is derivable, and (2) that
if ` Λ {c1} Λ′′ is derivable for some Λ′′ then there is no Λ′ such that ` Λ′′ {c2} Λ′ is
derivable.
1. Assume that there is no Λ′′ such that ` Λ {c1} Λ′′ is derivable.
a) By the induction hypothesis there are x , y ∈ Var with Λ〈x 〉 = high and
dma(y) = low and a path p from in to out in PDG ||(CFG{x},{y}c1 ,mds) such
that Condition (1) or Condition (2) is satisfied for the one-but-last node of p.
To determine a path from in to out in PDG ||(CFG{x},{y}c ,mds) we distinguish
between whether Condition (1) or Condition (2) is satisfied for that node.
i. Assume that y ∈ def c1(n), that there exists a node n ′ with
y 6∈ CFG-mdsc1,mds(n ′)(asm-no-r), and that a definition of y at n reaches
n ′ in CFGc1 .
It follows from y ∈ def c1(n) that y ∈ def c1;c2(n). Moreover, it follows
from y 6∈ asm-no-rc1,Λ(n) that y 6∈ asm-no-rc1;c2,Λ(n). Moreover, since a
definition of y at n reaches n ′ in CFGc1 , it also reaches n
′ in CFGc .
Hence, the last edge (n, out) of p is an edge in PDG ||(CFG{x},{y}c ,mds).
Thus p is a path in PDG ||(CFG{x},{y}c ,mds).
ii. Assume that n ∈ {1, . . . , ](c1)} and c1[n] ∈ Exp. Then the last edge
(n, out) of p is an edge in PDG ||(CFG{x},{y}c ,mds). Thus p is a path in
PDG ||(CFG{x},{y}c ,mds).
2. Let Λ′′ such that ` Λ {c1} Λ′′ is derivable, and such that there is no Λ′ for which
` Λ′′ {c2} Λ′ is derivable.
a) Let mds ′′ = CFG-mdsc1,mds(stop). It follows from the definition of the functions
CFG-mds and the typing rules that Λ′′ is consistent with mds ′′.
b) By the induction hypothesis there exist z , y ∈ Var with Λ′′〈z 〉 = high and
dma(y) = low such that there is a path p2 in PDG
||(CFG{z},{y}c2 ,mds
′′) that is
of the form 〈in, . . . ,n, out〉 with n ∈ {1, . . . , ](c2)} and where Condition (1) or
Condition (2) is satisfied for the edge (n, out).
c) Let Γ be the unique environment such that low ` Λ〈·〉 {c1} Γ is derivable in
the type system from Section 6.2. Then, by Theorem 6.3, Γ(z ) =
⊔
x∈X Λ〈x 〉
where X contains all x ∈ Var such that there exists a path from in to out in
PDG(CFG{x},{z}c1 ). We denote this path with px for x ∈ X.
Like in the proof of Theorem 6.3, it follows from the existence of the paths px and
p2 that there exists a path p from in to out in PDG
||(CFG{x},{y}c1;c2 ,mds). That
Condition (1) or Condition (2) is satisfied for the last edge in this path p follows
A.10. Relation between Type-based and PDG-based Information Flow Analysis 171
from the construction of p and from (a) and (b). Hence, we can conclude this
case if there exists x ∈ X with Λ〈x 〉 = high.
Assume now that Λ〈x 〉 = low for all x ∈ X. Then Γ(z ) = low . It follows
from Γ(z ) = low , Λ′′〈z 〉 = high, and the derivability of low ` Λ〈·〉 {c1} Γ and
` Λ {c1} Λ′′ that dma(z ) = high and z 6∈ dom(Λ′′). Then, since Λ′′ is consistent
with mds ′′, z 6∈ mds ′′(asm-no-w). Let n ′ be a node such that z ∈ usec1(n ′)
and such that a definition of z at n ′ reaches stop in CFGc1 , or let n
′ = out
if no such node exists. Then, by Definition A.4 the pair (in,n ′) is an edge in
PDG ||(CFG{x},{z}c1 ,mds) for any x because mds
′′ = CFG-mdsc1,mds(stop), and
the pair (n ′, out) is an edge in PDG ||(CFG{x},{z}c1 ,mds) by construction of n
′.
Hence, 〈in,n ′, out〉 is a path in PDG ||(CFG{x},{z}c1 ,mds), and we can conclude
as in the above case for Λ〈x 〉 = high
Assume that c = if e then c1 else c2 fi. Since there is no partial environment Λ
′ such
that ` Λ{c}Λ′ is derivable in the type system, by the typing rule [IF] one of the following
conditions is satisfied: Λ〈e〉 = high, or there is no Λ′ such that ` Λ {c1} Λ′ is derivable,
or there is no Λ′ such that ` Λ {c2} Λ′ is derivable.
1. Assume that Λ〈e〉 = high. Then there exists x ∈ vars(e) such that Λ〈x 〉 = high.
Hence, (in, 1) is an edge in PDG(CFG{x},{y}c ). In consequence, (in, 1) is an edge in
PDG ||(CFG{x},{y}c ,mds).
Let y be a variable with dma(y) = low . Then the pair (1, out) is an edge in
PDG ||(CFG{x},{y}c ,mds) because c[1] ∈ Exp.
Hence, 〈in, 1, out〉 is a path from in to out in PDG ||(CFG{x},{y}c ,mds), and Condi-
tion (2) is satisfied for the last edge (1, out).
2. Assume that there is no Λ′ such that ` Λ{c1}Λ′ is derivable. Then, by the induction
hypothesis for c1, there are x , y , and a path p1 in PDG
||(CFG{x},{y}c1 ,mds) with
the properties stated by the lemma. But then one obtains a path p in the graph
PDG ||(CFG{x},{y}c ,mds) with the properties required by the lemma by increasing
each node n ∈ {1, . . . , ](c1)} in p1 by 1.
3. Assume that there is no Λ′ such that ` Λ {c2} Λ′ is derivable. The proof is as in the
previous case, exploiting the induction hypothesis for c2.
Assume that c = while e do c1 od: Since there is no Λ
′ such that ` Λ{while e do c1 od}Λ′
is derivable, by the typing rule [SUB] there is no Λ′′ with Λ v Λ′′ v Λ′ such that
` Λ′′ {while e do c1 od} Λ′′ is derivable. I.e., by the typing rule [WHILE], for all Λ′′ with
Λ v Λ′′ v Λ′ one of the following conditions is satisfied: Λ′′〈e〉 = high or ` Λ′′ {c1} Λ′′ is
not derivable.
1. Assume that Λ′′〈e〉 = high. Then the proof is as in the case for conditionals, defining
p = 〈in, 1, out〉.
2. Assume that ` Λ′′ {c1}Λ′′ is not derivable. Then, by the induction hypothesis for c1,
there are x , y ∈ Var and a path p1 in PDG ||(CFG{x},{y}c1 ,mds) with the properties
stated by the lemma. But then one obtains a path p in PDG ||(CFG{x},{y}c ,mds)
with the properties required by the lemma by increasing each node n ∈ {1, . . . , ](c1)}
in p1 by 1.
Now we prove Theorem 6.7.
Proof. We show that it follows from the assumptions of the theorem that ` thr is derivable
in the type system from Section 4.5.
172 Appendix A. Detailed Proofs
Let i ∈ {1, . . . , ](thr)}, and let Λi be a partial environment consistent with mdss[i].
We must show that there exists Λ′i such that ` Λi {thr [i]} Λ′i is derivable. We prove this
by contradiction. Assume that ` Λi {thr [i]} Λ′i is not derivable. Then, by Lemma A.26,
there exist x , y ∈ Var with Λi〈x 〉 = high and dma(y) = low , such that there is a path p
from in to out in PDG ||(CFG{x},{y}thr [i] ,mdss[i]) that has at least length 3.
If dma(x ) = high, then p is a path in PDG ||(CFGH,Lthr [i],mdss [i]). This contradicts the
assumptions of the theorem.
If dma(x ) = low then it follows from Λi〈x 〉 = high and the consistency of Λi with
mdss[i] that x ∈ mdss[i](asm-no-r). Hence, if a definition of x at start reaches a node
n in CFG thr [i] then there is an edge from n to out in PDG
||(CFGH,Lthr [i],mdss[i]). Since
p has at least length 3, p = 〈in,n, . . . , out〉 for some node n. Since (in,n) is an edge in
PDG ||(CFG{x},{y}thr [i] ,mdss [i]) it follows that a definition of x at start reaches n in CFG thr [i],
and, hence (n, out) is an edge in PDG ||(CFGH,Lthr [i],mdss[i]). Hence, 〈in, 1, out〉 is a path
in PDG ||(CFGH,Lthr [i],mdss[i]). This contradicts the assumptions of the theorem.
I.e., we have shown by contradiction that there exists Λ′i such that ` Λi {thr [i]} Λ′i is
derivable.
The remaining prerequisites of the derivation rule for the judgment ` thr follow
directly from the assumptions of the theorem. In consequence, ` thr is derivable. Hence,
by Theorem 4.8 (the soundness result for the type system), thr is S-noninterferent for
any scheduler.
A
P
P
E
N
D
IX
B
Type System for Sound Modes
In this appendix, we present the simple type system sketched in Section 4.5.3 for checking
that guarantees are respected, that no no-read assumptions occur at thread termination,
and that modes are compatible with obs.
We use typing judgments of the form ` mds {c} mds ′, where c is a command and
mds,mds ′ are mode states. The interpretation of the judgment is that if mds is an upper
bound on modes before c executes, then mds ′ is an upper bound on modes after the
execution of c. The type system is displayed in Figure B.1.
We use auxiliary typing judgments ` mds {anns} mds ′, where anns denotes a (pos-
sibly empty) sequence //ann1// . . . //annn// of annotations (see rule [ANNO]). We de-
fine mds-update(mds, anns) = mds if anns is empty, and mds-update(mds, anns) =
mds-update(mds-update(mds, ann1), /ann2//, . . . , //annn//) if anns = //ann1// . . . //annn//.
Moreover, the set X in rule [ANNO] is the largest set of variables to which obs is confined.
Subtyping (see rule [SUB]) makes use of the relation v on mode states that is defined
by mds v mds ′ if and only if mds(m) ⊆ mds ′(m) for all modes m ∈ Mod .
Rules [ASS], [IF], and [WHILE] ensure that guarantees are respected. Moreover,
rule [ANNO] ensures that modes are compatible with obs.
Theorem B.1. Let c be a command. Assume that the judgment ` mds1 {c} mds ′1 is
derivable in the type system. Then for all mode states mds2 v mds1 and memories
mem ∈ Mem the following conditions are satisfied:
(1) 〈c,mds2,mem〉 respects guarantees,
(2) 〈c,mds2,mem〉 has modes compatible with obs, and
(3) if 〈stop,mds ′2,mem ′〉 ∈ loc-reach(〈c,mds2,mem〉) then mds ′2 v mds ′1. ♦
It follows from Theorem B.1 that if ` mds {c} mds0 is derivable then 〈c,mds,mem〉
respects guarantees, has modes compatible with obs, and no no-read assumptions occur
at thread termination.
Proof of Theorem B.1. The proof is by induction on the derivation of the judgment
` mds1 {c} mds ′1.
173
174 Appendix B. Type System for Sound Modes
[ANNO]
mds ′ = mds-update(mds, anns)
mds(asm-no-r) ∩X = mds ′(asm-no-r) ∩X = {}
` mds {anns} mds ′
[SKIP]
` mds {anns} mds ′
` mds {anns skip} mds ′
[ASS]
` mds {anns} mds ′
x 6∈ mds(guar -no-w) vars(e) ∩mds(guar -no-r) = {}
` mds {anns x :=e} mds ′
[IF]
` mds {anns} mds ′ ` mds ′ {c1} mds ′′ ` mds ′ {c2} mds ′′
vars(e) ∩mds(guar -no-r) = {}
` mds {anns if e then c1 else c2 fi} mds ′′
[WHILE]
` mds {anns} mds ′ ` mds ′ {c} mds ′
vars(e) ∩mds(guar -no-r) = {}
` mds {anns while e do c od} mds ′
[SEQ]
` mds {c1} mds ′ ` mds ′ {c2} mds ′′
` mds {c1; c2} mds ′′
[SPAWN]
` mds {anns} mds ′
∀i ∈ {1, . . . , ](thr)} : ` spawn-mds(mds) {thr [i]} mds0
` mds {anns spawn(thr)} mds ′
[SUB]
` mds2 {c} mds ′2 mds1 v mds2 mds ′2 v mds ′1
` mds1 {c} mds ′1
Figure B.1: Type system for modes
− [SKIP]. If ` mds1 {c} mds ′1 is derived with rule [SKIP] then c = anns skip and
` mds1 {anns} mds ′1.
Then, by rule [ANNO], mds ′1 = mds-update(mds1, anns) and mds1(asm-no-r) ∩
X = mds ′1(asm-no-r) ∩ X = {}. Let mds ′2 = mds-update(mds2, anns). Then it
follows from mds2 v mds1 that mds ′2 v mds ′1, and, hence, mds2(asm-no-r) ∩X =
mds ′2(asm-no-r) ∩X = {}.
If 〈c′,mds ′,mem ′〉 ∈ loc-reach(〈c,mds2,mem〉) then c′ = anns skip and mds ′ = mds2
or c′ = stop and mds ′ = mds ′2. Hence, 〈c,mds2,mem〉 has modes compatible with
obs. Moreover, since both anns skip and stop do not read any variable and do not
modify any variable it follows that 〈c,mds2,mem〉 respects guarantees. Moreover, if
c′ = stop then mds ′ v mds ′1 because then mds ′ = mds ′2 and mds ′2 v mds ′1.
− [ASS]. If ` mds1 {c} mds ′1 is derived with rule [ASS] then c = anns x :=e, `
mds1 {anns} mds ′1, x 6∈ mds1(guar -no-w), and vars(e) ∩mds1(guar -no-r) = {}.
Then, by rule [ANNO], mds ′1 = mds-update(mds1, anns) and mds1(asm-no-r) ∩
X = mds ′1(asm-no-r) ∩ X = {}. Let mds ′2 = mds-update(mds2, anns). Then it
175
follows from mds2 v mds1 that mds ′2 v mds ′1, and, hence, mds2(asm-no-r) ∩X =
mds ′2(asm-no-r) ∩X = {}.
If 〈c′,mds ′,mem ′〉 ∈ loc-reach(〈c,mds2,mem〉) then c′ = anns x :=e and mds ′ =
mds2, or c
′ = stop} and mds ′ = mds ′2. Hence, Items (1) and (2) of the theorem
can be shown as in the case for rule [SKIP]. Moreover, the command stop does not
read any variable and does not modify any variable, the only variable written by
x :=e is x , and the only variables read by x :=e are the variables in the set vars(e)
(by the definition of the operational semantics and our assumption on expression
evaluation from Section 2.3.2). Hence, it follows from x 6∈ mds1(guar -no-w), vars(e)∩
mds1(guar -no-r) = {}, and mds2 v mds1 that 〈c,mds2,mem〉 respects guarantees.
− [IF]. If ` mds1 {c} mds ′1 is derived with rule [IF], then c = anns if e then c1 else c2 fi,
` mds1 {anns} mds ′′1 , ` mds ′′1 {c1} mds ′1, and ` mds ′′1 {c2} mds ′1 are derivable, and
vars(e) ∩mds(guar -no-r) = {}.
Then, by rule [ANNO], mds ′′1 = mds-update(mds1, anns) and mds1(asm-no-r) ∩
X = mds ′′1(asm-no-r) ∩ X = {}. Let mds ′′2 = mds-update(mds2, anns). Then it
follows from mds2 v mds1 that mds ′′2 v mds ′′1 , and, hence, mds2(asm-no-r) ∩X =
mds ′′2(asm-no-r) ∩X = {}.
If 〈c′,mds ′,mem ′〉 ∈ loc-reach(〈c,mds2,mem〉) then c′ = c and mds ′ = mds2, or
〈c′,mds ′,mem ′〉 ∈ loc-reach(〈c1,mds ′′2 ,mem ′′〉) for some mem ′′, or 〈c′,mds ′,mem ′〉 ∈
loc-reach(〈c2,mds ′′2 ,mem ′′〉) for some mem ′′. Hence, Items (2) and (3) of the theorem
follow with the induction hypotheses for the derivations of ` mds ′′1 {c1} mds ′1 and
` mds ′′1 {c2} mds ′1. Moreover, the command c does not write any variables, and
the only variables read by c are the variables in the set vars(e) (by the definition
of the operational semantics and our assumption on expression evaluation from Sec-
tion 2.3.2). Hence, it follows from vars(e)∩mds1(guar -no-r) = {} and the induction
hypotheses for the derivations of ` mds ′′1 {c1} mds ′1 and ` mds ′′1 {c2} mds ′1 that
〈c,mds2,mem〉 respects guarantees.
− [SEQ]. In this case, c = c1; c2 and there is a mode state mds ′′1 such that `
mds1 {c1} mds ′′1 and ` mds ′′1 {c2} mds ′1 are derivable in the type system.
If 〈c′,mds ′,mem ′〉 ∈ loc-reach(〈c1; c2,mds2,mem〉) then by the operational semantics
for commands one of the following two conditions is satisfied:
1. c′ = c′′; c2 and 〈c′′,mds ′,mem ′〉 ∈ loc-reach(〈c1,mds2,mem〉) or
2. 〈stop,mds ′′,mem ′′〉 ∈ loc-reach(〈c1,mds2,mem〉) and
〈c′,mds ′,mem ′〉 ∈ loc-reach(〈c2,mds ′′,mem ′′〉).
In the first case, the properties required for respecting guarantees and having com-
patible modes with obs follow from the induction hypothesis for the derivation of
` mds1 {c1} mds ′′1 .
In the second case, we know from the induction hypothesis for the derivation of `
mds1 {c1} mds ′′1 that mds ′′ v mds ′′1 . Hence, we obtain from the induction hypothesis
for the derivation of ` mds ′′1 {c1} mds ′1 that the properties required for respecting
guarantees and having compatible modes with obs are satisfied, as well as that Item (3)
of the theorem is satisfied.
The case for rule [WHILE] is proved using a combination of the proofs for rule [IF]
and rule [SEQ].
− [SUB]. In this case, there exist mode states mds3,mds ′3 with ` mds3 {c} mds ′3,
mds1 v mds3, and mds ′3 v mds ′1.
176 Appendix B. Type System for Sound Modes
From mds2 v mds1 it follows that mds2 v mds3. From the induction hypothesis for
the derivation of ` mds3 {c} mds ′3 it follows that 〈c,mds2,mem〉 respects guarantees
and has modes compatible with obs . Moreover, it follows that if 〈stop,mds ′2,mem ′〉 ∈
loc-reach(〈c,mds2,mem〉) then mds ′2 v mds ′3. Hence, mds ′2 v mds ′1 because mds ′3 v
mds ′1.
A
P
P
E
N
D
IX
C
Semantics for Procedure Calls
A semantics for the language with procedures in Section 6.5 can be defined by extending
the judgments for execution steps of commands from Section 2.2. To this end, we introduce
judgments of the form 〈coms,mems〉 −_ 〈coms ′,mems〉, where coms ∈ Com∗ is a finite
list of commands, and mems ∈ Mem∗ is a finite list of memories with ](coms) = ](mems).
The intuition is that coms and mems represent a call stack, where coms[1] is the control
state of the currently executing procedure, and mems [1] is the memory of that procedure
execution. The call stack grows by 1 when a procedure is called, and shrinks when a
procedure terminates.
The derivation rules for the judgments of the form 〈coms,mems〉 −_ 〈coms ′,mems〉 are
based on the judgments 〈c,mem〉 −_ 〈c′,mem ′〉 that model execution steps of programs
without procedures. The derivation rules are displayed in Figure C.1, where mem0 is a
memory containing a default value for each variable.
c = E [p(e1, . . . , elp ; z1, . . . , zmp)]
∀i ∈ {1, . . . , lp} : eval(ei,mem) = vi mem ′ = mem0[x p1 7→ v1, x plp 7→ vlp ]
〈〈c〉 :: coms, 〈mem〉 :: mems〉 −_ 〈〈cp, c〉 :: coms, 〈mem ′,mem〉 :: mems〉
〈c,mem〉 −_ 〈c′,mem ′〉 c′ 6= stop
〈〈c〉 :: coms, 〈mem〉 :: mems〉 −_ 〈〈c′〉 :: coms, 〈mem ′〉 :: mems〉
〈c1,mem1〉 −_ 〈stop,mem ′1〉 c2 = E [p(e1, . . . , elp ; z1, . . . , zmp)] c′2 = E [stop]
mem ′2 = mem2[z1 7→ mem ′1(yp1 ), . . . , zmp 7→ mem ′1(ypmp)]
〈〈c1, c2〉 :: coms, 〈mem1,mem2〉 :: mems〉 −_ 〈〈c′2〉 :: coms, 〈mem ′2〉 :: mems〉
Figure C.1: Semantics for programs with procedures
177

Bibliography
[AB04] T. Amtoft and A. Banerjee. Information Flow Analysis in Logical Form. In
Proceedings of the 11th Symposium on Static Analysis (SAS), LNCS 3148,
pages 100–115, Verona, Italy, 2004. Springer.
[ABC07] A. Almeida Matos, G. Boudol, and I. Castellani. Typing Noninterference for
Reactive Programs. Journal of Logic and Algebraic Programming, 72(2):124–
156, 2007.
[Aga00] J. Agat. Transforming out Timing Leaks. In Proceedings of the 27th ACM
SIGPLAN-SIGACT Symposium on Principles of Programming Languages
(POPL), pages 40–53, Boston, MA, USA, 2000. ACM.
[AHSS08] A. Askarov, S. Hunt, A. Sabelfeld, and D. Sands. Termination-Insensitive
Noninterference Leaks More Than Just a Bit. In Proceedings of the 13th
European Symposium on Research in Computer Security (ESORICS), LNCS
5283, pages 333–348, Ma´laga, Spain, 2008. Springer.
[AP09] M. Abadi and G. D. Plotkin. A Model of Cooperative Threads. In Pro-
ceedings of the 36th ACM SIGPLAN-SIGACT Symposium on Principles of
Programming Languages (POPL), pages 29–40, Savannah, GA, USA, 2009.
ACM.
[AR80] G. R. Andrews and R. P. Reitman. An Axiomatic Approach to Information
Flow in Programs. ACM Transactions on Programming Languages and
Systems (TOPLAS), 2(1):56–76, 1980.
[AS07] A. Askarov and A. Sabelfeld. Localized Delimited Release: Combining the
What and Where Dimensions of Information Release. In Proceedings of the
Workshop on Programming Languages and Analysis for Security (PLAS),
pages 53–60, San Diego, CA, USA, 2007. ACM.
[BC02] G. Boudol and I. Castellani. Noninterference for Concurrent Programs and
Thread Systems. Theoretical Computer Science, 281(1–2):109–130, 2002.
[BN02] A. Banerjee and D. A. Naumann. Secure Information Flow and Pointer
Confinement in a Java-like Language. In Proceedings of the 15th IEEE
Computer Security Foundations Workshop (CSFW), pages 253–270, Cape
Breton, Nova Scotia, Canada, 2002. IEEE Computer Society.
[Boy03] J. Boyland. Checking Interference with Fractional Permissions. In Proceedings
of the 10th Static Analysis Symposium (SAS), LNCS 2694, pages 55–72, San
Diego, CA, USA, 2003. Springer.
179
180 Bibliography
[BPR07] A. Bossi, C. Piazza, and S. Rossi. Compositional Information Flow Security
for Concurrent Programs. Journal of Computer Security (JCS), 15(3):373–
416, 2007.
[BRRS07] G. Barthe, T. Rezk, A. Russo, and A. Sabelfeld. Security of Multithreaded
Programs by Compilation. In Proceedings of the 12th European Symposium
on Research in Computer Security (ESORICS), LNCS 4734, pages 2–18,
Dresden, Germany, 2007. Springer.
[Bun11] Bundesamt fu¨r Sicherheit in der Informationstechnik. Die Lage der IT-
Sicherheit in Deutschland 2011, 2011.
[CH08] D. Clark and S. Hunt. Non-Interference for Deterministic Interactive Pro-
grams. In Proceedings of the 5th International Workshop on Formal Aspects
in Security and Trust (FAST), LNCS 5491, pages 50–66, Ma´laga, Spain,
2008. Springer.
[Che93] J. Cheng. Slicing Concurrent Programs – A Graph-Theoretical Approach. In
Proceedings of the 1st International Workshop on Automated and Algorithmic
Debugging (AADEBUG), LNCS 749, pages 223–240, Linko¨ping, Sweden,
1993. Springer.
[Coh77] E. Cohen. Information Transmission in Computational Systems. ACM
SIGOPS Operating Systems Review, 11(5):133–139, 1977.
[CS02] M. Colo´n and H. Sipma. Practical Methods for Proving Program Termination.
In Proceedings of the 14th International Conference on Computer Aided
Verification (CAV), LNCS 2404, pages 442–454, Copenhagen, Denmark,
2002. Springer.
[Den76] D. E. Denning. A Lattice Model of Secure Information Flow. Communications
of the ACM, 19(5):236–243, 1976.
[DFPV09] M. Dodds, X. Feng, M. J. Parkinson, and V. Vafeiadis. Deny-Guarantee
Reasoning. In Proceedings of the 18th European Symposium on Programming
(ESOP), LNCS 5502, pages 363–377, York, UK, 2009. Springer.
[Din03] J. Dingel. Computer-Assisted Assume/Guarantee Reasoning with VeriSoft.
In Proceedings of the 25th International Conference on Software Engineering
(ICSE), pages 138–148, Portland, OR, USA, 2003. IEEE Computer Society.
[Dur10] R. Durrett. Probability: Theory and Examples. Cambridge Series in Statistical
and Probabilistic Mathematics. Cambridge University, 4th edition, 2010.
[FG95] R. Focardi and R. Gorrieri. A Taxonomy of Security Properties for Process
Algebras. Journal of Computer Security (JCS), 3(1):5–34, 1995.
[FOW87] J. Ferrante, K. J. Ottenstein, and J. D. Warren. The Program Dependence
Graph and Its Use in Optimization. ACM Transactions on Programming
Languages and Systems (TOPLAS), 9(3):319–349, 1987.
[FRS05] R. Focardi, S. Rossi, and A. Sabelfeld. Bridging Language-Based and Process
Calculi Security. In Proceedings of the 8th International Conference on
Foundations of Software Science and Computational Structures (FoSSaCS),
LNCS 3441, pages 299–315, Edinburgh, UK, 2005. Springer.
Bibliography 181
[GFKD10] D. Garg, J. Franklin, D. Kaynar, and A. Datta. Compositional System
Security with Interface-Confined Adversaries. In Proceedings of the 26th Con-
ference on Mathematical Foundations of Programming Semantics (MFPS),
ENTCS 265, pages 49–71, Ottawa, ON, Canada, 2010. Elsevier.
[GH08] D. Giffhorn and C. Hammer. Precise Analysis of Java Programs Using
JOANA. In Proceedings of the 8th IEEE International Working Conference
on Source Code Analysis and Manipulation (SCAM), pages 267–268, Beijing,
China, 2008. IEEE Computer Society.
[GM82] J. A. Goguen and J. Meseguer. Security Policies and Security Models. In
Proceedings of the IEEE Symposium on Security and Privacy, pages 11–20,
Oakland, CA, USA, 1982. IEEE Computer Society.
[GM05] R. Giacobazzi and I. Mastroeni. Timed Abstract Non-interference. In
Proceedings of the Conference on Formal Modeling and Analysis of Timed
Systems (FORMATS), LNCS 3829, pages 289–303, Uppsala, Sweden, 2005.
Springer.
[GS12] D. Giffhorn and G. Snelting. Probabilistic Noninterference Based on Program
Dependence Graphs. Technical Report 6, Karlsruhe Institute of Technology
(KIT), 2012. Karlsruhe Reports in Informatics 2012.
[GTC+04] J. D. Guttman, F. J. Thayer, J. A. Carlson, J. C. Herzog, J. D. Ramsdell,
and B. T. Sniffen. Trust Management in Strand Spaces: A Rely-Guarantee
Method. In Proceedings of the 13th European Symposium on Programming
(ESOP), LNCS 2986, pages 325–339, Barcelona, Spain, 2004. Springer.
[Ham09] C. Hammer. Information Flow Control for Java. PhD thesis, Universita¨t
Karlsruhe (TH), 2009.
[Ham10] C. Hammer. Experiences with PDG-Based IFC. In Proceedings of the
Symposium on Engineering Secure Software and Systems (ESSoS), LNCS
5965, pages 44–60, Pisa, Italy, 2010. Springer.
[HG11] A. Hobor and C. Gherghina. Barriers in Concurrent Separation Logic. In
Proceedings of the 20th European Symposium on Programming (ESOP),
LNCS 6602, pages 276–296, Saarbru¨cken, Germany, 2011. Springer.
[HomBC] Homer. Ilia´s, approx. 1000 BC.
[HQR98] T. A. Henzinger, S. Qadeer, and S. K. Rajamani. You Assume, We Guarantee:
Methodology and Case Studies. In Proceedings of the 10th International
Conference on Computer Aided Verification (CAV), LNCS 1427, pages 440–
451, Vancouver, BC, Canada, 1998. Springer.
[HRB90] S. Horwitz, T. W. Reps, and D. Binkley. Interprocedural Slicing Using
Dependence Graphs. ACM Transactions on Programming Languages and
Systems (TOPLAS), 12(1):26–60, 1990.
[HS06] S. Hunt and D. Sands. On Flow-Sensitive Security Types. In Proceedings of
the 33rd ACM SIGPLAN-SIGACT Symposium on Principles of Programming
Languages (POPL), pages 79–90, Charleston, SC, USA, 2006. ACM.
182 Bibliography
[HS09] C. Hammer and G. Snelting. Flow-sensitive, Context-sensitive, and Object-
sensitive Information Flow Control based on Program Dependence Graphs.
International Journal of Information Security (IJIS), 8(6):399–422, 2009.
[HS11] S. Hunt and D. Sands. From Exponential to Polynomial-Time Security
Typing via Principal Types. In Proceedings of the 20th European Symposium
on Programming (ESOP), LNCS 6602, pages 297–316, Saarbru¨cken, Germany,
2011. Springer.
[HUM92] C. S. Hsieh, E. A. Unger, and R. A. Mata-Toledo. Using Program Dependence
Graphs for Information Flow Control. Journal of Systems and Software,
17(3):227–232, 1992.
[HWS06] M. Huisman, P. Worah, and K. Sunesen. A Temporal Logic Characterisation
of Observational Determinism. In Proceedings of the 19th IEEE Computer
Security Foundations Workshop (CSFW), pages 3–15, Venice, Italy, 2006.
IEEE Computer Society.
[Jac89] J. Jacob. On the Derivation of Secure Components. In Proceedings of the
IEEE Symposium on Security and Privacy, pages 242–247, Oakland, CA,
USA, 1989. IEEE Computer Society.
[Jun11] Juniper Networks. 2011 Mobile Threats Report, February 2011.
[Ju¨r00] J. Ju¨rjens. Secure Information Flow for Concurrent Processes. In Proceedings
of the 11th International Conference on Concurrency Theory (Concur),
LNCS 1877, pages 395–409, University Park, PA, USA, 2000. Springer.
[KM07] B. Ko¨pf and H. Mantel. Transformational Typing and Unification for Auto-
matically Correcting Insecure Programs. International Journal of Informa-
tion Security (IJIS), 6(2-3):107–131, 2007.
[Kri98] J. Krinke. Static Slicing of Threaded Programs. In Proceedings of the
SIGPLAN-SIGSOFT Workshop on Program Analysis For Software Tools
and Engineering (PASTE), pages 35–42, Montre´al, QC, Canada, 1998. ACM.
[Kri03] J. Krinke. Advanced Slicing of Sequential and Concurrent Programs. PhD
thesis, Universita¨t Passau, 2003.
[Lam73] B. W. Lampson. A Note on the Confinement Problem. Communications of
the ACM, 16(10):613–615, 1973.
[Lam77] L. Lamport. Proving the Correctness of Multiprocess Programs. IEEE
Transactions on Software Engineering (TSE), 3(2):125–143, 1977.
[LBMC94] C. E. Landwehr, A. R. Bull, J. P. McDermott, and W. S. Choi. A Taxonomy
of Computer Program Security Flaws. ACM Computing Surveys, 26(3):211–
254, 1994.
[LM09] A. Lux and H. Mantel. Declassification with Explicit Reference Points.
In Proceedings of the 14th European Symposium on Research in Computer
Security (ESORICS), LNCS 5789, pages 69–85, Saint-Malo, France, 2009.
Springer.
Bibliography 183
[LMP12] A. Lux, H. Mantel, and M. Perner. Scheduler-Independent Declassification.
In Proceedings of the 11th International Conference on Mathematics of
Program Construction (MPC), LNCS 7342, pages 25–47, Madrid, Spain,
2012. Springer.
[Man00] H. Mantel. Possibilistic Definitions of Security – An Assembly Kit. In
Proceedings of the 13th IEEE Computer Security Foundations Workshop
(CSFW), pages 185–199, Cambridge, UK, 2000. IEEE Computer Society.
[McL92] J. D. McLean. Proving Noninterference and Functional Correctness using
Traces. Journal of Computer Security (JCS), 1(1):37–57, 1992.
[MHC+10] J. P. Martin, M. Hicks, M. Costa, P. Akritidis, and M. Castro. Dynamically
Checking Ownership Policies in Concurrent C/C++ Programs. In Proceedings
of the 37th ACM Symposium on Principles of Programming Languages
(POPL), pages 457–470, Madrid, Spain, 2010. ACM.
[MMKM94] B. Mallo, J. D. McGregor, A. Krishnaswamy, and M. Medikonda. An
Extensible Program Representation for Object-Oriented Software. SIGPLAN
Notices, 29(12):38–47, 1994.
[MNZZ01] A. C. Myers, N. Nystrom, L. Zheng, and S. Zdancewic. Jif: Java information
flow, Software release, 2001. http://www.cs.cornell.edu/jif.
[MR93] S. P. Masticola and B. G. Ryder. Non-concurrency Analysis. In Proceedings
of the 4th ACM SIGPLAN Symposium on Principles and Practice of Parallel
Programming (PPOPP), pages 129–138, San Diego, CA, USA, 1993. ACM.
[MR07] H. Mantel and A. Reinhard. Controlling the What and Where of Declassi-
fication in Language-Based Security. In Proceedings of the 16th European
Symposium on Programming (ESOP), LNCS 4421, pages 141–156, Braga,
Portugal, 2007. Springer.
[MS03] H. Mantel and A. Sabelfeld. A Unifying Approach to the Security of Dis-
tributed and Multi-threaded Programs. Journal of Computer Security (JCS),
11(4):615–676, 2003.
[MS04] H. Mantel and D. Sands. Controlled Declassification based on Intransitive
Noninterference. In Proceedings of the 2nd ASIAN Symposium on Program-
ming Languages and Systems (APLAS), LNCS 3302, pages 129–145, Taipei,
Taiwan, 2004. Springer.
[MS05] D. Meintrup and S. Scha¨ﬄer. Stochastik: Theorie und Anwendungen. Statis-
tik und ihre Anwendungen. Springer, 2005.
[MS07] H. Mantel and H. Sudbrock. Comparing Countermeasures against Interrupt-
Related Covert Channels in an Information-Theoretic Framework. In Pro-
ceedings of the 20th IEEE Computer Security Foundations Symposium (CSF),
pages 326–340, Venice, Italy, 2007. IEEE Computer Society.
[MS09] H. Mantel and H. Sudbrock. Information-Theoretic Modeling and Analysis
of Interrupt-Related Covert Channels. In Proceedings of the 5th Workshop
on Formal Aspects in Security and Trust (FAST), LNCS 5491, pages 67–81,
Ma´laga, Spain, 2009. Springer.
184 Bibliography
[MS10] H. Mantel and H. Sudbrock. Flexible Scheduler-Independent Security. In
Proceedings of the 15th European Symposium on Research in Computer
Security (ESORICS), LNCS 6345, pages 116–133, Athens, Greece, 2010.
Springer.
[MS13] H. Mantel and H. Sudbrock. Types vs. PDGs in Information Flow Analysis.
In Proceedings of the 22nd International Symposium on Logic Based Program
Synthesis and Transformation (LOPSTR 2012), LNCS 7844, pages 106–121,
Leuven, Belgium, 2013. Springer.
[MSK07] H. Mantel, H. Sudbrock, and T. Kraußer. Combining Different Proof Tech-
niques for Verifying Information Flow Security. In Proceedings the 16th
International Symposium on Logic Based Program Synthesis and Transfor-
mation (LOPSTR), LNCS 4407, pages 94–110, Venice, Italy, 2007. Springer.
[MSS11] H. Mantel, D. Sands, and H. Sudbrock. Assumptions and Guarantees for
Compositional Noninterference. In Proceedings of the 24th IEEE Computer
Security Foundations Symposium (CSF), pages 218–232, Cernay-la-Ville,
France, 2011. IEEE Computer Society.
[MSZ04] A. C. Myers, A. Sabelfeld, and S. Zdancewic. Enforcing Robust Declassi-
fication. In Proceedings of the 17th IEEE Computer Security Foundations
Workshop (CSFW), pages 172–186, Pacific Grove, CA, USA, 2004. IEEE
Computer Society.
[Mye99] A. C. Myers. JFlow: Practical Mostly-Static Information Flow Control.
In Proceedings of the 26th ACM Symposium on Principles of Programming
Languages (POPL), pages 228–241, San Antonio, TX, USA, 1999. ACM.
[NA98] G. Naumovich and G. S. Avrunin. A Conservative Data Flow Algorithm for
Detecting All Pairs of Statement That May Happen in Parallel. In Proceedings
of the the ACM SIGSOFT International Symposium on Foundations of
Software Engineering (FSE), pages 24–34, Lake Buena Vista, FL, USA, 1998.
ACM.
[NAC99] G. Naumovich, G. S. Avrunin, and L. A. Clarke. An Efficient Algorithm for
Computing MHP Information for Concurrent Java Programs. In Proceedings
of the 7th ACM SIGSOFT International Symposium on the Foundations of
Software Engineering (FSE), pages 338–354, Toulouse, France, 1999. ACM.
[NNH99] F. Nielson, H. R. Nielson, and C. Hankin. Principles of Program Analysis.
Springer, 1999.
[Nul] NullLogic. Null httpd Web Server. http://nullhttpd.sourceforge.net/
httpd/, accessed 2012 March 21.
[OBvEG10] C. Otto, M. Brockschmidt, C. von Essen, and J. Giesl. Automated Termi-
nation Analysis of Java Bytecode by Term Rewriting. In Proceedings of
the 21st International Conference on Rewriting Techniques and Applications
(RTA), LIPIcs 6, pages 259–276. Schloss Dagstuhl – Leibniz-Zentrum fu¨r
Informatik, 2010.
[OG76] S. S. Owicki and D. Gries. An Axiomatic Proof Technique for Parallel
Programs I. Acta Informatica, 6:319–340, 1976.
Bibliography 185
[O’H04] P. W. O’Hearn. Resources, Concurrency and Local Reasoning. In Proceedings
of the 15th International Conference on Concurrency Theory (Concur), LNCS
3170, pages 49–67, London, UK, 2004. Springer.
[PBO07] M. J. Parkinson, R. Bornat, and P. W. O’Hearn. Modular Verification
of a Non-blocking Stack. In Proceedings of the 34th ACM Symposium on
Principles of Programming Languages (POPL), pages 297–302, Nice, France,
2007. ACM.
[PDH99] C. S. Pasareanu, M. B. Dwyer, and M. Huth. Assume-Guarantee Model
Checking of Software: A Comparative Case Study. In Proceedings of the
5th and 6th Workshop on Theoretical and Practical Aspects of SPIN Model
Checking, LNCS 1680, pages 168–183, Toulouse, France, 1999. Springer.
[Pet81] G. L. Peterson. Myths About the Mutual Exclusion Problem. Information
Processing Letters, 12(3):115–116, 1981.
[PS02] F. Pottier and V. Simonet. Information Flow Inference for ML. In Proceedings
of the 29th ACM Symposium on Principles of Programming Languages
(POPL), pages 319–330, Portland, OR, USA, 2002. ACM.
[RA79] R. P. Reitman and G. R. Andrews. Certifying Information Flow Properties
of Programs: An Axiomatic Approach. In Proceedings of the 6th ACM
Symposium on Principles of Programming Languages (POPL), pages 283–
290, San Antonio, TX, USA, 1979. ACM.
[RHNS06] A. Russo, J. Hughes, D. A. Naumann, and A. Sabelfeld. Closing Internal
Timing Channels by Transformation. In Proceedings of the 11th Asian
Computing Science Conference (ASIAN), LNCS 4435, pages 120–135, Tokyo,
Japan, 2006. Springer.
[RHSR94] T. W. Reps, S. Horwitz, S. Sagiv, and G. Rosay. Speeding up Slicing.
In Proceedings of the 2nd ACM SIGSOFT Symposium on Foundations of
Software Engineering (FSE), pages 11–20, New Orleans, LA, USA, 1994.
[Ros95] A. W. Roscoe. CSP and Determinism in Security Modelling. In Proceedings
of the IEEE Symposium on Security and Privacy, pages 114–127, Oakland,
CA, USA, 1995. IEEE Computer Society.
[RS06a] A. Russo and A. Sabelfeld. Securing Interaction between Threads and the
Scheduler. In Proceedings of the 19th IEEE Computer Security Foundations
Workshop (CSFW), pages 177–189, Venice, Italy, 2006. IEEE Computer
Society.
[RS06b] A. Russo and A. Sabelfeld. Security for Multithreaded Programs Under
Cooperative Scheduling. In Proceedings of the Andrei Ershov 6th Conference
on Perspectives of System Informatics (PSI), LNCS 4378, pages 474–480,
Akademgorodok, Novosibirsk, Russia, 2006. Springer.
[RS09] A. Russo and A. Sabelfeld. Securing Interaction between Threads and the
Scheduler in the Presence of Synchronization. Journal of Logic and Algebraic
Programming, 78(7):593–618, 2009.
186 Bibliography
[RWW94] A. W. Roscoe, J. C. P. Woodcock, and L. Wulf. Non-interference through
Determinism. In Proceedings of the 3rd European Symposium on Research
in Computer Security (ESORICS), LNCS 875, pages 33–53, Brighton, UK,
1994. Springer.
[Sab01] A. Sabelfeld. The Impact of Synchronisation on Secure Information Flow in
Concurrent Programs. In Proceedings of the Andrei Ershov 4th Conference
on Perspectives of System Informatics (PSI), LNCS 2244, pages 225–239,
Akademgorodok, Novosibirsk, Russia, 2001. Springer.
[Sab03] A. Sabelfeld. Confidentiality for Multithreaded Programs via Bisimulation.
In Proceedings of the Andrei Ershov 5th Conference on Perspectives of System
Informatics (PSI), LNCS 2890, pages 260–274, Akademgorodok, Novosibirsk,
Russia, 2003. Springer.
[SAB10] E. J. Schwartz, T. Avgerinos, and D. Brumley. All You Ever Wanted to
Know about Dynamic Taint Analysis and Forward Symbolic Execution (but
Might Have Been Afraid to Ask). In Proceedings of the IEEE Symposium
on Security and Privacy, pages 317–331, Oakland, CA, USA, 2010. IEEE
Computer Society.
[San09] D. Sangiorgi. On the Origins of Bisimulation and Coinduction. ACM
Transactions on Programming Languages and Systems (TOPLAS), 31(4):111–
151, 2009.
[Sim03] V. Simonet. The Flow Caml System, version 1.00, Documentation and User’s
Manual, 2003. http://www.normalesup.org/~simonet/soft/flowcaml/
flowcaml-manual.pdf.
[SM03] A. Sabelfeld and A. C. Myers. Language-based Information-Flow Security.
IEEE Journal on Selected Areas in Communication, 21(1):5–19, 2003.
[SMH01] F. B. Schneider, J. G. Morrisett, and R. Harper. A Language-Based Approach
to Security. In Informatics: 10 Years Back, 10 Years Ahead, LNCS 2000,
pages 86–101, Dagstuhl, Germany, 2001. Springer.
[Smi01] G. Smith. A New Type System for Secure Information Flow. In Proceedings
of the 13th IEEE Computer Security Foundations Workshop (CSFW), pages
115–125, Cape Breton, Nova Scotia, Canada, 2001. IEEE Computer Society.
[Smi03] G. Smith. Probabilistic Noninterference through Weak Probabilistic Bisim-
ulation. In Proceedings of the 16th IEEE Computer Security Foundations
Workshop (CSFW), pages 3–13, Pacific Grove, CA, USA, 2003. IEEE Com-
puter Society.
[Sop11] Sophos. Security Threat Report 2011, 2011.
[SS99] A. Sabelfeld and D. Sands. A Per Model of Secure Information Flow in
Sequential Programs. In Proceedings of the 8th European Symposium on
Programming (ESOP), LNCS 1576, pages 50–59, Amsterdam, Netherlands,
1999. Springer.
Bibliography 187
[SS00] A. Sabelfeld and D. Sands. Probabilistic Noninterference for Multi-threaded
Programs. In Proceedings of the 13th IEEE Computer Security Foundations
Workshop (CSFW), pages 200–215, Cambridge, UK, 2000. IEEE Computer
Society.
[Sta85] E. W. Stark. A Proof Technique for Rely/Guarantee Properties. In Pro-
ceedings of the 5th Conference on Foundations of Software Technology and
Theoretical Computer Science (FSTTCS), LNCS 206, pages 369–391, New
Delhi, India, 1985. Springer.
[SV98] G. Smith and D. Volpano. Secure Information Flow in a Multi-threaded
Imperative Language. In Proceedings of the 27th ACM Symposium on
Principles of Programming Languages (POPL), pages 355–364, San Diego,
CA, USA, 1998. ACM.
[Sym11] Symantec. Symantec Internet Security Threat Report – Trends for 2010,
April 2011.
[Var95] M. Y. Vardi. On the Complexity of Modular Model Checking. In Proceedings
of the 10th IEEE Symposium on Logic in Computer Science (LICS), pages
101–111, San Diego, CA, USA, 1995. IEEE Computer Society.
[VS97] D. M. Volpano and G. Smith. A Type-Based Approach to Program Security.
In Proceedings of the 7th Conference on Theory and Practice of Software
Development (TAPSOFT), LNCS 1214, pages 607–621, Lille, France, 1997.
Springer.
[VS98] D. Volpano and G. Smith. Probabilistic Noninterference in a Concurrent
Language. In Proceedings of the 11th IEEE Computer Security Foundations
Workshop (CSFW), pages 34–43, Rockport, MA, USA, 1998. IEEE Computer
Society.
[VS99] D. Volpano and G. Smith. Probabilistic Noninterference in a Concurrent
Language. Journal of Computer Security (JCS), 7(2,3):231–253, 1999.
[VSI96] D. Volpano, G. Smith, and C. Irvine. A Sound Type System for Secure Flow
Analysis. Journal of Computer Security (JCS), 4(3):1–21, 1996.
[Was09] D. Wasserrab. Backing up Slicing: Verifying the Interprocedural Two-Phase
Horwitz-Reps-Binkley Slicer. In The Archive of Formal Proofs. 2009.
[Was10] D. Wasserrab. Information Flow Noninterference via Slicing. In The Archive
of Formal Proofs. 2010.
[Wei69] C. Weissman. Security Controls in the ADEPT-50 Time-sharing System. In
Proceedings of the Fall Joint Computer Conference, AFIPS ’69 (Fall), pages
119–133, Las Vegas, NV, USA, 1969. ACM.
[WL08] D. Wasserrab and A. Lochbihler. Formalizing a Framework for Dynamic
Slicing of Program Dependence Graphs in Isabelle/HOL. In Proceedings
of the 21st International Conference on Theorem Proving in Higher Order
Logics (TPHOLs), LNCS 5170, pages 294–309, Montre´al, Que´bec, Canada,
2008. Springer.
188 Bibliography
[WLS09] D. Wasserrab, D. Lohner, and G. Snelting. On PDG-based Noninterference
and its Modular Proof. In Proceedings of the 4th Workshop on Programming
Languages and Analysis for Security (PLAS), pages 31–44, Dublin, Ireland,
2009. ACM.
[WW94] C. A. Waldspurger and W. E. Weihl. Lottery Scheduling: Flexible
Proportional-Share Resource Management. In Proceedings of the 1st USENIX
Symposium on Operating Systems Design and Implementation (OSDI), pages
1–11, Monterey, CA, USA, 1994. ACM.
[ZM03] S. Zdancewic and A. C. Myers. Observational Determinism for Concurrent
Program Security. In Proceedings of the 16th IEEE Computer Security
Foundations Workshop (CSFW), pages 29–43, Pacific Grove, CA, USA, 2003.
IEEE Computer Society.
Symbols and Notation
//, 64
=X , 26
=mdsL , 56
•, 19
c[i], 89
〈x1, x2, . . . , xk〉, 12
::, 12
](sin), 20
u,unionsq, 13
v
on dependent partial environments,
73
on lattices, 13
on partial environments, 68
v2, 25
2, 25
	, 89
→, 21
≺S , 40
](c), 88
](l), 12
∼lmm, 80
∼mdslmm, 81
∼mm, 57
∼mdsmm , 57
∼lm, 36
]a, b], [a, b], 12
l[i], 12
X+, 12
X∗, 12
Xω, 12
acq(m, x ), 64
adjust-dpe(∆, ann), 73
adjust-pe(Λ, ann), 66
a-inn,i,p, 95
α, 15
a-outn,i,p, 95
asm-no-r , 54
asm-no-w , 54
CFGc , 89
CFGI,O, 90
CFG-mdsc,mds , 100
Com, 14
c; c, 19
configurations
〈c,mds,mem〉, 55
〈c,mem〉, 14
〈thr ,mdss,mem, sst〉, 55
〈thr ,mem〉, 15
〈thr ,mem, sst〉, 15
D, 25
D2, 25
def , 88
defc , 89
∆, 71
dma, 25
dom(f), 12
dtr , 17
E, 88
E , 19
e, 19
Ec , 89
Ep, 95
ESDG , 96
eval(e,mem), 19
Exp, 19
F , 13
F(S, sc), 23
FE , 13
f : X → Y , 12
f : X ⇀ Y , 12
f [x 7→ g(x) | x ∈ X ′], 12
189
190 Symbols and Notation
f [x 7→ y], 12
f -inpi , 95
f -outpi , 95
getMem, 15
getSst , 15
getThr , 15
guar -no-r , 54
guar -no-w , 54
H , 34
HCom, 35
HI , 26
high, 25
if e then c1 else c2 fi, 19
img(f), 12
in, 89
judgments (transition)
(sst , sin)
k,p S sst ′, 16, 23
(thr ,mdss)
k,p
=⇒S (thr ′,mdss ′), 55
〈thr ,mem, sst〉 k,p=⇒S 〈thr ′,mem ′, sst ′〉,
15
〈c,mds,mem〉 α−_ 〈c′,mds ′,mem ′〉,
55
〈c,mem〉 α−_ 〈c′,mem ′〉, 15
judgments (typing)
Γ ` e : d , 65
pc `Ψ Γ {c} Γ′, 98
pc ` Γ {c} Γ′, 86
` ∆ {c} ∆′, 71
` Λ {c} Λ′ : (mdf , stp), 82
` Λ {c} Λ′, 65
` c : (mdf , stp), 44
` e : d , 43
` thr (FSI-security), 46
` thr (FSIFUM-security), 82
` thr (SIFUM-security), 69
L, 34
Lab, 15
Labm, 55
Λ, 66
Λ〈·〉, 66
LCom, 35
LO , 26
loc-reach(tc), 35
Lot , 22
low , 25
l -matchthr1,thr2 , 36
l -ρS , 40
mc, 15
mdf , 44
mds, 54
mds-update(mds, ann), 64
Mem, 14
Mod , 54
MultiConf , 15
N , 88
N, 12
n, 88
Nc , 89
new(thr), 15
nextSsst,sin , 21
Np, 95
obs, 16
(Ω(S, sc),F(S, sc), ρ(S, sc)), 23
Ω, 13
op(e, . . . , e), 19
out , 89
P , 94
PDG∗(CFGI,Oc ), 96
PDG ||(CFGH ,Lc ), 100
PDG(CFG), 91
PDGp, 95
eval(e, pm), 71
pm, 71
P(X), 12
Ψ, 98
Ψ∗, 98
R, 96
R, 12
reachS(scm), 59
rel(m, x ), 64
replacek, 16
ρ, 13
ρ(tr), 18
ρSsc , 21
ρSsst,sin , 21
ρζ , 13
ρS , 24
RR, 21
S, 16
sc, 15
Symbols and Notation 191
scm, 55
sIn, 16, 20
sin, 16
skip, 19
spawn(c1, . . . , ck), 19
spawn-mds(mds), 64
sSt , 14, 20
sst , 14
sst0, 21
start , 88
stop, 14, 19, 88
stp, 44
str , 17
SysConf , 15
Tr⇓, 17
Tr 6⇓, 17
Tr⇓mem , 17
T , 17
T⇓, 17
TS(sc), 17
T 6⇓, 17
tc, 15
tcm, 55
Thr , 14
thr , 14
ThreadConf , 15
tr , 17
Uni , 22
updatek, 16
update-dpe(∆, x , e), 72
use, 88
usec , 89
v , 19
Val , 14
Var , 14
Varin , 18
Varout , 18
vars(e), 19
while e do c od, 19
x , 19
x :=e, 19
Z, 12

Index
L-equal modulo mode state, 56
S-noninterferent, 26
S-simulation, 40
acquire, 100
actual in parameter, 94
actual out parameter, 94
analysis
context-sensitive, 93
flow-sensitive, 51
assumption
no-read, 53
no-write, 53
attacker with clearance d , 25
bisimulation
modulo low matching, 36
modulo low matching and modes,
80
modulo modes, 57
CFG, see control flow graph
closed under globally consistent changes,
56
command, 14
compatible modes, 59
compatible with strong low bisimulation
modulo modes, 61
compositionality
of FSI-security, 37
of SIFUM-security, 60
configuration
multi-threaded configuration, 15
system configuration, 15
system configuration with modes,
55
thread configuration, 14
thread configuration with modes, 55
confined, 39
consistent with partial environment, 67
context, evaluation, 19
context-sensitive analysis, 93
control dependent, 91
control flow graph, 88
graphical representation, 90
of command c, 89
data dependent, 90
def set, 88
definition reaches node, 90
dependent partial environment, 71
direct leak, 27
directed graph, 88
does not modify, 59
does not read, 59
domain assignment, 25
environment, 65
partial, 66
partial dependent, 71
evaluation context, 19
expression, 19
evaluation, 19
final configuration, 17
flow-sensitive analysis, 51
formal in parameter, 94
formal out parameter, 94
Frog scheduler, 42
FSI-secure, 37
FSIFUM-indistinguishable, 81
FSIFUM-secure, 81
globally consistent change, 56
graph
control flow, 88
directed, 88
path, 88
193
194 Index
procedure dependence, 95
program dependence, 91
program dependence with summary
edges, 96
system dependence, 95
greatest lower bound, 13
guarantee
no-read, 54
no-write, 54
respects, 60
high, 25
high command, 35
high thread, 35
indirect leak, 28
indistinguishable
FSIFUM, 81
SIFUM, 57
internal timing leak, 29
lattice, 13
least upper bound, 13
level of confidentiality, 25
lists
ith element, 12
concatenation, 12
empty, 12
finite, 12
infinite, 12
length, 12
projection, 12
locally reachable, 35, 60
lottery scheduler, 22
low, 25
low bisimulation modulo low matching,
36
low bisimulation modulo low matching
and modes, 80
low command, 35
low match, 35
low thread, 35
memory, 14
partial, 71
mode, 54
mode state, 54
modes compatible with obs, 60
modes, compatible, 59
modes, sound, 60
modify, does not, 59
multi-threaded configuration, 15
no-read assumptions at thread termina-
tion, 60
noninterferent, 26
observation, 16
order, partial, 12
parameter
actual in, 94
actual out, 94
formal in, 94
formal out, 94
partial environment, 66
dependent, 71
partial equivalence relation, 34
partial memory, 71
partial order, 12
partially ordered set, 12
path, 88
PDG, see program dependence graph
per, see partial equivalence relation
per approach, 34
policy, security, 25
postdominate, 91
probabilistic leak, 30
probability measure, 13
probability measure induced by ζ, 13
probability space, 13
event, 13
outcome, 13
procedure, 94
procedure dependence graph, 95
program dependence graph, 91
graphical representation, 91
program dependence graph with sum-
mary edges, 96
reachable
locally, 35
locally with modes, 60
system configuration with modes,
59
read, does not, 59
realizable, 96
release, 100
respect guarantees, 60
robust scheduler, 40
Index 195
Round-Robin scheduler, 21
scheduler, 21
decision, 16
initial state, 21
input, 16, 20
lottery, 22
robust, 40
Round Robin, 21
state, 20
uniform, 22
scheduler independence
of FSI-security, 42
of SIFUM-security, 60
SDG, see system dependence graph
security domain, 25
security lattice, 25
security policy, 25
set, partially ordered, 12
SIFUM-indistinguishable, 57
SIFUM-secure, 57
sigma-algebra, see σ − algebra
σ-algebra, 13
σ-algebra induced by E , 13
simulation, S, 40
sound modes, 60
soundness
dependent type system for SIFUM-
security, 73
type system for FSI-security, 46
type system for FSIFUM-security,
83
type system for SIFUM-security, 70
strong low bisimulation modulo modes,
57
compatible with, 61
summary edge, 96
system configuration, 15
system configuration with modes, 55
reachable under scheduler, 59
system dependence graph, 95
terminating under S, 24
termination leak, 28
termination-sensitive, 28
thread configuration, 14
thread configuration with modes, 55
thread pool, 14
timing leak, 28
timing-sensitive, 28
trace, 17
nonterminating, 17
nonterminating decision, 17
nonterminating system, 17
terminating, 17
terminating decision, 17
terminating system, 17
two-level security lattice, 25
type-based analysis for sequential pro-
grams, 87
uniform scheduler, 22
use set, 88
value, 14
variable, 14
input, 18
output, 18
