Type-Directed Compilation for Fault-Tolerant Non-Interference by Del Tedesco, Filippo et al.
ar
X
iv
:1
41
0.
49
17
v2
  [
cs
.C
R]
  2
5 O
ct 
20
14
Type-Directed Compilation
for Fault-Tolerant Non-Interference
Filippo Del Tedesco1, David Sands2, and Alejandro Russo2
1 Admeta AB, Sweden
2 Chalmers University of Technology, Sweden
Abstract. Environmental noise (e.g. heat, ionized particles, etc.) causes transient
faults in hardware, which lead to corruption of stored values. Mission-critical de-
vices require such faults to be mitigated by fault-tolerance – a combination of
techniques that aim at preserving the functional behaviour of a system despite the
disruptive effects of transient faults. Fault-tolerance typically has a high deploy-
ment cost – special hardware might be required to implement it – and provides
weak statistical guarantees. It is also based on the assumption that faults are rare.
In this paper, we consider scenarios where security, rather than functional cor-
rectness, is the main asset to be protected. Our contribution is twofold. Firstly,
we develop a theory for expressing confidentiality of data in the presence of tran-
sient faults. We show that the natural probabilistic definition of security in the
presence of faults can be captured by a possibilistic definition. Furthermore, the
possibilistic definition is implied by a known bisimulation-based property, called
Strong Security. Secondly, we illustrate the utility of these results for a simple
RISC architecture for which only the code memory and program counter are as-
sumed fault-tolerant. We present a type-directed compilation scheme that pro-
duces RISC code from a higher-level language for which Strong Security holds –
i.e. well-typed programs compile to RISC code which is secure despite transient
faults. In contrast with fault-tolerance solutions, our technique assumes relatively
little special hardware, gives formal guarantees, and works in the presence of
an active attacker who aggressively targets parts of a system and induces faults
precisely.
1 Introduction
Transient faults, or soft errors, are alterations of the state in one or more electronic
components, e.g., bit flips in a memory module [1]. In some situations, we are willing
to accept that a system may fail due to transient faults, for example, that an occasional
message may be lost or corrupted. The problem we address in this paper is how to
prevent transient faults (which will be referred to as “faults” in the rest of the paper)
from compromising the security of the system – for example, by allowing an attacker
to access a secret.
It has indeed been shown that bit flips can effectively be used to attack, e.g., the AES
encryption algorithm and reveal the cipher key [2]. More recently, it has been shown
that faults occurring in the computation of an RSA signature can permit an attacker to
extract the private key from an authentication server [3]. Moreover, it is not just the
security of crypto systems that is potentially vulnerable. Risks are greatly amplified if
the attacker can influence the code executed by a system that can experience faults: it
has been demonstrated that a single fault can cause (with high probability) a malicious
but well-typed Java applet to violate the fundamental memory-safety property of the
virtual machine [4].
Traditional countermeasures against faults aim to make devices fault-tolerant, i.e.
able to preserve their functional behavior despite soft errors. Most fault-tolerance mech-
anisms are based on redundancy: resources are replicated (either in software or in hard-
ware) so that it is possible to detect, if not repair, anomalies. Typically, such solutions
are designed for protection against a very simple fault model, in which a limited num-
ber of faults are assumed. Moreover, the formal guarantees of software-based fault-
tolerance mechanisms, according to Perry et al. [5], are usually not stated – it is more
common that their efficacy is explored statistically. In reasoning about security it is
more difficult to give a statistical model of the environment’s behaviour – it might be
that the environment is an active adversary with a laser and a stopwatch (cf. [6]) rather
than just passive background radiation. Similarly, experimental evidence based on typ-
ical deployment of representative programs is not likely to be so useful if an attack, as
it often does, requires an atypical deployment of an unusual program.
Overview of the Paper and Contributions In order to be precise about the guarantees
that we provide and the assumptions we make, we develop a formal, abstract model of
fault-prone systems, attackers who can induce faults based on the observations made of
the system’s public output, and the resulting interaction between the two (Section 2.1).
From this, we define our central notion of security in the presence of faults, probabilistic
fault-tolerant non-interference (PNI). A system is secure in the presence of faults if, for
any attacker, the probability of a given public output is independent of the secrets held
by the system (Section 2.2).
Reasoning directly about fault-tolerant noninterfence is difficult because (i) it de-
mands reasoning about probabilities, and (ii) it quantifies over all possible attackers (in
a given class).
Our first contribution tackles these difficulties with two key theorems. Theorem 1
(Section 2.3) shows that PNI can be characterised exactly by a simpler possibilistic def-
inition of noninterference, defined by assuming that the exact presence and location of
faults are observable to the attacker. This removes difficulty (i), the need to reason about
probabilities. Theorem 2 (Section 2.4) then shows that the possibilistic definition is im-
plied by a form of strong bisimulation property, adapting ideas from its use in scheduler
independent security of concurrent programs [7]. This theorem eliminates difficulty (ii),
enabling PNI to be proved without explicit quantification over all attackers.
Our second contribution (Section 3) illustrates the applicability of Theorem 2 in
a specific setting: a fault-prone machine modeling a program running on a RISC-like
architecture. The aim is to give a sound characterisation of RISC programs which, when
placed in the context of the machine, give a system which is secure despite faults. Our
approach combines ideas from security type systems for simple imperative programs
with a type-directed compilation scheme. Roughly speaking, our type-directed compi-
lation of simple imperative programs guarantees that a well-typed program compiles to
RISC code which, for this architecture, is secure despite faults. A key assumption for
this result to hold is assuming fault-tolerant code memory and program counter, while
general purpose registers and data memory are susceptible to bit flips.
Our innovative perspective on the problem of guaranteeing security in the presence
of transient faults combines a lot of concepts from other works, coming from both
security and dependability literature. In order to clarify these connections, we discuss
related works in Section 4, whereas in Section 5 we focus on the main limitations of
our results (including those shared with other approaches). We complete the paper in
Section 6, where we briefly summarize the conclusions of our study.
2 A Theory for Probabilistic Fault-Tolerant Non-Interference
We begin (Section 2.1) by setting up a rigorous but abstract semantic model for
systems that can experience transient faults, and for environments inducing these faults.
Then, we establish a model for their interactions and a security definition (Section 2.2)
for the composition of a system with a fault environment as probabilistic fault-tolerant
non-interference (PNI). We continue (Section 2.3) by simplifying the security model
introduced for PNI in two steps. Firstly, we propose a simpler, nondeterministic fault
model for fault-prone systems. This model leads to a more straightforward notion of
security called possibilistic fault-tolerant non-interference (PoNI)3which is then shown
to be equivalent to PNI. Finally, we introduce (Section 2.4) the notion of Strong Security
(SS), a bisimulation-based security condition which is proved stronger than PoNI, hence
PNI.
2.1 Probabilistic Fault-Tolerant Non-Interference
We model a fault-prone system as a deterministic labelled transition system. Since we
have to reason about bit flips, we model the state of a system as just a collection of
bits, each of which is identified by a unique location. The locations are partitioned into
a fault tolerant part of the system (e.g. memory with error correcting codes), and a
faulty part. Only the faulty locations are affected by soft errors from the environment.
The labels of the transition system model outputs of the fault-prone system and “clock
ticks” (τ ) which mark the discrete passage of time. We assume that some outputs can
be distinguished by an external observer, whereas the others appear as τ .
Definition 1 (Fault-prone System). A fault-prone system Sys is defined as Sys =
{Loc,Act ,−→ ⊆ S ×Act × S}, where:
r The set Loc contains all the locations (addresses) of the system. It is partitioned
into a fault-tolerant subset and a faulty one, namely T and F . Fault-tolerant lo-
cations are not affected by soft errors, whereas bits stored in the faulty part of the
hardware can get flipped because of transient faults.
r Act includes system outputs and a distinguished silent action τ marking the pas-
sage of time. We assume that “public” observations (what an attacker can see)
are limited to events in LAct ⊆ Act , whereas any other action performed by the
system is observed as τ .
r The relation−→ formalizes the system behavior. Given the set of all possible states
for the system, namely S = Loc → {0, 1}, the relation −→ models how the system
3 A similar but weaker notion of security has been presented in [8].
evolves. We write transitions in the usual infix manner S a−→ S′ for S, S′ ∈ S. The
system is deterministic in the sense that for any S ∈ S there is at most one state
S′ and one action l and a transition S l−→ S′.
We now introduce a probabilistic fault model, which induces transient faults in F .
We refer to this model as the environment, or, synonymously as the attacker.
A simple environment can be modeled as an agent that induces bit flips in the faulty
locations with some fixed (small) probability. Unfortunately, this representation does
not capture many realistic scenarios: for example, some locations in the system may
be more error-prone than others, and (due to high densities of transistors) the probabil-
ity of a location being flipped may be higher if a neighboring bit is flipped. We could
therefore consider environments that can induce faults according to a probability dis-
tribution over the powerset of faulty locations, where the probability associated with a
given set of locations L is the probability that exactly the bits of L are flipped before
the next computation step occurs. However, such static model of the environment is not
sufficient to model an active attacker. An active attacker may have physical access to
the system (e.g., a tamper-proof smart card), and may be able to influence the likelihood
of an error occurring at a specific location and time with high precision (see, e.g., [6]).
What is more, the attacker may do this in a way that depends on the previous obser-
vations, namely the passage of time and the publicly observable actions. We therefore
formalize these capabilities of an environment as follows (recall that ℘(A) here denotes
the powerset of a given set A).
Definition 2 (Fault environment).
Consider a fault-prone system Sys = {Loc,Act ,−→}. A fault environment (Err ,Fault)
for Sys consists of:
r a labelled transition system Err = 〈E ,LAct ∪{τ},❀ ⊆ E × (LAct ∪{τ})×E〉,
where E represents the set of environment’s states;
r a function Fault ∈ E → ℘(F ) → [0, 1] such that for all states E ∈ E , we have
that Fault(E) is a probability distribution on sets of locations.
We require that for all states E ∈ E and for all actions a ∈ LAct ∪ {τ} there exists
a unique state E′ ∈ E such that E a❀ E′. Intuitively, the state E ∈ E determines the
probability that a given set of locations (and no others) will experience a fault in the
current execution step of the system. At each step, the state of the attacker evolves by
the observation of “low” events and the passing of time.
Example 1. We illustrate the use of Definition 2 by characterizing the simplest most
uniform fault-inducing environment: a bit flip may occur in any location with a fixed
probability ǫ. To model this as a fault environment, we need only a trivial transition
system involving the single state r (E = { r}), whose transitions are ∀a ∈ LAct ∪
{τ}. r
a
❀
r
. As for the Fault function consider a set L ⊆ F where |L| = k and |F | = n.
Then the probability that flips occur in all locations in L and nowhere else is equal to
the probability of faults in every location in L, namely ǫk, multiplied by the probability
of the remaining locations not flipping, namely (1− ǫ)n−k. Hence
Fault( r)(L) = ǫk(1 − ǫ)n−k where k = |L| and n = |F |
We now define, in outline (details are discussed in Appendix A), how fault envi-
ronments are composed together with fault-prone systems. Some preliminary consid-
erations are needed. We need to model the physical modification performed by the
environment on the faulty part of the system. For this, a function flip is defined as
flip(S,L) = S[l 7→ ¬S[l], l ∈ L], which gives the result of flipping the value of every
location in L of state S (assuming L ⊆ F ). We also need to formalize that an attacker
can distinguish only a subset of all possible actions of the system. This is obtained by
assuming that there is a function low ∈ Act → LAct ∪{τ} that behaves as the identity
for actions in LAct , and maps any other action to τ . This provides the public view of
the system’s output. Finally, we say that a state S is stuck if there is no transition from
that state.
Definition 3 (Fault-prone System and Environment). Consider a fault-prone sys-
tem Sys = {Loc,Act ,−→}, and an environment Env = (Err ,Fault) where Err =
〈E ,LAct ∪ {τ},❀〉. The composition of Sys and Env , defined as Sys × Env =
〈S × E , (Act , [0, 1]),−→〉 where S is the set of all possible states for Sys , defines a
labelled transition system whose states are pairs of the system state and the environ-
ment state, and with transitions labelled with an action a and a probability p, written
a
−→p. Transitions depend on the state of the system as follows:
r If the system state S is not stuck, it undergoes a transient fault according to the flip
function; then, providing the flipped state is not stuck, the execution takes place,
namely
Step
π = {L | L ∈ ℘(F ) and flip(S,L) a−→ S′}
p = ΣL∈piFault(E)(L) E
low(a)
❀ E′
〈 S, E 〉
a
−→p 〈 S
′, E′ 〉
Observe that, in general, there might be several subsets of L ⊆ F such that
flip(S,L) results in a state that (i) performs the same action a and (ii) performs a
transition to the final state S′. For this reason, the probability associated with the
rule corresponds to the sum of all probabilities associated with locations in the
set π.
r If the system state is stuck, or it is made stuck by a transient fault, it does not
perform any action. However, both the environment and the composition of the
system state with the environment state evolve as if the system had performed a τ
action. We enforce these restrictions because an error environment should not be
able to distinguish between an active but “silent” and a stuck state. Notice that
this way of modeling the composition of systems and environments guarantees
that any state of the composition can progress.
This form of transition system is sometimes known as a fully probabilistic labelled
transition system, or a labelled markov process.
2.2 Defining Security
We can now reason about security of a system operating in an environment: Sys×Env .
Firstly, we define the observations that the attacker can perform. Then, we define when
sensitive data remains secure despite the attacker observations.
Our attacker sees sequences of actions in LAct ∪ {τ}, called traces, and measures
their probability, but does not otherwise have access to the state of the fault-prone sys-
tem.
We say that the sequence r = Z a0→p0 Z1 . . . Zn−1
an−1
→ pn−1 Zn is a run of size n of
a system state Z ∈ Sys ×Env and has probability Pr(r) = Π0≤i≤n−1pi. The set of all
n-runs of Z are denoted runn(Z), and we define the set of all runs for Z as run(Z) =
∪nrunn(Z). Consider a run r = Z
a0→p0 Z1 . . . Zn−1
an−1
→ pn−1 Zn and let trace ∈
run(Z) → (LAct ∪ {τ})∗ be a function such that trace(r) = low (a0) . . . low (an−1).
For any t ∈ (LAct ∪ {τ})n, define PrZ(t) = Σ{r∈runn(Z)|trace(r)=t}Pr(r). This defini-
tion induces a probability distribution over (LAct ∪ {τ})n.
Proposition 1. For any stateZ ∈ Sys×Env and for anyn ≥ 0Σt∈(LAct∪{τ})nPrZ(t) =
1.
Proof. Appendix B.
We can now define the notion of probabilistic noninterference [9] that characterises
security for fault-prone systems. For this purpose, we consider the case when the ini-
tial state of a fault-prone system is an encoding of three different components: (i) a
“program”, the set of instructions executed by the system, (ii) “public data”, that stores
values known by an attacker and (iii) “private data” for confidential information. We
formalize this partition by defining three mutually disjoint sets ProgLoc, LowLoc and
HighLoc (such that Loc = ProgLoc ∪ LowLoc ∪ HighLoc) and, for a system state S,
by defining the program component P as S
∣∣
ProgLoc
, the public data L as S
∣∣
LowLoc
and
H as S
∣∣
HighLoc
.
Observe that the way locations are partitioned between program and data is orthog-
onal to the way they are partitioned between fault-tolerant and faulty components. This
is because fault-tolerance is orthogonal to the way security is defined.
Our definition of security, Probabilistic Fault-Tolerant Non-Interference (PNI), re-
quires a notion of equivalence to be defined for states that look the same from an
attacker’s point of view. Two system states S and S′ are low equivalent, written as
S =L S
′
, if S
∣∣
LowLoc
= S′
∣∣
LowLoc
. Low equivalence provides us a way for defin-
ing when the program component of a state is secure even in the presence of transient
faults. Intuitively the definition says that a program component P is secure if the ob-
served probability for any trace is independent of the sensitive data, for all system states
where P is the program component.
Definition 4 (PNI). Let Sys be a fault-prone system and let P be a program component
of Sys . We say that P is probabilistic fault-tolerant noninterfering, if for any system
states S, S′ ∈ Sys such that S′
∣∣
ProgLoc
= S
∣∣
ProgLoc
= P and S =L S′, it holds that
for any state E of any environment Env , for any n ≥ 0 and for any t ∈ (LAct ∪ {τ})n
we have Pr〈 S, E 〉(t) = Pr〈 S′, E 〉(t).
The definition demands that probability of publicly observable traces only depends on
values stored in the low locations. Also, it requires that this must hold for any fault-
environment.
2.3 Possibilistic Characterisation of Fault-Tolerant Non-Interference
Reasoning directly about fault-tolerant noninterference is difficult because (i) it de-
mands reasoning about probabilities, and (ii) it quantifies over all possible attackers (in
a given class). In this section, we address the first of these problems.
A possibilistic model (i.e. not probabilistic) of the interaction between a fault-prone
system and the error environment can be obtained by interleaving the transitions of the
fault prone system with a nondeterministic flipping of zero or more bits. While this
model avoids reasoning about probability distributions as well as injection of faults
by an attacker, it is not adequate to directly capture security, as it is well-known that
possibilistic noninterference suffers from probabilistic information leaks (see e.g. [9]).
In order to capture PNI precisely, we augment this transition system by making the
location of the faults observable (details are discussed in Appendix C).
Definition 5 (Augmented Fault-prone System). Given a fault-prone system Sys =
{Loc,Act ,−→} we define the augmented system Sys+ as Sys+ = {Loc,℘(F )×Act,
} , where is defined according to two cases:
r If the system state S is not stuck, it undergoes a nondeterministic transient fault
first; then, providing the flipped state is not stuck, execution takes place, namely
flip(S,L)
a
−→ S′ L ⊆ F
S
L,a
S′
Observe that, compared to the corresponding rule in Definition 3, we have that L
induces a unique transition since it appears in the transition label.
r If the system state is stuck, or it is made stuck by a transient fault, the transition
does not modify it. However, the label attached to the transition is (L, τ) so that,
as in Definition 3, we make a stuck state indistinguishable from a silently diverging
one.
The model resembles the composition of fault-prone systems and fault environ-
ments presented in Definition 3, including the fact that it hides the termination of a
system configuration. However, it introduces two main differences that influence the
way security is defined. On one hand, the augmented system is purely nondeterminis-
tic, and this supports a simpler definition of security. On the other hand, the augmented
system has more expressive labels, that include not only the action performed by the
system but also information about flipped locations.
We call the sequence r = S
L0,a0
S1 . . . Sn−1
Ln−1,an−1
Sn a possibilistic run
of a system state S ∈ Sys+, and we say that t = L0,low (a0),. . . , Ln−1, low(an−1)
is its corresponding trace. We write S t when there exists a run r, produced by S,
that corresponds to t. With these conventions, security for augmented systems, Possi-
bilistic Fault-Tolerant Non-Interference (PoNI), is defined by using the same notation
presented in the previous section for fault-prone systems composed with environments.
Definition 6 (PoNI). We say that a program component P enjoys possibilistic fault-
tolerant non-interference, if for any S, S′ ∈ Sys+ such that S′∣∣
ProgLoc
= S
∣∣
ProgLoc
=
P and S =L S′, for any trace t, it holds that S t ⇔ S′ t .
The following result says that the definitions of PNI and PoNI coincide.
Theorem 1. A program component P enjoys PNI if and only if it enjoys PoNI.
Proof. Appendix D.
This theorem makes clear that, from an enforcement perspective, security in the
presence of transient faults can be achieved by targeting either PNI or PoNI.
2.4 Strong Security Implies PNI
We now formalize a different notion of security that guarantees PoNI (and hence PNI)
without explicitly modeling the effects of transient faults in a fault-prone system. This
notion, called Strong Security, was developed as a way to capture a notion of scheduler
independent compositional security for multithreaded programs [7].
Strong security is a bisimulation relation over program components of fault-prone
systems. Our goal is to relate strong security to the possibilistic security definition
established for augmented systems, and show that indeed it is stronger. Before do-
ing so, we need to make sure that the semantics of fault-prone systems hides termi-
nation, as it is the case for augmented systems. In particular, for a fault-prone sys-
tem Sys = {Loc,Act ,−→}, we define its termination-transparent version as Sys∞ =
{Loc,Act ,−→∞}where−→∞ coincides with−→ for active states, but has additional tran-
sitions S τ−→∞ S whenever S 6−→ (details are discussed in Appendix C). With this, we
define strong security for termination-transparent fault-prone systems as follows.
Definition 7 (Strong Security (SS)). Let Sys be a fault-prone system and Sys∞ =
{Loc,Act ,−→∞} be the corresponding termination-transparent fault-prone system. A
symmetric relation R between program components is a strong bisimulation if for
any (P, P ′) ∈ R we have that for any two states S, V in S, if S∣∣
ProgLoc
= P and
V
∣∣
ProgLoc
= P ′ and S =L V and S
a
−→∞ S
′ then V b−→∞ V ′ such that (i) low (a) =
low (b) and (ii) S′ =L V ′ and (iii) (S′
∣∣
ProgLoc
, V ′
∣∣
ProgLoc
) ∈ R. We say that a pro-
gram component P is strongly secure if there exists a strong bisimulation R such that
(P, P ) ∈ R.
Intuitively, a program component P is strongly secure when differences in the pri-
vate part of the data are neither visible in the computed public data, nor in the transition
label. This anticipates the fact that even though an external agent (the error environ-
ment, in our scenario) might alter the data component, the program behavior does not
reveal anything about secrets.
The next result shows that Strong Security is sufficient to obtain PoNI. Notice, how-
ever, that the definition of Strong Security only deals with the modifications that occur
in the data part of a fault-prone system. Hence, it only makes sense for the class of
systems that host the program component in the fault-tolerant part of the configuration.
Theorem 2 (Strong security ⇒ PoNI). Let P be a program component such that
ProgLoc ⊆ T . If P satisfies SS then P satisfies PoNI.
Proof. Appendix E.
We conclude this section with a negative result by saying that the reverse impli-
cation between SS and PoNI does not hold. Strong security requires that the partition
of the state into a program, a low and a high part is preserved (respected) during the
whole computation whereas the definition of PNI imposes no special requirement on
intermediate states of the computation.
3 A Type System for FTNI
In this section, we present an enforcement mechanism capable of synthesizing strongly
secure assembly code. The enforcement is given as a type-directed compilation from a
source while-language. All in all, we present a concrete instance of our fault-prone sys-
tem formalization by defining the RISC architecture (Section 3.1) and propose a tech-
nique to enforce strong security over RISC programs (Section 3.2), whose soundness
is sketched in Section 3.3. By achieving strong security, we automatically get secure
RISC code that is robust against transient faults (recall Theorem 2).
3.1 A Fault-Prone RISC Architecture
The architecture we are interested in has various hardware components to operate over
data and instructions.
Data resides in the memory and in the register bank. We model the memory M as
a function W → W, where W is the set of all constants that can be represented with a
machine word. The register bank R is modeled as a function Reg → W, where Reg ,
ranged over by r, r′, is a set of register names.
I ::= [l :]B
B ::= load r k | store k r | jmp l | jz l r | nop
movek r n | mover r r′ | op r r′ | out ch r
ch ::= low | high
Fig. 1. RISC instructions syntax
Figure 1 de-
scribes the instruc-
tion set of our ar-
chitecture. We con-
sider that every in-
struction I could
be optionally la-
beled by a label in
the set Lab. Instruction load r k accesses the data memory M with the pointer k ∈W
and writes the value pointed by k into register r ∈ Reg . The corresponding store k r
instruction writes the content of r into the data memory address k. Instruction jmp l
causes the control-flow to transfer to the instruction labeled as l. Instruction jz l r per-
forms the jump only if the content of register r is zero. Instruction nop performs no
computation. The instruction movek r k writes the constant k to r, whereas the instruc-
tion mover r r′ copy the content in r′ to r. The instruction op stands for a generic binary
operator that combines values in r and r′ and stores the result in r. Instruction out ch r
outputs the constant contained in r into the channel ch, that can be either low or high .
The processor fetches RISC instructions from the code memory P , separated from
M. The code memory is modeled as a list of instructions. We require the code memory
to be well-formed, namely not having two instruction bodies labeled in the same way.
A dedicated program counter register stores the location in P hosting the instruction
being currently executed. The value of the program counter is ranged over by pc.
As described in Section 2, we partition the architecture into faulty and fault-tolerant
components. Both R and M are considered to be faulty: transient faults can strike
Load
P (pc) = load r p
〈P, pc,R,M〉
τ
−→ 〈P, pc+,R[r 7→ M(p)],M〉
Store
P (pc) = store p r
〈P, pc,R,M〉
τ
−→ 〈P, pc+,R,M[p 7→ R(r)]〉
Jz-S
P (pc) = jz l r R(r) = 0
〈P, pc,R,M〉
τ
−→ 〈P, pc 7→ resP (l),R,M〉
Jz-F
P (pc) = jz l r R(r) 6= 0
〈P, pc,R,M〉
τ
−→ 〈P, pc+,R,M〉
Out
P (pc) = out ch r Reg(r) = n
〈P, pc,R,M〉
ch!n
−−−→ 〈P, pc+,R,M〉
Fig. 2. Selected rules for RISC instructions semantics
any location at any time during the execution. On the other hand, we assume P and
the program counter are implemented in the fault-tolerant part of the architecture. The
fact that the code memory is fault-tolerant corresponds to having the machine code in
a read-only memory with ECC, a common assumption in dependability domain. The
requirement on the program counter is a restriction that turns out to be necessary for
proving the soundness of our enforcement mechanism.
We instantiate the RISC architecture as a fault-prone system by defining the se-
mantics of the language as a labelled transition system. A state is defined as a quadruple
〈P, pc,R,M〉, for pc ∈W, where the first two elements correspond to the fault-tolerant
portion of the hardware. Any action of the system is either an output (low !k when the
output is performed on the publicly observable channel, high !k otherwise) or the silent
action τ . A few examples of transition rules are described in Figure 2 (the full presen-
tation can be found in Appendix F). We write P (pc) as a shorthand for the instruction
at position pc in P and pc+ as a shorthand for pc + 1. We assume that the function
resP ∈ Lab ⇀ W returns the position at which label l occurs in P : resP (l) = i iff
P (i) = l : B for some B.
Once the rule [Load] is triggered, the register content at r is updated with the
memory content at p (R[r 7→ M(p)]), and the program counter is incremented by
one (pc+). Conversely, the rule [Store] writes the content at register r in memory
location p (M[p 7→ R(r)]). In case of a jump instruction, neither memory nor registers
are modified. If the guard is 0, as in rule [Jz − S], the execution is restarted at the
instruction of the label used as the jump argument pc 7→ resP (l), otherwise the program
counter is just incremented. All previous instructions map to silent actions τ : channels
are written by instruction [Out] which, on the other hand, leaves both register and
memory untouched.
3.2 Strong Security Enforcement
We guarantee strong security for some RISC programs via a novel approach based on
type-directed compilation. Our strategy targets a simple high-level imperative language,
while. For while programs we define a type system that performs two tasks: (i)
translation of while programs into RISC programs (ii) enforcement of Strong Security
on while programs. The compilation is constructed so that the strong security at the
level of while programs is preserved by the compilation.
To facilitate the proof of strong security, the method is factored into a two-step
process: a type-directed translation to an intermediate language followed by a simple
compilation to RISC. In this section, we limit ourself to an overview of the method and
therefore elide this intermediate step from the presentation.
The grammar of the while language is presented in Figure 3. Both expressions and
commands are standard, and assume that the language contains an output command out.
C ::= skip | x := E | if E then C1 else C2 | out ch E | C1;C2 | while x do C
E ::= k ∈W | x ∈ Var | E1 op E2
ch ::= low | high
Fig. 3. while programs syntax
Typing Expressions The general structure of the typing judgement for expressions is
presented in Figure 4.
Φ,A, l︸ ︷︷ ︸
(1)

(2)︷︸︸︷
E →֒ P︸︷︷︸
(3)
,
(4)︷ ︸︸ ︷
〈λ, n〉, r, Φ′︸︷︷︸
(5)
Fig. 4. General structure for expression typing rules
The core part of the judgement
says that while expression E (2)
can be compiled to secure RISC pro-
gram P (3), with security annotation
(4). For defining the security anno-
tation, we assume while variables
and RISC registers are partitioned
into two security levels {L,H} (ordered according to ⊑, which is the smallest reflexive
relation for which L ⊑ H) according to the function level ∈ Var ∪ Reg → {L,H}.
The first component λ of a security annotation (λ, n) specifies the security level of the
registers that are used to evaluate an expression. The second component n represents
the number of RISC computation steps that are necessary to evaluate E. The reason
for tracking this specific information about expressions (and in commands later on) is
related to obtain assembly code which avoids timing leaks – the type-directed compila-
tion will use n, for instance, to do padding of code when needed [10]. In fact, most of
the involved aspects in our type-system arises from avoiding timing leaks in low-level
code.
Because the compilation is defined compositionally, some auxiliary information (1)
is required: we firstly need to know the label l which is to be attached to the first in-
struction of P . Also, we have to consider the set A of registers which cannot be used
in the compilation of E, since they hold intermediate values that will be needed after
the computation of E is complete. Finally, we need to keep track of how variables are
mapped to registers. This is done via the register record Φ, which requires a slightly
more elaborate explanation.
Register Records In order to allow for efficiently compiled code, expression compi-
lation builds up a record of associations between while variables and RISC registers
in a register record Φ ∈ Reg ⇀ Var . If Φ(r) = x then it means that the current value
of variable x is present in register r. The register record produced by a compilation is
highly nondeterministic, meaning that we do not build any particular register allocation
mechanism into the translation.
The rules (in particular the later rules for commands) involve a number of operations
on register records which we briefly describe here. We ensure that a register record is
always a partial bijection, namely a register is associated to at most one variable and
a variable is associated with at most one register. We write Φ[r ↔ x] to denote the
minimal modification of Φ which results in a partial bijection mapping r to x. Similarly,
Φ[r 6→] denotes the removal of any association to r in Φ. The intersection of records
Φ ⊓ Φ′ is just the subset of the bijections on which Φ and Φ′ agree. Finally, inclusion
between register records, written as Φ ⊑ Φ′, holds if all associations in Φ are also found
in Φ′.
Beside the compiled expression and its security annotation, each rule returns a mod-
ified register record and specifies the actual register where the evaluation of the expres-
sion E is found at the end of the execution of P (5).
Expression Rules
It will be convenient to extend the set of instructions with the empty instruction ǫI .
Some sample rules for computing the types of expressions are presented in Figure 5
(the full presentation can be found in Appendix G).
K
r 6∈ A
Φ,A, l  k →֒ [l : movek r k], 〈level(r), 1〉, r, Φ[r 6→]
V-cached
Φ(r) = x
Φ,A, l  x →֒ [l : ǫI ], 〈level(r), 0〉, r, Φ
Fig. 5. Selected type system rules for while expressions
In rule [K] the
constant k is com-
piled to code which
write the constant
to some register r
via the movek r k
instruction, provid-
ing r is not already
in use (r 6∈ A). As
a result, any previ-
ous association between register r and a variable is lost (Φ[r 6→]). The security level of
the result is simply the level of the register, and the computation time is one.
In rule [V−cached] the variable to be compiled is already associated to a register,
hence no code is produced.
Φ, l︸︷︷︸
(1)
⊢ C →֒ P,
(3)︷ ︸︸ ︷
〈w, t〉, l′, Φ′︸︷︷︸
(2)
Fig. 6. General structure for command typing
rules
Typing Commands The general struc-
ture of a typing rule for commands is pre-
sented in Figure 6. Judgements for com-
mands assume a starting label for the
code to be produced, and an incoming
register record (1). A compilation will re-
sult in a new (outgoing) register record,
and the label of the next instruction following this block (2) (cf. Figures 8, 9 and 10).
The security annotation (3) is similar to that for expressions; w, the write effect, pro-
vides information about the security level of variables, registers, and channels to which
the compiled code writes, and t describes its timing behaviour. However, w and t are
drawn from domains which include possible uncertainty.
The write effect w is described with a label defined in the set {Wr H,Wr L}, with
partial ordering Wr H ⊑ Wr L. The value Wr H is for programs that never write
to registers and memory locations outside of H . The value Wr L is used when write
operations might occur at any security level.
Trm 0 ⊑ · · · ⊑ Trm n ⊑ · · · ⊑ Trm L ⊑ Trm H, n ∈ N
t1 ⊔− t2 =
{
Trm L if t1 ⊑ Trm L and t2 ⊑ Trm L
TrmH otherwise
t1 ⊎ t2 =
{
Trm n1 + n2 if ∀i ∈ {1, 2} ti = Trm ni
t1 ⊔− t2 otherwise
Fig. 7. Termination Partial Ordering
The timing behav-
ior of a command is de-
scribed by an element
of the partial order (and
associated operations)
defined in Figure 7. We
use timing t = Trm n,
for n ∈ N, when ter-
mination of the code is
guaranteed in exactly n
steps (and hence is in-
dependent of any secrets); t = Trm L is used for programs whose timing characteriza-
tion does not depend on secret values, but whose exact timing is either unimportant, or
difficult to calculate statically. When secrets might directly influence the timing behav-
ior of a program, the label TrmH is used.
Command Rules We now introduce some of the actual rules for commands. The con-
catenation of code memories P and P ′ is written P ++ P ′ and is well defined if the
resulting program remains well-formed. It will be convenient to extend the set of la-
bels Lab with a special empty label ǫlab such that ǫlab : B simply denotes B. Also,
we consider that the empty instruction ǫI is such that if P = [B, I1, . . . , In] we define
[l : ǫI ] ++ P as [l : B, I1, I2, . . . , In].
:=
Φ, {}, l  E →֒ P, 〈level(x), n〉, r, Φ′ Φ′′ = Φ′[r ↔ x]
Φ, l ⊢ x := E →֒ {P ++ [store v2p(x) r]}, tp, ǫlab, Φ
′′
where tp =
{
〈Wr H,Trm n+ 1〉 if level(x) = H
〈Wr L,Trm L〉 otherwise.
Fig. 8. Type system rule for assignment
The rule [:=] in
Figure 8 requires
that the security
level of expression
E matches the level
of the variable x
(〈level(x), n〉). If this
is possible, the com-
pilation is completed
by storing the value
of r into the pointer corresponding to x via the instruction store v2p(x) r (assuming
there exists an injective function v2p ∈ Var → W which maps while variables to
memory locations), and the register record is updated by associating r and x (Φ′[r ↔
x]). The resulting security annotation depends on the level of x: when level(x) = H the
security annotation is 〈WrH,Trm n+1〉, otherwise it is 〈Wr L,Trm L〉. Rules for skip
and out can be found in Appendix H.
The rule [if − any] in Figure 9 builds the translation of the if statement by joining
together several RISC fragments. The basic idea of this rule is that it follows Den-
ning’s classic condition for certifying information flow security [11]: if the conditional
involves high data then the branches of the conditional cannot write to anything except
high variables. This is obtained by imposing the side condition wi ⊑ write(λ), where
wi is the write-effect of the respective branches, and write is a function mapping the se-
if-any
Φ, {}, l  E →֒ P0, 〈λ, n0〉, r, Φ1 ∀i ∈ {1, 2} Φ1, ǫlab ⊢ Ci →֒ Pi, 〈wi, ti〉, li, Φi+1
wi ⊑ write(λ) br , ex fresh
Φ, l ⊢
if E
then C1
else C2
→֒


P0 ++ [jz br r]++
P1 ++ [l1 : jmp ex]++
br : P2 ++ [l2 : nop]

 ,
〈
write(λ)
term(λ) ⊔− t1 ⊔− t2
〉
, ex, Φ2 ⊓ Φ3
if-H
Φ, {}, l  E →֒ P0, 〈H,n0〉, r, Φ1
∀i ∈ {1, 2} Φ1, ǫlab ⊢ Ci →֒ Pi, 〈WrH,Trm ni〉, li, Φi+1
m = n0 +max(n1, n2) + 2 br , ex fresh
Φ, l ⊢
if E
then C1
else C2
→֒


P0 ++ [jz br r]
++P1 ++ l1 : nop
n2−n1 ++ [jmp ex]
++P2 ++ l2 : nop
n1−n2 ++ [nop]

 ,
〈
WrH
Trmm
〉
, ex, Φ2 ⊓ Φ3
Fig. 9. Type rules for if
curity level of the guard into its corresponding write-effect (such that write(H) = WrH
and write(L) = Wr L). In this rule, in contrast to the [if −H] rule for the conditional,
the timing properties of the two branches may be different, so we do not attempt to re-
turn an accurate timing. Hence, the use of the operator⊔− which just records whether the
timing depends on only low data, or possibly any data (notice that the security level of
the guard is mapped into its corresponding timing label by the function term, such that
term(L) = Trm L and term(H) = Trm H). The compilation of the conditional code
into RISC is fairly straightforward: compute the expression (P0) into register r, jump
to else-branch (P2) if r is zero, otherwise fall through to “then” branch (P1) and then
jump out of the block. The resulting register record of the whole command compilation
is the common part of the register records resulting from the respective branches.
The rule [if−H] (Figure 9) allows the system to be more permissive. It deals with a
conditional expression which computes purely with high data – a so-called high condi-
tional. This rule, when applicable, compiles the high conditional in a way that guaran-
tees that its timing behaviour is independent of the high data. This is important since it
is the only way that we can permit a computation to securely write to low variables after
a high conditional. This is related to timing-sensitive information-flow typing rules for
high conditionals by Smith [12]. The basic strategy is to compute the timing of each
branch (n1 and n2 respectively) and pad the respective branches in the compiled code
with sequences of nop instructions so that they become equally long, where nopm is a
sequence of m consecutive nop instructions when m > 0, and is ǫI otherwise.
The rule [; ] for sequential composition (Figure 10) is largely standard: the label and
register records are passed sequentially from inputs to outputs, and the security types are
combined in the obvious way. The only twist, the side condition, encodes the key idea
in the type system of Smith [12]. If the computation of the first command has timing
behaviour which might depend on high data (t1 = Trm H), then the second command
cannot be allowed to write to low data (w2 = Wr H), as this would otherwise reveal
information about the high data through timing of low events.
seq
Φ, l ⊢ C1 →֒ P1, 〈w1, t1〉, l1, Φ1 Φ1, l1 ⊢ C2 →֒ P2, 〈w2, t2〉, l2, Φ2
t1 = TrmH ⇒ w2 = WrH
Φ, l ⊢ C1;C2 →֒
{
P1 ++ P2
}
, 〈w1 ⊔ w2, t1 ⊎ t2〉, l2, Φ2
while
λ = level(x) = level(r) t = TrmH ⇒ write(λ) = Wr H w ⊑ write(λ)
ΦB ⊑ Φ[r ↔ x] ΦB ⊑ ΦE[r ↔ x] lp, ex fresh
ΦB, ǫlab ⊢ C →֒ P, 〈w, t〉, l
′, ΦE Pi = [load r v2p(x), store v2p(x) r]
Φ, l ⊢ while x do C →֒
{
l : Pi ++ [lp : jz ex r] ++ P ++
l′ : Pi ++ [jmp lp]
}
,
〈
write(λ)
term(λ) ⊔− t
〉
, ex, ΦB
Fig. 10. Type rules for sequential composition (;) and while
The compilation of thewhile command (Figure 10) is quite involved for two reasons.
Firstly, as one would expect in a typing rule for a looping construct, there are technical
conditions relating the register record at the beginning of the loop, and the register
record on exit. This is because we need a single description of the exit register record
ΦB which approximates both the register record at the start of the loop body (Φ[r ↔ x])
and the register record after computing the loop body and putting x back into register r
(ΦE [r ↔ x]). Secondly, for technical reasons relating purely to the proof of correctness
(security), the code is (i) a little less compact that one would expect to write due to an
unnecessarily repeated subexpression, and (ii) contains a redundant instruction store x r
immediately after having loaded x into r. The lack of compactness is due to the fact that
the proof goes via an intermediate language that cannot represent the ideal version of
the code. The redundant instruction establishes a particular invariant that is needed in
the proof: not only is x in register r, but it arrived there as the result of writing r into x.
The security concerns are taken care of by ensuring that the security level of the whole
loop is consistent with the levels of the branch variable x and the branch register r,
and that if the timing of the body might depend on high data, then the level of the loop
variable (and hence the whole expression) must be H .
All the rules introduced in this section are used in Appendix J to compile a simple
while program that computes a hash function.
3.3 Soundness
We open this section by instantiating the definition of strong security for RISC pro-
grams, which requires to view the RISC machine as an instance of a fault-prone system
(Definition 1). For this we consider the set of locationsLoc of the RISC fault-prone sys-
tem to be the names of the individual bits comprising the registers and memories. So,
for example, a general purpose register r corresponds to some set of locations r0, . . . r31
(for a word-size of 32). With this correspondence, the set of states of the RISC system
are isomophic to the set of functions Loc → {0, 1}. As mentioned earlier, the fault-
prone locations F are those which correspond to the general purpose registers and the
data memory.
For the definition of security we must additionally partition the locations into the
programProgLoc, the low locations LowLoc, and the high locations HighLoc: ProgLoc
comprises the locations of the code and the program counter register, LowLoc the loca-
tions of the low variables and registers, and HighLoc the locations of the high variables
and registers.
Since assembly programs are run starting at their first instruction, the following
slightly specialised version of strong security is appropriate:
Definition 8 (Strong Security for RISC programs). We say that an assembly program
P is strongly secure if (P, 0) is strongly secure according to Definition 7 instantiated
on the fault-prone system A = {Loc, {ch!k|ch ∈ {low , high} and k ∈W} ∪ {τ},−→}.
The type system defined in Section 3.2 guarantees that any type-correctwhile pro-
gram is compiled into a strongly secure RISC program. This is formalized as follows.
Theorem 3 (Strong security enforcement). Let C be a while program, and suppose
{}, ǫlab ⊢ C →֒ P, 〈w, t〉, l, Φ. Then P is strongly secure.
Proof. See Section I.
According to Theorem 3, we can obtain strongly secure RISC programs from type-
correct while programs. Theorem 2 (Section 2.3) states that strong security is a suffi-
cient condition to guarantee PoNI. The two results together express a strategy to trans-
late while programs into RISC programs that enjoy PoNI. We state this formally by
instantiating the definition of PoNI for RISC programs.
Definition 9 (PoNI for RISC programs). We say that an assembly program P enjoys
PoNI if (P, 0) is PoNI according to Definition 6 instantiated on the fault-prone system
A = {Loc, {ch!k|ch ∈ {low , high} and k ∈W} ∪ {τ},−→}.
Corollary 1 (PoNI enforcement on RISC programs). Let C be a while program,
and suppose {}, ǫlab ⊢ C →֒ P, 〈w, t〉, l, Φ. Then P is PoNI.
Proof. Direct application of Theorem 3 and Theorem 2.
4 Related Work
Fault Tolerant Non-Interference The only previous work of which we are aware that
aims to prevent transient faults from violating noninterference is by Del Tedesco et
al. [8]. The enforcement approach of that paper is radically different from the approach
studied here, and the two approaches are largely complimentary. Here we highlight the
differences and tradeoffs:
r Targeting a similar RISC machine, the implementation mechanism of [8] is a com-
bination of software fault isolation [13] and a black-box non-interference tech-
nique called secure multi-execution [14]. This can be applied to any program, but
only preserves the behaviour of noninterfering memory-safe programs. Verifying
that a program is memory-safe would have to be done separately, but could be
achieved by compiling correctly from a memory-safe language.
r In [8], fault-tolerance is assumed for the code memory but not in the program
counter register. The cost of this is that the method described in that paper can
only tolerate up to a statically chosen number of faults, whereas in the present
work we can tolerate any number.
r The security property enforced by the method described in [8] is a restriction
of PoNI to runs with a limited number of faults. However, the work does not
justify this definition with respect to the more standard notion of probabilistic
noninterference. The limitation in the number of faults, together with our result,
shows that the established security property is strictly weaker than PNI.
Strong Security for Fault Tolerance This paper is not the first to realise that Sabelfeld
and Sands’s strong security [7] implies security in the presence of faults. Mantel and
Sabelfeld [15] used strong security in a state-based encoding of channel-based com-
munication. They observed that strong security is not affected by faults occurring in
message transmission. Another way to think of this is that strong security of individ-
ual threads implies strong security of their composition; a faulty environment is itself a
strongly secure thread, simply because it has no ability to read directly from secrets in
the state.
Related Type Systems The type-directed compilation presented here combines sev-
eral features which are inspired by existing non-interference type systems for sequen-
tial and concurrent programming languages. Our security notion is timing sensitive and
has some similarities with Agat’s [10] type-directed source-to-source transformation
method that maps a source program into an equivalent target program where timing
leaks are eliminated by padding. Similar ideas were shown to apply to a type system for
strong security [7]. Our padding mechanism is different from Agat’s, since it is based
on counting the number of computation steps in the branches of a high conditional ex-
pressions, and our system is more liberal, since it allows e.g. loops with a secret guard.
These distinguishing features are both present in Smith’s type system for a concurrent
language [12] (see also [16]).
Non-interference for Low-level Programming Languages Medel et al. [17] pro-
pose a type system for a RISC-like assembly language capable to enforce (termination
and time insensitive) non-interference. Enforcing the same security condition, Barthe et
al. [18] introduce a stack-based assembly language equipped with a type system. Subse-
quent work [19] shows a compilation strategy which enforces non-interference across
all the intermediate steps until reaching a JVM-like language. Bartuti et al. [20] use
a different notion for confidentiality, called σ-security, which is enforced by abstract
interpretation.
Dependability The need for a stronger connection between security and dependability
has been stated in many works (e.g. [21,22]). Interestingly, it can be observed that many
solutions for dependability are based on information-flow security concepts. In [23],
well-known concepts from the information-flow literature are introduced as building
blocks to achieve dependability goals. In [24], non-interference-like definitions are used
to express fault tolerance in terms of program semantics. On the other hand, one could
argue that the security domain has been influenced by dependability principles as well.
For instance, our enforcement is sound only if fault-tolerant hardware components are
deployed for the code memory and the program counter.
Language-Based Techniques for Fault-tolerance The style of our work – in terms of
the style of formalisation, the use of programming language techniques, and the level of
semantic precision in the stated goals – is in the spirit of Perry et al’s fault-tolerant typed
assembly language [5]. Because we need to reason about security and not conventional
fault tolerance, our semantic model of faults is necessarily much more involved than
theirs, which is purely deterministic.
Security and Transient Faults We have not been the first ones to consider the impli-
cations of transient faults for security – Bar-El et al. [25] survey a variety of methods
that can be used to induce transient faults on circuits that manipulate sensitive data. Xu
et al. [26] study the effect of a single bit flip that strikes the opcode of x86 control flow
instructions; their work states the non-modifiability of the source code, which is a cru-
cial assumption in our framework. Bao et al. [27] illustrate several transient-fault based
attacks on crypto-schemes. Their protection mechanisms either involve some form of
replication or a more intensive usage of randomness (to increase the unpredictability of
the result). In a similar scenario, Ciet et al. [28] show how the parameters of an elliptic
curve crypto-system can be compromised by transient faults, and illustrate how a com-
parison mechanism is sufficient to prevent the attack from being successful. Canetti et
al. [29] discuss security in the presence of transient faults for cryptographic protocol
implementations where they focus on how random number generation is used in the
code.
Our approach relies on fault-tolerant support for the program counter. While it
seems a bit restrictive, there are fault-tolerant solutions for registers (e.g. [30,31]).
5 Limitations
The hardware model discussed here is similar to those introduced in [5,8] and, in
common with many informal models of faults, has similar shortcomings: faults occur-
ring at lower levels e.g. in combinatorial circuits, are not modelled. It has been argued
[32] that these non-memory elements of a processor have much lower sensitivity to
faults than state elements, but in our attacker model this does not say so much.
For timing channels discussed in Section 3.2 we make a large simplifying assump-
tion: that the time to compute an instruction is constant. This ignores cache effects, so
either implies a greatly simplified achitecture, or a need for further refinements to the
method to ensure that cache effects are mitigated by preloading or using techniques
from [10].
The language we are able to compile is too small to be practical, containing neither
functions nor arrays. The type system can perhaps be extended to handle such features,
based on our understanding of other security type systems, and with the help of some
additional fault-tolerant components (an extra fault-tolerant register should be sufficient
to guarantee SS in the presence of dynamic pointers). However, the main challenge
was in the non-trivial correctness proof (Appendix I). Clearly, mechanically verifiable
proofs will facilitate extending our system to other features as well as verifying our
confidence in the formal results.
6 Conclusion
We formalize security in presence of transient faults as Probabilistic Fault-Tolerant
Non-Interference (PNI). We simplify it by reducing it to possibilistic framework (PoNI),
and we show that another well-known security condition, called Strong Security [7],
implies it. We explore a concrete instance of our formalism. We consider a simple RISC
architecture, in which the only fault-tolerant components are the program counter and
the code memory. We define a type system that maps programs written in a toy while-
language to the assembly language executed by our architecture and, at the same time,
ensures that the produced code enjoys Strong Security (hence PNI).
References
1. E. Normand, “Single event upset at ground level,” Nuclear Science, IEEE Transactions on,
vol. 43, no. 6, pp. 2742–2750, Dec 1996.
2. J. Blo¨mer and J.-P. Seifert, “Fault based cryptanalysis of the advanced encryption standard
(aes),” in Financial Cryptography, ser. Lecture Notes in Computer Science, R. Wright, Ed.
Springer Berlin Heidelberg, 2003, vol. 2742, pp. 162–181.
3. A. Pellegrini, V. Bertacco, and T. Austin, “Fault-based attack of rsa authentication,” in De-
sign, Automation Test in Europe Conference Exhibition (DATE), 2010, 2010, pp. 855–860.
4. S. Govindavajhala and A. W. Appel, “Using memory errors to attack a virtual machine,” ser.
Security and Privacy. Washington, DC, USA: IEEE Computer Society, 2003.
5. F. Perry, L. Mackey, G. A. Reis, J. Ligatti, D. I. August, and D. Walker, “Fault-tolerant typed
assembly language,” in Proceedings of the 2007 ACM SIGPLAN conference on Programming
language design and implementation, ser. PLDI ’07. New York, NY, USA: ACM, 2007,
pp. 42–53.
6. S. P. Skorobogatov and R. J. Anderson, “Optical fault induction attacks,” in Revised Papers
from the 4th International Workshop on Cryptographic Hardware and Embedded Systems,
ser. CHES ’02. Springer-Verlag, 2003, pp. 2–12.
7. A. Sabelfeld and D. Sands, “Probabilistic noninterference for multi-threaded programs,” in
Proceedings of the 13th IEEE workshop on Computer Security Foundations, ser. CSFW ’00.
Washington, DC, USA: IEEE Computer Society, 2000, pp. 200–.
8. F. Del Tedesco, A. Russo, and D. Sands, “Fault tolerant non-interference,” in Proceeding
of the International Symposium on Engineering Secure Software and Systems, ser. LNCS,
2014.
9. I. Gray, J.W., “Toward a mathematical foundation for information flow security,” in Research
in Security and Privacy, 1991. Proceedings., 1991 IEEE Computer Society Symposium on,
1991, pp. 21–34.
10. J. Agat, “Transforming out timing leaks,” in Proc. ACM Symp. on Principles of Programming
Languages, Jan. 2000, pp. 40–53.
11. D. E. Denning and P. J. Denning, “Certification of programs for secure information flow,”
vol. 20, no. 7, pp. 504–513, Jul. 1977.
12. G. Smith, “A new type system for secure information flow,” in Proc. IEEE Computer Sec.
Foundations Workshop, Jun. 2001.
13. R. Wahbe, S. Lucco, T. E. Anderson, and S. L. Graham, “Efficient software-based fault iso-
lation,” in Proceedings of the fourteenth ACM symposium on Operating systems principles,
ser. SOSP ’93. New York, NY, USA: ACM, 1993, pp. 203–216.
14. D. Devriese and F. Piessens, “Noninterference through secure multi-execution,” in Proc. of
the 2010 IEEE Symposium on Security and Privacy, ser. SP ’10. IEEE Computer Society,
2010.
15. A. Sabelfeld and H. Mantel, “Static confidentiality enforcement for distributed programs,”
in Static Analysis, ser. Lecture Notes in Computer Science, M. Hermenegildo and G. Puebla,
Eds. Springer Berlin Heidelberg, 2002, vol. 2477, pp. 376–394.
16. G. Boudol and I. Castellani, “Non-interference for concurrent programs and thread systems,”
Theoretical Computer Science, vol. 281, no. 1, Jun. 2002.
17. R. Medel, A. Compagnoni, and E. Bonelli, “A typed assembly language for non-
interference,” in Theoretical Computer Science, ser. Lecture Notes in Computer Science,
M. Coppo, E. Lodi, and G. Pinna, Eds. Springer Berlin Heidelberg, 2005, vol. 3701, pp.
360–374.
18. G. Barthe, A. Basu, and T. Rezk, “Security types preserving compilation,” in Verifica-
tion, Model Checking, and Abstract Interpretation, ser. Lecture Notes in Computer Science,
B. Steffen and G. Levi, Eds. Springer Berlin Heidelberg, 2004, vol. 2937, pp. 2–15.
19. G. Barthe, D. Pichardie, and T. Rezk, “A certified lightweight non-interference java bytecode
verifier,” in Proceedings of the 16th European Conference on Programming, ser. ESOP’07.
Berlin, Heidelberg: Springer-Verlag, 2007, pp. 125–140.
20. R. Barbuti, C. Bernardeschi, and N. De Francesco, “Checking security of java bytecode by
abstract interpretation,” in Proceedings of the 2002 ACM Symposium on Applied Computing,
ser. SAC ’02. New York, NY, USA: ACM, 2002, pp. 229–236.
21. E. Jonsson, “Towards an integrated conceptual model of security and dependability,” in Avail-
ability, Reliability and Security, 2006. ARES 2006. The First International Conference on,
2006, pp. 8 pp.–.
22. D. Nicol, W. Sanders, and K. Trivedi, “Model-based evaluation: from dependability to se-
curity,” Dependable and Secure Computing, IEEE Transactions on, vol. 1, no. 1, pp. 48–65,
2004.
23. J. Rushby, “Partitioning for safety and security: Requirements, mechanisms, and assurance,”
NASA Langley Research Center, NASA Contractor Report CR-1999-209347, Jun. 1999,
also to be issued by the FAA.
24. D. G. Weber, “Formal specification of fault-tolerance and its relation to computer security,”
in Proceedings of the 5th international workshop on Software specification and design, ser.
IWSSD ’89. New York, NY, USA: ACM, 1989, pp. 273–277.
25. H. Bar-El, H. Choukri, D. Naccache, M. Tunstall, and C. Whelan, “The sorcerer’s apprentice
guide to fault attacks,” Proceedings of the IEEE, vol. 94, no. 2, pp. 370–382, 2006.
26. J. Xu, S. Chen, Z. Kalbarczyk, and R. Iyer, “An experimental study of security vulnerabilities
caused by errors,” in Dependable Systems and Networks, 2001. DSN 2001. International
Conference on, 2001, pp. 421–430.
27. F. Bao, R. Deng, Y. Han, A. Jeng, A. Narasimhalu, and T. Ngair, “Breaking public key
cryptosystems on tamper resistant devices in the presence of transient faults,” in Security
Protocols, ser. Lecture Notes in Computer Science, B. Christianson, B. Crispo, M. Lomas,
and M. Roe, Eds. Springer Berlin Heidelberg, 1998, vol. 1361, pp. 115–124.
28. M. Ciet and M. Joye, “Elliptic curve cryptosystems in the presence of permanent and tran-
sient faults,” Des. Codes Cryptography, vol. 36, no. 1, pp. 33–43, Jul. 2005.
29. R. Canetti and A. Herzberg, “Maintaining security in the presence of transient faults,” in
Proceedings of the 14th Annual International Cryptology Conference on Advances in Cryp-
tology, ser. CRYPTO ’94. London, UK: Springer-Verlag, 1994.
30. R. Oliveira, A. Jagirdar, and T. Chakraborty, “A tmr scheme for seu mitigation in scan flip-
flops,” in Quality Electronic Design, 2007. ISQED ’07. 8th International Symposium on,
March 2007, pp. 905–910.
31. T. Maruyama, T. Yoshida, R. Kan, I. Yamazaki, S. Yamamura, N. Takahashi, M. Hondou, and
H. Okano, “Sparc64 viiifx: A new-generation octocore processor for petascale computing,”
Micro, IEEE, vol. 30, no. 2, pp. 30–40, March 2010.
32. N. J. Wang, J. Quek, T. M. Rafacz, and S. J. Patel, “Characterizing the effects of transient
faults on a high-performance processor pipeline,” in International Conference on Depend-
able Systems and Networks (DSN 2004), 2004.
33. S. Brookes, “Full abstraction for a shared-variable parallel language,” Information and Com-
putation, vol. 127, no. 2, pp. 145 – 163, 1996.
To avoid unintentional printing of the lengthy appendices of this submission, they
have been removed from this version. The paper plus appendices can be obtained from
arxiv.org.
A Full Definition of Fault-prone Systems with Environments
We formally account the composition of a Fault-prone System together with an error
environment as follows.
Definition 10 (Fault-prone System with an Environment). Consier a fault-prone
system Sys = {S,Act ,−→}, and an environment Env = (Err ,Fault) where Err =
〈E ,LAct ∪ {τ},❀〉. The composition of Sys and Env , defined as Sys × Env =
〈S × E , (Act , [0, 1]),−→〉 where S is the set of all possible states for Sys , defines a
labelled transition system whose states are pairs of the system state and the environ-
ment state, and with transitions labelled with an action a and a probability p, written
a
−→p. Transitions are determined according to the following rules:
Step
∃lS
l
−→ S′ π = {L | L ∈ ℘(F ) and flip(L, S) a−→ S′}
p = ΣL∈piFault(E)(L) E
low(a)
❀ E′
〈 S, E 〉
a
−→p 〈 S
′, E′ 〉
Stuck-1
∃lS
l
−→ S′ L ∈ ℘(F ) flip(L, S) 6→ p = Fault(E)(L) E
τ
❀ E′
〈 S, E 〉
τ
−→p 〈 flip(L, S), E
′ 〉
Stuck-2
S 6−→ E
τ
❀ E′
〈 S, E 〉
τ
−→1 〈 S, E
′ 〉
In rule [Step] some locations in the fault-prone component of the system are flipped,
then the execution can take place. In general, there might be several subsets of L ⊆ F
such that flip(L, S) results in a state that (i) performs the same action a and (ii) per-
forms a transition to the final state S′. For this reason the probability associated to the
rule corresponds to the sum of all probabilities associated to locations in the set π.
We assume that a stuck configuration cannot be resumed. In rule [Stuck− 1] a flip
on given subset of locations produces a stuck configuration with a certain probability.
In rule [Stuck − 2] a stuck configuration remains as such regardless of any possible
flip of the faulty component.
B Proof of Proposition 1
In order to prove Proposition 1, we prove an auxiliary result which ensures that our
assignment of probability to n-sized runs is a probability distribution.
Proposition 2. Let Sys be a fault-prone system and Env an environment. Then ∀Z ∈
Sys × Env and ∀n ≥ 0 Σr∈runn(Z)Pr(r) = 1.
Proof. We prove the statement by induction on n.
Base case
When n = 0, the set run0(Z) contains only one element, the empty run, and its
probability is 1.
Inductive step
Consider n > 0.
Any run r ∈ runn(Z) can be written as r = Z
a0→p0 Z1 . . . Zn−1
an−1
→ pn−1 Zn =
(Z
a0→p0 Z1 . . . Zn−1).(Zn−1
an−1
→ pn−1 Zn), where r′ = Z
a0→p0 Z1 . . . Zn−1 is a
prefix of r in runn−1(Z) with probability Pr(r′) = pr′ .
Consider the set Rr′ ⊆ runn(Z) of all n-sized runs from Z that has r′ as pre-
fix. Since for all subsets in ℘(F ) there is a transition rule in Sys × Env , we have
Σr∈run1(Zn−1)Pr(r) = 1. Hence we have that Σr∈Rr′Pr(r) = pr′ and we can conclude
that Σr∈runn(Z)Pr(r) = Σr′∈runn−1(Z)Σr∈Rr′PrZ(r) = Σr′∈runn−1(Z)pr′ = 1, where
the last result holds by inductive hypothesis.
Proof (Proof of Proposition 1). Recall that for any trace t ∈ (LAct ∪ {τ})n, PrZ(t) =
Σ{r∈runn(Z)|trace(r)=t}Pr(r). Since for any run r there is a trace t ∈ (LAct∪{τ})n such
that trace(r) = t, we have as a result thatΣt∈(LAct∪{τ})nPrZ(t) = Σr∈runn(Z)Pr(r) =
1, where the last equality holds because of Proposition 2.
C Full definitions of Augmented Fault-prone and Termination Trans-
parent Systems
An augmented fault-prone system is formally described as follows.
Definition 11 (Augmented Fault-prone System). Given a fault-prone system Sys =
{Loc,Act ,−→} we define the augmented system Sys+ as Sys+ = {Loc,Act×℘(F ),
} by the following rules:
∃lS
l
−→ S′ flip(S,L)
a
−→ S′ L ⊆ F
S
L,a
S′
∃lS
l
−→ S′ flip(S,L) 6−→ L ⊆ F
S
L,τ
flip(S,L)
S 6−→ L ⊆ F
S
L,τ
S
A termination transparent system is formalized as follows.
Definition 12 (Termination Transparent System). For a fault-prone system Sys =
{Loc,Act ,−→}we define its termination-transparent version as Sys∞ = {Loc,Act ,−→∞
} where −→∞ is defined with the following rules:
S
a
−→ S′
S
a
−→∞ S
′
S 6−→
S
τ
−→∞ S
D Proof of Theorem 1
Before proving the theorem in question, we need to define some auxiliary concepts.
Definition 13 (Enabling set). Let Z = 〈 S, E 〉 and Z ′ = 〈 S′, E′ 〉 be a pair of states
in Sys × Env such that Z a−→p Z ′. We say that L is an enabling set (of locations) for
Z
a
−→p Z
′ in the following cases:
– the transition is derived from rule [Step] and L ∈ π;
– the transition is derived from rule [Stuck−1] and L is the argument in flip(S,L);
– the transition is derived from rule [Stuck − 2].
Definition 14 (Enabling sequence). Let r be a run for 〈 S0, E0 〉 in Sys × Env such
that 〈 S0, E0 〉
a0−→p0 〈 S1, E1 〉 . . .
an−1
−−−→pn−1 〈 Sn, En 〉. The sequence L =
L0 . . . Ln−1 such that ∀0 ≤ i ≤ n − 1 Li is an enabling set for 〈 Si, Ei 〉 ai−→pi
〈 Si+1, Ei+1 〉 is called an enabling sequence for r. We define the probability of L as
Prr(L) = Π0≤i≤n−1Fault(Ei)(Li). We define the set of all enabling sequences for r
as φ(r).
We also need the following intermediate result.
Lemma 1. Let r be a run forZ in Sys×Env . Then we have thatPr(r) = ΣL∈φ(r)PrZ(L).
We can now prove Theorem 1.
Proof (Proof of Theorem 1). Suppose P enjoys PoNI, we now show it enjoys PNI as
well.
Consider a faulty system Sys , an error environment Env = (Err ,Fault) and two
states Z = 〈 S, E 〉 and Z ′ = 〈 S′, E 〉, for S, S′ ∈ Sys and E ∈ Err . Assume
S
∣∣
ProgLoc
= S′
∣∣
ProgLoc
= P and S =L S′.
We first show that for any n ≥ 0 and for any trace t ∈ (LAct ∪ {τ})n, PrZ(t) ≤
PrZ′(t), and hence by symmetry that PrZ(t) = PrZ′(t).
We prove the inequality by relating the probability of a trace to the probability deter-
mined by the enabling sequences that corresponds to it.
Consider a trace t such that PrZ(t) > 0. Let ρZ(t) = {r ∈ run(Z)|trace(r) = t} be
the (nonempty) set of runs from Z whose trace is t.
We have PrZ(t) = Σr∈ρZ(t)Pr(r) = Σr∈ρZ(t)ΣL∈φ(r)PrZ(L), where the first equality
holds by definition and the second one follows from Lemma 1.
We now show that all enabling sequences for Z are also enabling sequences for Z ′.
Let κZ = ∪r∈ρZ(t)φ(r) be the set of all enabling sequences for t in Z and let L be an
enabling sequence for a run r ∈ run(Z). Since P is PoNI, there must be a run r′ from
Z ′ such that L is an enabling sequence for r′, and trace(r′) = t. Hence, for the set
κZ′ = ∪r′∈ρZ′ (t)φ(r
′) we have that κZ ⊆ κZ′ .
Also, observes that for any L ∈ κZ . PrZ(L) = PrZ′(L), since trace(u) = trace(u′).
Then PrZ(t) = ΣL∈κZPrZ(L) ≤ ΣL∈κZ′PrZ′(L) = PrZ′(t).
We continue by showing that PNI implies PoNI by proving the contrapositive. Suppose
that P is not PoNI. Then there must a fault-prone system Sys , two states S, S′ such that
S
∣∣
ProgLoc
= S′
∣∣
ProgLoc
= P and S =L S′, together with a location set λ ∈ ℘(F ),
a trace t = L0, a0, . . . , Lj, aj and a, b ∈ LAct ∪ {τ} such that a 6= b, S
t,λ,a
and
S′
t,λ,b
.
Define an error environment Env = (Err ,Fault) such that Err = 〈{Li|Li ∈ t} ∪
{λ},LAct ∪ {τ}, {Li
a
❀ Li+1|0 ≤ i ≤ j − 1 and a ∈ LAct ∪ {τ}} ∪ {Lj
a
❀ λ|a ∈
LAct ∪ {τ}}〉 and Fault(λ)(λ) = Fault(L)(L) = 1. Essentially, Env deterministically
traverses all flipped locations included in t, and terminates in λ, regardless of the ac-
tions performed by the fault-prone system.
Consider now the composition of Sys with Env and let Z = 〈 S, L0 〉 and Z ′ =
〈 S′, L0 〉. Let t′ = a0. . . . .aj .a be a trace in (LAct ∪ {τ})∗ obtained from t by (i)
striping flipped locations and (ii) appending the action a at the end. Then there exists a
unique run r ∈ run(Z) such that trace(r) = t′ and Pr(r) = PrZ(t′) = 1 6= PrZ′(t′) =
0. The inequality between PrZ(t′) and PrZ′(t′) follows from the hypothesis of P not
being PoNI, which implies that there is no r′ ∈ run(Z ′) such that trace(r′) = t′.
E Proof of Theorem 2
Rather than showing that Strong Security implies PoNI directly, we take an indirect
approach.
First we characterize the semantics of a termination-transparent system in terms
of “transition traces”, borrowing ideas from [33]. Then we define an ad-hoc security
property, called Strong Trace-based Security within this semantic model. We finally
show that Strong Security implies Strong Trace-based Security, which in turn implies
PoNI.
For improving readability we represent S
∣∣
LowLoc∪HighLoc
as M , the data compo-
nent, therefore the state of a fault-prone system is represented as (P,M). We adapt the
concept of low equality between states to data components by saying that M =L M ′ if
M
∣∣
LowLoc
=M ′
∣∣
LowLoc
.
Definition 15 (Transition trace semantics). Let Sys be a fault-prone system and let
Sys∞ = {Loc,Act ,−→∞} be its termination-transparent version. The n-step transition-
trace semantic of a program component P0 is defined as the set Tn(P0), such that
Tn(P0) = {(M0, a0,M
′
0), (M1, a1,M
′
1) . . . (Mn−1, an−1,M
′
n−1)| ∀0 ≤ i ≤ n −
1(Pi,Mi)
ai−→∞ (Pi+1,M
′
i)}. The transition trace semantics ofP0 is defined as T (P0) =
∪nTn(P0).
In the transition trace model, the semantics of a program component P is built in
sequences of steps. In particular, at any step, the program component is executed on
a certain data component, then the data component is modified and the execution is
restarted. Observe that the model is very similar to the way a fault-prone system and
an error environment interact with each other. This is even more clear when viewing
the modification of the data component as the effect of its interaction with the error
environment.
We say that two transition traces
t = (M0, a0,M
′
0), (M1, a1,M
′
1) . . . (Mn−1, an−1,M
′
n−1)
t′ = (N0, b0, N
′
0), (N1, b1, N
′
1) . . . (Nn−1, bn−1, N
′
n−1)
are input low-equivalent, written t =I t′, if ∀0 ≤ i < n, Mi =L Ni, whereas they
are output low-equivalent, written t =O t′ if ∀0 ≤ i < n, low (ai) = low (bi) and
M ′i =L N
′
i .
Definition 16 (Strong Trace-based Security (StbS)). We say that a program compo-
nent P is n-Strong Trace-based Secure if for any two transition traces t, t′ ∈ Tn(P ), if
t =I t
′ then t =O t′. We say that a program componentP is Strong Trace-based Secure
if it is n-Strong Trace-based Secure for any n ∈ N.
We now show how to use the notion of Strong Trace-based Security to bridge the
gap between Strong Security and PoNI. We show that Strong Security implies Strong
Trace-based Security first.
Lemma 2 (SS implies StbS). Let P be a program component. If P enjoys SS then P
enjoys StbS.
Proof. We define some notation first. We refer to the i-th triple in a transition trace
t as ti, and to the program component used to evaluate it as Pti (for a trace t =
(M0, a0,M
′
0), (M1, a1,M
′
1) . . . (Mn−1, an−1,M
′
n−1) we therefore say that the i-th triple
(Mi, ai,M
′
i) is induced by (Pti ,Mi)
ai−→∞ (Pti+1 ,M
′
i)).
Consider a program component P and two n-transition traces
t = (M0, a0,M
′
0), (M1, a1,M
′
1) . . . (Mn−1, an−1,M
′
n−1)
and
t′ = (N0, b0, N
′
0), (N1, b1, N
′
1) . . . (Nn−1, bn−1, N
′
n−1)
in Tn(P ).
We want to show that if P enjoys SS and t =I t′, then t =O t′.
Starting from a strong bisimulation R for (P, P ), the idea of the proof is to infer
properties of t′ by unwinding R for n-steps. We proceed by showing that for all 0 ≤
i < n we have that (Pti , Pt′i) ∈ R. For i = 0 Pt0 = Pt′0 = P and (P, P ) ∈ R. If
(Pti , Pt′i) ∈ R, then by definition of R we have that if (Pti ,Mi)
ai−→∞ (Pti+1 ,M
′
i) and
Mi =L Ni then (Pt′
i
, Ni)
ti−→∞ (Pt′
i+1
, N ′i) and (Pti+1 , Pt′i+1) ∈ R. But this is the case
for t and t′, since t =I t′.
The statement of the lemma is therefore proved by recalling that two program com-
ponents P and P ′ in a strong bisimulation R are such that their executions from low
equivalent data result in (i) low equivalent data and (ii) low equivalent actions.
We now discuss the relation between Strong Trace-based Security and PoNI. In
general it is not true that Strong Trace-based Security is stronger than PoNI. Consider,
for example, the class of systems such that ProgLoc 6⊆ T . Due to transient faults, a
completely innocuous program component can be converted into a harmful one, even
when it enjoys Strong Trace-based Security.
Surprisingly, this is not the only constraint that we must impose to the systems of
our interest. We must also require that they show a uniform behavior for termination, as
shown in the following example.
Example 2. Consider the fault-prone system in Figure 11. For each state S = {bi →
{0, 1}|i ∈ {0, 1, 2}} we consider ProgLoc = {b0}, HighLoc = {b1} and LowLoc =
{b2}. We also assume that the states where P is 1 are stuck and therefore are omitted.
S0 = 000 S2 = 010
S1 = 001 S3 = 011
τ
aa
Fig. 11. StbS does not imply PoNI in general
The system is Strongly Trace-based Secure: all states are either stuck or perform a
transition on themselves, therefore low equivalence is preserved. The only difference
in the output behavior is observable between S0 and S2: the former is stuck, the lat-
ter perform a τ transition. Nonetheless they result indistinguishable in the termination
transparent version of the system. However, the system is not PoNI. In fact, if a bit flip
on b2 can transform S2 into S3 so we have S0
{b2},τ but S2
{b2},a
.
From now onwards we focus our attention on “standard fault-prone” systems. For
such systems, we have that the whole program component is fault-tolerant (formally
ProgLoc ⊆ T ) and it is either stuck or active, regardless of the data component.
Definition 17 (Standard fault-prone systems). A fault-prone system is called stan-
dard if ProgLoc ⊆ T and, for all P , either for any data component M there exists an
action l such that (P,M) l−→ or for any data component M the system is stuck, namely
(P,M) 6−→.
For the class of systems of our interest, Strong Trace-based Security is indeed
stronger than PoNI.
Lemma 3 (Strong Trace-based Security implies PoNI). Let P be a program compo-
nent in a standard fault-prone system Sys . If P enjoys StbS then P enjoys PoNI.
Proof. We prove this lemma by showing the contrapositive. Suppose thatP is not PoNI.
Then there must be two states S = (P,M0) and S′ = (P,N0) in the augmented version
of a fault-prone system Sys such that M0 =L N0, and two runs that exit from them
whose corresponding traces violate the security condition. Let
r = (P,M0)
L0,a0
(P1,M1) . . . (Pj−1,Mj−1)
Lj−1,aj−1
(Pj ,Mj)
L,a
and
r′ = (P,N0)
L0,b0
(P 1, N1) . . . (P
j−1, Nj−1)
Lj−1,bj−1
(P j , Nj)
L,b
be the runs in question, such that ∀0 ≤ i < j low (ai) = low(bi) but low (a) 6=
low (b).
Before continuing, we observe that, in the initial configuration, P cannot be stuck.
Also, it must be that at most one run between r and r′ contains a sequence of stuck
configurations. Both conditions are necessary to have low (a) 6= low (b).
We now show that it is possible to build two transition traces for P that violate
Strong Trace-based Security. Recall that the flip function can be applied only to loca-
tions in F , and that we consider systems whose faulty locations are restricted to the data
component (F ⊆ LowLoc ∪ HighLoc). Hence, when S = (P,M), we write flip(S,L)
as (P, flip(M,L)), and we focus on the data component flip(M,L) when necessary.
We proceed by distinguishing two cases, depending on whether or not a stuck con-
figuration is traversed by r (equivalently r′).
Case 1: no stuck configurations are traversed in either r or r′.
Consider the following two transition traces
t = (flip(M0, L0), a0,M1), (flip(M1, L1), a1,M2) . . . (flip(Mj , L), a,Mj+1)
and
t′ = (flip(N0, L0), b0, N1), (flip(N1, L1), b1, N2) . . . (flip(Nj , L), b, Nj+1)
Since r does not traverse stuck configurations, all transitions are computed by an ap-
plication of the rule [Step]. This means that for any transition we have (Pi,Mi)
Li,ai
(Pi+1,Mi+1) if (Pi, flip(Mi, Li))
ai−→ (Pi+1,Mi+1). Hence t is in T (P ). By applying
a similar argument for r′, we conclude that t′ is in T (P ) as well.
Observe that flip preserves low equivalence between data components (ifMi =L Ni
then for all set of locations L it is true that flip(Mi, L) =L flip(Ni, L)). Considering
that M0 =L N0, there are two possible cases. Either there exists k, such that 0 ≤ k < j
and (flip(Mk, Lk), ak,Mk+1) and (flip(Nk, Lk), bk, Nk+1) and Mk+1 6=L Nk+1, or
∀k0 ≤ k ≤ j Mk =L Nk and low (a) 6= low (b). In both cases Strong Trace-based
Security is violated.
Case 2: there is a stuck configuration in r.
We consider the case in which a configuration in r is stuck. The symmetric case for
r′ is similar, and it is omitted.
Since Sys is a “standard fault-prone” system, the rule [Stuck−2] cannot be applied
in the first step. Let 1 ≤ w ≤ j be the index of the first stuck state (Pw ,Mw) in r.
Consider the following transition traces
t = (flip(M0, L0), a0,M1), . . . , (flip(Mw−1, Lw−1), aw,Mw),
(flip(Nw, Lw), τ, flip(Nw, Lw)), . . . , (flip(Nj , L), τ, flip(Nj , L))
t′ = (flip(N0, L0), b0, N1), . . . , (flip(Nw−1, Lw−1), bw−1, Nw),
(flip(Nw, Lw), bw, Nw+1), . . . , (flip(Nj , L), b, Nj+1)
As observed in the previous case, since flip preserves low equivalence of data com-
ponents, there are the following cases to be considered. Either there exists k such that
0 ≤ k < w and (flip(Mk, Lk), ak,Mk+1) and (flip(Nk, Lk), bk, Nk+1) and Mk+1 6=L
Load
P (pc) = load r p
〈P, pc,R,M〉
τ
−→ 〈P, pc+,R[r 7→ M(p)],M〉
Store
P (pc) = store p r
〈P, pc,R,M〉
τ
−→ 〈P, pc+,R,M[p 7→ R(r)]〉
Jmp
P (pc) = jmp l
〈P, pc,R,M〉
τ
−→ 〈P, pc 7→ resP (l),R,M〉
Jz-S
P (pc) = jz l r R(r) = 0
〈P, pc,R,M〉
τ
−→ 〈P, pc 7→ resP (l),R,M〉
Jz-F
P (pc) = jz l r R(r) 6= 0
〈P, pc,R,M〉
τ
−→ 〈P, pc+,R,M〉
Nop
P (pc) = nop
〈P, pc,R,M〉
τ
−→ 〈P, pc+,R,M〉
Move-k
P (pc) = movek r n
〈P, pc,R,M〉
τ
−→ 〈P, pc+,R[r 7→ n],M〉
Move-r
P (pc) = mover r r′
〈P, pc,R,M〉
τ
−→ 〈P, pc+,R[r 7→ R(r′)],M〉
Op
P (pc) = op r r′
〈P, pc,R,M〉
τ
−→ 〈P, pc+,R[r 7→ R(r) op R(r′)],M〉
Out
P (pc) = out ch r Reg(r) = n
〈P, pc,R,M〉
ch!n
−−−→ 〈P, pc+,R,M〉
Fig. 12. RISC instructions semantics
Nk+1, or there exists k such that w ≤ k < j and (flip(Nk, Lk), τ, flip(Nk, Lk)) and
(flip(Nk, Lk), bk, Nk+1) and flip(Nk, Lk) 6=L Nk+1, or τ 6= low (b). In all cases Strong
Trace-based Security is violated.
Proof (Proof of Theorem 2). Directly obtained by applying Lemma 2 and Lemma 3.
F RISC instructions semantics
Figure 12 formalizes the semantics of the RISC language.
G Typing rule for expressions
Figure 13 shows all the (abstract) rules for the compilation of while expressions
into RISC code.
H Typing rule for atomic statements
All rules for typing atomic statements are presented in Figure 14.
K
r 6∈ A
Φ,A, l  k →֒ [l : movek r k], 〈level(r), 1〉, r, Φ[r 6→]
V-cached
[r ↔ x] ∈ Φ
Φ,A, l  x →֒ [l : ǫI ], 〈level(r), 0〉, r, Φ
V-uncached
r 6∈ A level(r) ⊒ level(x)
Φ,A, l  x →֒ [l : load r v2p(x)], 〈level(r), 1〉, r, Φ[r
R
← x]
C
Φ,A, l  E1 →֒ P1, 〈λ, n1〉, r, Φ1 Φ1, A ∪ {r}, ǫlab  E2 →֒ P2, 〈λ, n2〉, r
′, Φ2
Φ,A, l  E1 op E2 →֒ P1 ++ P2 ++ [op r r
′], 〈λ,n1 + n2 + 1〉, r, Φ2[r 6→]
Fig. 13. (Abstract) Type system for while expressions
skip
−
Φ, l ⊢ skip →֒ [l : nop], 〈WrH,Trm 1〉, ǫlab, Φ
:=
Φ, {}, l  E →֒ P, 〈level(x), n〉, r, Φ′ Φ′′ = Φ′[r
W
→ x]
Φ, l ⊢ x := E →֒
{
P++
[store v2p(x) r]
}
,
level(x) = H ? 〈Wr H,Trm n+ 1〉
: 〈Wr L,Trm L〉
, ǫlab, Φ
′′
out
Φ, {}, l  E →֒ P, 〈level(ch), n〉, r, Φ′
Φ, l ⊢ out ch E →֒
{
P++
[out ch r]
}
,
level(ch) = H ? 〈WrH,Trm n+ 1〉
: 〈Wr L,Trm L〉
, ǫlab, Φ
′
Fig. 14. (Abstract) Type system for atomic while commands
I Proof of Theorem 3
The type system presented in Section 3.2 is an abstraction of the method that we
use to enforce Strong Security over RISC programs. In this section we describe such
method, together with all the necessary results to prove the Theorem 3.
We begin (Section I.1) by introducing the i-while language, an intermediate rep-
resentation that bridges the translation between while and RISC programs. We also
define the type system, whose abstraction is presented in Section 3.2, that translates
while programs into i-while programs. For a type correct while program, the
type system ensures that (i) it is strongly secure (Proposition 3) and (ii) is mapped to a
strongly secure i-while program (Proposition 6).
In Section I.2 we define a strategy for translating i-while programs into RISC
programs. The strategy ensures that the target RISC program is semantically equivalent
to the source i-while program (Proposition 7), hence Strong Security can be inferred
for the RISC program via Strong Security enjoyed by the source i-while program.
I.1 From while programs to i-while programs
The syntax of i-while programs is presented in Figure 15.
i-while programs are a subclass of while programs that take into account fea-
tures of the RISC architecture. The first feature is that an i-while program distin-
D ::= skip | x := r | r := F | D1;D2 | out ch r |
while r do {D; skip} | if r then {D1; skip} else {D2; skip}
F ::= k ∈ N | r ∈ Reg | x ∈ Var | r1 op r2
ch ::= low | high
Fig. 15. i-while programs syntax
guishes between pure and register variables, respectively in the sets Var and Reg. This
distinction equips the i-while language with the concept of “register” that is used
in the target machine. The second feature is a more restrictive syntax for conditionals
and loops, that enables a simpler translation between i-while and RISC programs.
Specifically, both while and if commands in i-while syntax require the guard to be
a register variable, and require the branches (in the case of if) or the loop body (in the
case of while) to be terminated by a skip command.
K
r ∈ Reg r 6∈ A
Φ,A 
Reg
Var k →֒ {r := k}, 〈level(r), 1〉, r, Φ[r 6→]
V-cached
x ∈ Var r ∈ Reg [r ↔ x] ∈ Φ
Φ,A 
Reg
Var x →֒ {
r}, 〈level(r), 0〉, r, Φ
V-uncached
x ∈ Var r ∈ Reg r 6∈ A level(r) ⊒ level(x)
Φ,A 
Reg
Var x →֒ {r := x}, 〈level(r), 1〉, r, Φ[r
R
← x]
C
r, r′ ∈ Reg
Φ,A 
Reg
Var E1 →֒ {D1}, 〈λ, n1〉, r, Φ1
Φ1, A ∪ {r} 
Reg
Var E2 →֒ {D2}, 〈λ, n2〉, r
′, Φ2
Φ,A 
Reg
Var E1 op E2 →֒ {D1;D2; r := r op r
′}, 〈λ, n1 + n2 + 1〉, r, Φ2[r 6→]
Fig. 16. Type system for while expressions
In Figures 16, 17 and 18 the type system that performs both the translation of a
while program C into an i-while program D and the security analysis on C is
described. We now discuss these aspects in details.
skip
−
Φ ⊢RegVar skip →֒ {skip}, 〈WrH,Trm (1, 1)〉, Φ
:=
x ∈ Var r ∈ Reg Φ, {} RegVar E →֒ {D}, 〈level(x), n〉, r, Φ
′
Φ ⊢RegVar x := E →֒ {D; x := r}, level(x) = H?〈WrH,Trm (1, n+ 1)〉 : 〈Wr L,Trm L〉, Φ
′[r
W
→ x]
out
r ∈ Reg Φ, {} RegVar E →֒ {D}, 〈level(ch), n〉, r, Φ
′
Φ ⊢RegVar out ch E →֒ {D; out ch r}, level(ch) = H?〈WrH,Trm (1, n+ 1)〉 : 〈Wr L,Trm L〉, Φ
′
Fig. 17. Type system for atomic while statements
;Φ ⊢RegVar C →֒ {D}, 〈w1, t1〉, Φ1 Φ1 ⊢
Reg
Var C
′ →֒ {D′}, 〈w2, t2〉, Φ2
t1 = TrmH ⇒ w2 = WrH
Φ ⊢RegVar C;C
′ →֒ {D;D′}, 〈w1 ⊔ w2, t1 ⊎ t2〉, Φ2
if-any
r ∈ Reg
Φ, {} RegVar E →֒ {Dg}, 〈λ,ng〉, r, Φ1
Φ1 ⊢
Reg
Var Ct →֒ {Dt}, 〈w1, t1〉, Φ2 Φ1 ⊢
Reg
Var Ce →֒ {De}, 〈w2, t2〉, Φ3
D′t = Dt; skip D
′
e = De; skip
write(λ) ⊒ wi ΦF = Φ2 ⊓ Φ3
Φ ⊢RegVar
if E
then Ct
else Ce
→֒


Dg ;
if r
thenD′t
else D′e


,
〈
write(λ) ⊔ w1 ⊔ w2
term(λ) ⊔− t1 ⊔− t2
〉
, ΦF
if-H
r ∈ Reg
Φ, {} RegVar E →֒ Dg , 〈H,ng〉, r, Φ1
Φ1 ⊢
Reg
Var Ct →֒ {Dt}, 〈Wr H,Trm (m,nt)〉, Φ2 Φ1 ⊢
Reg
Var Ce →֒ {De}, 〈Wr H,Trm (m,ne)〉, Φ3
D′t = Dt; skip
ne−nt ; skip D′e = De; skip
nt−ne ; skip
ΦF = Φ2 ⊓ Φ3
Φ ⊢RegVar
if E
then Ct
else Ce
→֒
{
Dg ;
if r thenD′t else D
′
e
}
,
〈 WrH
Trm (m+ 1,
ng +max(nt, ne) + 2)
〉
, ΦF
while
x ∈ Var r ∈ Reg
D0 = r := x;x := r;
Φ′ = Φ[r
W
→ x] ΦB ⊑ Φ
′ ΦB ⊑ ΦE[r
W
→ x]
ΦB ⊢
Reg
Var C →֒ {D}, 〈w, t〉, ΦE
λ = level(x) = level(r) write(λ) ⊒ w t = TrmH ⇒ write(λ) = WrH
Φ ⊢RegVar while x do C →֒
{
D0;
while r do {D;D0; skip}
}
,
〈
write(λ) ⊔ w
term(λ) ⊔− t
〉
, ΦB
Fig. 18. Type system for non-atomic while statements
Type System: Translation The type system described in Figures 16, 17 and 18 con-
verts a while program into an i-while program.
In general, observe that none of the rules involve labels, since these are no longer
part of the target language. However, the rules still require that a register record is
carried along the compilation. We assume, similarly to what has been done in Section
3.2, that there is a register record functionΦ ∈ Reg ⇀ ({R,W}×Var) which not only
associates variables to registers, but also records the modality (read/write) in which the
association was created. Notice that in this context Reg are just variables and have not
direct hardware interpretation. Finally, observe that the rules are parametrized in the
set of pure and register variables (Var and Reg). Implementing our translation strategy
does not require this parametrization, since the set of registers that are used in the RISC
machine is known beforehand. However it turns out to be a useful tool for implementing
our proof strategy: first we show that a type-correct while program C is strongly
secure, then we show that the correspondent i-while program D is strongly secure
by retyping it under a different set of register variables, that are solely used for stating
the security property of D (all the details are formalized in Proposition 6).
The rules in Figure 16, that formalize the compilation of expressions, are very sim-
ilar to the rules in Figure 13, beside the fact that operations over registers and memory
locations are replaced by assignments between pure and register variables. In order to
represent a compilation that produces no code (see rule [V − cached]) we explicitly
extend the syntax of i-while programs (i.e. while programs) with r, the empty state-
ment, that represents the i-while correspondent of the ǫI statement used for RISC
programs. However, since r has no semantic meaning, we assume that the composi-
tion operator ; strips the occurrences of rwhen composing commands together. This
is formalized by defining structural equivalence to be the least congruence4 relation ≡
between programs such that r;C ≡ C; r≡ C.
Commands translation, implemented by the rules in Figures 17 and 18, are also
similar to the rules in Figures 14, 9 and 10, hence we only focus on the main differences.
The compilation of if E then Ct else Ce performed by the [if − any] rule pro-
duces the code Dg for E first, that corresponds to evaluating E in register variable
r. Then, subprograms Dt and De are obtained from Ct and Ce respectively. In or-
der to comply with the i-while syntax, a skip instruction is appended to both Dt
and De, obtaining respectively programs D′t and D′e that are used in the rule output
Dg; if r then D
′
t else D
′
e. In the rule [if − H] we follow a padding strategy which is
similar to the one used for RISC programs: we say skipn is a sequence of n skip com-
mands when n > 0, whereas it is r for n ≤ 0. In the compilation of a while x do C
command, we deploy the fragment of code D0 to establish the invariant property on the
register record. Moreover, we append skip toD;D0 in order to make the code compliant
with i-while syntax.
Type System: Security analysis In order to reason about security of while programs,
we distinguish between public and secret data. In particular, as we did in Section 3.2,
we assume that variables are labeled in a way that does not change during the execution
and it is determined by the function level ∈ Reg ∪ Var → {L,H}.
The security information calculated by the type system is essentially the same one
presented for the type system in Section 3.2. A type-correct while expression is dec-
orated with a label (λ, n), which indicate the security level of the register variables that
are used to evaluate E and the number of i-while steps that are required to evaluate
E, exactly as in Figure 13. A type-correctwhile program is associated to a label (w, t)
describing its write effect (label w) and timing behavior (label t). Write labels are taken
from the two-element set {WrH,Wr L}, with partial orderingWrH ⊑Wr L, and have
the same semantics introduced in Section 3.2. The timing label t is an element from the
partial order Lt which is described in Figure 19 (notice that, for improving readability,
the order relation is just sketched). Compared to the partial order presented in Figure
7, we define a refined annotation for programs that are certainly terminating in a finite
number of steps. In particular we label such programs with values Trm (m,n), which
specifies that (i) the source while program terminates in m steps and (ii) the com-
piled i-while program terminates in n steps, no matter which values the variables
4 A congruence relation, in this context, is an equivalence relation on commands that is closed
under the syntactic constructors of the language.
are set to. As for rules parametrization, this feature is a tool for our proof strategy. In
fact, the type system has to track timing behavior of both the original program and its
compiled version because it might happen that the timing behavior is modified in the
recompilation of a compiled program.
TrmH
Trm L
Trm (0, 0)Trm (0, 1) . . . Trm (0, n) . . .
Trm (1, 0)Trm (1, 1) . . . Trm (1, n) . . .
. . .
Trm (m, 0)Trm (m, 1) . . . Trm (m,n) . . .
t1 ⊔− t2 =
{
Trm L if ∀i ∈ {1, 2}ti ⊑ Trm L
TrmH otherwise
t1 ⊎ t2 =
{
Trm (m1 +m2, n1 + n2) if ∀i ∈ {1, 2} ti = Trm (mi, ni)
t1 ⊔− t2 otherwise
Fig. 19. Termination partial order
We now explain how security annotations are computed by the type system in Fig-
ures 17 and 18.
The skip commands takes exactly one step to be completed in both its original and
its compiled version. Moreover, it does not modify the value of any of the variables
used in the program. For this reason, [skip] rule assigns 〈Wr H,Trm (1, 1)〉 as security
annotation for skip.
The security annotation for an assignment command x := E depends on the secu-
rity level of the variable x. If level(x) = H , we require that all instructions used to eval-
uate the expression perform write actions solely on H variables. This, in turn, requires
that E has an associated type 〈H,n〉, which not only specifies the information about
written variables, but also states that E has been compiled into n i-while instruc-
tions. Hence, for level(x) = H , rule [:=] assigns 〈Wr H,Trm (1, n + 1)〉 to x := E,
since a single instruction is mapped to n + 1 i-while instructions (n instructions
correspond to E, the last instruction x := r counts for one). If level(x) = L, then we
require that written variables are at security levelL5, beside making sure that no content
from H variables is used. In this case the final type for x := E is 〈Wr L,Trm L〉.
The rule [out] follows a similar argument, with the role of x taken by the channel
ch.
The rule [; ] requires that whenever a componentC1 has a timing behavior described
by TrmH , the following componentC2 induces a WrH write effects, in order to avoid
timing channel leaks. The annotation computed by rule [; ] considers the least upper
5 In fact security could be established in a more liberal setting, however this strictness simplifies
arguments in proofs.
bound of the writing effects of C1 and C2, and uses an extended least upper bound
operator ⊎ (cf. Figure 19).
The rule [if−any] prevents implicit flows from happening in the program by apply-
ing the same strategy presented for the type system in Figure 9. In particular, the security
label λ of an expression is translated into a write effect by the functionwrite (cf. Section
3.2), and write effects of both branches are expected to be lower than write(λ). The re-
sulting security annotation for the if E then Ct else Ce command is computed in terms
of the least upper bound of the security annotations for E, Ct and Ce. In particular, the
write effect write(λ)⊔w1⊔w2 corresponds to the least upper bound of all write effects,
whereas the time behavior term(λ) ⊔− t1 ⊔− t2 is determined from the time behavior of
branches, together with the corresponding time behavior of the guard, according to the
function term (where term is defined in Section 3.2). Notice that the exact label for
termination would be Trm (0, ng) ⊎ term(λ) ⊎ (t1 ⊎ Trm (0, 1)) ⊔− (t2 ⊎ Trm (0, 1)),
because of the codeDg that is executed at the loop entrance and the skip commands that
are appended at the end of Dt and De. However, we can omit this information because
term always returns a label in {Trm L,Trm H}, hence the exact number of steps for
Dg and skip is irrelevant.
When it is known that the if statement involves only write actions on H variables,
the timing behavior can be computed more accurately, as for the type system in Figure
9. In particular, as shown by rule [if − H], if Ct and Ce are associated to a security
type 〈Wr H,Trm (m,nt)〉 and 〈Wr H,Trm (m,ne)〉, the resulting annotation for the
statement becomes 〈Wr H,Trm (m + 1,max(nt, ne) + ng + 2)〉. The first timing
value, namely m+ 1, adds one expression evaluation step to the timing behavior of the
branches, which is required to have the same value. The second timing value, namely
max(nt, ne) + ng + 2 considers the expression compilation (factor ng), the final skip
command and the register evaluation (they count for the factor 2), together with the
biggest factor between nt and ne for branches. Notice that alignment of branches is
performed by applying the usual padding strategy.
As for the type system in Figure 10, the rule [while] prevents implicit flow from
happening by enforcing several constraints. Indirect information flows involving the
loop guard are prevented by requiring the write effect of the loop to be lower than the
write effect of the guard. The timing channel induced by the loop body is prevented
by requiring the write effect of the body to be Wr H if its timing behavior depends on
secrets.
Type System: Results In order to formalize the properties of the type system we pro-
ceed with specifying the semantics of the while language. Since we are targeting the
notion of Strong Security, we instantiate the abstract machine for the while language
as a fault-prone system.
Observe that we formulate the semantic definition generally enough to be suitable
for i-while programs as well. Since i-while programs are a subclass of while
programs, the only difference to be considered is the set of variables on which pro-
grams are defined in the two languages. We therefore define the rules in Figure 20 to
be parametric on V , the set of variables, such that V = Var for while programs and
V = Var ∪Reg for i-while programs.
We define the memory as an element M from the set {Var ∪ Reg → N} of
mappings between variables and values in N. The semantics for the while language
as a fault-prone system is described by the LTS Sw = {{〈C,M〉},−→, {ch!n|ch ∈
{low , high} and n ∈ N} ∪ {τ}} where C is the fault-tolerant part of configura-
tions, M is the fault-prone part and −→ is obtained by rules in Figure 20. Notice that
rules for sequential composition are expressed using evaluation contexts, defined as
R ::= [−]|R;C. The rule [c − 2] requires a particular attention: since we need a fine
control over the number of execution steps, rule [c− 2] simultaneously executes state-
ments that terminates in one step (like skip, :=, out) and stripes off the terminating
command r they are reduced to. In this way, the number of reductions performed by
a while program according to while semantics are easily mapped to the number of
steps performed by the corresponding RISC program in the RISC semantics.
skip
〈skip,M〉
τ
−→ 〈 r,M〉
:=
v ∈ V [[EV ]](M) = n
〈v := E,M〉
τ
−→ 〈 r,M [v\n]〉
out
[[EV ]](M) = n
〈out ch E,M〉
ch!n
−−−→ 〈 r,M〉
if-1
[[EV ]](M) 6= 0
〈if E then C1 else C2,M〉
τ
−→ 〈C1,M〉
if-2
[[EV ]](M) = 0
〈if E then C1 else C2,M〉
τ
−→ 〈C2,M〉
w-1
v ∈ V M(v) 6= 0
〈while v do C,M〉
τ
−→ 〈C;while v do C,M〉
w-2
v ∈ V M(v) = 0
〈while v do C,M〉
τ
−→ 〈 r,M〉
c-1
〈C,M〉
l
−→ 〈C′,M ′〉 C′ 6= r
〈R[C],M〉
l
−→ 〈R[C′],M ′〉
c-2
〈C1,M〉
l
−→ 〈 r,M ′〉
〈R[C1;C2],M〉
l
−→ 〈R[C2],M
′〉
Fig. 20. while and i-while programs semantics
We want to show that any type-correct while program is SS. First we instantiate
the definition of Strong Security for while programs.
Definition 18 (Strong Security for while programs). We say that a while program
C is strongly secure if it is strongly secure according to Definition 7 instantiated for the
fault-prone system Sw.
The first property of the type system presented in Figures 16, 17 and 18 is that any
type-correct program is strongly secure. We formalize this result as follows.
Proposition 3 (Type System Enforces Strong Security). Let C be a while program.
If there exists Φ such that Φ ⊢RegVar C →֒ {D}, 〈w, t〉, Φ′, then C is strongly secure.
Proving this statement requires few auxiliary results. The first one, formalized in
Lemma 6, illustrates a property of the type system which we refer to as “upward clo-
sure”: if a command is type-correct with respect to a register record Φ, it also results
type-correct with respect to any other register record Φ′ that is bigger than Φ. Also, the
output register record corresponding to Φ′ results bigger than the one corresponding to
Φ.
In order to prove Lemma 6, two auxiliary results are required. The first one formal-
izes some properties of the operations over register records.
Lemma 4. Let Φ and Φ′ two register records such that Φ′ ⊒ Φ. Then:
– Φ′[r 6→] ⊒ Φ[r 6→];
– Φ′[r
µ
↔ x] ⊒ Φ[r
µ
↔ x].
Proof. The first statement follows directly by the fact that inclusion is preserved by
set difference. Proving the second statement is slightly more challenging, since the up-
date operation requires the bijection property of register records to be preserved. In
particular, implementing Φ[r µ↔ x] requires that (i) any existing association [r′ ↔ x]
is removed, and (ii) the new association [r µ↔ x] is added to the register record. The
statement is proved by distinguishing the following cases:
– assume x is not associated in Φ. This implies that there is no r′ ∈ Reg such that
[r′ ↔ x] ∈ Φ. We distinguish four cases:
r x is not associated in Φ′. Then Φ′[r µ↔ x] ⊒ Φ[r µ↔ x] is true because
Φ′[r
µ
↔ x]
∣∣∣
Reg\{r}
= Φ′
∣∣
Reg\{r}
and Φ[r µ↔ x]
∣∣∣
Reg\{r}
= Φ
∣∣
Reg\{r}
.
r there exists r′ 6= r such that [r′ ↔ x] ∈ Φ′. Then Φ′[r µ↔ x] ⊒ Φ[r µ↔ x]
because r′ is unassociated in Φ.
r [r
µ′
↔ x] ∈ Φ′ butµ′ 6= µ. ThenΦ′[r µ↔ x] ⊒ Φ[r µ↔ x] becauseΦ′[r µ↔ x]
∣∣∣
Reg\{r}
=
Φ′
∣∣
Reg\{r}
and Φ[r µ↔ x]
∣∣∣
Reg\{r}
= Φ
∣∣
Reg\{r}
.
r [r
µ
↔ x] ∈ Φ′. Then Φ′[r µ↔ x] = Φ′. Hence Φ′[r µ↔ x] = Φ′ ⊒ Φ[r µ↔ x]
since Φ[r µ↔ x]
∣∣∣
Reg\{r}
= Φ
∣∣
Reg\{r}
.
– Assume x is associated in Φ, hence there exists r′ ∈ Reg such that [r′ µ
′
↔ x] ∈ Φ.
Since Φ′ ⊒ Φ, [r′ µ
′
↔ x] ∈ Φ′. We distinguish three cases:
r r′ 6= r. Then Φ′[r µ↔ x] ⊒ Φ[r µ↔ x] since (i) Φ′[r µ↔ x]
∣∣∣
Reg\{r,r′}
=
Φ′
∣∣
Reg\{r,r′}
and Φ[r µ↔ x]
∣∣∣
Reg\{r,r′}
= Φ
∣∣
Reg\{r,r′}
and (ii) r′ results unas-
sociated in both Φ′[r µ↔ x] and Φ[r µ↔ x].
r r′ = r butµ′ 6= µ. ThenΦ′[r µ↔ x] ⊒ Φ[r µ↔ x] holds becauseΦ′[r µ↔ x]
∣∣∣
Reg\{r}
=
Φ′
∣∣
Reg\{r}
and Φ[r µ↔ x]
∣∣∣
Reg\{r}
= Φ
∣∣
Reg\{r}
.
r If r′ = r and µ′ = µ. Then Φ′[r µ↔ x] = Φ′ ⊒ Φ = Φ[r µ↔ x].
The second result that supports the proof of Lemma 6 formalizes the notion of
“upward closure” for expressions.
Lemma 5 (Register Record Upward Closure for Expressions). Let E be a while
expression. If there exists Φ such thatΦ,A RegVar E →֒ {D}, 〈λ, n〉, r, Φα then ∀Φ′ ⊒ Φ
Φ′, A 
Reg
Var E →֒ {D}, 〈λ, n〉, r, Φβ such that Φβ ⊒ Φα.
Proof. We prove the proposition by induction on the structure of E and by cases on the
last rule applied in the type derivation.
Base case
Case E = k. We know that there exists Φ such that Φ,A RegVar k →֒ {r :=
k}, 〈level(r), 1〉, r, Φ[r 6→] and consider Φ′ ⊒ Φ. Then Φ′, A RegVar k →֒ {r :=
k}, 〈level(r), 1〉, r, Φ′[r 6→] and Φβ = Φ′[r 6→] ⊒ Φ[r 6→] = Φα by Lemma 4.
Case E = x. Assume that the rule [V − cached] is used. Then there exists Φ
such that [r µ↔ x] ∈ Φ and Φ,A RegVar x →֒ { r}, 〈λ, 0〉, r, Φ. Consider Φ′ ⊒ Φ. Then
[r
µ
↔ x] ∈ Φ′ and Φ′, A RegVar x →֒ { r}, 〈λ, 0〉, r, Φ′ and Φβ = Φ′ ⊒ Φ = Φα by
hypothesis.
Assume that the rule [V − uncached] is used instead. Then there exists Φ such that
Φ,A 
Reg
Var x →֒ {r := x}, 〈level(r), 1〉, r, Φ[r
R
← x]. Let Φ′ ⊒ Φ. Then Φ′, A RegVar
x →֒ {r := x}, 〈level(r), 1〉, r, Φ′[r
R
← x] and Φβ = Φ′[r
R
← x] ⊒ Φ[r
R
← x] = Φα by
Lemma 4.
Inductive step
CaseE = E1 opE2. We know that there exists Φ such that Φ,A RegVar E1 opE2 →֒
{D1;D2; r := r op r
′}, 〈λ, n1 + n2 + 1〉, r, Φ2[r 6→], under the assumption that
Φ,A 
Reg
Var E1 →֒ {D1}, 〈λ, n1〉, r, Φ1 andΦ1, A∪{r} 
Reg
Var E2 →֒ {D2}, 〈λ, n2〉, r
′, Φ2.
Consider Φ′ ⊒ Φ. By applying the inductive hypothesis on E1 we obtain Φ′, A RegVar
E1 →֒ {D1}, 〈λ, n1〉, r, Φ
′
1, such that Φ′1 ⊒ Φ1. By applying the inductive hypothesis
on E2 we obtain Φ′1, A ∪ {r} 
Reg
Var E2 →֒ {D2}, 〈λ, n2〉, r
′, Φ′2 such that Φ′2 ⊒ Φ2.
Hence Φ′, A RegVar E1 op E2 →֒ {D1;D2; r := r op r′}, 〈λ, n1 + n2 + 1〉, r, Φ′2[r 6→]
and Φβ = Φ′2[r 6→] ⊒ Φ2[r 6→] = Φα by Lemma 4.
We continue with the formalization (and the proof) of “upward closure” for com-
mands.
Lemma 6 (Register Record Upward Closure for Commands). Let C be a while
program. If there exists Φ such that Φ ⊢RegVar C →֒ {D}, 〈w, t〉, Φα then ∀Φ′ ⊒ Φ
Φ′ ⊢RegVar C →֒ {D}, 〈w, t〉, Φβ such that Φβ ⊒ Φα.
Proof. We prove the proposition by induction on the structure of C and by cases on the
last rule applied in the type derivation.
Base case
Case C = skip. We know that Φ ⊢RegVar skip →֒ {skip}, 〈Wr H,Trm (1, 1)〉, Φ. Con-
sider Φ′ ⊒ Φ. Then Φ′ ⊢RegVar skip →֒ {skip}, 〈Wr H,Trm (1, 1)〉, Φ′ and Φβ = Φ′ ⊒
Φ = Φα by hypothesis.
Case C = x := E. We know that Φ ⊢RegVar x := E →֒ {D;x := r}, level(x) =
H?〈Wr H,Trm (1, n + 1)〉 : 〈Wr L,Trm L〉, Φe[r
W
→ x], under the assumption that
Φ, {} RegVar E →֒ {D}, 〈level(x), n〉, r, Φe. Consider Φ′ ⊒ Φ. By applying Lemma
5 we obtain that Φ′, {} RegVar E →֒ {D}, 〈level(x), n〉, r, Φ′e, such that Φ′e ⊒ Φe,
and Φ′ ⊢RegVar x := E →֒ {D;x := r}, level(x) = H?〈Wr H,Trm (1, n + 1)〉 :
〈Wr L,Trm L〉, Φ′e[r
W
→ x] and Φβ = Φ′e[r
W
→ x] ⊒ Φe[r
W
→ x] = Φα by Lemma 4.
CaseC = out chE. The derivationΦ ⊢RegVar out ch E →֒ {D; out ch r}, level(ch) =
H?〈Wr H,Trm (1, n+ 1)〉 : 〈Wr L,Trm L〉, Φe holds, under the assumption that that
Φ, {} RegVar E →֒ {D}, 〈level(ch), n〉, r, Φe. Consider Φ′ ⊒ Φ. By applying Lemma
5 we obtain that Φ′, {} RegVar E →֒ {D}, 〈level(ch), n〉, r, Φ′e such that Φ′e ⊒ Φe.
Hence Φ′ ⊢RegVar out ch E →֒ {D; out ch r}, level(ch) = H?〈Wr H,Trm (1, n+ 1)〉 :
〈Wr L,Trm L〉, Φ′e and Φβ = Φ′e ⊒ Φe = Φα.
Inductive step
Case C = if E then Ct else Ce. An if statement can be typed according to two
rules, [if − any] and [if −H].
Assume the rule [if−any] is used. By hypothesis, we have that the derivationΦ ⊢RegVar
if E thenCt elseCe →֒ {Dg; if r thenD
′
t elseD
′
e} , 〈write(λ)⊔w1⊔w2, term(λ)⊔−t1⊔−
t2〉 , Φ2 ⊓ Φ3 holds, for D′t = Dt; skip and D′e = De; skip, providing that Φ, {} 
Reg
Var
E →֒ {Dg}, 〈λ, ng〉, r, Φ1 and Φ1 ⊢RegVar Ct →֒ {Dt}, 〈w1, t1〉, Φ2 and Φ1 ⊢
Reg
Var
Ce →֒ {De}, 〈w2, t2〉, Φ3. Consider Φ′ ⊒ Φ. By applying Lemma 5 on E we obtain
Φ′, {} RegVar E →֒ {Dg}, 〈λ, ng〉, r, Φ
′
1 such that Φ′1 ⊒ Φ1. By applying the inductive
hypothesis on Ct we obtain Φ′1 ⊢
Reg
Var Ct →֒ {Dt}, 〈w1, t1〉, Φ
′
2 such that Φ′2 ⊒ Φ2. By
applying the inductive hypothesis on Ce we obtain Φ′1 ⊢
Reg
Var Ce →֒ {De}, 〈w2, t2〉, Φ
′
3
such that Φ′3 ⊒ Φ3. Hence we conclude that Φ′ ⊢
Reg
Var if E then Ct else Ce →֒
{Dg; if r then D
′
t else D
′
e} , 〈write(λ) ⊔ w1 ⊔ w2, term(λ) ⊔− t1 ⊔− t2〉 , Φ
′
2 ⊓ Φ
′
3 and
Φβ = Φ
′
2 ⊓ Φ
′
3 ⊒ Φ2 ⊓ Φ3 = Φα.
Consider the case in which the rule [if − H] is used instead. We know that Φ ⊢RegVar
if E then Ct else Ce →֒ {Dg; if r then D
′
t else D
′
e} , 〈Wr H,Trm (m + 1, ng +
max(nt, ne)+2)〉 , Φ2⊓Φ3, forD′t = Dt; skip
ne−nt ; skip andD′e = De; skipnt−ne ; skip,
providing that Φ, {} RegVar E →֒ {Dg}, 〈H,ng〉, r, Φ1 together with Φ1 ⊢
Reg
Var Ct →֒
{Dt}, 〈Wr H,Trm (m,nt)〉, Φ2 and Φ1 ⊢RegVar Ce →֒ {De}, 〈Wr H,Trm (m,ne)〉, Φ3.
By applying Lemma 5 on E we obtain Φ′, {} RegVar E →֒ {Dg}, 〈H,ng〉, r, Φ′1 such
that Φ′1 ⊒ Φ1. By applying the inductive hypothesis on Ct we obtain Φ′1 ⊢
Reg
Var Ct →֒
{Dt}, 〈Wr H,Trm (m,nt)〉, Φ
′
2 such that Φ′2 ⊒ Φ2. By applying the inductive hy-
pothesis on Ce we obtain Φ′1 ⊢
Reg
Var Ce →֒ {De}, 〈Wr H,Trm (m,ne)〉, Φ
′
3 such that
Φ′3 ⊒ Φ3. Hence we can conclude that the derivationΦ′ ⊢
Reg
Var if E thenCt elseCe →֒
{Dg; if r then D
′
t else D
′
e} , 〈Wr H,Trm (m+ 1, ng +max(nt, ne) + 2)〉 , Φ
′
2 ⊓ Φ
′
3
holds and Φβ = Φ′2 ⊓ Φ′3 ⊒ Φ2 ⊓ Φ3 = Φα.
Case C = while x do C′. By considering the rule definition we know that Φ ⊢RegVar
while x do C →֒ {D0;while r do {D;D0; skip}} , 〈write(λ) ⊔ w, term(λ) ⊔− t〉 , ΦB
for D0 = r := x;x := r, Φ∗ = Φ[r
W
→ x], ΦB ⊑ Φ∗ and ΦB ⊑ ΦE [r
W
→ x], providing
that ΦB ⊢RegVar C →֒ {D}, 〈w, t〉, ΦE . Consider Φ′ ⊒ Φ. By Lemma 4 we know that
Φ′[r
W
→ x] ⊒ Φ[r
W
→ x], hence the same ΦB used for Φ can be used for Φ′ to conclude
that that Φ′ ⊢RegVar while x do C →֒ {D0;while r do {D;D0; skip}} , 〈write(λ) ⊔
w, term(λ) ⊔− t〉 , ΦB and Φβ = ΦB ⊒ ΦB = Φα.
Case C = C1;C2. We know that Φ ⊢RegVar C1;C2 →֒ {D1;D2}, 〈w1 ⊔ w2, t1 ⊎
t2〉, Φ2, providing that Φ ⊢RegVar C1 →֒ {D1}, 〈w1, t1〉, Φ1 as well as Φ1 ⊢
Reg
Var C2 →֒
{D2}, 〈w2, t2〉, Φ2 hold. Consider Φ′ ⊒ Φ. By applying the inductive hypothesis on
C1 we obtain Φ′ ⊢RegVar C1 →֒ {D1}, 〈w1, t1〉, Φ′1 such that Φ′1 ⊒ Φ1. By applying the
inductive hypothesis on C2 we obtain Φ′1 ⊢
Reg
Var C2 →֒ {D2}, 〈w2, t2〉, Φ
′
2 such that
Φ′2 ⊒ Φ2. Hence Φ′ ⊢
Reg
Var C1;C2 →֒ {D1;D2}, 〈w1 ⊔w2, t1 ⊎ t2〉, Φ
′
2 and Φβ = Φ′2 ⊒
Φ2 = Φα.
The second result that supports the proof of Proposition 3 is subject reduction. In
order to characterize subject reduction we have to reason about the connection between
the operational semantics and the type system. For this purpose it is convenient to gen-
eralize the syntax to include r (the terminated program) as a possible sub term of any
sequential composition term. We extend the type system to include the following typing
rule for r:
T
Φ ⊢RegVar
r→֒ { r}, 〈Wr H,Trm (0, 0)〉, Φ
We choose this particular typing value since rrepresents the final configuration, which
does not perform any reduction step.
Lemma 7 (Extended typing is compatible with structural equivalence). For any
while program C, if Φ ⊢RegVar C →֒ {D}, 〈w, t〉, Φ′ and C ≡ C′, then Φ ⊢RegVar C′ →֒
{D′}, 〈w, t〉, Φ′ such that D ≡ D′.
Proof. Induction on derivation, which follows easily from the fact that the typing of
r;C, C; rand C are all equivalent.
This compatibility property allows us to implicitly view a typing derivation as ap-
plying to structural equivalence classes of terms (much in the same way that one reasons
informally about alpha equivalence in languages with variable binding). When reason-
ing about induction on the size of a derivation, we will view the size of a derivation
to be the size of the [T]-rule free derivation - i.e. the smallest derivation of the given
typing.
Lemma 8 (Reduction Context Typing). For any while command C and reduction
context R[], there exists Φ such that Φ ⊢RegVar R[C] →֒ {. . . }, 〈w, t〉, Φ′ if and only if
there exist Φ and pairs t1, t2 andw1, w2 such thatΦ ⊢RegVar C →֒ {. . . }, 〈w1, t1〉, Φ1 and
Φ1 ⊢
Reg
Var R[
r] →֒ {. . . }, 〈w2, t2〉, Φ
′ and t1 = TrmH ⇒ w2 = WrH for w = w1⊔w2
and t = t1 ⊎ t2.
Proof. We prove the lemma by induction on the structure of R.
Base case
Assume R = []. Then R[C] = C.
(⇒) Assume Φ ⊢RegVar R[C] →֒ {. . . }, 〈w, t〉, Φ′. Since R[C] = C then Φ ⊢RegVar C →֒
{. . . }, 〈w, t〉, Φ′ hence t1 = t and w1 = w. Also, R[ r] = r, and we know that ∀Φ
Φ ⊢RegVar
r →֒ { r}, 〈Wr H,Trm (0, 0)〉, Φ, hence t2 = Trm (0, 0) and w2 = Wr H .
Notice that w = w1 = w1 ⊔ w2 and t = t1 = t1 ⊎ t2.
(⇐) Assuming Φ ⊢RegVar C →֒ {. . . }, 〈w, t〉, Φ′ the following type derivation is correct
Φ ⊢RegVar C →֒ {. . . }, 〈w, t〉, Φ
′ Φ′ ⊢RegVar
r→֒ { r}, 〈Wr H,Trm (0, 0)〉, Φ′
Φ ⊢RegVar C;
r→֒ {. . . }, 〈w, t〉, Φ′
and C; r≡ C = R[C].
Inductive Step
Assume R[] = R1[];C1. Then there exists a command C′ such that R[C] =
R1[C
′];C1.
(⇒) Assume Φ ⊢RegVar R[C] →֒ {. . . }, 〈w, t〉, Φ′ Then the following type derivation
must exist:
Φ ⊢RegVar R1[C
′] →֒ {. . . }, 〈wα, tα〉, Φα
Φα ⊢
Reg
Var C1 →֒ {. . . }, 〈wβ , tβ〉, Φβ
w = wα ⊔ wβ t = tα ⊎ tβ
Φ ⊢RegVar R1[C
′];C1 →֒ {. . . }, 〈w, t〉, Φ
′
such that tα = Trm H ⇒ wβ = Wr H . We now focus on R1[C′]. By applying the
inductive hypothesis we know that there exist ta, tb andwa, wb such that Φ ⊢RegVar C′ →֒
{. . . }, 〈wa, ta〉, Φ1 and Φ1 ⊢RegVar R1[ r] →֒ {. . . }, 〈wb, tb〉, Φα and wα = wa ⊔ wb and
tα = ta ⊎ tb. Hence, the following type derivation
Φ1 ⊢
Reg
Var R1[
r] →֒ {. . . }, 〈wb, tb〉, Φα
Φα ⊢
Reg
Var C1 →֒ {. . . }, 〈wβ , tβ〉, Φβ
Φ1 ⊢
Reg
Var R1[
r];C1 →֒ {. . . }, 〈wb ⊔ wβ , tb ⊎ tβ〉, Φ
′
is correct. In particular, if tb = Trm H , then tα = Trm H , hence wβ = Wr H for
hypothesis.
(⇐) Assume thatΦ ⊢RegVar C′ →֒ {. . . }, 〈wa, ta〉, Φ1 together withΦ1 ⊢RegVar R1[ r];C1 →֒
{. . . }, 〈wc, tc〉, Φ
′ such that ta = Trm H ⇒ wc = Wr H . Then the following type
derivation
Φ ⊢RegVar C
′ →֒ {. . . }, 〈wa, ta〉, Φ1
Φ1 ⊢
Reg
Var R1[
r];C1 →֒ {. . . }, 〈wc, tc〉, Φ
′
Φ ⊢RegVar R1[C
′];C1 →֒ {. . . }, 〈wa ⊔ wc, ta ⊎ tc〉, Φ
′
is correct.
We can now present all the details related to subject reduction.
Proposition 4 (Subject Reduction). Let C be a while program. If there exists Φ
such that Φ ⊢RegVar C →֒ {D}, 〈wα, tα〉, Φα and there exists M such that 〈C,M〉
l
−→
〈C′,M ′〉, then there exists Φ′ such that Φ′ ⊢RegVar C′ →֒ {D′}, 〈wβ , tβ〉, Φβ and:
– wβ ⊑ wα and tβ ⊑ tα;
– Φβ ⊒ Φα.
Proof. We prove the proposition by induction on the structure of C and by cases on the
last rule applied in the type derivation. In the proof we omit the explicit representation
of the code production since it is not relevant in this context.
Base case
In this case C ∈ {skip, x := E, out ch E}. For any such C we have that ∀M
〈C,M〉
l
−→ 〈 r,M ′〉 for suitable l andM ′. Since ∀Φ Φ ⊢RegVar r→֒ { r}, 〈WrH,Trm (0, 0)〉, Φ
the statement trivially holds.
Inductive step
Case C = if E then C1 else C2. An if statement can be typed according to two
rules, [if − any] and [if −H].
Assume the rule [if − any] is used. Then Φ ⊢RegVar if E then Ct else Ce →֒
{. . . } , 〈write(λ) ⊔ w1 ⊔ w2, term(λ) ⊔− t1 ⊔− t2〉 , ΦF holds under the assumption
that Φ, {} RegVar E →֒ {. . . }, 〈λ, ng〉, r, Φ1 and Φ1 ⊢
Reg
Var Ct →֒ {. . . }, 〈w1, t1〉, Φ2 and
Φ1 ⊢
Reg
Var Ce →֒ {. . . }, 〈w2, t2〉, Φ3 , such that ΦF = Φ2 ⊓ Φ3. Assume that M is such
that 〈if E then Ct else Ce,M〉
τ
−→ 〈Ct,M〉. The statement is true for Φ′ = Φ1 since
wβ = w1 ⊑ write(λ)⊔w1 ⊔w2 = wα and tβ = t1 ⊑ term(λ)⊔− t1⊔− t2 = tα and Φβ =
Φ2 ⊒ Φ2 ⊓ Φ3 = ΦF = Φα. The case for M such that 〈if E then Ct else Ce,M〉
τ
−→
〈Ce,M〉 is analogous, hence it is omitted.
Consider the case in which the rule [if −H] is used instead. Then we know Φ ⊢RegVar
if E then Ct else Ce →֒ {. . . } , 〈Wr H,Trm (m+ 1, ng +max(nt, ne) + 2)〉 , ΦF
under the assumption that Φ, {} RegVar E →֒ {. . . }, 〈H,ng〉, r, Φ1 and Φ1 ⊢
Reg
Var Ct →֒
{. . . }, 〈Wr H,Trm (m,nt)〉, Φ2 and Φ1 ⊢RegVar Ce →֒ {. . . }, 〈Wr H,Trm (m,ne)〉, Φ3
such that ΦF = Φ2 ⊓ Φ3. Assume that M is such that 〈if E then Ct else Ce,M〉
τ
−→
〈Ct,M〉. The statement is true for Φ′ = Φ1 since wβ = Wr H ⊑ Wr H = wα and
tβ = Trm (m,nt) ⊑ Trm (m + 1, ng + max(nt, ne) + 2) = tα and Φβ = Φ2 ⊒
Φ2 ⊓Φ3 = ΦF = Φα. The case for M such that 〈if E then Ct else Ce,M〉
τ
−→ 〈Ce,M〉
is analogous, hence it is omitted.
Case C = while x do C′. Then we know that Φ ⊢RegVar while x do C′ →֒
{. . . } , 〈write(λ) ⊔ w, term(λ) ⊔− t〉 , ΦB . This is true under the assumption that, for
Φ∗ = Φ[r
W
→ x], there exists ΦB such that ΦB ⊑ Φ∗ and ΦB ⊑ ΦE [r
W
→ x] for
which ΦB ⊢RegVar C′ →֒ {. . . }, 〈w, t〉, ΦE . It is required that λ = level(x) = level(r)
and write(λ) ⊒ w and t = Trm H ⇒ write(λ) = Wr H . Assume that M is such
that 〈while x do C′,M〉 τ−→ 〈C′;while x do C′,M〉 and consider the following type
derivation
ΦB ⊢
Reg
Var C
′ →֒ {. . . }, 〈w, t〉, ΦE
ΦB ⊑ ΦE [r
W
→ x]
ΦB ⊢
Reg
Var C
′ →֒ {. . . }, 〈w, t〉, ΦE
write(λ) ⊒ w
t = Trm H ⇒ write(λ) = Wr H
∆
ΦB ⊢
Reg
Var
{
C′;
while x do C′
}
→֒ {. . . },
〈
write(λ) ⊔ w
t ⊎ (term(λ) ⊔− t)
〉
, ΦB
for ∆ = ΦE ⊢RegVar while x do C′ →֒ {. . . }, 〈write(λ) ⊔ w, term(λ) ⊔− t〉, ΦB .
Notice that the proposition is true for Φ′ = ΦB since wβ = write(λ) ⊔ w ⊑
write(λ) ⊔ w = wα and tβ = t ⊎ (term(λ) ⊔− t) = term(λ) ⊔− t ⊑ term(λ) ⊔− t = tα
and Φβ = ΦB ⊒ ΦB = Φα. The case for M such that 〈while x do C′,M〉
τ
−→ 〈 r,M〉 is
trivial, hence it is omitted.
Case C = C1;C2. Then we know that Φ ⊢RegVar C1;C2 →֒ {. . . }, 〈w1 ⊔ w2, t1 ⊎
t2〉, Φ2 under the assumption that Φ ⊢RegVar C1 →֒ {. . . }, 〈w1, t1〉, Φ1 and Φ1 ⊢
Reg
Var
C2 →֒ {. . . }, 〈w2, t2〉, Φ2 and t1 = Trm H ⇒ w2 = Wr H . We now consider the
reduction of C by distinguishing two cases.
Assume the rule [c − 1] is applied. Hence there exists C3 such that C = R[C3] and
〈R[C3],M〉
l
−→ 〈R[C′3],M
′〉, given that 〈C3,M〉
l
−→ 〈C′3,M
′〉 and C′3 6= r. By hypoth-
esis of type-correctness and Lemma 8, this type derivation for C must exist
Φ ⊢RegVar C3 →֒ {. . . }, 〈w3, t3〉, Φ3 Φ3 ⊢
Reg
Var R[
r] →֒ {. . . }, 〈wc, tc〉, Φ2
t3 = Trm H ⇒ wc = Wr H
Φ ⊢RegVar R[C3] →֒ {. . . }, 〈w3 ⊔ wc, t3 ⊎ tc〉, Φ2
Notice that it must also be that w3 ⊔ wc = w1 ⊔ w2 and t3 ⊎ tc = t1 ⊎ t2. By ap-
plying the inductive hypothesis on C3, there must exist a Φ′ such that Φ′ ⊢RegVar C′3 →֒
{. . . }, Φ′3, 〈w
′
3, t
′
3〉 such that w′3 ⊑ w3 and t′3 ⊑ t3 and Φ′3 ⊒ Φ3. Consider this type
derivation for R[C′3]
(i)
Φ3 ⊢
Reg
Var R[
r] →֒ {. . . }, 〈wc, tc〉, Φ2
Φ′3 ⊢
Reg
Var R[
r] →֒ {. . . }, 〈wc, tc〉, Φ
′
2(ii)
t′3 = Trm H ⇒ wc = Wr H
Φ′ ⊢RegVar R[C
′
3] →֒ {. . . }, 〈w
′
3 ⊔ wc, t
′
3 ⊎ tc〉, Φ
′
2
where (i) stays for Φ′ ⊢RegVar C′3 →֒ {. . . }, 〈w′3, t′3〉, Φ′3 and holds by hypothesis, and (ii)
is an application of Lemma 6. We have that wβ = w′3⊔wc ⊑ w3⊔wc = w1⊔w2 = wα
and tβ = t′3⊎ tc ⊑ t3⊎ tc = t1⊎ t2 = tα and Φβ = Φ′2 ⊒ Φ2 = Φα because of Lemma
6.
Assume the rule [c − 2] is applied instead. Hence ∃C3, C4 such that C = R[C3;C4]
and 〈R[C3;C4],M〉
l
−→ 〈R[C4],M
′〉, given that 〈C3,M〉
l
−→ 〈 r,M ′〉. By hypothesis of
type-correctness, this type derivation for C must exist
Φ ⊢RegVar C3 →֒ {. . . }, 〈w3, t3〉, Φ3 Φ3 ⊢
Reg
Var R[C4] →֒ {. . . }, 〈wc, tc〉, Φ2
t3 = Trm H ⇒ wc = Wr H
Φ ⊢RegVar R[C3;C4] →֒ {. . . }, 〈w3 ⊔wc, t3 ⊎ tc〉, Φ2
Notice that it must also be that w3 ⊔ wc = w1 ⊔ w2 and t3 ⊎ tc = t1 ⊎ t2. By having
Φ′ = Φ3 we immediately have that Φ3 ⊢RegVar R[C4] →֒ {. . . }, 〈wc, tc〉, Φ2 and wβ =
wc ⊑ w3 ⊔ wc = w1 ⊔ w2 = wα and tβ = tc ⊑ t3 ⊎ tc = t1 ⊎ t2 = tα and
Φβ = Φ2 ⊒ Φ2 = Φα.
Before illustrating the details of the proof for Proposition 3 we continue with some
other auxiliary results that formalize features of commands that are associated to a
write effect Wr H . The first result states that a Wr H command does not produce low-
distinguishable actions and does not alter the low part of the memory.
Lemma 9 (Low transparency of 〈WrH, t〉 commands). LetC be a while command
such that C 6= rand there exists Φ such that Φ ⊢RegVar C →֒ {. . . }, 〈Wr H, t〉, Φα. Then
for any M we have 〈C,M〉 l−→ 〈C′,M ′〉 such that low (l) = τ and M =L M ′.
Proof. We prove the proposition by induction on the structure of C and by cases on the
last rule applied in the type derivation. In the proof we omit the explicit representation
of the code production since it is not relevant in this context. Recall that ∀Φ Φ ⊢RegVar
r→֒ { r}, 〈Wr H,Trm (0, 0)〉, Φ.
Base case
Case C = skip. We know that Φ ⊢RegVar skip →֒ {. . . }, 〈Wr H,Trm (1, 1)〉, Φ and
that, for any memory M , 〈skip,M〉 τ−→ 〈 r,M〉.
Case C = x := E. Assume that Φ ⊢RegVar x := E →֒ {. . . }, 〈Wr H,Trm (1, n +
1)〉, Φ′. Then level(x) = H and we know that, for any memory M , 〈x := E,M〉 τ−→
〈 r,M [x\[[E]](M)]〉 such that M [x\[[E]](M)] =L M .
Case C = out ch E. Assume that Φ ⊢RegVar out ch E →֒ {. . . }, 〈Wr H,Trm (1, n+
1)〉, Φ′. Then level(ch) = H and we know that, for any memory M , it is true that
〈out ch E,M〉
ch![[E]](M)
−−−−−−−→ 〈 r,M〉 such that low (ch![[E]](M)) = τ .
Inductive step
CaseC = if E thenCt elseCe. Regardless of the typing derivation, for any memory
M there are two cases that are possible: either 〈if E thenCt elseCe,M〉
τ
−→ 〈Ct,M〉 or
〈if E thenCt elseCe,M〉
τ
−→ 〈Ce,M〉. Hence, regardless ofM , the transition produces
a silent action and does not alter the memory, therefore the property trivially holds.
Case C = while x do C′. Regardless of the typing derivation, for any memory
M there are two cases that are possible: either we have that 〈while x do C′,M〉 τ−→
〈 r,M〉 or 〈while x do C′,M〉
τ
−→ 〈C′;while x do C′,M〉. Hence, regardless of M ,
the transition produces a silent action and does not alter the memory, and the property
trivially holds.
Case C = C1;C2. We proceed by cases according to the semantic rule used to
reduce the first element of the pair.
Assume M is considered such that rule [c − 1] is applied. Hence there exists C3 ∈
{if E then Ct else Ce,while x do C
′} such that C1;C2 = R[C3] and 〈R[C3],M〉
l
−→
〈R[C′3],M
′〉, given that C′3 6= r.
As it has been observed previously, regardless of their type derivation, none of the
commands produce a visible action and alter the memory, hence the property trivially
holds. Assume M is considered such that rule [c − 2] is applied instead. Hence there
exist two commands C3 and C4 such that C1;C2 = R[C3;C4] and 〈R[C3;C4],M〉
l
−→
〈R[C4],M
′〉, given that 〈C3,M〉
l
−→ 〈 r,M ′〉. We distinguish two cases. Assume C3 in
{skip, x := E, out ch E}. If Φ ⊢RegVar C1;C2 →֒ {. . . }, 〈Wr H, t〉, Φα then, by Lemma
8, a type derivation
Φ ⊢RegVar C3 →֒ {. . . }, 〈Wr H,Trm (1, na)〉, Φ1
Φ1 ⊢
Reg
Var R[
r;C4] →֒ {. . . }, 〈Wr H, t
′〉, Φα
Φ ⊢RegVar R[C3;C4] →֒ {. . . }, 〈Wr H, t〉, Φα
must exist such that t = Trm (1, na)⊎t′. By applying the inductive hypothesis onC3 we
know that for all M we have 〈C3,M〉
l
−→ 〈 r,M ′〉 such that low (l) = τ and M =L M ′,
hence the property holds. Assume C3 = while x do C′. As observed previously, the
command neither produces a visible action nor alter the memory. Therefore the property
trivially holds.
The second result investigates the features of Wr H commands further.
Lemma 10 (Progress properties of 〈Wr H, t〉 commands). Let C be a while com-
mand for which there exists Φ such that Φ ⊢RegVar C →֒ {. . . }, 〈Wr H,Trm (m,n)〉, Φα.
Then for any memory M such that 〈C,M〉 l−→ 〈C′,M ′〉 there exists Φ′ such that
Φ′ ⊢RegVar C
′ →֒ {. . . }, 〈Wr H,Trm (m− 1, n′)〉, Φβ and Φβ ⊒ Φα.
Proof. We prove the proposition by induction on the structure of C and by cases on the
last rule applied in the type derivation. In the proof we omit the explicit representation
of the code production since it is not relevant in this context. Recall that ∀Φ Φ ⊢RegVar
r →֒ { r}, 〈Wr H,Trm (0, 0)〉, Φ, and observe that there is no type derivation that can
associate 〈Wr H,Trm (m,n)〉 to while x do C.
Base case
Case C = skip. We know that Φ ⊢RegVar skip →֒ {. . . }, 〈Wr H,Trm (1, 1)〉, Φ and
that, for any memory M , 〈skip,M〉 τ−→ 〈 r,M〉.
Case C = x := E. Assume that Φ ⊢RegVar x := E →֒ {. . . }, 〈Wr H,Trm (1, n +
1)〉, Φ′. Then we know that, for any memory M , it is true that 〈x := E,M〉 τ−→
〈 r,M [x\[[E]](M)]〉.
Case C = out ch E. Assume that Φ ⊢RegVar out ch E →֒ {. . . }, 〈Wr H,Trm (1, n+
1)〉, Φ′. Then we know that, for any memory M , 〈out ch E,M〉 ch![[E]](M)−−−−−−−→ 〈 r,M〉.
Inductive step
Case C = if E then Ct else Ce. Assume Φ ⊢RegVar if E then Ct else Ce →֒
{. . . } , 〈Wr H,Trm (m + 1, ng + max(nt, ne) + 2)〉 , Φ2 ⊓ Φ3. Then it must be
Φ, {} RegVar E →֒ {. . . }, 〈H,ng〉, r, Φ1 together with the derivation Φ1 ⊢
Reg
Var Ct →֒
{. . . }, 〈Wr H,Trm (m,nt)〉, Φ2 and Φ1 ⊢RegVar Ce →֒ {. . . }, 〈WrH,Trm (m,ne)〉, Φ3.
Hence, regardless of which branch is triggered by the reduction step, the property holds.
Case C = C1;C2. Assume Φ ⊢RegVar C1;C2 →֒ {. . . }, 〈WrH,Trm (m,n)〉, Φα. We
proceed by cases according to the semantic rule used to reduce the first element of the
pair.
Assume M is considered such that rule [c − 1] is applied. Hence there exists C3 =
if E then Ct else Ce such that C1;C2 = R[C3] and 〈R[C3],M〉
l
−→ 〈R[C′3],M
′〉, given
that C′3 6= r.
By Lemma 8, a type derivation
Φ ⊢RegVar C3 →֒ {. . . }, 〈Wr H,Trm (ma, na)〉, Φ1
Φ1 ⊢
Reg
Var R[
r] →֒ {. . . }, 〈Wr H,Trm (mb, nb)〉, Φα
Φ ⊢RegVar R[C3] →֒ {. . . }, 〈Wr H,Trm (m,n)〉, Φα
must exist such that Trm (m,n) = Trm (ma, na) ⊎ Trm (mb, nb). By applying the
inductive hypothesis on C3 we know that for all M we have 〈C3,M〉
l
−→ 〈C′3,M
′〉 and
exists Φ′ such that Φ′ ⊢RegVar C′3 →֒ {. . . }, 〈WrH,Trm (ma− 1, n′a)〉, Φ′1 and Φ′1 ⊒ Φ1.
Hence
Φ′ ⊢RegVar C
′
3 →֒ {. . . }, 〈Wr H,Trm (ma − 1, n
′
a)〉, Φ
′
1
Φ′1 ⊢
Reg
Var R[
r] →֒ {. . . }, 〈Wr H,Trm (mb, nb)〉, Φ
′
α
Φ′ ⊢RegVar R[C
′
3] →֒ {. . . }, 〈Wr H,Trm (m− 1, n
′
a + nb)〉, Φ
′
α
is a valid type derivation and Φ′α ⊒ Φα, by Lemma 8 and Lemma 6.
Assume M is considered such that rule [c − 2] is applied instead. Hence there exist
two commands C3 ∈ {skip, x := E, out ch E} and C4 such that C1;C2 = R[C3;C4]
and 〈R[C3;C4],M〉
l
−→ 〈R[C4],M
′〉, given that 〈C3,M〉
l
−→ 〈 r,M ′〉. By the hypothesis
about the type of C and Lemma 8, a type derivation
Φ ⊢RegVar C3 →֒ {. . . }, 〈Wr H,Trm (1, na)〉, Φ1
Φ1 ⊢
Reg
Var R[
r;C4] →֒ {. . . }, 〈Wr H,Trm (m− 1, nb)〉, Φα
Φ ⊢RegVar R[C3;C4] →֒ {. . . }, 〈Wr H,Trm (m,na + nb)〉, Φα
hence Φ1 ⊢RegVar R[C4] →֒ {. . . }, 〈Wr H,Trm (m− 1, nb)〉, Φα is a derivation proving
the property.
Proof (of Proposition 3).
Let us consider the relation R between while programs defined as follows:
H = {C|∃Φ.Φ ⊢RegVar C →֒ {. . . }, 〈Wr H, t〉, Φ
′} ∪ { r}
A = {(C,C)|∃Φ.Φ ⊢RegVar C →֒ {. . . }, 〈w, t〉, Φ
′}
X = {(R[C1], R[C2]|∃ΦαΦβ such that
Φα ⊢
Reg
Var R[C1] →֒ {. . . }, 〈w1, t1〉, Φ
′
α and
Φβ ⊢
Reg
Var R[C2] →֒ {. . . }, 〈w2, t2〉, Φ
′
β and
Φα ⊢
Reg
Var C1 →֒ {. . . }, 〈Wr H,Trm (m,n1)〉, Φ1 and
Φβ ⊢
Reg
Var C2 →֒ {. . . }, 〈Wr H,Trm (m,n2)〉, Φ2 and
Φ1 ⊓ Φ2 ⊢
Reg
Var R[
r] →֒ {. . . }, 〈w3, t3〉, Φ3}
R = A ∪X ∪H2
We now show that R is a strong bisimulation for while programs. Recall that
strong bisimulation is defined for termination transparent systems, hence we should
lift the semantics of while programs to a termination transparent system first, and
then proceed with the proof. However, for improving readability, we take a different
approach. Wherever it is possible (i.e. wherever the commands are not r) we reason
directly on the semantics of the while language, and we appeal to the features of the
termination transparent semantics for while programs only where it is strictly neces-
sary (Part 2).
Part 1.
We start by showing that pairs inA perform transitions that correspond to low equiv-
alent actions and preserve low equality of memories. Also, we show that transitions are
performed towards pairs of commands that are either in A, X or H2. We proceed by
cases on C.
Case (skip, skip). We know that ∀M =L N 〈skip,M〉
τ
−→ 〈 r,M〉 if and only if
〈skip, N〉
τ
−→ 〈 r, N〉. Moreover, ( r, r) ∈ H2.
Case (x := E, x := E). Assume that level(x) = H . Then ∀M =L N 〈x :=
E,M〉
τ
−→ 〈 r,M [x\[[E]](M)]〉 if and only if 〈x := E,N〉 τ−→ 〈 r, N [x\[[E]](N)]〉.
Moreover M [x\[[E]](M)] =L N [x\[[E]](N)] since level(x) = H .
Assume that level(x) = L. Then we know that the derivation Φ ⊢RegVar x := E →֒
{. . . }, 〈Wr L,Trm L〉, Φ′[r
W
→ x] holds under the assumption that Φ, {} RegVar E →֒
{. . . }, 〈L, n〉, r, Φ′. Since the security level of an expression represents the upper bound
of the security levels of written registers, which in turns represent the upper bound of
the security levels of read variables, the type derivation ensures that E does not involve
variables from H . Hence ∀M =L N [[E]](M) = [[E]](N) = k. We therefore conclude
that 〈x := E,M〉 τ−→ 〈 r,M [x\k]〉 if and only if 〈x := E,N〉 τ−→ 〈 r, N [x\k]〉. Moreover
M [x\k] =L N [x\k].
Case (out ch E, out ch E). Assume that level(ch) = H . In this case ∀M =L N it
must be that 〈out ch E,M〉 ch![[E]](M)−−−−−−−→ 〈 r,M〉 if and only if 〈out ch E,N〉 ch![[E]](N)−−−−−−→
〈 r, N〉. Moreover low(ch![[E]](M)) = low (ch![[E]](M)) = τ since level(ch) = H .
Assume that level(ch) = L. Then we know that the derivation Φ ⊢RegVar out ch E →֒
{. . . }, 〈Wr L,Trm L〉, Φ′ holds provided that Φ, {} RegVar E →֒ {. . . }, 〈L, n〉, r, Φ′.
Since the security level of an expression represents the upper bound of the security
levels of written registers, which in turns represent the upper bound of the security
levels of read variables, the type derivation ensures that E does not involve variables
from H . Hence ∀M =L N [[E]](M) = [[E]](N) = k. We therefore conclude that
〈out ch E,M〉
ch!k
−−−→ 〈 r,M〉 if and only if 〈out ch E,N〉 ch!k−−−→ 〈 r, N〉.
Case (if E then Ct else Ce, if E then Ct else Ce). Regardless of the typing deriva-
tion used for including the pair in A, for any memory M two cases are possible: either
〈if E then Ct else Ce,M〉
τ
−→ 〈Ct,M〉 or 〈if E then Ct else Ce,M〉
τ
−→ 〈Ce,M〉.
Hence, regardless of M , the transition produces a silent action and does not alter the
memory. This reduces checking the strong bisimulation condition to checking that the
pairs of reduced commands are in R. This aspect is ensured by a careful analysis of the
type derivation used to include the pair in A.
An if statement can be typed according to two rules, [if − any] and [if −H].
Assume the rule [if − any] is used. Then we know that the derivation Φ ⊢RegVar
if E then Ct else Ce →֒ {. . . } , 〈term(λ) ⊔− t1 ⊔− t2,write(λ) ⊔ w1 ⊔ w2〉 , ΦF
holds under the assumption that Φ, {} RegVar E →֒ {. . . }, 〈λ, ng〉, r, Φ1 and Φ1 ⊢
Reg
Var
Ct →֒ {. . . }, 〈w1, t1〉, Φ2 and Φ1 ⊢RegVar Ce →֒ {. . . }, 〈w2, t2〉, Φ3 and write(λ) ⊒ wi
Assume that λ = H . Then write(λ) = H and w1 = w2 = H . Hence, all possible pairs
of reduced terms, namely (Ct, Ct), (Ct, Ce), (Ce, Ct) and (Ce, Ce) are in H2. Assume
that λ = L. Since the security level of an expression represents the upper bound of
the security levels of written registers, which in turns represent the upper bound of the
security levels of read variables, the type derivation ensures that E does not involve
variables from H . Then ∀M =L N 〈if E then Ct else Ce,M〉
τ
−→ 〈C∗,M〉 if and only
if 〈if E then Ct else Ce, N〉
τ
−→ 〈C∗, N〉, for C∗ ∈ {Ct, Ce}. Moreover, (C∗, C∗) ∈ A
follows directly by Proposition 4.
Assume the rule [if − H] is used instead. Then we know that it must be Φ ⊢RegVar
if E thenCt elseCe →֒ {. . . } , 〈WrH,Trm (m+1, ng+max(nt, ne)+2)〉 , ΦF un-
der the assumption that Φ1 ⊢RegVar Ct →֒ {. . . }, 〈Wr H,Trm (m,nt)〉, Φ2 and Φ1 ⊢
Reg
Var
Ce →֒ {. . . }, 〈Wr H,Trm (m,ne)〉, Φ3. Hence, as it was concluded in the previous
subcase, all possible pairs of reduced terms, namely (Ct, Ct), (Ct, Ce), (Ce, Ct) and
(Ce, Ce) are in H2.
Case (while x do C,while x do C). Regardless of the typing derivation used for
including the pair in A, for any memory M two cases are possible: either it is true that
〈while x do C,M〉
τ
−→ 〈 r,M〉 or 〈while x do C,M〉
τ
−→ 〈C;while x do C,M〉. Hence,
regardless of M , the transition produces a silent action and does not alter the memory.
This reduces checking the strong bisimulation condition to checking that the pairs of
reduced commands are in R. This aspect is ensured by a careful analysis of the type
derivation used to include the pair in A. We know that Φ ⊢RegVar while x do C →֒
. . . , 〈write(λ)⊔w, term(λ)⊔− t〉 , ΦB providing that ΦB ⊢RegVar C →֒ {. . . }, 〈w, t〉, ΦE
and write(λ) ⊒ w and t = Trm H ⇒ write(λ) = Wr H , for λ = level(x) = level(r).
Assume that λ = H . Then write(λ) = w = Wr H , hence all possible pairs of reduced
terms, namely (C,C), (C, r), ( r, C) and ( r, r) are in H2. Assume that λ = L. Then
∀M =L N 〈while x do C,M〉
τ
−→ 〈C∗,M〉 if and only if 〈while x do C,N〉
τ
−→
〈C∗, N〉, for C∗ ∈ {C;while x do C, r}. Moreover we can conclude that the pair
(C;while x do C,C;while x do C) is in A by Proposition 4, and ( r, r) ∈ H2 by
definition.
Case (C1;C2, C1;C2). We proceed by cases according to the semantic rule used to
reduce the first element of the pair.
Assume M is considered such that rule [c − 1] is applied. Hence there exists C3 ∈
{if E then Ct else Ce,while x do C} such that C1;C2 = R[C3] and 〈R[C3],M〉
l
−→
〈R[C′3],M
′〉, given that C′3 6= r.
Let us consider C3 = if E then Ct else Ce. As it has been observed previously, for any
memory M two cases are possible: either we have that 〈if E then Ct else Ce,M〉
τ
−→
〈Ct,M〉 or 〈if E then Ct else Ce,M〉
τ
−→ 〈Ce,M〉. Hence, regardless of M , the tran-
sition produces a silent action and does not alter the memory. We only need to ensure
that the pair of reduced commands remains in R.
Assume the rule [if − any] was used for typing C3. Then we know Φ ⊢RegVar C3 →֒
{. . . } , 〈write(λ) ⊔ w1 ⊔ w2, term(λ) ⊔− t1 ⊔− t2〉 , ΦF under the assumption that
Φ, {} RegVar E →֒ {. . . }, 〈λ, ng〉, r, Φ1 and Φ1 ⊢
Reg
Var Ct →֒ {. . . }, 〈w1, t1〉, Φ2 and
Φ1 ⊢
Reg
Var Ce →֒ {. . . }, 〈w2, t2〉, Φ3 and write(λ) ⊒ wi, such that ΦF = Φ2 ⊓ Φ3.
Assume that λ = H . Then write(λ) = H and w1 = w2 = H , hence Φ ⊢RegVar
C3 →֒ {. . . } , 〈Wr H,Trm H〉 , ΦF . Since R[C3] is typable, R[ r] must be ty-
pable (Lemma 8) and it must have type 〈Wr H, t〉 for an appropriate t. Hence, R[Ct]
must have type 〈Wr H, t′〉 and R[Ce] must have type 〈Wr H, t′′〉 (Proposition 4).
Therefore all possible pairs of reduced terms, namely (R[Ct], R[Ct]), (R[Ct], R[Ce]),
(R[Ce], R[Ct]) and (R[Ce], R[Ce]) are in H2. Assume that λ = L. Since the secu-
rity level of an expression represents the upper bound of the security levels of written
registers, which in turns represent the upper bound of the security levels of read vari-
ables, the type derivation ensures that E does not involve variables from H . Then for
all memories N such that M =L N 〈if E then Ct else Ce,M〉
τ
−→ 〈C∗,M〉 implies
〈if E then Ct else Ce, N〉
τ
−→ 〈C∗, N〉, for C∗ ∈ {Ct, Ce}. Moreover, by Proposition
4, R[C∗] is typable, hence pairs (R[C∗], R[C∗]) are in A.
Assume the rule [if −H] is used instead. Then we know that the derivation Φ ⊢RegVar
C3 →֒ {. . . } , 〈Wr H,Trm (m + 1, ng + max(nt, ne) + 2)〉 , Φ2 ⊓ Φ3 holds
under the assumption that Φ, {} RegVar E →֒ {. . . }, 〈H,ng〉, r, Φ1, Φ1 ⊢
Reg
Var Ct →֒
{. . . }, 〈Wr H,Trm (m,nt)〉, Φ2 and Φ1 ⊢RegVar Ce →֒ {. . . }, 〈WrH,Trm (m,ne)〉, Φ3.
Since R[C3] is typable, R[ r] must be typable in Φ2 ⊓ Φ3 (Lemma 8). Also, since
Φi ⊒ Φ2 ⊓ Φ3, for i ∈ {2, 3}, R[ r] must be also typable in Φ2 and Φ3 (Lemma
6). Hence all possible pairs of reduced terms, namely (R[Ct], R[Ct]), (R[Ct], R[Ce]),
(R[Ce], R[Ct]) and (R[Ce], R[Ce]) are in X2.
Let us consider C3 = while x do C. Since C1;C2 is typable, both C3 and R[ r] must be
typable (Lemma 8). We know that Φ ⊢RegVar C3 →֒ {. . . } , 〈write(λ) ⊔w, term(λ) ⊔−
t〉 , ΦB for λ = level(x) = level(r), providing that ΦB ⊢RegVar C →֒ {. . . }, 〈w, t〉, ΦE
and write(λ) ⊒ w and t = Trm H ⇒ write(λ) = Wr H . Assume that λ = H . Then
write(λ) = H and w = H , hence Φ ⊢RegVar C3 →֒ {. . . } , 〈Wr H,Trm H〉 , ΦB
and R[ r] must have type 〈Wr H, t〉 for an appropriate t. Since we know, for the as-
sumption on M , that 〈R[C3],M〉
τ
−→ 〈R[C;C3],M〉 it must be, by Proposition 4, that
also R[C;C3] has type 〈Wr H, t′〉, for a suitable t′. Hence, for all memories N such
that M =L N , either 〈R[C3], N〉
τ
−→ 〈R[C;C3], N〉 and (R[C;C3], R[C;C3]) is in
H2, or 〈R[C3], N〉
τ
−→ 〈R[ r], N〉 and therefore (R[C;C3], R[ r]) is in H2. Assume that
λ = L. Then for all memories N such that M =L N 〈R[C3], N〉
τ
−→ 〈R[C;C3], N〉.
By Proposition 4 R[C;C3] is typable, hence the pair (R[C;C3], R[C;C3]) is in A.
Assume the rule [c − 2] is applied instead. Hence there exist two commands C3
and C4 such that C1;C2 ≡ R[C3;C4] and 〈R[C3;C4],M〉
l
−→ 〈R[C4],M
′〉, given that
〈C3,M〉
l
−→ 〈 r,M ′〉. We distinguish two cases. AssumeC3 in {skip, x := E, out ch E}.
For what we observed previously, since C3 is typable, ∀M =L N 〈C3,M〉
l
−→ 〈 r,M ′〉
if and only if 〈C3, N〉
l′
−→ 〈 r, N ′〉 such that low(l) = low(l′) and M ′ =L N ′. Also,
by Proposition 4, R[C4] is typable, hence (R[C4], R[C4]) ∈ A. Assume that C3 is
while x do C. Since C1;C2 is typable, both C3 and R[C4] must be typable (Lemma
8). We know that Φ ⊢RegVar C3 →֒ {. . . } , 〈write(λ) ⊔ w, term(λ) ⊔− t〉 , ΦB
for λ = level(x) = level(r), providing that ΦB ⊢RegVar C →֒ {. . . }, 〈w, t〉, ΦE and
write(λ) ⊒ w and t = Trm H ⇒ write(λ) = Wr H . Assume that λ = H . Then
write(λ) = H and w = H , hence Φ ⊢RegVar C3 →֒ {. . . } , 〈Wr H,Trm H〉 , ΦB
and ΦB ⊢RegVar C →֒ {. . . }, 〈Wr H, t〉, ΦE . Since R[C4] is typable (Proposition 4),
R[ r] must have type 〈Wr H, t〉 for an appropriate t. This implies that also R[C3;C4]
has type 〈Wr H,Trm H〉. Hence, for all memories N such that M =L N , either
〈R[C3;C4], N〉
τ
−→ 〈R[C;C3;C4], N〉 and (R[C4], R[C;C3;C4]) is in H2, or we have
that 〈R[C3;C4], N〉
τ
−→ 〈R[C4], N〉 and (R[C4], R[C4]) is in H2. Assume that λ = L.
Then for all memories N such that M =L N 〈R[C3;C4], N〉
l
−→ 〈R[C4], N〉. By
Proposition 4 R[C4] is typable, hence the pair (R[C4], R[C4]) is in A.
Part 2.
Let C ∈ H such that C 6= r. Lemma 9 ensures that, for any memoryM , C does not
produce an action different than τ or alter the low part of M . Proposition 4 ensures that
the reduced command remains in H . Also, recall that 〈 r,M〉 τ−→∞ 〈 r,M〉. This suffices
to show that, according to the termination transparent semantics of while, all pairs in
H2 perform transitions that correspond to low equivalent actions, in which low equality
of memories is preserved and such that reduced pairs of commands are still in H2.
Part 3.
We complete the proof by showing that pairs in X perform transitions that corre-
spond to low equivalent actions and preserve low equality of memories. Also, we show
that transitions are performed towards pairs of commands that are either in X or in
A. Let (R[C1], R[C2]) ∈ X . By definition there must exist Φ1 and Φ2 such that the
following derivation are correct:
Φ1 ⊢
Reg
Var C1 →֒ {. . . }, 〈Wr H,Trm (m,n1)〉, Φ
′
1
Φ2 ⊢
Reg
Var C2 →֒ {. . . }, 〈Wr H,Trm (m,n2)〉, Φ
′
2
Φ′1 ⊓ Φ
′
2 ⊢
Reg
Var R[
r] →֒ {. . . }, 〈w, t〉, Φ3
ConsiderM =L N such that 〈C1,M〉
l1−→ 〈C′1,M
′〉 and 〈C2, N〉
l2−→ 〈C′2, N
′〉. Lemma
9 ensures that low (l1) = low(l2) = τ and M ′ =L N ′. If m = 1 then both C′1 and C′2
are r and Φ′1 ⊓ Φ′2 ⊢
Reg
Var R[
r] →֒ {. . . }, 〈w, t〉, Φ3 ensures that (R[ r], R[ r]) ∈ R. If
m > 1 then Lemma 10 ensures that there exists Φα and Φβ for which the following
derivations are correct
Φα ⊢
Reg
Var C
′
1 →֒ {. . . }, 〈Wr H,Trm (m− 1, n
′
1)〉, Φ
′
α
Φβ ⊢
Reg
Var C
′
2 →֒ {. . . }, 〈Wr H,Trm (m− 1, n
′
2)〉, Φ
′
β
for Φ′α ⊒ Φ′1 and Φ′β ⊒ Φ′2. Hence it is true that (R[C′1], R[C′2]) ∈ X because
Φα ⊢
Reg
Var R[C
′
1] →֒ {. . . }, 〈wa, ta〉, Φa (Lemmas 8 and 6), Φβ ⊢RegVar R[C′2] →֒
{. . . }, 〈wb, tb〉, Φb (Lemmas 8 and 6) and Φ′α ⊓ Φ′β ⊢RegVar R[ r] →֒ {. . . }, 〈wc, tc〉, Φc
(Lemma 6).
We have shown that a type-correctwhile program is strongly secure. We now have
to show that the type system in Figures 17 and 18 translates a secure while program
into a secure i-while program. Since i-while programs form a subclass of while
programs, this can be shown by retyping a translated program and showing it is indeed
type-correct.
In order to state this result formally, we consider that now programs have vari-
ables in the set Var ′ = Var ∪ Reg. Moreover, from the set of register variables
Reg = {r1, . . . , rn} we define a new set of register variables, Reg ′ = {s1, . . . , sn} ∪
{s′1, . . . , s
′
n}, such that for a (former) register variable ri there are a corresponding reg-
ister variable corr(ri) = si and a corresponding shadow variable shw(ri) = s′i. We
assume that level(ri) = level(si) = level(s′i).
In order to show that the code D obtained from the compilation of a while pro-
gram C is retypable, we proceed via a stronger property. In particular we show that
the recompilation of D (i) maps two related input register records into two related out-
put register records and (ii) computes a security annotation which is equivalent (up-to
slowdown) to the one corresponding to D. We formalize the first aspect as follows.
Definition 19 (Register Correspondence). Let Φ and Φ′ be two register records de-
fined over Reg and Reg ′ respectively. We say that they are corresponding, written as
Φ
→
≡ Φ′, if:
– [ri
W
→ x] ∈ Φ⇒ [si
W
→ x] ∈ Φ′
– [ri
R
← x] ∈ Φ⇒ [si
W
→ r] ∈ Φ′
Notice that for any register variable ri associated in Φ we explicitly require the corre-
sponding register variable si (not the shadow register variable s′i) to be associated in
Φ′.
In order to state and prove the result about recompilation of compiled programs,
we begin by stating an auxiliary result that formalize the type correctness of the code
corresponding to the evaluation of a while expression.
Proposition 5 (Retyping of expressions). Let E be a while expression such that
there exists Φ for which Φ,A RegVar E →֒ {D}, 〈λ, n〉, r, Φα holds. Then for all Φ′ such
that Φ →≡ Φ′ we have that there exists a derivation Φ′ ⊢Reg
′
Var ′
D →֒ {D′}, 〈w, t〉, Φ′α
such that Φα
→
≡ Φ′α and:
– if λ = H or n = 0, then w = Wr H and t = (n, p);
– if λ = L and n > 0, then w = Wr L and t = Trm L.
Proof. We prove the proposition by induction on the structure of E and by cases on the
last rule applied in the type derivation.
Base case
Case E = k. Assume the following derivation exists
r ∈ Reg r 6∈ A level(r) = H
Φ,A 
Reg
Var k →֒ {r := k}, 〈H, 1〉, r, Φ[r 6→]
and consider Φ′, such that Φ →≡ Φ′, together with s = corr(r). Then the following
derivation exists.
s ∈ Reg ′ level(s) = H
Φ′, {} Reg
′
Var ′ k →֒ {s := k}, 〈H, 1〉, s, Φ
′[s 6→]
Φ′ ⊢Reg
′
Var ′
r := k →֒ {s := k; r := s}, 〈Wr H,Trm (1, 2)〉, Φ′[s
W
→ r]
We have that Φ[r 6→] →≡ Φ′[s W→ r] because:
– for any r′ 6= r, if [r′ W→ x] ∈ Φ[r 6→] then [s′ W→ x] ∈ Φ′[s W→ r] because
s′ 6= corr(r);
– for any r′ 6= r, if [r′ R← x] ∈ Φ[r 6→] then [s′ W→ r′] ∈ Φ′[s W→ r] because
s′ 6= corr(r);
– r is unassociated in Φ[r 6→].
Assume the following derivation exists
r ∈ Reg r 6∈ A level(r) = L
Φ,A 
Reg
Var k →֒ {r := k}, 〈L, 1〉, r, Φ[r 6→]
instead and consider Φ′, such that Φ →≡ Φ′, together with s = corr(r). Then the follow-
ing derivation exists
s ∈ Reg ′ level(s) = L
Φ′, {} Reg
′
Var ′ k →֒ {s := k}, 〈L, 1〉, s, Φ
′[s 6→]
Φ′ ⊢Reg
′
Var ′ r := k →֒ {s := k; r := s}, 〈Wr L,Trm L〉, Φ
′[s
W
→ r]
We have that Φ[r 6→] →≡ Φ′[s W→ r] because:
– for any r′ 6= r, if [r′ W→ x] ∈ Φ[r 6→] then [s′ W→ x] ∈ Φ′[s W→ r] because
s′ 6= corr(r);
– for any r′ 6= r, if [r′ R← x] ∈ Φ[r 6→] then [s′ W→ r′] ∈ Φ′[s W→ r] because
s′ 6= corr(r);
– r is unassociated in Φ[r 6→].
Case E = x. Assume the following derivation exists
x ∈ Var r ∈ Reg [r ↔ x] ∈ Φ
Φ,A 
Reg
Var x →֒ {
r}, 〈level(r), 0〉, r, Φ
and consider Φ′ such that Φ →≡ Φ′. Then the following derivation exists
Φ′ ⊢Reg
′
Var ′
r→֒ { r}, 〈Wr H,Trm (0, 0)〉, Φ′
Assume the following derivation exists instead
x ∈ Var r ∈ Reg r 6∈ A level(r) = H ⊒ level(x)
Φ,A 
Reg
Var x →֒ {r := x}, 〈H, 1〉, r, Φ[r
R
← x]
Then for Φ′, such that Φ →≡ Φ′ and s = corr(r) the following derivation exists
s ∈ Reg ′ level(s) = H
Φ′, {} Reg
′
Var ′
x →֒ {s := x}, 〈H, 1〉, s, Φ′[s
R
← x]
Φ′ ⊢Reg
′
Var ′
r := x →֒ {s := x; r := s}, 〈Wr H,Trm (1, 2)〉, Φ′[s
W
→ r]
We have that Φ[r R← x] →≡ Φ′[s W→ r]:
– for any r′ 6= r and y 6= x, if [r′ W→ y] ∈ Φ[r R← x] then [s′ W→ y] ∈ Φ′[s W→ r]
because s′ 6= corr(r);
– for any r′ 6= r and y 6= x, if [r′ R← y] ∈ Φ[r R← x] then [s′ W→ r′] ∈ Φ′[s W→ r]
because s′ 6= corr(r);
– [r
R
← x] ∈ Φ[r
R
← x] and [s W→ r] ∈ Φ′[s W→ r].
If
x ∈ Var r ∈ Reg r 6∈ A level(r) = L ⊒ level(x)
Φ,A 
Reg
Var x →֒ {r := x}, 〈L, 1〉, r, Φ[r
R
← x]
then for s = corr(r) and Φ′ such that Φ →≡ Φ′ the following derivation exists
s ∈ Reg ′ level(s) = L
Φ′, {} Reg
′
Var ′
x →֒ {s := x}, 〈L, 1〉, s, Φ′[s
R
← x]
Φ′ ⊢Reg
′
Var ′
r := x →֒ {s := x; r := s}, 〈Wr L,Trm L〉, Φ′[s
W
→ r]
We have that Φ[r R← x] →≡ Φ′[s W→ r]:
– for any r′ 6= r and y 6= x, if [r′ W→ y] ∈ Φ[r R← x] then [s′ W→ y] ∈ Φ′[s W→ r]
because s′ 6= corr(r);
– for any r′ 6= r and y 6= x, if [r′ R← y] ∈ Φ[r R← x] then [s′ W→ r′] ∈ Φ′[s W→ r]
because s′ 6= corr(r);
– [r
R
← x] ∈ Φ[r
R
← x] and [s W→ r] ∈ Φ′[s W→ r].
Inductive step
Case E = E1 op E2.
Consider that the following derivation exists
r, ra ∈ Reg
Φ,A 
Reg
Var E1 →֒ {D1}, 〈H,n1〉, r, Φ1
Φ1, A ∪ {r} 
Reg
Var E2 →֒ {D2}, 〈H,n2〉, ra, Φ2
H = level(r) = level(ra)
Φ,A 
Reg
Var E1 op E2 →֒


D1;
D2;
r := r op ra

 , 〈H,n1 + n2 + 1〉, r, Φ2[r 6→]
and consider Φ′ such that Φ →≡ Φ′. Then the following derivations exist by inductive
hypothesis
Φ′ ⊢Reg
′
Var ′
D1 →֒ {D
′
1}, 〈Wr H,Trm (n1, p1)〉, Φ
′
1
Φ′1 ⊢
Reg′
Var ′ D2 →֒ {D
′
2}, 〈Wr H,Trm (n2, p2)〉, Φ
′
2
such that Φ2
→
≡ Φ′2. In order for completing the case, we have to show that Φ′2 ⊢
Reg′
Var ′
r := r op ra →֒ {D
′}, 〈WrH,Trm (1, p)〉, Φ3 such that Φ2[r 6→]
→
≡ Φ3. We distinguish
four cases.
Case 1: there exist [r R← x], [ra
R
← y] ∈ Φ2. Since Φ2
→
≡ Φ′2, then we know [s
W
→
r], [sa
W
→ ra] ∈ Φ
′
2 and the following type derivation exists
s, sa ∈ Reg
′ level(s) = H
Φ′2, {} 
Reg′
Var ′ r op ra →֒ {s := s op sa}, 〈H, 1〉, s, Φ
′
2[s 6→]
Φ′2 ⊢
Reg′
Var ′ r := r op ra →֒ {s := s op sa; r := s}, 〈Wr H,Trm (1, 2)〉, Φ
′
2[s
W
→ r]
We have that Φ2[r 6→]
→
≡ Φ′2[s
W
→ r]:
– for any r′′ 6= r, if [r′′ W→ z] ∈ Φ2[r 6→] then [s′′
W
→ z] ∈ Φ′2[s
W
→ r] because
s′′ 6= corr(r);
– for any r′′ 6= r, if [r′′ R← z] ∈ Φ2[r 6→] then [s′′
W
→ r′′] ∈ Φ′2[s
W
→ r] because
s′′ 6= corr(r);
– r is unassociated in Φ2[r 6→].
Case 2: there exists [r R← x] ∈ Φ2 but there is not [ra
R
← y] ∈ Φ2. We therefore
distinguish two further subcases.
Case 2a: ra is unassociated in Φ2. Since Φ2
→
≡ Φ′2 we know [s
W
→ r] ∈ Φ′2 and the
following type derivation for sa = corr(ra) exists
s, sa ∈ Reg
′ level(s) = H
Φ′2, {s} 
Reg′
Var ′ ra →֒ {sa := ra}, 〈H, 1〉, sa, Φ
′
2[sa
R
← ra]
Φ′2, {} 
Reg′
Var ′
r op ra →֒
{
sa := ra;
s := s op sa
}
, 〈H, 2〉, s, Φ′2[s 6→][sa
R
← ra]
Φ′2 ⊢
Reg′
Var ′
r := r op ra →֒


sa := r;
s := s op sa;
r := s

 , 〈Wr H,Trm (1, 3)〉, Φ′2[s W→ r][sa R← ra]
We have that Φ2[r 6→]
→
≡ Φ′2[s
W
→ r][sa
R
← ra]:
– for any r′′ such that r′′ 6= r and r′′ 6= ra, if [r′′
W
→ z] ∈ Φ2[r 6→] then [s′′
W
→ z] ∈
Φ′2[s
W
→ r][sa
R
← ra] because s′′ 6= corr(r) and s′′ 6= corr(ra);
– for any r′′ such that r′′ 6= r and r′′ 6= ra, if [r′′
R
← z] ∈ Φ2[r 6→] then [s′′
W
→ r′′] ∈
Φ′2[s
W
→ r][sa
R
← ra] because s′′ 6= corr(r) and s′′ 6= corr(ra);
– r and ra are unassociated in Φ2[r 6→].
Case 2b: there exists [ra
W
→ y] ∈ Φ2. Since Φ2
→
≡ Φ′2 we know [s
W
→ r] ∈ Φ′2 and
[sa
W
→ y] ∈ Φ′2 and the following type derivation exists for s′a = shw(ra)
s, s′a ∈ Reg
′ level(s) = H
Φ′2, {s} 
Reg′
Var ′ ra →֒ {s
′
a := ra}, 〈H, 1〉, s
′
a, Φ
′
2[s
′
a
R
← ra]
Φ′2, {} 
Reg′
Var ′
r op ra →֒
{
s′a := ra;
s := s op s′a
}
, 〈H, 2〉, s, Φ′2[s 6→][s
′
a
R
← ra]
Φ′2 ⊢
Reg′
Var ′
r := r op ra →֒


s′a := ra;
s := s op s′a;
r := s

 , 〈Wr H,Trm (1, 3)〉, Φ′2[s W→ r][s′a R← ra]
We have that Φ2[r 6→]
→
≡ Φ′2[s
W
→ r][s′a
R
← ra]:
– for any r′′ such that r′′ 6= r and r′′ 6= ra, if [r′′
W
→ z] ∈ Φ2[r 6→] then [s′′
W
→ z] ∈
Φ′2[s
W
→ r][s′a
R
← ra] because s′′ 6= corr(r) and s′′ 6= shw(ra);
– for any r′′ such that r′′ 6= r and r′′ 6= ra, if [r′′
R
← z] ∈ Φ2[r 6→] then [s′′
W
→ r′′] ∈
Φ′2[s
W
→ r][s′a
R
← ra] because s′′ 6= corr(r) and s′′ 6= shw(ra);
– [ra
W
→ y] ∈ Φ2[r 6→] and [sa
W
→ y] ∈ Φ′2[s
W
→ r][s′a
R
← ra] because s′a = shw(ra);
– r is unassociated in Φ2[r 6→].
Case 3: there exists [ra
R
← y] ∈ Φ2 but there is not [r
R
← x] ∈ Φ2. We therefore
distinguish two further subcases.
Case 3a: r is unassociated in Φ2. Since Φ2
→
≡ Φ′2 we know [sa
W
→ ra] ∈ Φ
′
2 and the
following type derivation for s = corr(r) exists
s, sa ∈ Reg
′ level(s) = H
Φ′2, {} 
Reg′
Var ′
r →֒ {s := r}, 〈H, 1〉, s, Φ′2[s
R
← r]
Φ′2, {} 
Reg′
Var ′
r op ra →֒ {s := r; s := s op sa}, 〈H, 2〉, s, Φ
′
2[s 6→]
Φ′2 ⊢
Reg′
Var ′ r := r op ra →֒


s := r;
s := s op sa;
r := s

 , 〈Wr H,Trm (1, 3)〉, Φ′2[s W→ r]
We have that Φ2[r 6→]
→
≡ Φ′2[s
W
→ r]:
– for any r′′ such that r′′ 6= r, if [r′′ W→ z] ∈ Φ2[r 6→] then [s′′
W
→ z] ∈ Φ′2[s
W
→ r]
because s′′ 6= corr(r);
– for any r′′ such that r′′ 6= r, if [r′′ R← z] ∈ Φ2[r 6→] then [s′′
W
→ r′′] ∈ Φ′2[s
W
→ r]
because s′′ 6= corr(r);
– r is unassociated in Φ2[r 6→].
Case 3b: there exists [r W→ x] ∈ Φ2. Since Φ2
→
≡ Φ′2 we know [sa
W
→ ra] ∈ Φ
′
2 and
[s
W
→ x] ∈ Φ′2 so the following type derivation exists for s′ = shw(r)
s′, sa ∈ Reg
′ level(s′) = H
Φ′2, {} 
Reg′
Var ′ r →֒ {s
′ := r}, 〈H, 1〉, s′, Φ′2[s
′ R← r]
Φ′2, {} 
Reg′
Var ′
r op ra →֒ {s
′ := r; s′ := s′ op sa}, 〈H, 2〉, s
′, Φ′2[s 6→]
Φ′2 ⊢
Reg′
Var ′
r := r op ra →֒


s′ := r;
s′ := s′ op sa;
r := s′

 , 〈Wr H,Trm (1, 3)〉, Φ′2[s′ W→ r]
We have that Φ2[r 6→]
→
≡ Φ′2[s
′ W→ r]:
– for any r′′ such that r′′ 6= r, if [r′′ W→ z] ∈ Φ2[r 6→] then [s′′
W
→ z] ∈ Φ′2[s
′ W→ r]
because s′′ 6= shw(r);
– for any r′′ such that r′′ 6= r, if [r′′ R← z] ∈ Φ2[r 6→] then [s′′
W
→ r′′] ∈ Φ′2[s
′ W→ r]
because s′′ 6= shw(r);
– r is unassociated in Φ2[r 6→].
Case 4: neither [r R← x] nor [ra
R
← y] are in Φ2. This case is provable by considering
the combined cases 2 and 3.
Consider that the following derivation exists instead
r, ra ∈ Reg
Φ,A 
Reg
Var E1 →֒ {D1}, 〈L, n1〉, r, Φ1
Φ1, A ∪ {r} 
Reg
Var E2 →֒ {D2}, 〈L, n2〉, ra, Φ2
L = level(r) = level(ra)
Φ,A 
Reg
Var E1 op E2 →֒


D1;
D2;
r := r op ra

 , 〈L, n1 + n2 + 1〉, r, Φ2[r 6→]
and consider Φ′ such that Φ →≡ Φ′. Then the following derivations exist by inductive
hypothesis
Φ′ ⊢Reg
′
Var ′
D1 →֒ {D
′
1}, 〈w1, t1〉, Φ
′
1 Φ
′
1 ⊢
Reg′
Var ′
D2 →֒ {D
′
2}, 〈w2, t2〉, Φ
′
2
such that:
– if ni > 0 then wi = Wr L and ti = Trm L;
– if ni = 0 then wi = Wr H and ti = Trm (0, 0);
– Φ2
→
≡ Φ′2.
In order for completing the case, we have to show that Φ′2 ⊢
Reg′
Var ′
r := r op ra →֒
{D′}, 〈Wr L,Trm L〉, Φ3 such that Φ2[r 6→]
→
≡ Φ3. In fact, recall that for all w it holds
that w ⊔Wr L = Wr L and for any t ⊑ Trm L it holds that t ⊎ Trm L = Trm L. We
distinguish four cases.
Case 1: there exist [r R← x], [ra
R
← y] ∈ Φ2. Since Φ2
→
≡ Φ′2, then we know [s
W
→
r], [sa
W
→ ra] ∈ Φ
′
2 and the following type derivation exists
s, sa ∈ Reg
′ level(s) = L
Φ′2, {} 
Reg′
Var ′
r op ra →֒ {s := s op sa}, 〈L, 1〉, s, Φ
′
2[s 6→]
Φ′2 ⊢
Reg′
Var ′
r := r op ra →֒ {s := s op sa; r := s}, 〈Wr L,Trm L〉, Φ
′
2[s
W
→ r]
We have that Φ2[r 6→]
→
≡ Φ′2[s
W
→ r]:
– for any r′′ 6= r, if [r′′ W→ z] ∈ Φ2[r 6→] then [s′′
W
→ z] ∈ Φ′2[s
W
→ r] because
s′′ 6= corr(r);
– for any r′′ 6= r, if [r′′ R← z] ∈ Φ2[r 6→] then [s′′
W
→ r′′] ∈ Φ′2[s
W
→ r] because
s′′ 6= corr(r);
– r is unassociated in Φ2[r 6→].
Case 2: there exists [r R← x] ∈ Φ2 but there is not [ra
R
← y] ∈ Φ2. We therefore
distinguish two further subcases.
Case 2a: ra is unassociated in Φ2. Since Φ2
→
≡ Φ′2 we know [s
W
→ r] ∈ Φ′2 and the
following type derivation for sa = corr(ra) exists
s, sa ∈ Reg
′ level(s) = L
Φ′2, {s} 
Reg′
Var ′ ra →֒ {sa := ra}, 〈L, 1〉, sa, Φ
′
2[sa
R
← ra]
Φ′2, {} 
Reg′
Var ′
r op ra →֒
{
sa := ra;
s := s op sa
}
, 〈L, 2〉, s, Φ′2[s 6→][sa
R
← ra]
Φ′2 ⊢
Reg′
Var ′
r := r op ra →֒


sa := r;
s := s op sa;
r := s

 , 〈Wr L,Trm L〉, Φ′2[s W→ r][sa R← ra]
We have that Φ2[r 6→]
→
≡ Φ′2[s
W
→ r][sa
R
← ra]:
– for any r′′ such that r′′ 6= r and r′′ 6= ra, if [r′′
W
→ z] ∈ Φ2[r 6→] then [s′′
W
→ z] ∈
Φ′2[s
W
→ r][sa
R
← ra] because s′′ 6= corr(r) and s′′ 6= corr(ra);
– for any r′′ such that r′′ 6= r and r′′ 6= ra, if [r′′
R
← z] ∈ Φ2[r 6→] then [s′′
W
→ r′′] ∈
Φ′2[s
W
→ r][sa
R
← ra] because s′′ 6= corr(r) and s′′ 6= corr(ra);
– r and ra are unassociated in Φ2[r 6→].
Case 2b: there exists [ra
W
→ y] ∈ Φ2. Since Φ2
→
≡ Φ′2 we know [s
W
→ r] ∈ Φ′2 and
[sa
W
→ y] ∈ Φ′2 and the following type derivation exists for s′a = shw(ra)
s, s′a ∈ Reg
′ level(s) = L
Φ′2, {s} 
Reg′
Var ′
ra →֒ {s
′
a := ra}, 〈L, 1〉, s
′
a, Φ
′
2[s
′
a
R
← ra]
Φ′2, {} 
Reg′
Var ′ r op ra →֒
{
s′a := ra;
s := s op s′a
}
, 〈L, 2〉, s, Φ′2[s 6→][s
′
a
R
← ra]
Φ′2 ⊢
Reg′
Var ′
r := r op ra →֒


s′a := ra;
s := s op s′a;
r := s

 , 〈Wr L,Trm L〉, Φ′2[s W→ r][s′a R← ra]
We have that Φ2[r 6→]
→
≡ Φ′2[s
W
→ r][s′a
R
← ra]:
– for any r′′ such that r′′ 6= r and r′′ 6= ra, if [r′′
W
→ z] ∈ Φ2[r 6→] then [s′′
W
→ z] ∈
Φ′2[s
W
→ r][s′a
R
← ra] because s′′ 6= corr(r) and s′′ 6= shw(ra);
– for any r′′ such that r′′ 6= r and r′′ 6= ra, if [r′′
R
← z] ∈ Φ2[r 6→] then [s′′
W
→ r′′] ∈
Φ′2[s
W
→ r][s′a
R
← ra] because s′′ 6= corr(r) and s′′ 6= shw(ra);
– [ra
W
→ y] ∈ Φ2[r 6→] and [sa
W
→ y] ∈ Φ′2[s
W
→ r][s′a
R
← ra] because s′a = shw(ra);
– r is unassociated in Φ2[r 6→].
Case 3: there exists [ra
R
← y] ∈ Φ2 but there is not [r
R
← x] ∈ Φ2. We therefore
distinguish two further subcases.
Case 3a: r is unassociated in Φ2. Since Φ2
→
≡ Φ′2 we know [sa
W
→ ra] ∈ Φ
′
2 and the
following type derivation for s = corr(r) exists
s, sa ∈ Reg
′ level(s) = L
Φ′2, {} 
Reg′
Var ′ r →֒ {s := r}, 〈L, 1〉, s, Φ
′
2[s
R
← r]
Φ′2, {} 
Reg′
Var ′
r op ra →֒ {s := r; s := s op sa}, 〈L, 2〉, s, Φ
′
2[s 6→]
Φ′2 ⊢
Reg′
Var ′
r := r op ra →֒


s := r;
s := s op sa;
r := s

 , 〈Wr L,Trm L〉, Φ′2[s W→ r]
We have that Φ2[r 6→]
→
≡ Φ′2[s
W
→ r]:
– for any r′′ such that r′′ 6= r, if [r′′ W→ z] ∈ Φ2[r 6→] then [s′′
W
→ z] ∈ Φ′2[s
W
→ r]
because s′′ 6= corr(r);
– for any r′′ such that r′′ 6= r, if [r′′ R← z] ∈ Φ2[r 6→] then [s′′
W
→ r′′] ∈ Φ′2[s
W
→ r]
because s′′ 6= corr(r);
– r is unassociated in Φ2[r 6→].
Case 3b: there exists [r W→ x] ∈ Φ2. Since Φ2
→
≡ Φ′2 we know [sa
W
→ ra] ∈ Φ
′
2 and
[s
W
→ x] ∈ Φ′2 so the following type derivation exists for s′ = shw(r)
s′, sa ∈ Reg
′ level(s′) = L
Φ′2, {} 
Reg′
Var ′ r →֒ {s
′ := r}, 〈L, 1〉, s′, Φ′2[s
′ R← r]
Φ′2, {} 
Reg′
Var ′
r op ra →֒ {s
′ := r; s′ := s′ op sa}, 〈L, 2〉, s
′, Φ′2[s 6→]
Φ′2 ⊢
Reg′
Var ′
r := r op ra →֒


s′ := r;
s′ := s′ op sa;
r := s′

 , 〈Wr L,Trm L〉, Φ′2[s′ W→ r]
We have that Φ2[r 6→]
→
≡ Φ′2[s
′ W→ r]:
– for any r′′ such that r′′ 6= r, if [r′′ W→ z] ∈ Φ2[r 6→] then [s′′
W
→ z] ∈ Φ′2[s
′ W→ r]
because s′′ 6= shw(r);
– for any r′′ such that r′′ 6= r, if [r′′ R← z] ∈ Φ2[r 6→] then [s′′
W
→ r′′] ∈ Φ′2[s
′ W→ r]
because s′′ 6= shw(r);
– r is unassociated in Φ2[r 6→].
Case 4: neither [r R← x] nor [ra
R
← y] are in Φ2. This case is provable by considering
the combined cases 2 and 3.
We can now present the details for the recompilation of i-while programs. In
order to relate the type annotations produced in the two compilations, we consider a
relation≫⊆ Lt×Lt such that TrmH ≫ TrmH , Trm L≫ Trm L and Trm (m,n)≫
Trm (n, p).
Proposition 6 (Type prediction). Let C be a while program. If Φ ⊢RegVar C →֒
{D}, 〈w, t〉, Φ′, then for any Φ1 such that Φ →≡ Φ1 there exists a derivation Φ1 ⊢Reg
′
Var ′
D →֒ D′, 〈w, t′〉, Φ′1 such that t≫ t′ and Φ′
→
≡ Φ′1.
Proof. We prove the proposition by induction on the structure of C and by cases on the
last rule applied in the type derivation.
Base case
Case C = skip. Assume
−
Φ ⊢RegVar skip →֒ {skip}, 〈Wr H,Trm (1, 1)〉, Φ
and let Φ1 be a register record such that Φ
→
≡ Φ1. Then the following derivation holds
−
Φ1 ⊢
Reg′
Var ′ skip →֒ {skip}, 〈Wr H,Trm (1, 1)〉, Φ1
Case C = x := E. Assume
x ∈ Var r ∈ Reg level(r) = H Φ, {} RegVar E →֒ {D}, 〈H,n〉, r, Φ
′
Φ ⊢RegVar x := E →֒ {D;x := r}, 〈Wr H,Trm (1, n+ 1)〉, Φ
′[r
W
→ x]
and let Φ1 be a register record such that Φ
→
≡ Φ1. By applying Proposition 5 on E we
have that Φ1 ⊢Reg
′
Var ′
D →֒ {D′}, 〈Wr H,Trm (n, p)〉, Φ′1 such that Φ′
→
≡ Φ′1.We now
distinguish two cases.
Case 1: there exists [r R← z] ∈ Φ′. Then since Φ′ →≡ Φ′1 there exists [s
W
→ r] ∈ Φ′1 and
the following derivation is correct
Φ1 ⊢
Reg′
Var ′
D →֒ {D′}, 〈Wr H,Trm (n, p)〉, Φ′1
Φ′1 ⊢
Reg′
Var ′
x := r →֒ {x := s}, 〈Wr H,Trm (1, 1)〉, Φ′1[s
W
→ x]
Φ1 ⊢
Reg′
Var ′ D;x := r →֒ {D
′;x := s}, 〈Wr H,Trm (n+ 1, p+ 1)〉, Φ′1[s
W
→ x]
and Φ′[r W→ x] →≡ Φ′1[s
W
→ x].
Case 2: There is not [r R← z] ∈ Φ′. We distinguish two further cases.
Case 2a: r is unassociated in Φ′. Then
Φ1 ⊢
Reg′
Var ′ D →֒ {D
′}, 〈Wr H,Trm (n, p)〉, Φ′1
(ii)
Φ1 ⊢
Reg′
Var ′
D;x := r →֒


D′
s := r;
x := s

 , 〈Wr H,Trm (n+ 1, p+ 2)〉, Φ′1[s W→ x]
where
(ii) =
s ∈ Reg ′ s = corr(r)
Φ′1, {} 
Reg′
Var ′
r →֒ {s := r}, 〈1,Wr H〉, s, Φ′1[s
R
← r]
Φ′1 ⊢
Reg′
Var ′
x := r →֒ {s := r;x := s}, 〈Wr H,Trm (1, 2)〉, Φ′1[s
W
→ x]
and Φ′[r W→ x] →≡ Φ′1[s
W
→ x].
Case 2b: [r W→ z] ∈ Φ′. Then since Φ′ →≡ Φ′1 there exists [s
W
→ z] ∈ Φ′1. Then the
following derivation is correct
Φ1 ⊢
Reg′
Var ′ D →֒ {D
′}, 〈Wr H,Trm (n, p)〉, Φ′1
(ii)
Φ1 ⊢
Reg′
Var ′
D;x := r →֒


D′;
s := r;
x := s

 〈Wr H,Trm (n+ 1, p+ 2)〉, Φ′1[s W→ x]
where
(ii) =
s ∈ Reg ′ s = corr(r)
Φ′1, {} 
Reg′
Var ′
r →֒ {s := r}, 〈1,Wr H〉, s, Φ′1[s
R
← r]
Φ′1 ⊢
Reg′
Var ′
x := r →֒ {s := r;x := s}, 〈Wr H,Trm (1, 2)〉, Φ′1[s
W
→ x]
and Φ′[r W→ x] →≡ Φ′1[s
W
→ x].
Assume
x ∈ Var r ∈ Reg level(r) = L Φ, {} RegVar E →֒ {D}, 〈L, n〉, r, Φ
′
Φ ⊢RegVar x := E →֒ {D;x := r}, 〈Wr L,Trm L〉, Φ
′[r
W
→ x]
instead, and let Φ1 be a register record such that Φ
→
≡ Φ1. By applying Proposition 5 on
E we have that Φ1 ⊢Reg
′
Var ′
D →֒ {D′}, 〈w, t〉, Φ′1 such that:
– if n > 0 then w = Wr L and t = Trm L;
– if n = 0 then w = Wr H and t = Trm (0, 0);
– Φ2
→
≡ Φ′2.
We now distinguish two cases.
Case 1: there exists [r R← z] ∈ Φ′. Then since Φ′ →≡ Φ′1 there exists [s
W
→ r] ∈ Φ′1 and
the following derivation is correct
Φ1 ⊢
Reg′
Var ′
D →֒ {D′}, 〈w, t〉, Φ′1
Φ′1 ⊢
Reg′
Var ′
x := r →֒ {x := s}, 〈Wr L,Trm L〉, Φ′1[s
W
→ x]
Φ1 ⊢
Reg′
Var ′
D;x := r →֒ {D′;x := s}, 〈Wr L,Trm L〉, Φ′1[s
W
→ x]
and Φ′[r W→ x] →≡ Φ′1[s
W
→ x].
Case 2: There is not [r R← z] ∈ Φ′. We distinguish two further cases.
Case 2a: r is unassociated in Φ′. Then
Φ1 ⊢
Reg′
Var ′ D →֒ {D
′}, 〈w, t〉, Φ′1
(ii)
Φ1 ⊢
Reg′
Var ′
D;x := r →֒ {D′; s := r;x := s}, 〈Wr L,Trm L〉, Φ′1[s
W
→ x]
where
(ii) =
s ∈ Reg ′ s = corr(r)
Φ′1, {} 
Reg′
Var ′
r →֒ {s := r}, 〈1, L〉, s, Φ′1[s
R
← r]
Φ′1 ⊢
Reg′
Var ′ x := r →֒ {s := r;x := s}, 〈Wr L,Trm L〉, Φ
′
1[s
W
→ x]
and Φ′[r W→ x] →≡ Φ′1[s
W
→ x].
Case 2b: [r W→ z] ∈ Φ′. Then since Φ′ →≡ Φ′1 there exists [s
W
→ z] ∈ Φ′1. Then the
following derivation is correct
Φ1 ⊢
Reg′
Var ′ D →֒ {D
′}, 〈w, t〉, Φ′1
(ii)
Φ1 ⊢
Reg′
Var ′
D;x := r →֒ {D′; s := r;x := s}, 〈Wr L,Trm L〉, Φ′1[s
W
→ x]
where
(ii) =
s ∈ Reg ′ s = corr(r)
Φ′1, {} 
Reg′
Var ′ r →֒ {s := r}, 〈1, L〉, s, Φ
′
1[s
R
← r]
Φ′1 ⊢
Reg′
Var ′
x := r →֒ {s := r;x := s}, 〈Wr L,Trm L〉, Φ′1[s
W
→ x]
and Φ′[r W→ x] →≡ Φ′1[s
W
→ x].
Case C = out ch E. Assume
r ∈ Reg Φ, {} RegVar E →֒ {D}, 〈H,n〉, r, Φ
′
Φ ⊢RegVar out ch E →֒ {D; out ch r}, 〈Wr H,Trm (1, n+ 1)〉, Φ
′
and let Φ1 be a register record such that Φ
→
≡ Φ1. By applying Proposition 5 on E we
have that Φ1 ⊢Reg
′
Var ′ D →֒ {D
′}, 〈Wr H,Trm (n, p)〉, Φ′1 such that Φ′
→
≡ Φ′1.We now
distinguish two cases.
Case 1: there exists [r R← z] ∈ Φ′. Then since Φ′ →≡ Φ′1 there exists [s
W
→ r] ∈ Φ′1 and
the following derivation is correct
Φ1 ⊢
Reg′
Var ′ D →֒ {D
′}, 〈Wr H,Trm (n, p)〉, Φ′1
Φ′1 ⊢
Reg′
Var ′
out ch r →֒ {out ch s}, 〈Wr H,Trm (1, 1)〉, Φ′1
Φ1 ⊢
Reg′
Var ′ D; out x r →֒ {D
′; out ch s}, 〈Wr H,Trm (n+ 1, p+ 1)〉, Φ′1
Case 2: There is not [r R← z] ∈ Φ′. We distinguish two further cases.
Case 2a: r is unassociated in Φ′. Then
Φ1 ⊢
Reg′
Var ′ D →֒ {D
′}, 〈Wr H,Trm (n, p)〉, Φ′1
(ii)
Φ1 ⊢
Reg′
Var ′
D; out ch r →֒


D′;
s := r;
out ch s

 , 〈Wr H,Trm (n+ 1, p+ 2)〉, Φ′1[s R← r]
where
(ii) =
s ∈ Reg ′ s = corr(r)
Φ′1, {} 
Reg′
Var ′
r →֒ {s := r}, 〈1,Wr H〉, s, Φ′1[s
R
← r]
Φ′1 ⊢
Reg′
Var ′ out ch r →֒ {s := r; out ch s}, 〈Wr H,Trm (1, 2)〉, Φ
′
1[s
R
← r]
and Φ′ →≡ Φ′1[s
R
← r] because r is unassociated in Φ′.
Case 2b: [r W→ z] ∈ Φ′. Then since Φ′ →≡ Φ′1 there exists [s
W
→ z] ∈ Φ′1. Consider
s′ = shw(r), then the following derivation is correct
Φ1 ⊢
Reg′
Var ′
D →֒ {D′}, 〈Wr H,Trm (n, p)〉, Φ′1
(ii)
Φ1 ⊢
Reg′
Var ′ D;x := r →֒


D′;
s′ := r;
out ch s′

 , 〈Wr H,Trm (n+ 1, p+ 2)〉, Φ′1[s′ R← r]
where
(ii) =
s′ ∈ Reg ′ s′ = shw(r)
Φ′1, {} 
Reg′
Var ′
r →֒ {s′ := r}, 〈1,Wr H〉, s′, Φ′1[s
′ R← r]
Φ′1 ⊢
Reg′
Var ′
x := r →֒ {s′ := r; out ch s′}, 〈Wr H,Trm (1, 2)〉, Φ′1[s
′ R← r]
and Φ′ →≡ Φ′1[s′
R
← r].
Assume
r ∈ Reg Φ, {} RegVar E →֒ {D}, 〈L, n〉, r, Φ
′
Φ ⊢RegVar out ch E →֒ {D; out ch r}, 〈Wr L,Trm L〉, Φ
′
instead, and let Φ1 be a register record such that Φ
→
≡ Φ1. By applying Proposition 5 on
E we have that Φ1 ⊢Reg
′
Var ′
D →֒ {D′}, 〈w, t〉, Φ′1 such that:
– if n > 0 then w = Wr L and t = Trm L;
– if n = 0 then w = Wr H and t = Trm (0, 0);
– Φ2
→
≡ Φ′2.
We now distinguish two cases.
Case 1: there exists [r R← z] ∈ Φ′. Then since Φ′ →≡ Φ′1 there exists [s
W
→ r] ∈ Φ′1 and
the following derivation is correct
Φ1 ⊢
Reg′
Var ′ D →֒ {D
′}, 〈w, t〉, Φ′1
Φ′1 ⊢
Reg′
Var ′ out ch r →֒ {out ch s}, 〈Wr L,Trm L〉, Φ
′
1
Φ1 ⊢
Reg′
Var ′ D; out ch r →֒ {D
′; out ch s}, 〈Wr L,Trm L〉, Φ′1
and Φ′ →≡ Φ′1.
Case 2: There is not [r R← z] ∈ Φ′. We distinguish two further cases.
Case 2a: r is unassociated in Φ′. Then
Φ1 ⊢
Reg′
Var ′
D →֒ {D′}, 〈w, t〉, Φ′1
(ii)
Φ1 ⊢
Reg′
Var ′ D; out x r →֒ {D
′; s := r; out x s}, 〈Wr L,Trm L〉, Φ′1[s
R
← r]
where
(ii) =
s ∈ Reg ′ s = corr(r)
Φ′1, {} 
Reg′
Var ′
r →֒ {s := r}, 〈1, L〉, s, Φ′1[s
R
← r]
Φ′1 ⊢
Reg′
Var ′ out ch r →֒ {s := r; out ch s}, 〈Wr L,Trm L〉, Φ
′
1[s
R
← r]
and Φ′ →≡ Φ′1[s
R
← r] because r is unassociated in Φ′.
Case 2b: [r W→ z] ∈ Φ′. Then since Φ′ →≡ Φ′1 there exists [s
W
→ z] ∈ Φ′1. Consider
s′ = shw(r), then the following derivation is correct
Φ1 ⊢
Reg′
Var ′
D →֒ {D′}, 〈w, t〉, Φ′1
(ii)
Φ1 ⊢
Reg′
Var ′
D; out ch r →֒ {D′; s′ := r; out ch s′}, 〈Wr L,Trm L〉, Φ′1[s
′ R← r]
where
(ii) =
s′ ∈ Reg ′ s′ = shw(r)
Φ′1, {} 
Reg′
Var ′ r →֒ {s
′ := r}, 〈1, L〉, s′, Φ′1[s
′ R← r]
Φ′1 ⊢
Reg′
Var ′ out ch r →֒ {s
′ := r; out ch s′}, 〈Wr L,Trm L〉, Φ′1[s
′ R← r]
and Φ′ →≡ Φ′1[s′
R
← r].
Inductive Step
Case C = C1;C2. Assume
Φ ⊢RegVar C1 →֒ {D1}, 〈w1, t1〉, Φα
Φα ⊢
Reg
Var C2 →֒ {D2}, 〈w2, t2〉, Φβ
Φ ⊢RegVar C1;C2 →֒ {D1;D2}, 〈w1 ⊔w2, t1 ⊎ t2〉, Φβ
and let Φ1 be a register record such that Φ
→
≡ Φ1. Then the following type derivation
exists
Φ1 ⊢
Reg′
Var ′
D1 →֒ {D
′
1}, 〈w1, t
′
1〉, Φ
′
α
Φ′α ⊢
Reg′
Var ′
D2 →֒ {D
′
2}, 〈w2, t
′
2〉, Φ
′
β
Φ1 ⊢
Reg′
Var ′ D1;D2 →֒ {D;D
′}, 〈w1 ⊔w2, t1 ⊎ t2〉, Φ
′
β
and Φβ
→
≡ Φ′β by applying the inductive hypothesis on derivations for D1 and D2.
Case C = if E then Ct else Ce. Assume
r ∈ Reg
Φ, {} RegVar E →֒ {Dg}, 〈H,ng〉, r, Φα
Φα ⊢
Reg
Var Ct →֒ {Dt}, 〈Wr H, t1〉, Φβ Φα ⊢
Reg
Var Ce →֒ {De}, 〈Wr H, t2〉, Φγ
Φ ⊢RegVar if E then Ct else Ce →֒


Dg;
if r
thenDt; skip
elseDe; skip

 , 〈Wr H,TrmH〉 , Φβ ⊓ Φγ
and let Φ1 be a register record such that Φ
→
≡ Φ1. By applying the Proposition 5 on E
we have that Φ1 ⊢Reg
′
Var ′
Dg →֒ {D
′
g}, 〈Wr H,Trm (ng, pg)〉, Φ
′
α such that Φα
→
≡ Φ′α.
We distinguish two cases.
Case 1: there exists [r R← z] ∈ Φα. Then since Φα
→
≡ Φ′α there exists [s
W
→ r] ∈ Φ′α and
the following derivation is correct
Φ1 ⊢
Reg′
Var ′
Dg →֒ {D
′
g}, 〈Wr H,Trm (ng, pg)〉, Φ
′
α
s ∈ Reg ′ s = corr(r)
Φ′α ⊢
Reg′
Var ′ Dt →֒ {Rt}, 〈Wr H, t
′
1〉, Φ
′
β Φ
′
α ⊢
Reg′
Var ′ De →֒ {Re}, 〈Wr H, t
′
2〉, Φ
′
γ
R′t = Rt; skip; skip R
′
e = Re; skip; skip
Φ′ ⊢Reg
′
Var ′


Dg;
if r
thenDt; skip
elseDe; skip

 →֒


D′g;
if s
then R′t
else R′e

 , 〈Wr H,Trm H〉 , Φ
′
β ⊓ Φ
′
γ
and Φβ ⊓ Φγ
→
≡ Φ′β ⊓ Φ
′
γ because the correspondence between records is preserved by
record intersection.
Case 2: There is not [r R← z] ∈ Φα. We distinguish two further cases.
Case 2a: r is unassociated in Φα. Then the following derivation is correct
Φ1 ⊢
Reg′
Var ′
Dg →֒ {D
′
g}, 〈Wr H,Trm (ng, pg)〉, Φ
′
α
s ∈ Reg ′ s = corr(r)
Da = s := r
Φ′α[s
R
← r] ⊢Reg
′
Var ′
Dt →֒ {Rt}, 〈Wr H, t
′
1〉, Φ
′
β
Φ′α[s
R
← r] ⊢Reg
′
Var ′ De →֒ {Re}, 〈Wr H, t
′
2〉, Φ
′
γ
R′t = Rt; skip; skip R
′
e = Re; skip; skip
Φ′ ⊢Reg
′
Var ′


Dg;
if r
thenDt; skip
elseDe; skip

 →֒


D′g;
Da;
if s
then R′t
else R′e


, 〈Wr H,Trm H〉 , Φ′β ⊓ Φ
′
γ
In particular notice that Φα
→
≡ Φ′α[s
R
← r], since r is unassociated in Φα and Φβ ⊓
Φγ
→
≡ Φ′β ⊓ Φ
′
γ because the correspondence between records is preserved by record
intersection.
Case 2b: [r W→ z] ∈ Φα. Then the following derivation is correct
Φ1 ⊢
Reg′
Var ′
Dg →֒ {D
′
g}, 〈Wr H,Trm (ng, pg)〉, Φ
′
α
s′ ∈ Reg ′ s′ = shw(r)
Da = s
′ := r
Φ′α[s
′ R← r] ⊢Reg
′
Var ′ Dt →֒ {Rt}, 〈Wr H, t
′
1〉, Φ
′
β
Φ′α[s
′ R← r] ⊢Reg
′
Var ′ De →֒ {Re}, 〈Wr H, t
′
2〉, Φ
′
γ
R′t = Rt; skip; skip R
′
e = Re; skip; skip
Φ′ ⊢Reg
′
Var ′


Dg;
if r
thenDt; skip
elseDe; skip

 →֒


D′g;
Da;
if s′
then R′t
else R′e


, 〈Wr H,Trm H〉 , Φ′β ⊓ Φ
′
γ
In particular notice that Φα
→
≡ Φ′α[s
′ R← r], since Φα
→
≡ Φ′α and [r
W
→ z] ∈ Φα implies
[s
W
→ z] ∈ Φ′α[s
′ R← r] and Φβ ⊓ Φγ
→
≡ Φ′β ⊓ Φ
′
γ because the correspondence between
records is preserved by record intersection.
Assume
r ∈ Reg
Φ, {} RegVar E →֒ {Dg}, 〈L, ng〉, r, Φα
Φα ⊢
Reg
Var Ct →֒ {Dt}, 〈w1, t1〉, Φβ Φα ⊢
Reg
Var Ce →֒ {De}, 〈w2, t2〉, Φγ
Φ ⊢RegVar


if E
then Ct
else Ce

 →֒


Dg;
if r
thenDt; skip
elseDe; skip

 , 〈Wr L,Trm L ⊔− t1 ⊔− t2〉 , Φβ ⊓ Φγ
and let Φ1 be a register record such that Φ
→
≡ Φ1. By applying the Proposition 5 on E
we have that Φ1 ⊢Reg
′
Var ′
Dg →֒ {D
′
g}, 〈w, t〉, Φ
′
α such that:
– if n > 0 then w = Wr L and t = Trm L;
– if n = 0 then w = Wr H and t = Trm (0, 0);
– Φα
→
≡ Φ′α.
We distinguish two cases.
Case 1: there exists [r R← z] ∈ Φα. Then since Φα
→
≡ Φ′α there exists [s
W
→ r] ∈ Φ′α and
the following derivation is correct
Φ1 ⊢
Reg′
Var ′ Dg →֒ {D
′
g}, 〈w, t〉, Φ
′
α
s ∈ Reg ′ s = corr(r)
Φ′α ⊢
Reg′
Var ′
Dt →֒ {Rt}, 〈w1, t
′
1〉, Φ
′
β Φ
′
α ⊢
Reg′
Var ′
De →֒ {Re}, 〈w2, t
′
2〉, Φ
′
γ
R′t = Rt; skip; skip R
′
e = Re; skip; skip
Φ′ ⊢Reg
′
Var ′


Dg;
if r
then Dt; skip
else De; skip

 →֒


D′g;
if s
then R′t
else R′e

 , 〈Wr L,Trm L ⊔− t
′
1 ⊔− t
′
2〉 , Φ
′
β ⊓ Φ
′
γ
and Φβ ⊓ Φγ
→
≡ Φ′β ⊓ Φ
′
γ because the correspondence between records is preserved by
record intersection.
Case 2: There is not [r R← z] ∈ Φα. We distinguish two further cases.
Case 2a: r is unassociated in Φα. Then the following derivation is correct
Φ1 ⊢
Reg′
Var ′ Dg →֒ {D
′
g}, 〈w, t〉, Φ
′
α
s ∈ Reg ′ s = corr(r)
Da = s := r
Φ′α[s
R
← r] ⊢Reg
′
Var ′
Dt →֒ {Rt}, 〈w1, t
′
1〉, Φ
′
β
Φ′α[s
R
← r] ⊢Reg
′
Var ′
De →֒ {Re}, 〈w2, t
′
2〉, Φ
′
γ
R′t = Rt; skip; skip R
′
e = Re; skip; skip
Φ′ ⊢Reg
′
Var ′


Dg;
if r
then Dt; skip
else De; skip

 →֒


D′g;
Da;
if s
then R′t
else R′e


, 〈Wr L,Trm L ⊔− t′1 ⊔− t
′
2〉 , Φ
′
β ⊓ Φ
′
γ
In particular notice that Φα
→
≡ Φ′α[s
R
← r], since r is unassociated in Φα and Φβ ⊓
Φγ
→
≡ Φ′β ⊓ Φ
′
γ because the correspondence between records is preserved by record
intersection.
Case 2b: [r W→ z] ∈ Φα. Then the following derivation is correct
Φ1 ⊢
Reg′
Var ′ Dg →֒ {D
′
g}, 〈w, t〉, Φ
′
α
s′ ∈ Reg ′ s′ = shw(r)
Da = s
′ := r
Φ′α[s
′ R← r] ⊢Reg
′
Var ′ Dt →֒ {Rt}, 〈w1, t
′
1〉, Φ
′
β
Φ′α[s
′ R← r] ⊢Reg
′
Var ′
De →֒ {Re}, 〈w2, t
′
2〉, Φ
′
γ
R′t = Rt; skip; skip R
′
e = Re; skip; skip
Φ′ ⊢Reg
′
Var ′


Dg;
if r
then Dt; skip
else De; skip

 →֒


D′g;
Da;
if s′
then R′t
else R′e


, 〈Wr L,Trm L ⊔− t1 ⊔− t2〉 , Φ
′
β ⊓ Φ
′
γ
In particular notice that Φα
→
≡ Φ′α[s
′ R← r], since Φα
→
≡ Φ′α and [r
W
→ z] ∈ Φα implies
[s
W
→ z] ∈ Φ′α[s
′ R← r] and Φβ ⊓ Φγ
→
≡ Φ′β ⊓ Φ
′
γ because the correspondence between
records is preserved by record intersection.
Assume
r ∈ Reg
Φ, {} RegVar E →֒ {Dg}, 〈H,ng〉, r, Φα
Φα ⊢
Reg
Var Ct →֒ {Dt}, 〈Wr H,Trm (m,nt)〉, Φβ
Φα ⊢
Reg
Var Ce →֒ {De}, 〈Wr H,Trm (m,ne)〉, Φγ
D′t = Dt; skip
ne−nt ; skip D′e = De; skip
nt−ne ; skip
n = max(nt, ne)
Φ ⊢RegVar if E then Ct else Ce →֒


Dg;
if r
then D′t
elseD′e

 , 〈Wr H, τ〉 , Φβ ⊓ Φγ
for τ = Trm (m+1, ng+n+2) and let Φ1 be a register record such thatΦ
→
≡ Φ1. By ap-
plying the Proposition 5 onE we have thatΦ1 ⊢Reg
′
Var ′
Dg →֒ {D
′
g}, 〈WrH,Trm (ng, pg)〉, Φ
′
α
such that Φα
→
≡ Φ′α. We distinguish two cases.
Case 1: there exists [r R← z] ∈ Φα. Then since Φα
→
≡ Φ′α there exists [s
W
→ r] ∈ Φ′α and
the following derivation is correct
Φ1 ⊢
Reg′
Var ′
Dg →֒ {D
′
g}, 〈Wr H,Trm (ng, pg)〉, Φ
′
α
s ∈ Reg ′ s = corr(r)
Φ′α ⊢
Reg′
Var ′ D
′
t →֒ {Rt}, 〈Wr H,Trm (n+ 1, pt)〉, Φ
′
β
Φ′α ⊢
Reg′
Var ′ D
′
e →֒ {Re}, 〈Wr H,Trm (n+ 1, pe)〉, Φ
′
γ
R′t = Rt; skip
pe−pt ; skip R′e = Re; skip
pt−pe ; skip
p = max(pt, pe)
Φ′ ⊢Reg
′
Var ′


Dg;
if r
then D′t
else D′e

 →֒


D′g;
if s
then R′t
else R′e

 , 〈Wr H, τ
′〉 , Φ′β ⊓ Φ
′
γ
Notice that τ ′ = Trm (ng, pg) ⊎ Trm (n+ 2, p+ 2) = Trm (ng + n+ 2, pg + p+ 2)
and Φβ ⊓ Φγ
→
≡ Φ′β ⊓ Φ
′
γ because the correspondence between records is preserved by
record intersection.
Case 2: There is not [r R← z] ∈ Φα. We distinguish two further cases.
Case 2a: r is unassociated in Φα. Then the following derivation is correct
Φ1 ⊢
Reg′
Var ′
Dg →֒ {D
′
g}, 〈Wr H,Trm (ng, pg)〉, Φ
′
α
s ∈ Reg ′ s = corr(r)
Da = s := r
Φ′α[s
R
← r] ⊢Reg
′
Var ′
Dt →֒ {Rt}, 〈Wr H,Trm (n+ 1, pt)〉, Φ
′
β
Φ′α[s
R
← r] ⊢Reg
′
Var ′ De →֒ {Re}, 〈Wr H,Trm (n+ 1, pe)〉, Φ
′
γ
R′t = Rt; skip
pe−pt ; skip R′e = Re; skip
pt−pe ; skip
p = max(pt, pe)
Φ′ ⊢Reg
′
Var ′


Dg;
if r
then D′t
else D′e

 →֒


D′g;
Da;
if s
then R′t
else R′e


, 〈Wr H, τ ′〉 , Φ′β ⊓ Φ
′
γ
for τ ′ = Trm (ng, pg)⊎Trm (n+2, 1+p+2). In particular notice that Trm (ng, pg)⊎
Trm (n+2, 1+p+2) = Trm (ng+n+2, 1+pg+p+2) and Φα
→
≡ Φ′α[s
R
← r], since
r is unassociated in Φα and Φβ ⊓ Φγ
→
≡ Φ′β ⊓ Φ
′
γ because the correspondence between
records is preserved by record intersection.
Case 2b: [r W→ z] ∈ Φα. Then the following derivation is correct
Φ1 ⊢
Reg′
Var ′ Dg →֒ {D
′
g}, 〈Wr H,Trm (ng, pg)〉, Φ
′
α
s′ ∈ Reg ′ s′ = shw(r)
Da = s
′ := r
Φ′α[s
′ R← r] ⊢Reg
′
Var ′ Dt →֒ {Rt}, 〈Wr H,Trm (n+ 1, pt)〉, Φ
′
β
Φ′α[s
′ R← r] ⊢Reg
′
Var ′
De →֒ {Re}, 〈Wr H,Trm (n+ 1, pe)〉, Φ
′
γ
R′t = Rt; skip
pe−pt ; skip R′e = Re; skip
pt−pe ; skip
p = max(pt, pe)
Φ′ ⊢Reg
′
Var ′


Dg;
if r
then D′t
else D′e

 →֒


D′g;
Da;
if s′
then R′t
else R′e


, 〈Wr H, τ ′〉 , Φ′β ⊓ Φ
′
γ
for τ ′ = Trm (ng, pg)⊎Trm (n+2, 1+p+2). In particular notice that Trm (ng, pg)⊎
Trm (n+2, 1+p+2) = Trm (ng+n+2, 1+pg+p+2) and Φα
→
≡ Φ′α[s
′ R← r], since
Φα
→
≡ Φ′α and [r
W
→ z] ∈ Φα implies [s
W
→ z] ∈ Φ′α[s
′ R← r] and Φβ ⊓ Φγ
→
≡ Φ′β ⊓ Φ
′
γ
because the correspondence between records is preserved by record intersection.
Case C = while x do C1. Assume H = level(x) = level(r) and
x ∈ Var r ∈ Reg
A = r := x;x := r;
Φα = Φ[r
W
→ x]
ΦB ⊑ Φα ΦB ⊑ ΦE [r
W
→ x]
ΦB ⊢
Reg
Var C →֒ {D}, 〈Wr H, t〉, ΦE
Φ ⊢RegVar while x do C →֒
{
A;
while r do {D;A; skip}
}
, 〈Wr H,Trm H〉 , ΦB
and let Φ1 be a register record such that Φ
→
≡ Φ1. We now have to show that
Φ1 ⊢
Reg
Var
{
A;
while r do {D;A; skip}
}
→֒ {. . . } , 〈Wr H,Trm H〉 , Φ′B
and ΦB
→
≡ Φ′B . We begin by constructing the derivation for A as follows
(i) (ii)
Φ1 ⊢
Reg′
Var ′ r := x;x := r; →֒


s := x;
r := s;
x := s;

 , 〈Wr H,Trm (2, 3)〉, Φ1[s W→ x]
where
(i) =
s ∈ Reg ′ s = corr(r)
Φ1, {} 
Reg′
Var x →֒ {s := x}, 〈H, 1〉, s, Φ1[s
R
← x]
Φ1 ⊢
Reg′
Var ′
r := x →֒
{
s := x;
r := s;
}
, 〈Wr H,Trm (1, 2)〉, Φ1[s
W
→ r]
(ii) =
Φ1[s
W
→ r], {} Reg
′
Var ′
r →֒ { r}, 〈H, 0〉, s, Φ1[s
W
→ r]
Φ1[s
W
→ r] ⊢Reg
′
Var ′
x := r →֒ {x := s}, 〈Wr H,Trm (1, 1)〉, Φ1[s
W
→ x]
Notice that Φ[r W→ x] →≡ Φ1[s
W
→ x]. We now need to show that
Φ1[s
W
→ x] ⊢Reg
′
Var ′
while r do {D;A; skip} →֒ {. . . }, 〈Wr H,Trm H〉, Φ′B
Consider the following derivation
r ∈ Var ′ s′ ∈ Reg ′ s′ = shw(r)
A′ = s′ := r; r := s′;
Φ′1 = Φ1[s
W
→ x][s′
W
→ r] Φ′B ⊑ Φ
′
1 Φ
′
B ⊑ Φ
′
E [s
W
→ x][s′
W
→ r]
(iii)
Φ1[s
W
→ x] ⊢Reg
′
Var ′


while r do {
D;
r := x;
x := r;
skip; }


→֒


A′;
while s′ do {
D′;
s := x;
r := s;
x := s;
skip;
A′;
skip; }


, 〈Wr H,TrmH〉, Φ′B
Notice that Φ[r W→ x] →≡ Φ1[s
W
→ x][s′
W
→ r] = Φ′1, since r is already in correspondence
with s. Consider the smallest Φ′B ⊑ Φ′1 such that ΦB
→
≡ Φ′B (the domain of Φ′B is
corr(dom(ΦB))). Then the following derivation
(iii) =
(iv) (v) (vi)
Φ′B ⊢
Reg′
Var ′


D;
r := x;
x := r;
skip;

 →֒


D′;
s := x;
r := s;
x := s;
skip;


,
〈
Wr H,
t′ ⊎ Trm (2, 3) ⊎ Trm (1, 1)
〉
, Φ′E
holds for
(iv) = Φ′B ⊢
Reg′
Var ′
D →֒ {D′}, 〈Wr H, t′〉, Φ′E
(v) = Φ′E ⊢
Reg′
Var ′
{
r := x;
x := r;
}
→֒


s := x;
r := s;
x := s;

 , 〈Wr H,Trm (1, 3)〉, Φ′E [s W→ x]
(vi) = Φ′E [s
W
→ x] ⊢Reg
′
Var ′
skip →֒ {skip}, 〈Wr H,Trm (1, 1)〉, Φ′E [s
W
→ x]
In particular:
– the type derivation (iv) follows from the inductive hypothesis on D, which also
guarantees that ΦE
→
≡ Φ′E ;
– type derivation (v) is identical, up to environment renaming, to the same derivation
calculated previously. It also holds that ΦE [s
W
→ x]
→
≡ Φ′E [s
W
→ x], since ΦE
→
≡ Φ′E ;
– type derivation (vi) is straightforward.
The case is concluded by observing that ΦB
→
≡ Φ′B and ΦB ⊑ ΦE [s
W
→ x] and ΦE [s
W
→
x]
→
≡ Φ′E [s
W
→ x] implies that Φ′B ⊑ Φ′E [s
W
→ x][s′
W
→ r].
Assume L = level(x) = level(r) and
x ∈ Var r ∈ Reg
A = r := x;x := r;
Φα = Φ[r
W
→ x]
ΦB ⊑ Φα ΦB ⊑ ΦE [r
W
→ x]
ΦB ⊢
Reg
Var C →֒ {D}, 〈w, t〉, ΦE
Φ ⊢RegVar while x do C →֒
{
A;
while r do {D;A; skip}
}
, 〈Wr L,Trm L〉 , ΦB
instead. Notice that for level(x) = level(r) = L we have that t must be t ❁ Trm H ,
hence term(λ) ⊔− t = Trm L. Let Φ1 be a register record such that Φ
→
≡ Φ1. We now
have to show that
Φ1 ⊢
Reg
Var
{
A;
while r do {D;A; skip}
}
→֒ {. . . } , 〈Wr L,Trm L〉 , Φ′B
and ΦB
→
≡ Φ′B . We begin by constructing the derivation for A as follows
(i) (ii)
Φ1 ⊢
Reg′
Var ′ r := x;x := r; →֒


s := x;
r := s;
x := s;

 , 〈Wr L,Trm L〉, Φ1[s W→ x]
where
(i) =
s ∈ Reg ′ s = corr(r)
Φ1, {} 
Reg′
Var x →֒ {s := x}, 〈L, 1〉, s, Φ1[s
R
← x]
Φ1 ⊢
Reg′
Var ′ r := x →֒
{
s := x;
r := s;
}
, 〈Wr L,Trm L〉, Φ1[s
W
→ r]
(ii) =
Φ1[s
W
→ r], {} Reg
′
Var ′
r →֒ { r}, 〈L, 0〉, s, Φ1[s
W
→ r]
Φ1[s
W
→ r] ⊢Reg
′
Var ′ x := r →֒ {x := s}, 〈Wr L,Trm L〉, Φ1[s
W
→ x]
Notice that Φ[r W→ x] →≡ Φ1[s
W
→ x]. We now need to show that
Φ1[s
W
→ x] ⊢Reg
′
Var ′
while r do {D;A; skip} →֒ {. . . }, 〈Wr L,Trm L〉, Φ′B
Consider the following derivation
r ∈ Var ′ s′ ∈ Reg ′ s′ = shw(r)
A′ = s′ := r; r := s′;
Φ′1 = Φ1[s
W
→ x][s′
W
→ r] Φ′B ⊑ Φ
′
1 Φ
′
B ⊑ Φ
′
E [s
W
→ x][s′
W
→ r]
(iii)
Φ1[s
W
→ x] ⊢Reg
′
Var ′


while r do {
D;
r := x;
x := r;
skip; }


→֒


A′;
while s′ do {
D′;
s := x;
r := s;
x := s;
skip;
A′;
skip; }


, 〈Wr L,Trm L〉, Φ′B
Notice that Φ[r W→ x] →≡ Φ1[s
W
→ x][s′
W
→ r] = Φ′1, since r is already in correspondence
with s. Consider the smallest Φ′B ⊑ Φ′1 such that ΦB
→
≡ Φ′B (the domain of Φ′B is
corr(dom(ΦB))). Then the following derivation
(iii) =
(iv) (v) (vi)
Φ′B ⊢
Reg′
Var ′


D;
r := x;
x := r;
skip;

 →֒


D′;
s := x;
r := s;
x := s;
skip;


,
〈
w ⊔Wr L ⊔Wr H
t′ ⊎ Trm L ⊎ Trm (1, 1)
〉
, Φ′E
holds for
(iv) = Φ′B ⊢
Reg′
Var ′ D →֒ {D
′}, 〈w, t′〉, Φ′E
(v) = Φ′E ⊢
Reg′
Var ′
{
r := x;
x := r;
}
→֒


s := x;
r := s;
x := s;

 , 〈Wr L,Trm L〉, Φ′E [s W→ x]
(vi) = Φ′E [s
W
→ x] ⊢Reg
′
Var ′
skip →֒ {skip}, 〈Wr H,Trm (1, 1)〉, Φ′E [s
W
→ x]
In particular:
– the type derivation (iv) follows from the inductive hypothesis on D, which also
guarantees that ΦE
→
≡ Φ′E ;
– type derivation (v) is identical, up to environment renaming, to the same derivation
calculated previously. It also holds that ΦE [s
W
→ x]
→
≡ Φ′E [s
W
→ x], since ΦE
→
≡ Φ′E ;
– type derivation (vi) is straightforward.
The case is concluded by observing that ΦB
→
≡ Φ′B and ΦB ⊑ ΦE [s
W
→ x] and ΦE [s
W
→
x]
→
≡ Φ′E [s
W
→ x] implies that Φ′B ⊑ Φ′E [s
W
→ x][s′
W
→ r]. Also, w ⊔Wr L ⊔Wr H =
Wr L and t′ ⊎ Trm L ⊎ Trm (1, 1) = Trm L (since t≫ t′ and t ❁ TrmH implies that
t′ ❁ Trm H).
Proposition 6 states that the an i-while program obtained from a type-correct
while program is also type-correct, and from Preposition 3 we have that any type-
correct program is strongly secure. We therefore conclude that the type system in Fig-
ures 17 and 18 compiles a while program C into an i-while program D which
enjoys Strong Security. Notice that the definition of Strong Security for i-while
programs is obtained by considering the semantics of i-while programs as a LTS
Si−w = {{〈D,M〉},−→, {ch!n|ch ∈ {low , high} and n ∈ N} ∪ {τ}}, where −→ is
defined by rules in Figure 20 for V = Var ∪ Reg .
I.2 From i-while programs to RISC programs
We now introduce the compilation function that translate i-while programs into
RISC programs. The syntax for RISC programs is defined in Figure 1. The transla-
tion α between i-while and RISC instructions is defined in Figure 21.
α(skip, l) = ([l : nop], ǫlab)
α(x := r, l) = ([l : store v2p(x) r], ǫlab)
α(r := n, l) = ([l : movek r n], ǫlab)
α(r := r′, l) = ([l : mover r r′], ǫlab)
α(r := x, l) = ([l : load v2p(x) r], ǫlab)
α(r := r op r′, l) = ([l : op r r′], ǫlab)
α(out ch r, l) = ([l : out ch r], ǫlab)
α


if r
then {D1; skip}
else {D2; skip}
, l

 =
([l : jz br r] ++ P1 ++ [l1 : jmp ex]
++P2 ++ [l2 : nop], ex)
where
α(D1, ǫlab) = (P1, l1)
α(D2, br) = (P2, l2)
for fresh labels br, ex
α(while r do {D; skip}, l) = ([l : jz ex r] ++ P ++ [l′ : jmp l], ex)
where
α(D, ǫlab) = (P, l
′)
for fresh label ex
α(D1;D2, l) = (P1 ++ P2, l
′)
where
α(D1, l) = (P1, l1)
α(D2, l1) = (P2, l
′)
Fig. 21. Translation between i-while and RISC programs
Beside the input i-while code and the output RISC program, the function α
requires a label as input and produces a label as output. The role of these labels is
clarified in the explanation of if and while instructions compilation.
All cases skip, x := r, r := F and out ch r correspond to a straightforward mapping
between i-while instructions and RISC instructions. The input label is used to label
the produced instruction, and the empty label ǫlab is given as output. The first instruction
in the compilation of the if statement is l : jz br r, that corresponds to the register
variable evaluation in the i-while language. Branches D1 and D2 are translated into
RISC programs P1 and P2 respectively. In particular, P2 requires the label br to be
used as argument for α in order to move the control flow from l : jz br r to P2 in case
the content of r is 0. The trailing skip statements are converted into a l1 : jmp ex and
a l2 : nop respectively, to guarantee that the first instruction to be executed after any
of the two branches is the one labeled with ex, if any. The compilation of the while
instruction produces a conditional jump on r as the first instruction, similarly to the if
case. The compilation of the loop body follows, and the skip statement is replaced by
the l′ : jmp l instruction, that moves back the control to the register evaluation when
the execution of the loop body is completed.
The relation between an i-while program D and its corresponding RISC pro-
gram α(D) is stated in terms of the RISC semantics. Recall from Section 3.1 that
the semantic of RISC programs is defined in terms of a labelled transition system
Sa = {{〈P, k,R,M〉}, {ch!k|ch ∈ {low , high} ∪ {τ}},−→} where the first two el-
ements of the state P and k ∈ W are the fault-tolerant component T , the elements R
and M are the faulty part F and transitions are defined in Figure 12.
In general, a RISC program behaves exactly as the corresponding i-while pro-
gram. However, this does not hold for i-while programs that manipulate constants
outside W. We therefore postulate the existence of a technique for approximating the
resource footprint for the source i-while program statically (cf. the approach to trans-
parency in [8]) and, from now onwards, we focus only on i-while programs that have
a resource footprint compatible with the capabilities of the RISC machine.
Before proceeding further, we need some notational conventions. We say an i-while
memory M is equivalent to the RISC storage (R,M), written as M ⇋ (R,M) if
M
∣∣
Reg
= R and Mw
∣∣
Var
= v2p ◦M.
Definition 20 (Strong Coupling). A relationR between i-while programs and (P, k)
pairs, where P is a RISC program and k ∈ W is an exact bisimulation if for any
(D, (P, n)) ∈ R, ∀M ⇋ (R,M), 〈D,M〉
l
−→ 〈D′,M ′〉 if and only if 〈P, n,R,M〉 l−→
〈P, n′,R′,M′〉 such that M ′ ⇋ (R′,M′) and (D′, (P, n′)) ∈ R. We say that an
i-while program D is strongly coupled with a RISC program P , written as D ≈ P ,
if there exists an exact bisimulation R such that (D, (P, 0)) ∈ R.
We can now characterize the existing relation between an i-while program D
and its translated version P in terms of strong coupling.
Proposition 7 (Strong coupling between i-while and RISC programs). Let D be
an i-while program and P be the first component of α(D, ǫlab). Then D ≈ P .
The result in this section can be combined with the ones in Section I.1 to show that
we can translate a type-correct while program into a strongly secure RISC program.
In particular, Let C be a while program such that {} ⊢RegVar C →֒ {D}, 〈t, w〉, Φ′ and
let α(D, ǫlab) = (P, l). Then P is strongly secure.
J Example of a Compilation
In this section we show an example of a simple hash calculation that we can imple-
ment6 within our language. Informally, the hashing algorithm works as follows:
– define two public integers i and j such that 1 < j ≪ i
– pick a public message m in the interval [0, , 2i− 1], while the public hash h will be
in [0, , 2j − 1]
– define a public value p, the smallest prime such that p > 2j
– pick two secret values q and r such that 1 ≤ q ≤ p− 1, 0 ≤ r ≤ p− 1
– calculate the hash as hq,r(m) = [(q ∗m+ r) mod p] mod 2i
In the while language a possible implementation of the hash program proceeds as
follows:
limit := 1;
while i do {limit := limit ∗ 2; i := i− 1; }
source := q ∗m;
source := source+ r;
guard := source− p;
while guard > 0 do {guard := guard− p; source := source − p; }
guard := source− limit;
while guard > 0 do do{guard := guard− limit; source := source − limit; }
6 Notice that this statement is not completely accurate. The inaccuracy arises from the fact that
guard > 0 is not a valid expression in the language. This is not a big issue, since RISC can
be smoothly extended by including a jlez instruction without breaking any of the results.
This correspond to the following RISC code
movek r lim1 %
store limit rlim [rlim
W
→ limit] store guard rg [rg
W
→ guard]
load ri i load rs source
store i ri [ri
W
→ i] sub rs rhlim
loop1 : jz exit loop1 ri store source rs [rs
W
→ source]
movek r2 2 load rg guard
mul rlim r2 store guard rg [rg
W
→ guard]
store limit rlim [rlim
W
→ limit] jmp loop3
movek r1 1
sub ri r1
store i ri [ri
W
→ i]
load ri i
store i ri [ri
W
→ i]
jmp loop1
exit loop1 : load rg q
load rm m [rm
R
← m]
mul rg rm
store source rg [rg
W
→ source]
load rr r [rr
R
← r]
add rg rr
store source rg [rg
W
→ source]
load rp p [rp
R
← p]
sub rg rp
store guard rg [rg
W
→ guard]
load rg guard
store guard rg [rg
W
→ guard]
loop2 : jlez exit loop2 rg
sub rg rp
store guard rg [rg
W
→ guard]
load rs source
sub rs rp
store source rs [rs
W
→ source]
load rg guard
store guard rg [rg
W
→ guard]
jmp loop2
exit loop2 : load rhlim limit [rhlim
W
→ limit]
load rg source
sub rg rhlim
store guard rg [rg
W
→ guard]
load rg guard
store guard rg [rg
W
→ guard]
loop3 : jlez exit loop3 rg
sub rg rhlim
%
The security levels of resources involved in this example are assigned as follows:
– level L variables: limit, i, m, p;
– level H variables: q, source, guard, r;
– level L registers: rlim, ri, r2, r1;
– level H registers: rg , rm, rp, rs, rhlim, rr.
