# Bridging Language-Based and Process Calculi Security\*

Riccardo Focardi<sup>1</sup>, Sabina Rossi<sup>1</sup>, and Andrei Sabelfeld<sup>2</sup>

<sup>1</sup>Dipartimento di Informatica, Università Ca' Foscari di Venezia, 30172 Venezia, Italy E-mail: {focardi,srossi}@dsi.unive.it

<sup>2</sup>Dept. of Computer Science, Chalmers University of Technology, 41296 Göteborg, Sweden E-mail: andrei@cs.chalmers.se

Abstract. Language-based and process calculi-based information security are well developed fields of computer security. Although these fields have much in common, it is somewhat surprising that the literature lacks a comprehensive account of a formal link between the two disciplines. This paper develops such a link between a language-based specification of security and a process-algebraic framework for security properties. Encoding imperative programs into a CCS-like process calculus, we show that timing-sensitive security for these programs exactly corresponds to the well understood process-algebraic security property of persistent bisimulation-based nondeducibility on compositions ( $P_BNDC$ ). This rigorous connection opens up possibilities for cross-fertilization, leading to both flexible policies when specifying the security of heterogeneous systems and to a synergy of techniques for enforcing security specifications.

## 1 Introduction

As computing systems are becoming increasingly complex, security challenges become increasingly versatile. In the presence of such challenges, we believe that practical security solutions are unlikely to emerge from a single theoretical framework, but rather need to be based on a combination of different specialized approaches. The goal of this paper is to develop a flexible way of specifying the security of heterogeneous systems— using a combination of programming language-based defi nitions and process-algebraic ones. The intention is to be able to specify security partly by language-based security models (e.g., for parts of the system that are implemented by code with no communication) and partly by process-algebraic models (e.g., communication-intensive parts of the system). This combined approach empowers us with a synergy of techniques for enforcing security properties (e.g., combining security type systems with process equivalence checking) to analyze parts of the system separately and yet establish the security of the entire system.

Language-based information security [26] and process calculus-based information security [7, 24] are well developed fields of computer security. Although process calculi are programming languages, there are different motivations and traditions in addressing information security by the two communities. While the former is concerned with preventing secret data from being leaked through the execution of programs, the latter

<sup>\*</sup> This work was supported by the EU-FET project MyThS (IST-2001-32617).

deals with preventing secret events from being revealed through the execution of communicating processes. Although these fi elds have much in common (e.g., both rely on *noninterference* [11] as a baseline security policy stating that secrets do not interfere with the attacker-observable behavior of the system), it is somewhat surprising that the literature lacks a comprehensive account of a formal link between the two disciplines (which in particular means that it has not been established whether the interpretations of noninterference by the two disciplines are compatible).

This paper develops a rigorous link between a language-based specifi cation of security for imperative programs and a process-algebraic framework of security properties. More specifically, we link two compositional security properties: a timing-sensitive security characterization for a simple imperative language and a persistent security characterization for a CCS-like process calculus. We achieve this connection through the following steps: (i) we uniform the semantics of the imperative language to the standard Labelled Transition System semantics of process calculi, by making read/write memory actions explicitly observable as labelled transitions; (ii) based on this semantics, we formalize low level observations in the imperative language in terms of a bisimulation relation; (*iii*) we encode the programming language into the process calculus, ensuring a lock-step semantic relation between the source and target languages; we prove that the new bisimulation notion for the imperative language is preserved by the encoding; (iv)this tight relation reveals some unexpected uniformities allowing us to precisely identify what the program security characterization corresponds to in the process-calculus world: it turns out to be the well understood property of persistent bisimulation-based nondeducibility on compositions (or *P\_BNDC*).

Such a link opens up various possibilities for cross-fertilization, leading to flexible policies when specifying the security of complex systems and to a rich combination of techniques for enforcing security specifications. Finding exactly what property from the family of process-algebraic properties [7, 9] corresponds to the language-based timing-sensitive security sheds valuable light on the nature of the language-based property. As a direct benefit, the results of this paper enable us to use security checkers based on process-equivalence checking (such as CoSeC [6] and CoPS [22], with the latter one based precisely on  $P\_BNDC$ ) for certifying language-based security.

For clarity, this paper uses a simple sequential language. However, it is a distributed setting that will enable us to fully capitalize on the formal connection. Indeed, the security specifications for both the source (imperative) and target (process algebraic) languages are compositional [27, 9]. Because the source-language security specification is suitable for both multithreaded [27] and distributed [25, 20] settings, we are confident that the formal link established in this paper can be generalized to a distributed scenario, where different components can be analyzed with specialized techniques. For example, communication-intensive parts of the system (where conservative language-based security mechanisms for the source language such as type systems are too restrictive) can be analyzed at the level of the target language, gaining on the precision of the analysis.

The rest of the paper is organized as follows. Section 2 presents the source imperative language Imp and the target process-algebraic language VSPA. Section 3 develops an encoding of the source language into the target language and demonstrates a semantic relation between Imp's programs and their VSPA's translations. Section 4 establishes a formal connection between the security properties of the two languages. The paper closes by discussing related work in Section 5 and conclusions and future work in Section 6.

# 2 The source language and target calculus

In this section, we present Imp, the source imperative language, and VSPA, the target process calculus, along with security definitions for the respective languages.

#### 2.1 The Imp programming language

We consider a simple sequential programming language, Imp [29], described by the following grammar:

$$B, Exp ::= F(Id, \dots, Id)$$
$$C ::= \text{stop} \mid Skip \mid Id := Exp \mid C; C \mid \text{if } B \text{ then } C \text{ else } C \mid \text{while } B \text{ do } C$$

Let  $C, D, \ldots$  range over commands (programs),  $Id, Id_1, \ldots$  range over identifiers (variables),  $B, B_1, \ldots, Exp, Exp_1, \ldots$  range over boolean and arithmetic expressions, respectively,  $F, F_1, \ldots$  range over function symbols, and, finally,  $v, v_1, \ldots$  range over the set of basic values *Val*. For simplicity, but without loss of generality, we assume that exactly one function symbol occurs in an expression.

A configuration is a pair  $\langle C, s \rangle$  of a command C and a state (memory) s. A state s is a finite mapping from variables to values. The small-step semantics are given by transitions between configurations, defined by standard transition rules (for reference, we display these rules in Figure 4 of the appendix). Arithmetic and boolean expressions are executed atomically by  $\downarrow$  transitions. The  $\stackrel{\text{tick}}{\rightarrow}$  transitions are deterministic. The general form of a deterministic transition is  $\langle C, s \rangle \stackrel{\text{tick}}{\rightarrow} \langle C', s' \rangle$ . Here, one step of computation starting with a command C in a state s gives a new command C' and a new state s'. There are no transitions from configurations that contain the terminal program stop. We write  $[Id \mapsto v]s$  for the state obtained from s by setting the image of Id to v. For example, the assignment rule

$$\frac{\langle Exp, s \rangle \downarrow v}{\langle Id := Exp, s \rangle \stackrel{\texttt{tick}}{\to} \langle \texttt{stop}, [Id \mapsto v] s \rangle}$$

describes one step of computation that leads to termination with the state updated according to the value of the expression on the right-hand side of the assignment.

**Security specification** We assume that the set of variables is partitioned into *high* and *low* security classes corresponding to high and low confi dentiality levels. Note that our results are not specific to this security structure (which is adopted for simplicity)—a generalization to an arbitrary security lattice is straightforward. Variables *h* and *l* will denote typical high and low variables respectively. Two states *s* and *t* are *low-equal*  $s =_L t$  if the low components of *s* and *t* are the same.

Confi dentiality is preserved by a computing system if low-level observations reveal nothing about high-level data. The notion of noninterference [11] is widely used for expressing such confi dentiality policies. Intuitively, noninterference means that low-observable behavior is unchanged as high inputs are varied. The indistinguishability of behavior for the attacker can be represented naturally by the notion of *bisimulation* (e.g., [7, 27]). The following definition is recalled from [27]:

**Definition 1.** Strong low-bisimulation  $\cong_L$  is the union of all symmetric relations R such that if  $C \ R \ D$  then for all states s and t such that  $s =_L t$  whenever  $\langle C, s \rangle \stackrel{\text{tick}}{\to} \langle C', s' \rangle$  then there exist D' and t' such that  $\langle D, t \rangle \stackrel{\text{tick}}{\to} \langle D', t' \rangle$ ,  $s' =_L t'$ , and  $C' \ R \ D'$ .

Intuitively, two programs C and D are strongly low-bisimilar if varying the high parts of memories at any point of computation does not introduce any difference between the low parts of the memories throughout the computation. Protecting variations at any point of computation results in a rather restrictive security condition. However, this restrictiveness is justified in a concurrent setting (which is the ultimate motivation of our work) when threads may introduce secrets into high memory at any computation step. Based on this notion of low-bisimulation, the following definition of security is given in [27]:

**Definition 2.** A program C is secure if and only if  $C \cong_L C$ .

**Examples** Because the underlying low-bisimulation is strong, or lock-step, it captures timing-sensitive security of programs. Below, we exemplify different kinds of information flow handled by the security definition:

- l := h This is an example of an *explicit flow*. To see that this program is insecure according to Definition 2, take some s and t that are the same except s(h) = 0 and t(h) = 1. Since  $\langle l := h, s \rangle \stackrel{\text{tick}}{\to} \langle \text{stop}, [l \mapsto 0] s \rangle$  and  $\langle l := h, t \rangle \stackrel{\text{tick}}{\to} \langle \text{stop}, [l \mapsto 1] t \rangle$  hold, the resulting memories are not low-equal. Because these are the only possible transitions for both configurations, we have  $l := h \not\cong_L l := h$ . Thus, the program is deemed insecure.
- if h > 0 then l := 1 else l := 0 This exemplifies an *implicit flow* [4] through branching on a high condition. If the computation starts with low-equal memories s and tthat are the same except s(h) = 0 and t(h) = 1, then, after one step of computation (the test of the condition), the memories are still low-equal. However, after another computation step they become different in l (0 or 1, depending on the initial value of h). Because these are the only possible transitions for confi gurations with both sand t, the program is not self-low-similar and thus is insecure.
- while h > 0 do h := h 1 Assuming the worst-case scenario, an attacker may observe the timing of program execution. The attacker may learn the value of h from the timing behavior of the program above. This is an instance of a *timing covert channel* [18]. The program is rightfully rejected by Definition 2. Indeed, take some s and t that are the same except s(h) = 1 and t(h) = 0. We have  $\langle \text{while } h > 0 \text{ do } h := h 1, s \rangle \stackrel{\text{tick}}{\rightarrow} \langle h := h 1; \text{while } h > 0 \text{ do } h := h 1, s \rangle \stackrel{\text{tick}}{\rightarrow} \langle \text{stop}, [h \mapsto 0]s \rangle$

but (while h > 0 do h := h - 1, t)  $\stackrel{\texttt{tick}}{\rightarrow}$  (stop, t)  $\stackrel{\texttt{tick}}{\not\rightarrow}$  with no transition from the latter configuration to match the transitions of the previous sequence.

The examples above are insecure. Here is an instance of a secure program:

if h = 1 then h := h + 1 else skip Indeed, neither the low part of the memory nor the timing behavior depends on the value of h. A suitable symmetric relation that makes this program low-bisimilar to itself is, e.g., the relation {(if h = 1 then h := h + 1 else skip, if h = 1 then h := h + 1 else skip), (h := h + 1, skip), (skip, h := h + 1), (h := h + 1, h := h + 1), (skip, skip), (stop, stop)}.

#### 2.2 The VSPA calculus

The *Value-passing Security Process Algebra* (VSPA, for short) is a variation of Milner's value-passing CCS [21], where the set of visible actions is partitioned into high-level actions and low-level ones in order to specify multilevel-security systems.

Let  $E, E_1, E_2, \ldots$  range over *processes*,  $x, x_1, x_2, \ldots$  range over *variables*, and c,  $c_1, c_2, \ldots$  range over *channels*. As for Imp, let  $B, B_1, \ldots, Exp, Exp_1, \ldots$  range over boolean and arithmetic expressions, respectively,  $F, F_1, \ldots$  range over function symbols, and, fi nally,  $v, v_1, \ldots$  range over the set of basic values *Val*. (The set of basic values *Val*, and boolean/arithmetic expressions are the same as in Imp.) The syntax of VSPA processes is defined as follows:

$$E ::= \mathbf{0} | c(x).E | \overline{c}(Exp).E | \tau.E | E_1 + E_2 | E_1|E_2 | E \setminus R | E[g] |$$
  

$$A(Exp_1, \dots, Exp_n) | \text{ if } B \text{ then } E_1 \text{ else } E_2$$
  

$$B, Exp ::= F(x_1, \dots, x_n)$$

Each constant A is associated with a definition  $A(x_1, \ldots, x_n) \stackrel{\text{def}}{=} E$ , where  $x_1, \ldots, x_n$  are distinct variables and E is a VSPA process whose only free variables are  $x_1, \ldots, x_n$ . R is a set of channels and g is a function relabeling channel names. Finally, the set of channels is partitioned into *high-level* channels H and *low-level* ones L.

Intuitively, **0** is the empty process that does nothing; c(x).E is a process that reads a value  $v \in Val$  from channel c assigning it to variable x;  $\overline{c}(Exp).E$  is a process that evaluates expression Exp and sends the resulting value as output over c;  $E_1 + E_2$  represents the nondeterministic choice between the two processes  $E_1$  and  $E_2$ ;  $E_1|E_2$  is the parallel composition of  $E_1$  and  $E_2$ , where executions are interleaved, possibly synchronized on complementary input/output actions, producing an internal action  $\tau$ ;  $E \setminus R$  is a process E prevented from performing inputs and outputs over channels in R; E[g] is the process E whose channels are renamed via the relabeling function g;  $A(Exp_1, ..., Exp_n)$  behaves like the respective definition where the variables  $x_1, \cdots, x_n$  are substituted with the results of expressions  $Exp_1, \cdots, Exp_n$ ; finally, if B then  $E_1$  else  $E_2$  behaves as  $E_1$  if B evaluates to True and as  $E_2$ , otherwise.

We denote by  $\mathcal{E}$  the set of all VSPA processes and by  $\mathcal{E}_H$  the set of all high-level processes, i.e., those constructed only using channels in H. The operational semantics of VSPA processes are majorly standard (and can be found in Figure 5 of the appendix). We implicitly equate processes whose expressions are substituted by the corresponding

values, e.g.,  $\overline{c}(F(v_1, \dots, v_n)) \cdot E$  is the same as  $\overline{c}(v) \cdot E$  if  $F(v_1, \dots, v_n) = v$ . This corresponds to the  $\downarrow$  expression evaluation of Imp.

The weak bisimulation relation [21] equates two processes if they are able to mutually simulate each other step by step. Weak bisimulation does not care about internal  $\tau$  actions. We will use the following auxiliary notations. We write  $E \stackrel{a}{\Longrightarrow} E'$  if  $E(\stackrel{\tau}{\rightarrow})^* \stackrel{a}{\to} (\stackrel{\tau}{\rightarrow})^* E'$ . Moreover, we let  $E \stackrel{a}{\Longrightarrow} E'$  stand for  $E \stackrel{a}{\Longrightarrow} E'$  in case  $a \neq \tau$ , and for  $E(\stackrel{\tau}{\rightarrow})^* E'$  in case  $a = \tau$  (note that  $\stackrel{\tau}{\Longrightarrow}$  requires at least one  $\tau$  labeled transition while  $\stackrel{\hat{\tau}}{\Longrightarrow}$  means zero or more  $\tau$  labeled transitions).

**Definition 3** (Weak bisimulation). A symmetric binary relation  $R \subseteq \mathcal{E} \times \mathcal{E}$  over processes is a weak bisimulation if whenever  $(E, F) \in R$  and  $E \xrightarrow{a} E'$ , then there exists F' such that  $F \xrightarrow{\hat{a}} F'$  and  $(E', F') \in R$ .

Two processes  $E, F \in \mathcal{E}$  are *weakly bisimilar*, denoted by  $E \approx F$ , if there exists a weak bisimulation R containing the pair (E, F). The relation  $\approx$  is the largest weak bisimulation and it is an equivalence relation [21].

**Persistent BNDC security** In [9] we give a notion of security for VSPA processes called *Persistent BNDC*, where *BNDC* stands for *Bisimulation-based Nondeducibility* on Compositions. BNDC [5] is a generalization to concurrent processes of noninterference [11], consisting of checking a process E against all high-level processes  $\Pi$ . Formally:

**Definition 4 (BNDC).** Let  $E \in \mathcal{E}$ .  $E \in BNDC$  iff  $\forall \Pi \in \mathcal{E}_H, E \setminus H \approx (E|\Pi) \setminus H$ .

Intuitively, BNDC requires that high-level processes  $\Pi$  have no effect at all on the (low-level) execution of E.

In order to introduce *Persistent BNDC* (*P\_BNDC*) we define a new observation equivalence where high-level actions *may* be ignored, i.e., they may be matched by zero or more  $\tau$  actions. An action *a* is high if *a* is either an input c(v) or an output  $\overline{c}(v)$ , over a high-level channel  $c \in H$ . Otherwise, *a* is low. We write  $\tilde{a}$  to denote  $\hat{a}$  if *a* is low, and *a* or  $\hat{\tau}$  if *a* is high. We can now define weak bisimulation up to high, by just using  $\tilde{a}$  in place of  $\hat{a}$ , thus allowing high-level actions to be simulated by (possibly empty) sequences of  $\tau$ 's.

**Definition 5** (Weak bisimulation up to high). A symmetric binary relation  $R \subseteq \mathcal{E} \times \mathcal{E}$ over processes is a weak bisimulation up to high if whenever  $(E, F) \in R$  and  $E \xrightarrow{a} E'$ , then there exists F' such that  $F \xrightarrow{\tilde{a}} F'$  and  $(E', F') \in R$ .

We say that two processes E, F are *weakly bisimilar up to high*, written  $E \approx_{\backslash H} F$ , if  $(E, F) \in R$  for some weak bisimulation up to high R.

**Definition 6** (**P\_BNDC**). Let  $E \in \mathcal{E}$ .  $E \in P\_BNDC$  iff  $E \setminus H \approx_{\setminus H} E$ .

Intuitively, *P\_BNDC* requires that forbidding any high-level activity (by restriction) is equivalent to ignoring it. For example, process  $E \stackrel{\text{def}}{=} h.\overline{l} + \overline{l}$  is *P\_BNDC* since the high level input h is simulated, in  $E \setminus H$ , by not moving. Indeed, the high level activity is

not visible to the low level users who can only observe the low level output  $\bar{l}$ . Notice that this secure process allows some low level actions to follow high actions.

It has been proved [9] that *P\_BNDC* corresponds to requiring *BNDC* over all the possible reachable states. This is why we call it *Persistent BNDC*.

### **Proposition 1** ([9]). $E \in P\_BNDC$ iff $\forall E'$ reachable from $E, E' \in BNDC$ .

Note that  $P\_BNDC$  is similarly spirited to Imp's security definition. In particular, the  $\Pi$  process in BNDC corresponds to the possibility for arbitrary changes in the high part of state over the computation. Further, persistence in  $P\_BNDC$  corresponds to requiring strong low-bisimulation on reachable Imp commands. There are also obvious differences, highlighting the specifi cs of the application domains of the two security specifi cations:  $P\_BNDC$  is concerned with protecting the occurrence of high events whereas program security protects high memories. Nevertheless, in Section 4 we will arrive at a result that formally links program security and  $P\_BNDC$ .

It is worth noticing that *P\_BNDC* satisfies a number of useful compositionality properties and is much easier to check than *BNDC*, since no quantification over all possible high-level processes is required.

**Example** To illustrate the above definitions, we give a very simple example of an insecure process. In particular, we show an indirect flow due to the possibility for a high-level user to lock and unlock a process:

# $E \stackrel{\text{def}}{=} \texttt{hlock.hunlock.}\overline{1} + \overline{1}$

where hlock and hunlock are high-level channels and 1 is a low-level one. (To simplify we are not even sending values over channels.) At a first glance, process E seems to be secure as it always performs  $\overline{1}$  before terminating, thus low-level users should deduce nothing of what is done at the high level. However, a high-level user might lock the process through hlock and never unlock it, thus leading to an unexpected behavior since  $\overline{1}$  would be locked too. This ability for a high-level user to synchronize with a low-level one constitutes an indirect information flow and is detected by  $P\_BNDC$  since  $E \stackrel{\text{hlock}}{\rightarrow}$  hunlock. $\overline{1}$  cannot be simulated by  $E \setminus H$ . In fact,  $E \setminus H$  can execute neither high-level actions nor  $\tau$  ones, thus the only possibility it has to simulate hlock is not moving. However, this simulation is fine as long as the reached states are bisimilar up to high, i.e., hunlock. $\overline{1} \approx_{\backslash H} E \setminus H$ , but this cannot be true since only the latter process can immediately execute the low-level action  $\overline{1}$ .

## 3 Mapping Imp into VSPA

With the source and target languages in place, this section develops an encoding of the former into the latter. The encoding is done in two steps: enriching Imp's semantics with process calculi-style environment interaction rules and encoding the extended version of Imp into VSPA. A lock-step relation of Imp's executions with their VSPA's translations guarantees that the encoding is semantically adequate.

$$\frac{s(Id) = v}{\langle C, s \rangle} \xrightarrow{\stackrel{\text{eput}_{Id}(v)}{\to} \langle C, s \rangle} \qquad \langle C, s \rangle \xrightarrow{\text{eput}_{Id}(v)} \langle C, [Id \mapsto v]s \rangle \qquad \frac{\langle C, s \rangle \xrightarrow{a} \langle C', s' \rangle \quad a \notin R}{\langle C, s \rangle \setminus R \xrightarrow{a} \langle C', s' \rangle \setminus R}$$

Fig. 1. Semantic rules for environment

#### 3.1 Extending Imp semantics

The original definition of strong low-bisimulation (Definition 1) implicitly takes into account an environment that is capable of both reading from and writing to the state at any point of computation. Alternatively, and rather naturally, we can represent this environment explicitly, by the semantic rules for reading and modifying the state, depicted in Figure 1. Reading the value v of a variable Id is observable by an action  $\overline{eget}_{Id}(v)$ ; writing the value v to Id is observable by an action  $eput_{Id}(v)$ . (We adopt the process calculi convention of using  $\overline{\cdot}$  to denote output actions.)

Assume  $a \in \{\texttt{tick}, \overline{\texttt{eget}}(\cdot), \texttt{eput}(\cdot)\}$ . Action a is  $high \ (a \in H)$  if for some high variable Id we have either  $a = \overline{\texttt{eget}}_{Id}(\cdot)$  or  $a = \texttt{eput}_{Id}(\cdot)$ . Otherwise, a is  $low \ (a \in L)$ . High and low actions represent high and low environments, respectively. Similarly to VSPA's restriction, we define a restriction on actions in the semantics for Imp, also shown in Figure 1. For a set of actions R, an R-restricted configuration  $\langle C, s \rangle \setminus R$  behaves as  $\langle C, s \rangle$  except that its communication on actions from R is prohibited. The restriction is helpful for relating the extended semantics to Imp's original semantics: configuration  $\langle C, s \rangle \setminus \{\texttt{eget}_{Id}(v), \texttt{eput}_{Id}(v) \mid Id \text{ is a variable and } v \in Val\}$  behaves under the extended semantics exactly as  $\langle C, s \rangle$  under the original semantics.

These extended semantics of Imp are useful for different reasons: (i) they make read/write actions on the state explicitly observable as labeled transitions. This is much in the style of *Labeled Transition System* semantics for process calculi, where all one can observe is the action related to the transition (i.e., the label). The uniform semantic style helps us proving a semantic correspondence in Section 3.2. (ii) Further, the extended semantics allow us to characterize the security of Imp programs using a notion of bisimulation up to high, similar to the one defined for VSPA. As a matter of fact, in Section 4, we show how security of Imp programs can be equivalently expressed in the style of *P\_BNDC*, facilitating the proof that the security of Imp programs is the same as *P\_BNDC* security of their translations into VSPA.

### 3.2 Translation

In this section we translate Imp into VSPA. This is based on the translation described by Milner in [21], with the following important modifications: (*i*) We make explicit the fact that the external (possibly hostile) environment can manipulate the shared memory but cannot directly interact with a program. This is achieved by equipping registers (i.e., processes implementing Imp variables) with read/write channels accessible by the environment. All the other channels are "internalized" through restriction operators. (*ii*) Also, we use a *lock* to guarantee the atomicity of expression evaluations. In fact, Imp expressions are evaluated in one atomic step. Since expression evaluation is translated into a process which sequentially accesses registers in order to read the actual variable values, to regain atomicity we need to guarantee that variables are not modified during this reading phase.

The language we want to translate contains program variables, to which values may be assigned, and the meaning of a program variable Id is a "storage location". We therefore begin by defining a storage register holding a value v as follows:

$$\begin{aligned} Reg(v) \stackrel{\text{def}}{=} \texttt{put}x.Reg(x) + \overline{\texttt{get}v}.Reg(v) \\ + \overline{\texttt{lock}}.(\texttt{eput}x.\overline{\texttt{unlock}}.Reg(x) + \overline{\texttt{unlock}}.Reg(v)) \\ + \overline{\texttt{lock}}.(\overline{\texttt{eget}v}.\overline{\texttt{unlock}}.Reg(v) + \overline{\texttt{unlock}}.Reg(v)) \end{aligned}$$

(We shall often write put(x) as putx etc.) Thus, via  $\overline{get}$  the stored value v may be read from the register, and via put a new value x may be written to the register. Actions  $\overline{eget}$  and eput are intended to model the interactions of an external observer with the register. Notice that before and after such actions, we require that  $\overline{lock}$  and  $\overline{unlock}$  are executed, respectively. These two additional actions are used to guarantee mutual exclusion on the memory between expression evaluations and the environment. This implements the atomic expression evaluation of Imp. We also have an (abstract) time-out mechanism, that nondeterministically unlocks the registers. This is necessary to avoid blocking the program by the environment via refusing to accept  $\overline{eget}$  or to execute eput after the lock has been grabbed. As a matter of fact, we want the environment to interact with the registers without interfering in any way with the program execution. The (global) lock is implemented by the process:

$$\textit{Lock} \stackrel{\mathrm{def}}{=} \texttt{lock.unlock}.\textit{Lock}$$

For each program variable Id, we introduce a register  $Reg_{Id}(y) \stackrel{\text{def}}{=} Reg(y)[g_{Id}]$ , where  $g_{Id}$  is the relabeling function {put}\_{Id}/put, get\_{Id}/get, eput\_{Id}/eput, eget\_{Id}/eget}.

This representation of registers—or program variables—as processes is fundamental to our translation; it indicates that resources like variables, as well as the programs which use them, can be thought of as processes, so that our calculus can get away with the single notion of process to represent different kinds of entity.

There is no basic notion of sequential composition of processes in our calculus, but we can define it. To do this, we introduce a convention that processes may indicate their termination by a distinguished channel done. More precisely, we say that a process is *well-terminating* if it cannot do any further move after performing done; as we will see, the processes which arise from translating Imp commands are all well-terminating ones, and this is achieved by terminating them with done.0 (written *Done*) instead of just 0. We are now in position to define a combinator *Before* for sequential composition:

$$P \ Before \ Q \stackrel{\text{def}}{=} (P[b/\texttt{done}]|b.Q) \setminus \{b\}$$

where b is a new name, so that no conflict arises with the done action performed by Q. It is easy to see that *Before* preserves well-termination, i.e., if P and Q are well-terminating then so is P *Before* Q.

Just as a command of the language will be a well-terminating process, so an expression of the language will "terminate" by yielding up its results via the special channel  $\overline{res}$ , not used by processes. If P represents such an expression, then we may wish another process Q to refer to the result by using the value variable x. To this end, we define another combinator, Into:

$$P Into(x) Q(x) \stackrel{\text{def}}{=} (P|\texttt{res}(x).Q(x)) \setminus \{\texttt{res}\}$$

Notice that Q(x) is parametric on x and *Into* binds this variable to the result of the expression P. Notice also that we do not need to relabel res to a new channel, as we did with the special channel done. As a matter of fact, Q(x) is a process and not an expression, thus it does not use channel res to communicate with sibling processes and no conflict is ever possible. Notice that Q(x) might use res into a nested *Into* combinator. In this case, however, res would be inside the scope of a restriction thus not be visible at this external *Into* level. (See below for an example.)

The translation function  $\mathcal T$  of Imp commands into VSPA processes is given in Figure 2. Intuitively, each expression  $F(Id_1, \ldots Id_n)$  is translated into a process which collects the values of registers  $Id_1, \ldots Id_n$  and returns  $F(x_1, \ldots, x_n)$  over channel res. A state s, i.e., a finite mapping associating each variable  $Id_1, \ldots, Id_m$  to values  $s(Id_1), \ldots, s(Id_m)$  is translated into the parallel composition of the relative registers. The translation of commands is then straightforward. Notice that before and after each expression evaluation we lock and release the global lock so that the environment cannot interact with the memory while expressions are evaluated. This achieves atomic expression evaluations as in Imp. Configurations  $\langle C, s \rangle$  are translated as the parallel composition of the global Lock and the translations of C and s.  $ACC_s =$  $\{\overline{\text{put}_{Id_1}}, \text{get}_{Id_1}, \dots, \overline{\text{put}_{Id_m}}, \text{get}_{Id_m}, \text{lock}, \text{unlock}\}\$  is the set of all channels used by commands to access registers, plus the lock commands. Thus, the restriction over  $ACC_s \cup \{ done \}$  aims both at internalizing all the communications between commands and registers and at removing the last done action. Notice that the environment channels  $eput_{Id}$  and  $eget_{Id}$  are not restricted and, together with tick, they are the only observable actions of  $\mathcal{T}[[\langle C, s \rangle]]$ . Finally, *R*-restricted configurations are translated by simply restricting the translation on R.

The interaction of the translation of a confi guration with the environment is reflected in the diagram in Figure 3. Channels as lock and  $put_{Id}$  are for internal interaction and so they are hidden from the environment. On the other hand, channels  $eget_{Id}$ ,  $eput_{Id}$ , and tick are observable from outside—they allow the environment to observe and change the low part of the state and observe the timing behavior of the execution via the channel tick. We assign security levels to observable actions as expected:  $eput_{Id}$ and  $eget_{Id}$  are high if and only if the corresponding Imp variable Id is high. All the other observable actions, including tick, are low. (The security level of unobservable actions makes no difference for the security definition.)

**Examples** As before, we assume that h is a high variable and l is a low one. These variables are represented by processes  $Reg_h(s(h))$  and  $Reg_l(s(l))$  for some state s.

$$\begin{split} \mathcal{T} \llbracket F(Id_1, \dots Id_n) \rrbracket &= \mathsf{get}_{Id_1} x_1 \cdots .\mathsf{get}_{Id_n} x_n.\overline{\mathsf{res}}(F(x_1, \dots, x_n)).\mathbf{0} \\ \mathcal{T} \llbracket s \rrbracket &= \operatorname{Reg}_{Id_1}(s(Id_1)) | \dots | \operatorname{Reg}_{Id_m}(s(Id_m)) \\ \mathcal{T} \llbracket \mathsf{stop} \rrbracket &= \mathbf{0} \\ \mathcal{T} \llbracket \mathsf{stop} \rrbracket &= \mathbf{0} \\ \mathcal{T} \llbracket \mathsf{stip} \rrbracket &= \overline{\mathsf{lock}}.\mathsf{tick}.\overline{\mathsf{unlock}}.Done \\ \mathcal{T} \llbracket Id := Exp \rrbracket &= \overline{\mathsf{lock}}.\mathcal{T} \llbracket Exp \rrbracket \operatorname{Into}(x) \ (\overline{\mathsf{put}}_{Id}x.\mathsf{tick}.\overline{\mathsf{unlock}}.Done) \\ \mathcal{T} \llbracket C_1; C_2 \rrbracket &= \mathcal{T} \llbracket C_1 \rrbracket \operatorname{Before} \mathcal{T} \llbracket C_2 \rrbracket \\ \mathcal{T} \llbracket \mathsf{if} \ B \ \mathsf{then} \ C_1 \ \mathsf{else} \ C_2 \rrbracket &= \overline{\mathsf{lock}}.\mathcal{T} \llbracket B \rrbracket \ \operatorname{Into}(x) \ (\mathbf{if} \ x \ \mathbf{then} \ \mathsf{tick}.\overline{\mathsf{unlock}}.\mathcal{T} \llbracket C_1 \rrbracket \\ &\quad \mathsf{else} \ \mathsf{tick}.\overline{\mathsf{unlock}}.\mathcal{T} \llbracket C_2 \rrbracket ) \\ \mathcal{T} \llbracket \mathsf{while} \ B \ \mathsf{do} \ C \rrbracket &= Z \\ &\quad \mathsf{where} \ Z \ \overset{\mathrm{def}}{=} \ \overline{\mathsf{lock}}.\mathcal{T} \llbracket B \rrbracket \ \operatorname{Into}(x) \ (\mathbf{if} \ x \ \mathbf{then} \ \mathsf{tick}.\overline{\mathsf{unlock}}.\mathcal{T} \llbracket C \rrbracket \ Before \ Z \\ &\quad \mathsf{else} \ \mathsf{tick}.\overline{\mathsf{unlock}}.\mathcal{T} \llbracket C \rrbracket \ Before \ Z \\ &\quad \mathsf{else} \ \mathsf{tick}.\overline{\mathsf{unlock}}.\mathcal{T} \llbracket C \rrbracket \ Before \ Z \\ &\quad \mathsf{else} \ \mathsf{tick}.\overline{\mathsf{unlock}}.\mathcal{T} \llbracket C \rrbracket \ Before \ Z \\ &\quad \mathsf{else} \ \mathsf{tick}.\overline{\mathsf{unlock}}.\mathcal{T} \llbracket C \rrbracket \ Before \ Z \\ &\quad \mathsf{else} \ \mathsf{tick}.\overline{\mathsf{unlock}}.\mathcal{T} \llbracket C \rrbracket \ Before \ Z \\ &\quad \mathsf{else} \ \mathsf{tick}.\overline{\mathsf{unlock}}.\mathcal{T} \llbracket C \rrbracket \ Before \ Z \\ &\quad \mathsf{else} \ \mathsf{tick}.\overline{\mathsf{unlock}}.\mathcal{T} \llbracket C \rrbracket \ Before \ Z \\ &\quad \mathsf{else} \ \mathsf{tick}.\overline{\mathsf{unlock}}.\mathcal{T} \llbracket C \rrbracket \ Before \ Z \\ &\quad \mathsf{else} \ \mathsf{tick}.\overline{\mathsf{unlock}}.\mathcal{T} \llbracket C \rrbracket \ Before \ Z \\ &\quad \mathsf{else} \ \mathsf{tick}.\overline{\mathsf{unlock}}.\mathcal{T} \llbracket C \rrbracket \ Before \ Z \\ &\quad \mathsf{else} \ \mathsf{tick}.\overline{\mathsf{unlock}}.\mathcal{T} \llbracket C \rrbracket \ Before \ Z \\ &\quad \mathsf{else} \ \mathsf{tick}.\overline{\mathsf{unlock}}.\mathcal{T} \llbracket C \rrbracket \ Before \ Z \\ &\quad \mathsf{else} \ \mathsf{tick}.\overline{\mathsf{unlock}}.\mathcal{T} \llbracket C \rrbracket \ Before \ Z \\ &\quad \mathsf{else} \ \mathsf{tick}.\overline{\mathsf{unlock}}.\mathcal{T} \llbracket S \lor \ S \lor \mathsf{unlock} \ S \lor \mathsf{unlock} \ S \lor \mathsf{ullock} \ S \lor$$

Fig. 2. Translation of commands



Fig. 3. Translation of an Imp configuration

Consider the program l := h. This program is translated into:

$$\begin{split} \mathcal{T}[\![l:=h]\!] =& \overline{\texttt{lock}}.\mathcal{T}[\![h]\!] \ Into(x) \ (\overline{\texttt{put}}_l x.\texttt{tick}.\overline{\texttt{unlock}}.Done) \\ =& (\overline{\texttt{lock}}.\texttt{get}_h x.\overline{\texttt{res}} x.\mathbf{0} \mid \texttt{res}(x).(\overline{\texttt{put}}_l x.\texttt{tick}.\overline{\texttt{unlock}}.\overline{\texttt{done}}.\mathbf{0})) \setminus \{\texttt{res}\} \end{split}$$

The process grabs the lock, fetches the value of h into x, passes it on the res channel to the process that puts the value into the register for l, performs a tick action, and releases the lock. (Notice that expression h can be seen as ID(h) where ID is the identity function over Val.)

Suppose  $s' = [l \mapsto s(h)]s$ . It is helpful to track the execution of the translation of the configuration  $\langle C, s \rangle$  in a step-by-step fashion:

$$\begin{split} \mathcal{T}[\![\{l:=h,s\}]\!] &= (\mathcal{T}[\![s]\!] \mid \mathcal{T}[\![l:=h]\!] \mid Lock) \setminus ACC_s \cup \{\texttt{done}\} \\ &= (\mathcal{T}[\![s]\!] \mid (\overline{\texttt{lock}}, \texttt{get}_h x. \overline{\texttt{res}} x. \mathbf{0} \mid \texttt{res}(x). (\overline{\texttt{put}}_l x. \texttt{tick}. \overline{\texttt{unlock}}. \texttt{done}.\mathbf{0})) \setminus \{\texttt{res}\} \\ &\mid Lock) \setminus ACC_s \cup \{\texttt{done}\} \\ & (\texttt{by definition of } \mathcal{T}[\![l:=h]\!]) \\ \xrightarrow{\tau} (\mathcal{T}[\![s]\!] \mid (\texttt{get}_h x. \overline{\texttt{res}} x. \mathbf{0} \mid \texttt{res}(x). (\overline{\texttt{put}}_l x. \texttt{tick}. \overline{\texttt{unlock}}. \texttt{done}.\mathbf{0})) \setminus \{\texttt{res}\} \\ &\mid \texttt{unlock}. Lock) \setminus ACC_s \cup \{\texttt{done}\} \\ & (\texttt{by synchronization on lock}) \\ \xrightarrow{\tau} (\mathcal{T}[\![s]\!] \mid (\overline{\texttt{res}} s(h).\mathbf{0} \mid \texttt{res}(x). (\overline{\texttt{put}}_l x. \texttt{tick}. \overline{\texttt{unlock}}. \texttt{done}.\mathbf{0})) \setminus \{\texttt{res}\} \\ &\mid \texttt{unlock}. Lock) \setminus ACC_s \cup \{\texttt{done}\} \\ & (\texttt{fetching the value } s(h) \text{ of } h \text{ from } Reg_h) \\ \xrightarrow{\tau} (\mathcal{T}[\![s]\!] \mid (\mathbf{0} \mid (\overline{\texttt{put}}_l s(h). \texttt{tick}. \overline{\texttt{unlock}}. \overline{\texttt{done}}.\mathbf{0})) \setminus \{\texttt{res}\} \\ &\mid \texttt{unlock}. Lock) \setminus ACC_s \cup \{\texttt{done}\} \\ & (\texttt{passing } s(h) \text{ on } res) \\ \xrightarrow{\tau} (\mathcal{T}[\![s']\!] \mid (\mathbf{0} \mid (\texttt{tick}. \overline{\texttt{unlock}}. \overline{\texttt{done}}.\mathbf{0})) \setminus \{\texttt{res}\} \\ &\mid \texttt{unlock}. Lock) \setminus ACC_s \cup \{\texttt{done}\} \\ & (\texttt{updating } Reg_l \text{ with } s(h); \texttt{new state is } s') \\ \xrightarrow{\tau} (\mathcal{T}[\![s']\!] \mid (\mathbf{0} \mid \overline{\texttt{unlock}}. \overline{\texttt{done}}.\mathbf{0})) \setminus \{\texttt{res}\} \\ &\mid \texttt{unlock}. Lock) \setminus ACC_{s'} \cup \{\texttt{done}\} \\ & (\texttt{updating } Reg_l \text{ with } s(h); \texttt{new state is } s') \\ \xrightarrow{\tau} (\mathcal{T}[\![s']\!] \mid (\mathbf{0} \mid \overline{\texttt{unlock}}. \overline{\texttt{done}}.\mathbf{0})) \setminus \{\texttt{res}\} \\ &\mid \texttt{unlock}. Lock) \setminus ACC_{s'} \cup \{\texttt{done}\} \\ & (\texttt{unlock}. fork) \setminus ACC_{s'} \cup \{\texttt{done}\} \\ \xrightarrow{\tau} (\mathcal{T}[\![s']\!] \mid (\mathbf{0} \mid \overline{\texttt{done}}.\mathbf{0})) \setminus \{\texttt{res}\} \mid Lock) \setminus ACC_{s'} \cup \{\texttt{done}\} \\ & (\texttt{unlocking}) \\ \approx (\mathcal{T}[\![s']\!] \mid \mathbf{0} \mid Lock) \setminus ACC_{s'} \cup \{\texttt{done}\} \\ & (\texttt{bisimilarity} \\ = \mathcal{T}[\![\texttt{stop}, s']\!] \\ \end{aligned}{}$$

Note that we have demonstrated that  $\mathcal{T}[\![\langle l := h, s \rangle ]\!] \stackrel{\text{tick}}{\Longrightarrow} P$  for such P that  $P \approx \mathcal{T}[\![\langle \text{stop}, s' \rangle ]\!]$ . We will prove a general result on the semantic correspondence between Imp programs and their VSPA translations later in this section.

Another example is the program if h > 0 then l := 1 else l := 0. This program is translated into:

$$\begin{split} \mathcal{T}[\![\text{if } h > 0 \text{ then } l &:= 1 \text{ else } l := 0]\!] \\ &= \overline{\texttt{lock}}.\mathcal{T}[\![h > 0]\!] \ \textit{Into}(x) \\ &(\text{if } x \text{ then tick.unlock}.\mathcal{T}[\![l := 1]\!] \text{ else tick.unlock}.\mathcal{T}[\![l := 0]\!]) \\ &= (\overline{\texttt{lock.get}}_h x.\overline{\texttt{res}}(x > 0).\mathbf{0} \mid \texttt{res}(x). \\ &(\text{if } x \text{ then tick.unlock}.\mathcal{T}[\![l := 1]\!] \text{ else tick.unlock}.\mathcal{T}[\![l := 0]\!])) \setminus \{\texttt{res}\} \\ &= (\overline{\texttt{lock.get}}_h x.\overline{\texttt{res}}(x > 0).\mathbf{0} \mid \texttt{res}(x). \\ &(\text{if } x \text{ then tick.unlock}. \\ &(\overline{\texttt{lock.res}}1.\mathbf{0} \mid \texttt{res}(x).(\overline{\texttt{put}}_l x.\texttt{tick.unlock}.\overline{\texttt{done.0}})) \setminus \{\texttt{res}\} \\ &\text{else tick.unlock}. \\ &(\overline{\texttt{lock.res}}0.\mathbf{0} \mid \texttt{res}(x).(\overline{\texttt{put}}_l x.\texttt{tick.unlock}.\overline{\texttt{done.0}})) \setminus \{\texttt{res}\})) \setminus \{\texttt{res}\} \end{split}$$

In Section 4 we revisit both example translations and discuss their VSPA security.

**Semantic correspondence** The following propositions state the semantic correspondence between any *R*-restricted configuration  $\langle C, s \rangle \setminus R$  and its translation  $\mathcal{T}[\![\langle C, s \rangle \setminus R]]$ 

R]. Let  $Env = \{ \overline{eget}_{\cdot}(\cdot), eput_{\cdot}(\cdot) \}$  denote the set of all the possible environment actions.

**Proposition 2.** Given an *R*-restricted configuration  $cfg = \langle C, s \rangle \setminus R$ , with  $R \subseteq Env$ , if  $cfg \xrightarrow{a} cfg'$  then there exists a process P' such that  $\mathcal{T}[\![cfg]\!] \xrightarrow{\hat{a}} P'$  and  $P' \approx \mathcal{T}[\![cfg']\!]$ . Moreover, when a = tick we have that  $\mathcal{T}[\![cfg]\!] \xrightarrow{\hat{\tau}} \tilde{P} \xrightarrow{\texttt{tick}} P'$  and  $\tilde{P} \approx \texttt{tick}.\mathcal{T}[\![cfg']\!]$ .

Intuitively, every (possibly restricted) Imp configuration move is coherently simulated by its VSPA translation, in a way that the reached process is weakly bisimilar to the translation of the reached configuration. Moreover, for tick moves, the translation  $\mathcal{T}[[cfg]]$  always reaches a state equivalent to tick. $\mathcal{T}[[cfg']]$  before actually performing the tick. Intuitively, this is due to the fact that the lock is released only after tick is performed. Notice that if  $R = \emptyset$  there is no restriction at all. Thus, Proposition 2 is applicable to unrestricted configurations, too.

Next proposition is about the other way around: each process which is weakly bisimilar to the translation of a (restricted) Imp configuration cfg always moves to processes weakly bisimilar to either  $\mathcal{T}[cfg']$  or tick. $\mathcal{T}[cfg'']$ , where cfg' and cfg'' are reached from cfg by performing the expected corresponding actions. As for previous proposition, tick. $\mathcal{T}[cfg'']$  represents an intermediate state reached before performing the actual tick action.

**Proposition 3.** Given an *R*-restricted configuration  $cfg = \langle C, s \rangle \setminus R$ , with  $R \subseteq Env$ , and a process *P* 

- if  $P \approx \mathcal{T}\llbracket cfg \rrbracket$  and  $P \xrightarrow{\tau} P'$  then either  $P' \approx P$  or  $P' \approx \text{tick}.\mathcal{T}\llbracket cfg' \rrbracket$  and  $cfg \xrightarrow{\text{tick}} cfg';$
- if  $P \approx \mathcal{T}[[cfg]]$  and  $P \xrightarrow{a} P'$  with  $a \neq \tau$ , tick, then either  $P' \approx \mathcal{T}[[cfg']]$  and  $cfg \xrightarrow{a} cfg'$  or  $P' \approx \text{tick}.\mathcal{T}[[cfg'']]$  and  $cfg \xrightarrow{a} cfg' \xrightarrow{\text{tick}} cfg''$ .

Proofs of the above propositions are by structural induction on Imp commands and by case analysis. We omit them for lack of space but we sketch the proof of the most interesting case (expression evaluation and assignment) in Lemma 1 (Appendix).

# 4 Security correspondence

In this section we study how the security of Imp programs relates to the security of VSPA processes. First, we give a notion of weak bisimulation up to high in the Imp setting, which allows us to characterize the security of Imp programs in a form which is very close to  $P\_BNDC$ . Then, we show that this new characterization of Imp program security exactly corresponds to requiring  $P\_BNDC$  of program translations into VSPA. More specifically, we prove that a program C is secure if and only if its translation  $\mathcal{T}[[\langle C, s \rangle]]$  is  $P\_BNDC$  for all states s. Finally, we give some examples of  $P\_BNDC$  applied to translations of Imp programs.

*P\_BNDC***-like security characterization for Imp** In order to define weak bisimulation up to high, similarly to what we have done for VSPA, we define the operation  $\tilde{a}$  to be a in case a is low; and a or null (which means no action) in case a is high. This naturally leads to a notion of bisimulation up to high for Imp programs:

**Definition 7.** A symmetric binary relation R on (possibly restricted) configurations is a bisimulation up to high if whenever  $cfg_1 R cfg_2$  and  $cfg_1 \xrightarrow{a} cfg'_1$ , there exists  $cfg'_2$  such that  $cfg_2 \xrightarrow{\tilde{a}} cfg'_2$  and  $cfg'_1 R cfg'_2$ .

We write  $\cong_{\backslash H}$  for the union of all bisimulation up to high. This definition brings us close to the nature of the process-algebraic security specification from Section 2.2. Using bisimulation up to high and restriction we can faithfully represent the original definition of strong low-bisimulation. The following proposition states the correspondence between strong low-bisimulation (defined on the tick actions of the original semantics) and bisimulation up to high (defined on the extended semantics) with restriction:

**Proposition 4.** We have  $C \cong_L D$  if and only if for all s we have  $\langle C, s \rangle \cong_{\backslash H} \langle D, s \rangle \backslash H$ and  $\langle C, s \rangle \setminus H \cong_{\backslash H} \langle D, s \rangle$ .

*Proof.* A straightforward proof (relying on no assumptions about Imp's syntax) is given in the appendix.  $\Box$ 

As a direct consequence, the security of Imp programs can be expressed in a "*P\_BNDC* style" as follows:

**Corollary 1.** A program C is secure if and only if  $(C, s) \cong_{\backslash H} (C, s) \land H$  for all s.

**Program security is** *P\_BNDC* The following theorem shows that weak bisimulation up to high is preserved in the translation from Imp to VSPA. This is the core result that allows us to prove that security of Imp programs exactly corresponds to *P\_BNDC* of their translations in VSPA.

**Theorem 1.** Let  $cfg_1 = \langle C, s \rangle \setminus R$  and  $cfg_2 = \langle D, t \rangle \setminus R'$ , with  $R, R' \subseteq H$ , be two configurations (possibly) restricted over high level actions. It holds that  $cfg_1 \cong_{\backslash H} cfg_2$  if and only if  $\mathcal{T}[\![cfg_1]\!] \approx_{\backslash H} \mathcal{T}[\![cfg_2]\!]$ .

*Proof.* The proof is given in the appendix.

This theorem has the flavor of a full-abstraction result (cf. [1]) for the indistinguishability relation  $\approx_{\backslash H}$ . As a corollary of the theorem, we receive a direct link between program security and *P\_BNDC* security:

**Corollary 2.** Program C is secure if and only if its translation  $\mathcal{T}[[\langle C, s \rangle]]$  is P\_BNDC for all states s.

*Proof.* By Corollary 1, C is secure if and only if  $\langle C, s \rangle \cong_{\backslash H} \langle C, s \rangle \setminus H$  for all s. By Theorem 1,  $\langle C, s \rangle \cong_{\backslash H} \langle C, s \rangle \setminus H$  if and only if  $\mathcal{T}[\![\langle C, s \rangle]\!] \approx_{\backslash H} \mathcal{T}[\![\langle C, s \rangle \setminus H]\!]$ . Since, by definition,  $\mathcal{T}[\![\langle C, s \rangle \setminus H]\!] = \mathcal{T}[\![\langle C, s \rangle]\!] \setminus H$ , we have  $\mathcal{T}[\![\langle C, s \rangle]\!] \approx_{\backslash H} \mathcal{T}[\![\langle C, s \rangle]\!] \setminus H$ , and thus  $\mathcal{T}[\![\langle C, s \rangle]\!]$  is *P\_BNDC* for all *s*.  $\Box$  **Examples** Recall from Section 2.1 that the program l := h is rejected by the security definition for Imp. Recall from Section 3.2 that

$$\mathcal{T}[\![l:=h]\!] = (\overline{\texttt{lock}.\texttt{get}_h x}.\overline{\texttt{res}}x.\mathbf{0} \mid \texttt{res}(x).(\overline{\texttt{put}_l x}.\texttt{tick}.\overline{\texttt{unlock}.\texttt{done}}.\mathbf{0})) \setminus \{\texttt{res}\}$$

To see that this translation is rejected by *P\_BNDC*, take a state *s* that, for example, maps all its variables to 0. We want to demonstrate that  $\mathcal{T}[\![\langle l := h, s \rangle]\!] \setminus H \not\approx_{\backslash H} \mathcal{T}[\![\langle l := h, s \rangle]\!]$ . Varying the high variable from 0 to 1 on the right-hand side can be done by the transition  $\mathcal{T}[\![\langle l := h, s \rangle]\!] \xrightarrow{\text{eput}_h(1)} F$  for some process *F*. If the translation were secure then this transition would have to be simulated up to *H* by  $\mathcal{T}[\![\langle l := h, s \rangle]\!] \setminus H$ . Such a transition would have to be a  $\hat{\tau}$  transition because  $\text{eput}_h(1)$  is a high transition, but  $\mathcal{T}[\![\langle l := h, s \rangle]\!] \setminus H$  is restricted from high actions. Therefore,  $\mathcal{T}[\![\langle l := h, s \rangle]\!] \setminus H$  would reduce to some process *E*, whose register for *h* remains 0.

By the definition of weak bisimulation up to H, we would have  $E \setminus H \approx_{\backslash H} F$ . Let subsequent actions correspond to traversing the two processes passing  $\overline{put}_l(0)$  and  $\overline{put}_l(1)$ , respectively, and reaching  $\overline{unlock}$ . Note that actions on internal channels lock,  $get_h$ , res,  $put_l$  are hidden from the environment. However, as an effect of the latter action, the register for l will store different values. Even though the tick actions can still be simulated, this breaks bisimulation because the externally visible action  $get_l(0)$  by the successor of E (after  $\overline{unlock}$ ) cannot be simulated by the successor of F (after  $\overline{unlock}$ ).

Further, recall from Section 2.1 that the program if h > 0 then l := 1 else l := 0 is rejected by Imp's security definition. In Section 3.2 we saw that

$$\begin{split} & \mathcal{T}\llbracket \text{if } h > 0 \text{ then } l := 1 \text{ else } l := 0 \rrbracket = \\ & (\overline{\texttt{lock.get}}_h x.\overline{\texttt{res}}(x > 0).\mathbf{0} \mid \texttt{res}(x). \\ & (\text{if } x \text{ then tick.unlock.} \\ & (\overline{\texttt{lock.res}}1.\mathbf{0} \mid \texttt{res}(x).(\overline{\texttt{put}}_l x.\texttt{tick.unlock.done.0})) \setminus \{\texttt{res}\} \\ & \text{else tick.unlock.} \\ & (\overline{\texttt{lock.res}}0.\mathbf{0} \mid \texttt{res}(x).(\overline{\texttt{put}}_l x.\texttt{tick.unlock.done.0})) \setminus \{\texttt{res}\})) \setminus \{\texttt{res}\} \end{split}$$

The information flow from h > 0 to l is evident in the translation. The result of inspecting the expression h > 0 is sent on the channel res. When this result is received and checked, either it triggers the process that puts 1 in the register for l or a similar process that puts 0 to that register.

As above, the VSPA translation fails to satisfy *P\_BNDC*. Varying the high state by a high environment action  $eput_h(\cdot)$  in the beginning leads to different values in the register for *l*. This difference can be observed by low environment actions  $eget_l(\cdot)$ .

### 5 Related work

A large body of work on information-flow security has been developed in the area of programming languages (see a recent survey [26]) and process calculus (e.g., [7, 24, 23, 12, 17]). While both language-based and process calculus-based security are relatively established fields, only little has been done for understanding the connection between the two.

A line of work initiated by Honda et al. [13] and pursued by Honda and Yoshida [14, 15] develops security type systems for the  $\pi$ -calculus. The use of linear and affi ne types gives the power for these systems to soundly embed type systems for imperative multi-threaded languages [28] into the typed  $\pi$ -calculus. This direction is appealing as it leads to automatic security enforcement mechanisms by security type checking. Nevertheless, automatic enforcement comes at the price of lower precision. Our approach opens up possibilities for combining high-precision security verification (such as equivalence checking in process calculi [22]) with type-based verification. Steps in this direction have been made in other settings (e.g., [16, 2, 30], however, not treating timing-sensitive security.

Giambiagi and Dam's work on *admissible flows* [3, 10] illustrates a useful synergy of an imperative language and a CCS-like process calculus. The assurance provided by admissible flows is that a security protocol implementation (written in the imperative language) leaks no more information than prescribed in the specification (written in the process calculus).

Mantel and Sabelfeld [20] have suggested an embedding of a multithreaded and distributed language into MAKS [19], an abstract framework for modeling the security of event-based systems. The translation of a program is secure (as an event system) if and only the program itself is secure (in the sense that the program satisfies self-low-similarity). While this work offers a useful connection between language-based and event-based security, it is inherently restricted to expressing event systems as trace models. In the present work, the security of both the source and target languages is defined in terms of bisimulation. This enables us to capture additional covert channels, that exhibit information leaks, e.g., through deadlock behavior [7], which trace-based models generally fail to detect.

Our inspiration for handling timing-sensitive security stems from the work by Focardi et al. [8], where explicit tick events are used to keep track of timing in a scenario of a discrete-time process calculus.

# 6 Conclusion and future work

We have established a formal connection between a language-based and a process calculus security definition of information security. Concretely, we have shown that a timingsensitive security definition corresponds to  $P_-BNDC$ , persistent bisimulation-based nondeducibility on compositions. Thereby, we have identified a point in the space of process calculus-based definitions [7] that exactly corresponds to compositional timingsensitive language-based security.

Drawing on Milner's work [21], we have developed a generally useful encoding of an imperative language into a CCS-like calculus. We expect that this encoding will be helpful for both future work on information security topics as well as other topics that necessitate representation of programming languages in process calculus.

This paper sets solid ground for future work in the following directions:

*Security policies* We have used as a starting point a timing-sensitive language-based security specification. This choice has allowed us to establish a tight, timing-sensitive,

correspondence between computation steps in the imperative language and the actions of processes. However, it is important to consider a full spectrum of attackers, including the attacker that may not observe (non)termination. Future work includes weakening security policies and investigating the relation between the two kinds of security for a termination-insensitive attacker.

Concurrency and distribution Concurrency and distribution are out of scope for this paper for lack of space. However, the technical machinery is already in place to add multithreading and distribution to the imperative language (for example, the program security characterization is known to be compositional for Imp with dynamic thread creation [27]). We conjecture that in presence of concurrency,  $P\_BNDC$  will remain to correspond to the language-based security definition. We expect parallel compositions of Imp threads to be encoded by parallel compositions of VSPA processes. In this case, the security correspondence result would be a consequence of the compositionality of the two properties. We anticipate the security correspondence to hold without major changes in the encoding. The effect of distribution features in both source and target language with channel-based communication [25] is a natural point for investigating the connection to process calculi security. As a matter of fact,  $P\_BNDC$  has been specifi cally developed for communication and for manipulating memories.

*Modular security* According to the vision we stated in the introduction, for the security analysis of heterogeneous systems we need heterogeneous, scalable techniques. The key to scalability is modular analysis that allows analyzing parts of a systems in isolation and plug together secure components together. That the resulting system is secure is guaranteed by compositionality results. While compositionality properties for Imp and VSPA have been studied separately, we intend to explore the interplay between the two. In particular, we expect to obtain stronger compositionality results for the image of secure imperative programs in VSPA than for regular VSPA processes.

### References

- M. Abadi. Protection in programming-language translations. In *Proc. International Colloquium on Automata, Languages, and Programming*, volume 1443 of *LNCS*, pages 868–883. Springer-Verlag, July 1998.
- D. Clark, C. Hankin, and S. Hunt. Information flow for Algol-like languages. *Journal of Computer Languages*, 28(1):3–28, April 2002.
- 3. M. Dam and P. Giambiagi. Confidentiality for mobile code: The case of a simple payment protocol. In *Proc. IEEE Computer Security Foundations Workshop*, pages 233–244, July 2000.
- 4. D. E. Denning and P. J. Denning. Certification of programs for secure information flow. *Comm. of the ACM*, 20(7):504–513, July 1977.
- R. Focardi and R. Gorrieri. A Classification of Security Properties for Process Algebras. Journal of Computer Security, 3(1):5–33, 1994/1995.

- R. Focardi and R. Gorrieri. The Compositional Security Checker: A Tool for the Verification of Information Flow Security Properties. *IEEE Transactions on Software Engineering*, 23(9):550–571, 1997.
- R. Focardi and R. Gorrieri. Classification of Security Properties (Part I: Information Flow). In R. Focardi and R. Gorrieri, editors, *Foundations of Security Analysis and Design*, volume 2171 of *LNCS*, pages 331–396. Springer-Verlag, 2001.
- R. Focardi, R. Gorrieri, and F. Martinelli. Information flow analysis in a discrete-time process algebra. In *Proc. IEEE Computer Security Foundations Workshop*, pages 170–184, July 2000.
- 9. R. Focardi and S. Rossi. Information Flow Security in Dynamic Contexts. In *Proc. of the IEEE Computer Security Foundations Workshop*, pages 307–319. IEEE Computer Society Press, 2002.
- P. Giambiagi and M.Dam. On the secure implementation of security protocols. In *Proc. European Symp. on Programming*, volume 2618 of *LNCS*, pages 144–158. Springer-Verlag, April 2003.
- 11. J. A. Goguen and J. Meseguer. Security policies and security models. In *Proc. IEEE Symp.* on Security and Privacy, pages 11–20, April 1982.
- M. Hennessy and J. Riely. Information flow vs. resource access in the asynchronous picalculus. ACM TOPLAS, 24(5):566–591, 2002.
- K. Honda, V. Vasconcelos, and N. Yoshida. Secure information flow as typed process behaviour. In *Proc. European Symp. on Programming*, volume 1782 of *LNCS*, pages 180–199. Springer-Verlag, 2000.
- 14. K. Honda and N. Yoshida. A uniform type structure for secure information flow. In *Proc. ACM Symp. on Principles of Programming Languages*, pages 81–92, January 2002.
- 15. K. Honda and N. Yoshida. Noninterference through flow analysis. *Journal of Functional Programming*, 2005. To appear.
- R. Joshi and K. R. M. Leino. A semantic approach to secure information flow. Science of Computer Programming, 37(1–3):113–138, 2000.
- 17. N. Kobayashi. Type-based information flow analysis for the pi-calculus. Technical Report TR03-0007, Tokyo Institute of Technology, October 2003.
- 18. B. W. Lampson. A note on the confinement problem. *Comm. of the ACM*, 16(10):613–615, October 1973.
- H. Mantel. Possibilistic definitions of security An assembly kit –. In Proc. IEEE Computer Security Foundations Workshop, pages 185–199, July 2000.
- H. Mantel and A. Sabelfeld. A unifying approach to the security of distributed and multithreaded programs. J. Computer Security, 11(4):615–676, September 2003.
- 21. R. Milner. Communication and Concurrency. Prentice-Hall, 1989.
- C. Piazza, E. Pivato, and S. Rossi. CoPS Checker of Persistent Security. In Proc. International Conference on Tools and Algorithms for the Construction and Analysis of Systems, volume 2988 of LNCS, pages 144–152. Springer-Verlag, March 2004.
- 23. F. Pottier. A simple view of type-secure information flow in the pi-calculus. In *Proc. IEEE Computer Security Foundations Workshop*, pages 320–330, June 2002.
- P. Ryan. Mathematical models of computer security—tutorial lectures. In R. Focardi and R. Gorrieri, editors, *Foundations of Security Analysis and Design*, volume 2171 of *LNCS*, pages 1–62. Springer-Verlag, 2001.
- A. Sabelfeld and H. Mantel. Static confidentiality enforcement for distributed programs. In *Proc. Symp. on Static Analysis*, volume 2477 of *LNCS*, pages 376–394. Springer-Verlag, September 2002.
- 26. A. Sabelfeld and A. C. Myers. Language-based information-flow security. *IEEE J. Selected Areas in Communications*, 21(1):5–19, January 2003.

- 27. A. Sabelfeld and D. Sands. Probabilistic noninterference for multi-threaded programs. In Proc. IEEE Computer Security Foundations Workshop, pages 200–214, July 2000.
- 28. G. Smith and D. Volpano. Secure information flow in a multi-threaded imperative language. In Proc. ACM Symp. on Principles of Programming Languages, pages 355-364, January 1998
- 29. G. Winskel. The Formal Semantics of Programming Languages: An Introduction. MIT Press, Cambridge, MA, 1993.
- 30. N. Yoshida, K. Honda, and M. Berger. Linearity and bisimulation. In Proc. Foundations of Software Science and Computation Structure, volume 2303 of LNCS, pages 417-433. Springer-Verlag, April 2002.

### Appendix

This appendix reports the semantic rules for Imp and VSPA, as well as the proofs of the main results presented in the paper.

Semantics of the source and target languages Figures 4 and 5 depict the semantics rules for the source language Imp and the target language VSPA.

Semantic correspondence The following lemma shows that the translation of expressions and assignment is correct in the sense that every evaluation in Imp is simulated in the VSPA translation and vice-versa.

Lemma 1. Given a state s,

- 1. if  $\langle Id := Exp, s \rangle \xrightarrow{\text{tick}} \langle \text{stop}, s' \rangle$  then there exists a process P such that  $\mathcal{T}[\![\langle Id :=$  $Exp, s \mid \mathbb{I} \Longrightarrow \stackrel{\hat{\tau}}{\longrightarrow} P \text{ where } P \approx \mathcal{T} \llbracket \{ stop, s' \} \rrbracket;$
- 2. if  $\langle Id := Exp, s \rangle \xrightarrow{a} \langle Id := Exp, s' \rangle$ , with  $a \neq \text{tick}$ , then there exists a process  $P \text{ such that } \mathcal{T}\llbracket \langle Id := Exp, s \rangle \rrbracket \stackrel{\hat{a}}{\Longrightarrow} P \text{ where } P \approx \mathcal{T}\llbracket \langle Id := Exp, s' \rangle \rrbracket;$
- - - $\mathcal{T}[\![\langle \mathsf{stop}, s'' \rangle ]\!].$

*Proof.* To prove 1, observe that  $\langle Id := Exp, s \rangle \xrightarrow{\text{tick}} \langle \text{stop}, s' \rangle$  if and only if  $s' = [Id \mapsto$ v]s and  $\langle Exp, s \rangle \downarrow v$ . Now,

$$\begin{split} \mathcal{T} \llbracket \langle Id &:= Exp, s \rangle \rrbracket \\ &= (\mathcal{T} \llbracket s \rrbracket \mid \overline{\texttt{lock}}. \mathcal{T} \llbracket Exp \rrbracket Into(x) \; (\overline{\texttt{put}}_{Id} x.\texttt{tick}. \overline{\texttt{unlock}}. Done) \\ &\quad | Lock \rangle \setminus ACC_s \cup \{\texttt{done}\} \\ \xrightarrow{\tau} \; (\mathcal{T} \llbracket s \rrbracket \mid \mathcal{T} \llbracket Exp \rrbracket Into(x) \; (\overline{\texttt{put}}_{Id} x.\texttt{tick}. \overline{\texttt{unlock}}. Done) \\ &\quad | \texttt{unlock}. Lock \rangle \setminus ACC_s \cup \{\texttt{done}\} \\ &= (\mathcal{T} \llbracket s \rrbracket \mid (\mathcal{T} \llbracket Exp \rrbracket \mid \texttt{res}(x). \overline{\texttt{put}}_{Id} x.\texttt{tick}. \overline{\texttt{unlock}}. Done) \setminus \{\texttt{res}\} \\ &\quad | \texttt{unlock}. Lock \rangle \setminus ACC_s \cup \{\texttt{done}\} \end{split}$$

| $\langle skip, s \rangle \stackrel{\texttt{tick}}{\to} \langle stop, s \rangle$                                                                                                                                           |
|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| $\langle Exp,s\rangle \downarrow v$                                                                                                                                                                                       |
| $\langle Id := Exp, s \rangle \stackrel{	ext{tick}}{ ightarrow} \langle stop, [Id \mapsto v]s  angle$                                                                                                                     |
| $\langle C_1, s \rangle \xrightarrow{\text{tick}} \langle \text{stop}, s' \rangle \qquad \langle C_1, s \rangle \xrightarrow{\text{tick}} \langle C'_1, s' \rangle$                                                       |
| $\langle\!\langle C_1;C_2,s\rangle\!\rangle\overset{\mathrm{tick}}{\to}\langle\!\langle C_2,s'\rangle \langle\!\langle C_1;C_2,s\rangle\!\rangle\overset{\mathrm{tick}}{\to}\langle\!\langle C_1';C_2,s'\rangle\!\rangle$ |
| $\langle\!\langle B,s angle\downarrow$ True                                                                                                                                                                               |
| (if B then $C_1$ else $C_2, s$ ) $\stackrel{\text{tick}}{\rightarrow} \langle C_1, s \rangle$                                                                                                                             |
| $\langle B, s \rangle \downarrow False$                                                                                                                                                                                   |
| $\langle \text{if } B \text{ then } C_1 \text{ else } C_2, s \rangle \stackrel{\text{tick}}{\to} \langle C_2, s \rangle$                                                                                                  |
| $\langle B, s \rangle \downarrow$ True                                                                                                                                                                                    |
| $\langle while \ B \ do \ C, s \rangle \stackrel{\mathtt{tick}}{\to} \langle C; while \ B \ do \ C, s \rangle$                                                                                                            |
| $\langle B, s \rangle \downarrow False$                                                                                                                                                                                   |
| $\overline{\langle while  B  do  C, s \rangle} \stackrel{tick}{\to} \langle stop, s \rangle$                                                                                                                              |

Fig. 4. Small-step deterministic semantics of Imp commands

$$\begin{split} c(x).E \xrightarrow{c(v)} E[v/x] \quad \overline{c}(v).E \xrightarrow{\overline{c}(v)} E \quad \tau.E \xrightarrow{\tau} E \\ & \underbrace{E_1 \xrightarrow{a} E'_1}_{\overline{E_1} + E_2 \xrightarrow{a} E'_1} \quad \underbrace{E_2 \xrightarrow{a} E'_2}_{\overline{E_1} + E_2 \xrightarrow{a} E'_2} \\ \hline \underbrace{E_1 \xrightarrow{a} E'_1}_{\overline{E_1} | E_2} \quad \underbrace{E_2 \xrightarrow{a} E'_2}_{\overline{E_1} | E_2 \xrightarrow{a} E_1 | E'_2} \quad \underbrace{E_1 \xrightarrow{c(v)} E'_1 \quad E_2 \xrightarrow{\overline{c}(v)} E'_2}_{\overline{E_1} | E_2 \xrightarrow{\tau} E'_1 | E'_2} \\ & \underbrace{E \xrightarrow{a} E'_1 | E_2}_{\overline{E_1} | E_2 \xrightarrow{a} E_1 | E'_2} \quad \underbrace{E \xrightarrow{a} E' \quad a \notin R}_{\overline{E[g] \xrightarrow{g(a)} E'_1[g]}} \quad \underbrace{E \xrightarrow{a} E' \quad A(x_1, \dots, x_n) \xrightarrow{def} E}_{\overline{A}(v_1, \dots, v_n) \xrightarrow{a} E'} \\ \hline \underbrace{E_1 \xrightarrow{a} E'_1}_{\overline{E_1} \xrightarrow{e_2} \xrightarrow{a} E'_1} \quad \underbrace{E_2 \xrightarrow{a} E'_2}_{\overline{E_2} \xrightarrow{a} E'_2} \\ \hline \end{array}$$

Fig. 5. VSPA operational semantics

First, notice that registers  $\mathcal{T}[\![s]\!]$  are *locked* by the program, since there is no possibility of executing the lock action. Thus,  $\mathcal{T}[\![s]\!]$  can only interact with the other parallel processes (via synchronizations) and not with the environment. Moreover, the process  $res(x).\overline{put}_{Id}x.tick.unlock.Done$  can only move after  $\mathcal{T}[\![Exp]\!]$  computes the expression and returns the result via channel res. By definition of  $\mathcal{T}[\![Exp]\!]$ , we know that this happens only as the last action performed by  $\mathcal{T}[\![Exp]\!]$ . So, the whole execution of  $\mathcal{T}[\![Exp]\!]$  is performed in parallel with *locked* registers and  $\mathcal{T}[\![Exp]\!]$  and  $\mathcal{T}[\![s]\!]$  are the only processes that can synchronize (all the other processes are blocked until the value is returned on channel res). By induction on expression structure it is now easy to prove that  $\mathcal{T}[\![Exp]\!]$  will return value v such that  $\langle Exp, s \rangle \downarrow v$ . Formally,  $\exists Q$  such that:

$$\begin{array}{l} (\mathcal{T}\llbracket s \rrbracket \mid (\mathcal{T}\llbracket Exp \rrbracket \mid \operatorname{res}(x).\overline{\operatorname{put}}_{Id}x.\operatorname{tick}.\overline{\operatorname{unlock}}.Done) \setminus \{\operatorname{res}\} \\ \mid \operatorname{unlock}.Lock) \setminus ACC_s \cup \{\operatorname{done}\} \\ \stackrel{\hat{\tau}}{\Longrightarrow} \quad Q \approx (\mathcal{T}\llbracket s \rrbracket \mid (\overline{\operatorname{res}}v.\mathbf{0} \mid \operatorname{res}(x).\overline{\operatorname{put}}_{Id}x.\operatorname{tick}.\overline{\operatorname{unlock}}.Done) \setminus \{\operatorname{res}\} \\ \mid \operatorname{unlock}.Lock) \setminus ACC_s \cup \{\operatorname{done}\} \\ \stackrel{\hat{\tau}}{\Longrightarrow} \stackrel{\operatorname{tick}}{\longrightarrow} (\mathcal{T}\llbracket s' \rrbracket \mid (\mathbf{0} \mid \overline{\operatorname{unlock}}.Done) \setminus \{\operatorname{res}\} \mid \operatorname{unlock}.Lock) \setminus ACC_s \cup \{\operatorname{done}\} \\ \approx \quad (\mathcal{T}\llbracket s' \rrbracket \mid \mathbf{0} \mid Lock) \setminus ACC_s \cup \{\operatorname{done}\} \\ = \quad \mathcal{T}\llbracket \{\operatorname{stop}, s'\} \rrbracket \end{array}$$

The other cases of this lemma are analogously proved, by observing that the execution sequence above is the only one possible for  $\mathcal{T}[\![\langle Id := Exp, s \rangle]\!]$  to perform  $\stackrel{\hat{\tau}}{\Longrightarrow} \stackrel{\text{tick}}{\rightarrow}$ .  $\Box$ 

**Security correspondence** In order to prove the faithfulness result for the two bisimulations for Imp (Proposition 4) we will need a few straightforward lemmas:

**Lemma 2.** For all low variables l and values v whenever  $\langle C, s \rangle \cong_{\backslash H} \langle D, t \rangle \setminus H$  then  $\langle C, [l \mapsto v]s \rangle \cong_{\backslash H} \langle D, [l \mapsto v]t \rangle \setminus H$ .

**Lemma 3.** For all high variables h and values v whenever  $\langle C, s \rangle \cong_{\backslash H} \langle D, t \rangle \backslash H$  then  $\langle C, [h \mapsto v]s \rangle \cong_{\backslash H} \langle D, t \rangle \backslash H$ .

**Lemma 4.** If  $\langle C, s \rangle \cong_{\backslash H} \langle D, t \rangle \setminus H$  then  $\langle C, s \rangle \setminus H \cong_{\backslash H} \langle D, t \rangle \setminus H$ .

**Proposition 4.** We have  $C \cong_L D$  if and only if for all s we have  $\langle C, s \rangle \cong_{\backslash H} \langle D, s \rangle \backslash H$ and  $\langle C, s \rangle \setminus H \cong_{\backslash H} \langle D, s \rangle$ .

*Proof.*  $\Rightarrow$ : Let us first show that  $C \cong_L D$  for some C and D implies  $\langle C, s \rangle \cong_{\backslash H} \langle D, s \rangle \setminus H$  and  $\langle C, s \rangle \setminus H \cong_{\backslash H} \langle D, s \rangle$  for all s. Assume  $C \cong_L D$ . Define the relation R as follows:

$$\{(\langle E, v \rangle, \langle F, w \rangle \setminus H) \mid E \cong_L F \& v =_L w\} \cup \\\{(\langle E, v \rangle \setminus H, \langle F, w \rangle) \mid E \cong_L F \& v =_L w\}$$

Clearly,  $\langle C, s \rangle \ R \ \langle D, s \rangle \setminus H$  and  $\langle C, s \rangle \setminus H \ R \ \langle D, s \rangle$  for all s (taking s = v = w, C = E, and D = F in the definition above). In order to show  $\langle C, s \rangle \cong_{\backslash H} \langle D, s \rangle \setminus H$ 

and  $\langle C, s \rangle \setminus H \cong_{\backslash H} \langle D, s \rangle$  for all s, we need to show R is a bisimulation up to high. First, R is symmetric by definition. Second, suppose  $\langle E, v \rangle R \langle F, w \rangle \setminus H$  (entailing  $E \cong_L F$  and  $v =_L w$ ) and  $\langle E, v \rangle \xrightarrow{a} \langle E', v' \rangle$ . We need to show that there exist F' and w' such that  $\langle F, w \rangle \setminus H \xrightarrow{\tilde{a}} \langle F', w' \rangle \setminus H$  and  $\langle E, v \rangle R \langle F', w' \rangle \setminus H$ .

If a = tick then by the definition of strong low-bisimulation there exist F' and w' such that  $\langle F, w \rangle \stackrel{\texttt{tick}}{\to} \langle F', w' \rangle$ ,  $E' \cong_L F'$ , and  $v' =_L w'$ . This implies  $\langle F, w \rangle \setminus H \stackrel{\texttt{tick}}{\to} \langle F', w' \rangle \setminus H$  because tick is a low action. We receive  $\langle E', v' \rangle R \langle F', w' \rangle \setminus H$ .

If  $a = \overline{\operatorname{eget}}_l(n)$  for some low variable l and value n, we have  $\langle E, v \rangle \xrightarrow{\operatorname{eget}_l(n)} \langle E, v \rangle$ . Because  $v =_L w$ , we have v(l) = w(l) = n and  $\langle F, w \rangle \setminus H \xrightarrow{\operatorname{eget}_l(n)} \langle F, w \rangle \setminus H$ , which means that the low labels are matched and the configurations are unchanged (and still related by R). The case of  $a = \operatorname{eput}_l(n)$  for some low variable l and value n is treated similarly.

The two remaining cases for a are high actions  $\overline{\mathtt{eget}}_h(n)$  and  $\mathtt{eput}_h(n)$  for some high variable h. Recalling the definition of  $\tilde{a}$ , it is sufficient to show that  $\langle E, v' \rangle R$  $\langle F, w \rangle \setminus H$ , i.e., a high action is simulated by a null action. The case  $a = \overline{\mathtt{eget}}_h(n)$ , is straightforward as E = E' and v = v'. In case  $a = \mathtt{eput}_h(n)$ , E = E' and  $v' = [h \mapsto n]v$ . So,  $v' =_L w$ , and therefore  $\langle E, v' \rangle R \langle F, w \rangle \setminus H$ .

Note that we have so far assumed a particular form of the starting configurations related by R, namely  $\langle E, v \rangle R \langle F, w \rangle \backslash H$ . The other possible form  $\langle E, v \rangle \backslash H R \langle F, w \rangle$  is resolved analogously.

 $\Leftarrow$ : Let us now show that  $\langle C, s \rangle \cong_{\backslash H} \langle D, s \rangle \setminus H$  and  $\langle C, s \rangle \setminus H \cong_{\backslash H} \langle D, s \rangle$  for all s implies  $C \cong_L D$ . Define the relation R as follows:

$$\left\{ (E,F) \mid \forall t. \langle E,t \rangle \cong_{\backslash H} \langle F,t \rangle \setminus H \& \langle E,t \rangle \setminus H \cong_{\backslash H} \langle F,t \rangle \right\}$$

Note that  $C \ R \ D$  and R is symmetric. It remains to show that R is a strong lowbisimulation. Suppose  $E \ R \ F$  and  $v =_L w$  so that  $\langle E, v \rangle \xrightarrow{\text{tick}} \langle E', v' \rangle$ . We need to show that there exist F' and w' such that  $\langle F, w \rangle \xrightarrow{\text{tick}} \langle F', w' \rangle$ ,  $v' =_L w'$ , and  $E' \ R \ F'$ .

By Lemma 3, we have  $\langle E, v \rangle \cong_{\backslash H} \langle F, w \rangle \setminus H$  and  $\langle E, v \rangle \setminus H \cong_{\backslash H} \langle F, w \rangle$ . Thus, there exist F' and w' such that  $\langle F, w \rangle \setminus H \stackrel{\text{tick}}{\to} \langle F', w' \rangle \setminus H$  and  $\langle F, w \rangle \stackrel{\text{tick}}{\to} \langle F', w' \rangle$  so that  $\langle E', v' \rangle \cong_{\backslash H} \langle F', w' \rangle \setminus H$  and  $\langle E', v' \rangle \setminus H \cong_{\backslash H} \langle F', w' \rangle$ . Note that this implies that  $v' =_L w'$ , because the environment's reading operations for low variables must be the same for both v' and w'. It remains to show that E' R F', i.e.,  $\forall u. \langle E', u \rangle \cong_{\backslash H} \langle F', w' \rangle \setminus H \ll \langle E', u \rangle \setminus H \cong_{\backslash H} \langle F', u \rangle$ . By Lemma 4, we have  $\langle E', v' \rangle \setminus H \cong_{\backslash H} \langle F', w' \rangle \setminus H$ , which, by the transitivity of the relation  $\cong_{\backslash H}$ , implies  $\langle E', v' \rangle \cong_{\backslash H} \langle F', w' \rangle \setminus H \cong_{\backslash H} \langle E', v' \rangle \setminus H \cong_{\backslash H} \langle F', w' \rangle$ . Subsequent application of Lemma 2 (to reset the low parts of v' and w' to the low part of u), and Lemma 4 (to reset the high part of v' in  $\langle E', v' \rangle \setminus H \cong_{\backslash H} \langle E', u' \rangle \setminus H \cong_{\backslash H} \langle E', w' \rangle$ , which completes the proof. **Theorem 1.** Let  $cfg_1 = \langle C, s \rangle \setminus R$  and  $cfg_2 = \langle D, t \rangle \setminus R'$ , with  $R, R' \subseteq H$ , be two configurations (possibly) restricted over high level actions. It holds that  $cfg_1 \cong_{\backslash H} cfg_2$  if and only if  $\mathcal{T}[\![cfg_1]\!] \approx_{\backslash H} \mathcal{T}[\![cfg_2]\!]$ .

*Proof.*  $\Rightarrow$ ) Let  $cfg_1$  and  $cfg_2$  be two restricted confi gurations such that  $cfg_1 \cong_{\backslash H} cfg_2$ . In order to prove that  $\mathcal{T}[[cfg_1]] \approx_{\backslash H} \mathcal{T}[[cfg_2]]$  it is sufficient to show that

$$\begin{split} \mathcal{S} &= \{ (E,F) \mid E \approx \mathcal{T}\llbracket cfg_1 \rrbracket, \ F \approx \mathcal{T}\llbracket cfg_2 \rrbracket \text{ and } cfg_1 \cong_{\backslash H} cfg_2 \} \cup \\ &\{ (E,F) \mid E \approx \texttt{tick}.\mathcal{T}\llbracket cfg_1 \rrbracket, \ F \approx \texttt{tick}.\mathcal{T}\llbracket cfg_2 \rrbracket \text{ and } cfg_1 \cong_{\backslash H} cfg_2 \} \end{split}$$

is a weak bisimulation up to high  $\approx_{\backslash H}$ . We first consider the case  $E \approx \mathcal{T}[[cfg_1]], F \approx \mathcal{T}[[cfg_2]]$ .

- Suppose that  $E \xrightarrow{\tau} E'$ . By the hypothesis that  $E \approx \mathcal{T}[[cfg_1]]$ , there exists E'' such that  $\mathcal{T}[[cfg_1]] \xrightarrow{\hat{\tau}} E''$  and  $E' \approx E''$ . By repeatedly applying Proposition 3, either  $E'' \approx \mathcal{T}[[cfg_1]]$  or there exists a configuration  $cfg'_1$  such that  $cfg_1 \xrightarrow{\text{tick}} cfg'_1$  and  $E'' \approx \text{tick}.\mathcal{T}[[cfg'_1]]$ .
  - if  $E'' \approx \mathcal{T}\llbracket cfg_1 \rrbracket$  we are done since  $E' \approx E''$  and thus  $(E', F) \in \mathcal{S}$ ;
  - if  $cfg_1 \xrightarrow{\text{tick}} cfg'_1$  and  $E'' \approx \text{tick.} \mathcal{T}\llbracket cfg'_1 \rrbracket$ , by the hypothesis that  $cfg_1 \cong_{\backslash H} cfg_2$ , there exists a configuration  $cfg'_2$  such that  $cfg_2 \xrightarrow{\text{tick}} cfg'_2$  and  $cfg'_1 \cong_{\backslash H} cfg'_2$ . By Proposition 2, there exists a process F'' such that  $\mathcal{T}\llbracket cfg_2 \rrbracket \xrightarrow{\hat{\tau}} F''$  and  $\text{tick.} \mathcal{T}\llbracket cfg'_2 \rrbracket \approx F''$ . By the hypothesis that  $F \approx \mathcal{T}\llbracket cfg_2 \rrbracket$ , there exists F' such that  $F \xrightarrow{\hat{\tau}} F'$  and  $F' \approx F''$ . Hence, by definition of  $\mathcal{S}$ ,  $(E', F') \in \mathcal{S}$ .
- Suppose now that  $E \xrightarrow{a} E'$  with  $a \neq \tau$ , tick. By the hypothesis that  $E \approx \mathcal{T}[[cfg_1]]$ , there exists E'' such that  $\mathcal{T}[[cfg_1]] \xrightarrow{\hat{a}} E''$  and  $E' \approx E''$ . By repeatedly applying Proposition 3, either  $E'' \approx \mathcal{T}[[cfg'_1]]$ , with  $cfg_1 \xrightarrow{a} cfg'_1$  or  $E'' \approx \texttt{tick}.\mathcal{T}[[cfg''_1]]$ with  $cfg_1 \xrightarrow{a} cfg'_1 \xrightarrow{\texttt{tick}} cfg''_1$ .
  - if E'' ≈ T [[cfg'<sub>1</sub>]], with cfg<sub>1</sub> → cfg'<sub>1</sub> by the hypothesis that cfg<sub>1</sub> ≈<sub>\H</sub> cfg<sub>2</sub>, there exists a configuration cfg'<sub>2</sub> such that cfg<sub>2</sub> → cfg'<sub>2</sub> and cfg'<sub>1</sub> ≈<sub>\H</sub> cfg'<sub>2</sub>. By Proposition 2, there exists a process F'' such that T [[cfg<sub>2</sub>]] → F'' and T [[cfg'<sub>2</sub>]] ≈ F''. By the hypothesis that F ≈ T [[cfg<sub>2</sub>]], there exists F' such that F ⇒ F' and F' ≈ F''. Hence, by definition of S, (E', F') ∈ S.
  - if  $E'' \approx \text{tick.} \mathcal{T}\llbracket cfg_1'' \rrbracket$  with  $cfg_1 \xrightarrow{a} cfg_1' \xrightarrow{\text{tick}} cfg_1''$ , by the hypothesis that  $cfg_1 \cong_{\backslash H} cfg_2$ , there exist two configurations  $cfg_2'$  and  $cfg_2''$  such that  $cfg_2 \xrightarrow{\tilde{a}} cfg_2' \xrightarrow{\text{tick}} cfg_2''$  and  $cfg_1'' \cong_{\backslash H} cfg_2''$ . By repeatedly applying Proposition 2, there exists a process F'' such that  $\mathcal{T}\llbracket cfg_2 \rrbracket \xrightarrow{\tilde{a}} F''$  and  $\text{tick.} \mathcal{T}\llbracket cfg_2'' \rrbracket \approx F''$ . By the hypothesis that  $F \approx \mathcal{T}\llbracket cfg_2 \rrbracket$ , there exists F' such that  $F \xrightarrow{\tilde{a}} F'$  and  $F' \approx F''$ . Hence, by definition of  $\mathcal{S}, (E', F') \in \mathcal{S}.$

The case  $E \approx \text{tick.} \mathcal{T}\llbracket cfg_1 \rrbracket$ ,  $F \approx \text{tick.} \mathcal{T}\llbracket cfg_2 \rrbracket$  is straightforward, since  $\tau$  transitions leave E equivalent to itself and tick transitions just move E and F to  $E' \approx \mathcal{T}\llbracket cfg_1 \rrbracket$  and  $F' \approx \mathcal{T}\llbracket cfg_2 \rrbracket$ , respectively.

 $\Leftarrow$ ) Let  $cfg_1$  and  $cfg_2$  be two configurations such that  $\mathcal{T}[\![cfg_1]\!] \approx_{\backslash H} \mathcal{T}[\![cfg_2]\!]$ . In order to prove that  $cfg_1 \cong_{\backslash H} cfg_2$  it is sufficient to show that

$$\mathcal{S} = \{(\mathit{cfg}_1, \mathit{cfg}_2) \mid \mathcal{T}[\![\mathit{cfg}_1]\!] \approx_{\backslash H} \mathcal{T}[\![\mathit{cfg}_2]\!]\}$$

is a bisimulation up to high  $\cong_{\backslash H}$ . In fact, suppose that  $cfg_1 \stackrel{a}{\to} cfg'_1$ . By Proposition 2, there exists a process E' such that  $\mathcal{T}[\![cfg]\!] \stackrel{a}{\Longrightarrow} E'$  and  $E' \approx \mathcal{T}[\![cfg'_1]\!]$ . By the hypothesis that  $\mathcal{T}[\![cfg_1]\!] \approx_{\backslash H} \mathcal{T}[\![cfg_2]\!]$ , there exists a process F' such that  $\mathcal{T}[\![cfg_2]\!] \stackrel{a}{\Longrightarrow} F'$  and  $E' \approx_{\backslash H} F'$ . By repeatedly applying Proposition 3 we have that either there exists a configuration  $cfg'_2$  such that  $cfg_2 \stackrel{a}{\longrightarrow} cfg'_2$  and  $F' \approx \mathcal{T}[\![cfg'_2]\!]$ , or there exist two configurations  $cfg'_2$  such that  $cfg_2 \stackrel{a}{\longrightarrow} cfg'_2$  and  $F' \approx \mathcal{T}[\![cfg'_2]\!]$ , or there exist two configurations  $cfg'_2$  such that  $cfg_2 \stackrel{a}{\longrightarrow} cfg'_2 \stackrel{\text{tick}}{\longrightarrow} cfg''_2$  and  $F' \approx \texttt{tick}.\mathcal{T}[\![cfg'_2]\!]$ . We show that the latter case is impossible since  $\mathcal{T}[\![cfg'_1]\!] \approx E' \approx_{\backslash H} F' \approx \texttt{tick}.\mathcal{T}[\![cfg'_2]\!]$ , but  $\texttt{tick}.\mathcal{T}[\![cfg'_2]\!]$  cannot simulate any low level environment actions performed by  $\mathcal{T}[\![cfg'_1]\!] \approx_{\backslash H} \mathcal{T}[\![cfg'_2]\!]$ . Hence  $(cfg'_1, cfg'_2) \in \mathcal{S}$ .