Proofs of Theorems from the Article “Flexible Scheduler-Independent Security”

Heiko Mantel and Henning Sudbrock

Computer Science, TU Darmstadt, Germany,
{mantel,sudbrock}@cs.tu-darmstadt.de

This document contains proofs for the theorems from the article “Flexible Scheduler-Independent Security” [MS10].

1 Proof of Theorem 1 (Low Matches)

Theorem 1. The low match of thr$_1$ and thr$_2$ is unique and given by the function

$$l\text{-match}_{thr_1, thr_2}(k_1) = \min \left\{ k_2 \in \mathbb{N}_0 \mid \{ l_1 \leq k_1 \mid thr_1(l_1) \in LCom \} = \{ l_2 \leq k_2 \mid thr_2(l_2) \in LCom \} \right\}.$$ 

Proof.

1. Assume thread pools thr$_1$ and thr$_2$ containing the same number of low threads.
2. As a low match is an order-preserving bijection on finite sets, it maps the $n$th value in its domain to the $n$th value in its range for each $0 < n \leq N$, where $N$ is the finite size of domain and range.
3. The number $k_1$ with $thr_1(k_1) \in LCom$ is the $n$th value of the domain $\{ j \mid thr_1(j) \in LCom \}$, if $n = \{ l_1 \leq k_1 \mid thr_1(l_1) \in LCom \}$. (For instance, the position $k_1$ is the 1st value in the domain, if there is only 1 low thread, namely $thr(k_1)$ itself, with a position less or equal than $k_1$ contained in $thr$.)
4. The $n$th value of the range $\{ j \mid thr_2(j) \in LCom \}$ is given by $\min \{ k_2 \in \mathbb{N}_0 \mid n = \{ l_2 \leq k_2 \mid thr_2(l_2) \in LCom \} \}$.
5. Thus we obtain

$$l\text{-match}_{thr_1, thr_2}(k_1) = \min \left\{ k_2 \in \mathbb{N}_0 \mid \{ l_1 \leq k_1 \mid thr_1(l_1) \in LCom \} = \{ l_2 \leq k_2 \mid thr_2(l_2) \in LCom \} \right\}.$$ 

2 Proof of Theorem 2 (Compositionality of FSI-Security)

Theorem 2. Let thr$_1$ and thr$_2$ be FSI-secure thread pools. Then their parallel composition $par(\text{thr}_1, \text{thr}_2)$ is also FSI-secure, where

$$par(\text{thr}_1, \text{thr}_2)(k) = \begin{cases} thr_1(k), & \text{if } k < \sharp(\text{thr}_1) \\ thr_2(k - \sharp(\text{thr}_1)), & \text{otherwise.} \end{cases}$$
Before proving the compositionality of FSI-security, we establish the following lemma:

**Lemma 1.** The relation $\sim$ is a low bisimulation modulo low matching.

**Proof.** Let $\text{thr}_1 \sim \text{thr}_2$. Then, by the definition of $\sim$, there exists a low bisimulation modulo low matching $R$ with $\text{thr}_1 R \text{thr}_2$. Execution steps of $\text{thr}_1$ can hence be simulated by $\text{thr}_2$ according to the requirements of low bisimulations modulo low matching, resulting in thread pools related by $R$, and, hence, also related by $\sim$. \qed

Now we prove Theorem 2:

**Proof.**

1. We define the symmetric relation $R$ on thread pools with equal numbers of low threads as follows: $\text{thr} \ R \ \text{thr}'$ if and only if there exist thread pools $\text{thr}_1, \text{thr}_2, \text{thr}'_1, \text{thr}'_2$ such that $\text{thr}_1 \sim \text{thr}'_1$, $\text{thr}_2 \sim \text{thr}'_2$, $\text{thr} = \text{par}(\text{thr}_1, \text{thr}_2)$, and $\text{thr}' = \text{par}(\text{thr}'_1, \text{thr}'_2)$.

2. We prove that $R$ is a low bisimulation modulo matching:

   (a) Let $\text{thr} \ R \ \text{thr}'$, and $\text{thr}_1, \text{thr}_2, \text{thr}'_1, \text{thr}'_2$ with the properties as defined in step 1 of this proof.

   (b) Assume $l\text{-match}_{\text{thr}, \text{thr}'}(j) = k$. If $j < \sharp(\text{thr}_1)$, then $l\text{-match}_{\text{thr}_1, \text{thr}'_1}(j) = k$. If $\sharp(\text{thr}_1) \leq j < \sharp(\text{thr}_1) + \sharp(\text{thr}_2)$, then $l\text{-match}_{\text{thr}_2, \text{thr}'_2}(j - \sharp(\text{thr}_1)) = k - \sharp(\text{thr}'_1)$. This is due to the fact that $\text{thr}_1$ and $\text{thr}'_1$ respectively $\text{thr}_2$ and $\text{thr}'_2$ are related by $\sim$ and hence contain the same number of low threads.

   (c) Let $\text{mem}, \text{mem}' \in \text{Mem}$ with $\text{mem} =_L \text{mem}'$.

   (d) Assume that $j < \sharp(\text{thr}_1)$ and that $\text{thr}(j) \in LCom$. Assume that $\text{thr}$ performs an execution step in $\text{mem}$ with the thread at position $j$, resulting in the thread pool $\text{thr}''$ and the memory $\text{mem}''$. Let $\text{thr}'_1$ be the thread pool resulting from performing an execution step in the $j$th thread of $\text{thr}_1$ in memory $\text{mem}$. Then $\text{thr}'' = \text{par}(\text{thr}'_1, \text{thr}_2)$.

   (e) As $\text{thr}_1 \sim \text{thr}'_1$, the execution step of $\text{thr}_1$ can be simulated by an execution step of the $k$th thread of $\text{thr}'_1$ in $\text{mem}'$ (where $k = l\text{-match}_{\text{thr}_1, \text{thr}'_1}(j)$), resulting in a thread pool $\text{thr}'''$ with $\text{thr}''' \sim \text{thr}'_1''$ and a memory $\text{mem}'''$ which is low-equal to $\text{mem}''$.

   (f) But then the execution step of the $j$th thread in $\text{thr}$ in the memory $\text{mem}$ can be simulated by an execution step of the $k$th thread $\text{thr}''$ in $\text{mem}'$ (where $l\text{-match}_{\text{thr}, \text{thr}''}(j) = k$ by (b)), resulting in the thread pool $\text{thr}'''' = \text{par}(\text{thr}'_1'', \text{thr}_2)$ and the memory $\text{mem}'''' =_L \text{mem}''$.

   (g) Moreover, $\text{thr}'' R \text{thr}''''$, as $\text{thr}'' = \text{par}(\text{thr}'_1'', \text{thr}_2), \text{thr}'''' = \text{par}(\text{thr}'_1'', \text{thr}_2)$, and $\text{thr}'''' \sim \text{thr}'_1''$. 

   (h) Now assume that $j < \sharp(\text{thr}_1)$ and $\text{thr}(j) \in HCom$, and that $\text{thr}$ performs an execution step in $\text{mem}$ with the thread at position $j$, resulting in the thread pool $\text{thr}''$. Then, as above, this corresponds to an execution step of $\text{thr}_1$, resulting in a thread pool $\text{thr}'_1 \sim \text{thr}'_1$, with $\text{thr}'' = \text{par}(\text{thr}'_1, \text{thr}_2)$.

   (i) In consequence, $\text{thr}'' R \text{thr}'''. $
(j) The case for $t(thr_1) \leq j < t(thr_2)$ is proved analogously.
(k) Hence, $R$ is a low bisimulation modulo low matching.

3. Now assume two FSI-secure thread pools $thr_1$ and $thr_2$. By definition, $thr_1 \sim thr_1$ and $thr_2 \sim thr_2$. Then $par(thr_1, thr_2) \sim R par(thr_1, thr_2)$ by the definition of $R$. Hence,

$$par(thr_1, thr_2) \sim par(thr_1, thr_2),$$

as $R$ is a low bisimulation modulo low matching. Thus, $par(thr_1, thr_2)$ is FSI-secure.

3 Proof of Theorem 3 (High threads are FSI-secure)

**Theorem 3.** Let $com \in HCom$. Then $com$ is FSI-secure.

**Proof.**

1. We define the relation $R$ on thread pools with equal numbers of low threads by $thr_1 R thr_2$ if and only if for all $0 \leq j < t(thr_1)$ and all $0 \leq k < t(thr_2)$ we have $thr_1(j) \in HCom$ and $thr_2(k) \in HCom$.

2. Then $R$ is a low bisimulation modulo low matching. (Assume $thr_1 R thr_2$. As all threads within $thr_1$ and $thr_2$ are high threads, only the case for transitions of high threads has to be considered. As an execution step of a high thread does not spawn low threads by definition, the thread pool resulting after a transition of $thr_1$ again consists only of high threads, and is, hence, also related to $thr_2$ by $R$.)

3. The thread pool consisting of a single high command is related to itself by $R$, and hence FSI-secure.

4 Proof of Theorem 4 (Thread Purge Function)

**Theorem 4.** For a thread pool $thr$, $th-$purge$(thr)$ contains no high threads and as many low threads as $thr$. Moreover, if $k \in \mathbb{N}_0$ with $thr(k) \in LCom$ then

$$thr(k) = th-$purge$(thr)(l-$match$thr, th-$purge$(thr)(k)).$$

**Proof.**

1. Let $thr$ be a thread pool. We firstly show that $th-$purge$(thr)$ does not contain any high threads.
   - Let $0 \leq j < t(thr)$. Assume that $l = \min\{k \in \mathbb{N}_0 \mid j = \lfloor \{k' < k \mid thr(k') \in LCom \cup \{stop\}\} \rfloor\}$ is the position of a high thread in $thr$ (i.e., $thr(l) \in HCom$). But then $l$ cannot be the minimal value for $k$ with $j = \lfloor \{k' < k \mid thr(k') \in LCom \cup \{stop\}\} \rfloor$, as $j = \lfloor \{k' < l - 1 \mid thr(k') \in LCom \cup \{stop\}\} \rfloor$ also holds. Hence $thr(l) \in HCom$ cannot hold.

2. We now show that $thr$ and $th-$purge$(thr)$ contain equally many low threads.
Let \( l \) be the position of the \( n \)th low thread in \( thr \). Then \( l = \min\{k \in \mathbb{N}_0 \mid n = \{|k' < k \mid thr(k') \in LCom \cup \{\text{stop}\}||\}\} \). In consequence, the low thread at position \( l \) is contained in \( \text{th-purge}(thr) \) at position \( n \) (i.e., \( thr(l) = \text{th-purge}(thr)(n) \)).

- Assume that \( \{|j \mid thr(j) \in LCom\|\} = n \), i.e., that \( thr \) contains \( n \) low threads. Then \( \text{th-purge}(thr)(n) = \text{stop} \), as \( \{|k' < k \mid thr(k') \in LCom \cup \{\text{stop}\}||\}\) only equals \( n \) for \( k \geq \sharp(thr) \).

3. We now show that \( thr(j) = \text{th-purge}(thr)(\text{l-match}_{\text{th-purge}}(thr)(j)) \).

- The low match maps the \( n \)th low thread in \( thr \) to the \( n \)th low thread in \( \text{th-purge}(thr) \) (compare Theorem 1).

- Assume that \( thr(j) \) is the \( n \)th low thread of \( thr \). Then \( j = \min\{k \in \mathbb{N}_0 \mid n = \{|k' < k \mid thr(k') \in LCom \cup \{\text{stop}\}||\}\} \). That is, the low match maps \( j \) to \( n \).

- But by definition, \( \text{th-purge}(thr)(n) \) equals the thread in \( thr \) at position \( \min\{k \in \mathbb{N}_0 \mid n = \{|k' < k \mid thr(k') \in LCom \cup \{\text{stop}\}||\}\} \), which is exactly the position \( j \).

\[ \square \]

5 Proof of Theorems 5 and 6 (Robustness of Uniform and Round-Robin Scheduler)

**Theorem 5.** The uniform scheduler (see Example 1 in [MS10]) is robust.

**Theorem 6.** The Round-Robin scheduler (see Example 2 in [MS10]) is robust.

Before proving the robustness of the uniform and the Round-Robin scheduler, we prove the following auxiliary lemmas:

**Lemma 2.** For each scheduler \( S \), the relation \( \prec_S \) is an \( S \)-simulation.

**Proof.** Let \( \text{conf}_1 \prec_S \text{conf}_2 \). Then, by the definition of \( \prec_S \), there exists a \( S \)-simulation \( \prec \) with \( \text{conf}_1 \prec \text{conf}_2 \). Execution steps of \( \text{conf}_1 \) can hence be simulated by \( \text{conf}_2 \) according to the requirements of \( S \)-simulations, resulting in configurations related by \( \prec \), and, hence, also related by \( \prec_S \).

**Lemma 3.** Let \( thr \) be an FSI-secure thread pool. Then \( thr \sim \text{th-purge}(thr) \).

**Proof.**

1. Define the relation \( R' \) by \( thr_1 R' thr_2 \) if and only if

\[ (thr_1 \sim thr_1) \land thr_2 = \text{th-purge}(thr_1), \]

and let \( R \) be the symmetric closure of \( R' \).

2. We prove that \( R \) is a low bisimulation modulo low matching:

- A transition of a low thread in the thread pool \( thr_1 \) resulting in the thread pool \( thr_1' \) can be simulated by a transition in the same thread pool where high threads have been removed (i.e., \( \text{th-purge}(thr_1) \)), resulting in the thread pool \( \text{th-purge}(thr_1') \). Moreover, as \( thr_1 \) is FSI-secure, \( thr_1' \) is also FSI-secure.
Proof.

Now we prove Theorems 5 and 6:

1. We define the relation $<$. Let us first show that the uniform scheduler from Example 1 is robust.
2. We will show that $<$. If $\text{thr}$ is FSI-secure, $\text{thr}'$ is also FSI-secure.
3. A transition of a low thread in the thread pool $\text{th-purge}(\text{thr}_1)$ results in the thread pool $\text{th-purge}(\text{thr}_1')$, where $\text{thr}_1'$ is the thread pool resulting when the same low thread performs a transition in the thread pool $\text{thr}_1$.

Now we prove Theorems 5 and 6:

Proof.

1. Let us first show that the uniform scheduler from Example 1 is robust.
2. We define the relation $<$ on system configurations by $\text{conf}_1 < \text{conf}_2$ if and only if

   - $\text{getT}(\text{conf}_1) \sim \text{getT}(\text{conf}_2)$,
   - $\text{getM}(\text{conf}_1) = \text{getM}(a\text{conf}_1)$, and
   - $\text{th-purge}(\text{conf}_1) = \text{conf}_2$.

3. We will show that $<$ is a uni-simulation.

   (a) Let $\text{conf}_1 < \text{conf}_2$ and $\text{conf}_1', \text{conf}_2'$ such that $\text{conf}_1 \Rightarrow_{j,p} \text{conf}_1'$.

   (b) Assume firstly that $\text{getT}(\text{conf}_1')(j) \in H\text{Com}$.

      i. As $\text{getT}(\text{conf}_1') \sim \text{getT}(\text{conf}_1)$, we have $\text{getT}(\text{conf}_1') \sim \text{getT}(\text{conf}_1')$ and hence $\text{getT}(\text{conf}_1') \sim \text{getT}(\text{conf}_1')$ and furthermore $\text{getM}(\text{conf}_1') = \text{getM}(\text{conf}_2)$.

      ii. As $\text{getT}(\text{conf}_1')(j) \in H\text{Com}$, the transition to $\text{conf}_1'$ does not spawn any low threads. Therefore $\text{th-purge}(\text{conf}_1') = \text{conf}_2$.

      iii. Hence, $\text{conf}_1' < \text{conf}_2$.

   (c) Assume now that $\text{getT}(\text{conf}_1')(j) \in L\text{Com}$.

      i. Denote with $\#(\text{high})$ the number of high threads in $\text{conf}_1$ and with $\#(\text{low})$ the number of low threads in $\text{conf}_1$.

      ii. Hence, $p = 1/(\#(\text{high}) + \#(\text{low}))$ by the definition of the uniform scheduler.

      iii. Furthermore, $p/l\text{-prob}_S(\text{conf}_1) = p/(\#(\text{low})/(\#(\text{high}) + \#(\text{low})))$, which equals $1/\#(\text{low})$.

      iv. As $\text{getT}(\text{conf}_1') \sim \text{getT}(\text{conf}_1)$, we have $\text{getT}(\text{conf}_1') \sim \text{getT}(\text{conf}_1')$.

      v. As $\text{getT}(\text{conf}_1') \sim \text{getT}(\text{conf}_1)$ and $\text{th-purge}(\text{conf}_1') = \text{conf}_2$, we have $\text{getT}(\text{conf}_1') \sim \text{getT}(\text{conf}_2)$ by Lemma 3.

      vi. In consequence, the transition in $\text{conf}_1$ can be matched by the thread $\text{getT}(\text{conf}_2)(k)$ with some probability $q$, where

      $$k = l\text{-match}_{\text{getT}(\text{conf}_1),\text{getT}(\text{conf}_2)}(j),$$

      resulting in a configuration $\text{conf}_2'$ and a low-equal state. Moreover, $\text{th-purge}(\text{conf}_2') = \text{th-purge}(\text{conf}_1')$, as $\text{conf}_2 = \text{th-purge}(\text{conf}_1)$. 

$\square$
vii. The probability of this transition equals \(1/\#(low)\) by the definition of the uniform scheduler, which according to (iii) equals \(p/l\-prob_S(conf_1)\).
viii. Furthermore, \(conf'_1 < \text{th-purge}(conf'_2)\), due to (iv) and (vi).

(d) Hence, \(<\) is a uni-simulation.
(e) As we have \(⟨\text{thr}, \text{mem}, s⟩ < \text{th-purge}(⟨\text{thr}, \text{mem}, s⟩)\) for each FSI-secure thread pool \(\text{thr}\) and each memory \(\text{mem}\), the uniform scheduler is robust.

(f) The proof for the Round-Robin scheduler goes along the same lines as the proof for the uniform scheduler, where we define an RR-simulation \(<\) as follows: \(conf_1 < conf_2\) if and only if
- \(\text{getT}(conf_1) \sim \text{getT}(conf_1)\),
- \(\text{getM}(conf_1) = L \text{getM}(conf_1)\),
- \(\text{th-purge}(conf_1) = conf_2\), and the following two requirements are satisfied:
  - Let \(\text{getS}(conf_1)(\text{size}) = n_1\) and \(\text{getS}(conf_2)(\text{size}) = n_2\). Then \(n_2\) equals \(n_1\) minus the number of high threads in \(conf_1\).
  - Let \(\text{getS}(conf_1)(\text{choice}) = c_1\) and \(\text{getS}(conf_2)(\text{choice}) = c_2\). Then \(c_2\) equals \(c_1\) minus the number of high threads in \(conf_1\) at a position below \(c_1\).

Note that the first three requirements are exactly the requirements that we also required for the uni-simulation. The fourth requirement expresses that the thread pool size stored by the scheduler in the execution with high threads differs from the thread pool size stored in the execution without high threads exactly by the current number of high threads. The fifth requirement expresses that the last position chosen by the scheduler in the execution with high threads differs from the position chosen in the execution without high threads exactly by the number of high threads below that position.

The last two requirements are guaranteed to remain invariant during two executions with and without high threads, and ensure that if the \(n\)th low thread is selected by the scheduler in the execution with high threads, than the \(n\)th low thread is also selected by the scheduler in the execution without high threads.

\[\square\]

6 Proof of Theorem 7 (Scheduler Independence)

**Theorem 7.** Let \(\text{thr}\) be a terminating thread pool that is FSI-secure and let \(S\) be a robust scheduler under a confined observation function. Then the thread pool \(\text{thr}\) is \(S\)-secure.

For the remainder of this section, let \(S = (sSt, sst_0, sLab, \rightarrow)\) be a scheduler under a confined observation function.

For proving Theorem 7, we establish the following more general proposition:
Proposition 1. Let $conf_1 = \{thr_1, mem_1, sst_1\}$ and $conf_2 = \{thr_2, mem_2, sst_2\}$ be terminating system configurations, $mem_{1,p}, mem_{2,p}$ memories, and $sst_p$ a scheduler state, such that

- $thr_1 \sim thr_2$,
- $mem_1 = \_L mem_2 = \_L mem_{1,p} = \_L mem_{2,p}$,
- $conf_1 <_S (th-purge(thr_1), mem_{1,p}, sst_p)$, and
- $conf_2 <_S (th-purge(thr_2), mem_{2,p}, sst_p)$.

Then the following equality holds for all $mem \in Mem$:

$$\sum_{mem' \in [mem] = _L} \rho_S(conf_1, mem') = \sum_{mem' \in [mem] = _L} \rho_S(conf_2, mem')$$

Proof. Let $\sharp(T) = \sum_{tr \in T} \sharp(tr)$ be the sum of the lengths of all traces in a set of traces $T$. We prove the proposition by induction on $n = \sharp(T_S(conf_1)) + \sharp(T_S(conf_2))$. Note that $n$ is finite as $thr_1$ as well as $thr_2$ are terminating. In the following, we abbreviate the sum $\sum_{mem' \in [mem] = _L} \rho_S(conf, mem')$ with $P(conf)$.

Induction basis ($n = 0$):
In this case, $thr_1$ and $thr_2$ have both terminated. Hence the equality is satisfied, as $mem_1 = \_L mem_2$.

Induction step ($n > 0$):
Let us at first briefly elaborate on the proof idea of the rather lengthy proof of the induction step: We consider transitions of low and high threads in $conf_1$ and $conf_2$ separately. If $conf_1$ makes a transition in a high thread to $conf_1'$, we prove that $conf_1'$ and $conf_2$ together with $mem_1, mem_2, mem_{1,p}, mem_{2,p},$ and $sst_p$ satisfy all the preconditions of this proposition, and apply the induction hypothesis to relate the probabilities to reach a final memory low-equal to $mem$ from $conf_1'$ and $conf_2$. We proceed likewise for transitions of low threads, showing that $P(conf_1') = P(conf_2')$, where $conf_1'$ and $conf_2'$ are reached from $conf_1$ and $conf_2$ by transitions of low threads linked by $l$-match$_{thr_1, thr_2}$. This yields a system of two linear equations with unknowns $P(conf_1')$ and $P(conf_2')$. We show that the probabilities $P(conf_1')$ and $P(conf_2')$ must be equal to solve the equation system, which concludes the proof. The last proof step crucially depends on the relation on probabilities required by $S$-simulations. We now prove the induction step:

1. For each system configuration $conf$, we denote with $enabledPos(conf) \subset \mathbb{N}_0$ the set of thread positions such that $j \in enabledPos(conf)$ if and only if there exist $conf' \in Conf$ and $p \in [0, 1]$ with $conf \Rightarrow_{j,p} conf'$.

   By the definition of schedulers and the semantics for system configurations, $conf'$ and $p$ are uniquely determined by $conf$ and $j$. We denote those values with $succ_j(conf)$ respectively $p_j(conf)$.

2. By the definition of trace probabilities, we have

$$P(conf_1) = \sum \{p_j(conf_1) \ast P(succ_j(conf_1)) \mid j \in enabledPos(conf_1)\}.$$
3. We rewrite this sum as $P(\text{conf}_1) = P(\text{conf}_{1, \text{high}}) + P(\text{conf}_{1, \text{low}})$, where

$$P(\text{conf}_{1, \text{high}}) = \sum \{ p_j(\text{conf}_1) \cdot P(\text{succ}_j(\text{conf}_1)) \mid j \in \text{enabledPos}(\text{conf}_1) \wedge \text{thr}_1(j) \in \text{HCom} \}$$

and

$$P(\text{conf}_{1, \text{low}}) = \sum \{ p_j(\text{conf}_1) \cdot P(\text{succ}_j(\text{conf}_1)) \mid j \in \text{enabledPos}(\text{conf}_1) \wedge \text{thr}_1(j) \in \text{LCom} \}.$$

4. Consider a position $j \in \text{enabledPos}(\text{conf}_1)$. Then there exist $\text{com}_1, \text{mem}_1$, and $\alpha$ such that $(\text{thr}_1(j), \text{mem}_1) \xrightarrow{\alpha} (\text{com}_1, \text{mem}_1')$. There furthermore exists $\text{sst}_1'$ with $(\text{sst}_1, \text{obs}(\text{thr}_1, \text{mem}_1)) \xrightarrow{\text{th-purge}} \text{sst}_1'$, where $p = p_j(\text{conf}_1)$. Note that $\text{getT}(\text{succ}_j(\text{conf}_1)) = \text{update}_j(\text{thr}_1, \text{com}_1, \alpha)$, $\text{getM}(\text{succ}_j(\text{conf}_1)) = \text{mem}_1'$, and $\text{getS}(\text{succ}_j(\text{conf}_1)) = \text{sst}_1'$. We now show that in this case $P(\text{succ}_j(\text{conf}_1)) = P(\text{conf}_2)$ holds.

(a) As $\text{thr}_1 \sim \text{thr}_2$, by the definition of low bisimulations modulo low matching we have $\text{getT}(\text{succ}_j(\text{conf}_1)) \sim \text{thr}_2$.

(b) As $\text{thr}_1(j) \in \text{HCom}$, we have $\text{getM}(\text{succ}_j(\text{conf}_1)) =_L \text{mem}_2$.

(c) As $\text{thr}_1(j) \in \text{HCom}$, $\alpha$ contains only high commands. Hence, $\text{th-purge}(\text{thr}_1) = \text{th-purge}(\text{getT}(\text{succ}_j(\text{conf}_1)))$.

(d) As $\text{conf}_1 <_S (\text{th-purge}(\text{thr}_1), \text{mem}_{1,p}, \text{sst}_{p})$, we have by the definition of $\mathcal{S}$-simulations that $\text{succ}_j(\text{conf}_1) <_S (\text{th-purge}(\text{thr}_1), \text{mem}_{1,p}, \text{sst}_{p})$, and hence (using (c)) that

$$\text{succ}_j(\text{conf}_1) <_S (\text{th-purge}(\text{getT}(\text{succ}_j(\text{conf}_1))), \text{mem}_{1,p}, \text{sst}_{p}).$$

(e) As $\text{conf}_1$ makes a transition to $\text{succ}_j(\text{conf}_1)$, we obtain that

$$\sharp(\text{Tr}_S(\text{succ}_j(\text{conf}_1))) + \sharp(\text{Tr}_S(\text{conf}_2)) < n,$$

and that $\text{succ}_j(\text{conf}_1)$ is terminating.

(f) Due to (a), (b), (d), and (e), we can apply the induction hypothesis for the configurations $\text{succ}_j(\text{conf}_1)$ and $\text{conf}_2$, the memories $\text{mem}_{1,p}$ and $\text{mem}_{2,p}$, and the scheduler state $\text{sst}_p$, and obtain

$$P(\text{succ}_j(\text{conf}_1)) = P(\text{conf}_2).$$

5. Firstly, we assume that $\text{thr}_1(j) \in \text{HCom}$. We now show that in this case $P(\text{succ}_j(\text{conf}_1)) = P(\text{conf}_2)$ holds.

(a) As $\text{thr}_1 \sim \text{thr}_2$, by the definition of low bisimulations modulo low matching we have $\text{getT}(\text{succ}_j(\text{conf}_1)) \sim \text{thr}_2$.

(b) As $\text{thr}_1(j) \in \text{HCom}$, we have $\text{getM}(\text{succ}_j(\text{conf}_1)) =_L \text{mem}_2$.

(c) As $\text{thr}_1(j) \in \text{HCom}$, $\alpha$ contains only high commands. Hence, $\text{th-purge}(\text{thr}_1) = \text{th-purge}(\text{getT}(\text{succ}_j(\text{conf}_1)))$.

(d) As $\text{conf}_1 <_S (\text{th-purge}(\text{thr}_1), \text{mem}_{1,p}, \text{sst}_{p})$, we have by the definition of $\mathcal{S}$-simulations that $\text{succ}_j(\text{conf}_1) <_S (\text{th-purge}(\text{thr}_1), \text{mem}_{1,p}, \text{sst}_{p})$, and hence (using (c)) that

$$\text{succ}_j(\text{conf}_1) <_S (\text{th-purge}(\text{getT}(\text{succ}_j(\text{conf}_1))), \text{mem}_{1,p}, \text{sst}_{p}).$$

(e) As $\text{conf}_1$ makes a transition to $\text{succ}_j(\text{conf}_1)$, we obtain that

$$\sharp(\text{Tr}_S(\text{succ}_j(\text{conf}_1))) + \sharp(\text{Tr}_S(\text{conf}_2)) < n,$$

and that $\text{succ}_j(\text{conf}_1)$ is terminating.

(f) Due to (a), (b), (d), and (e), we can apply the induction hypothesis for the configurations $\text{succ}_j(\text{conf}_1)$ and $\text{conf}_2$, the memories $\text{mem}_{1,p}$ and $\text{mem}_{2,p}$, and the scheduler state $\text{sst}_p$, and obtain

$$P(\text{succ}_j(\text{conf}_1)) = P(\text{conf}_2).$$

6. Using (5.), we rewrite $P(\text{conf}_{1, \text{high}})$ as:

$$P(\text{conf}_{1, \text{high}}) = P(\text{conf}_2) * \sum \{ p_j(\text{conf}_1) \mid j \in \text{enabledPos}(\text{conf}_1) \wedge \text{thr}_1(j) \in \text{HCom} \}.$$

Note that this equals $P(\text{conf}_2) * (1 - l \text{prob}_S(\text{conf}_1))$.

Analogously, we obtain $P(\text{conf}_{2, \text{high}}) = P(\text{conf}_1) * (1 - l \text{prob}_S(\text{conf}_2))$. 

8
7. Now, we assume that $thr_1(j) \in LCom$ and that $k = l\text{-match}_{thr_1, thr_2}(j)$.

8. We now show that

$$\rho_l(\text{conf}_1) / l\text{-prob}_S(\text{conf}_1) = \rho_k(\text{conf}_2) / l\text{-prob}_S(\text{conf}_2).$$

(a) As $\text{conf}_1 \lessdot_S (\text{th-purge}(thr_1), \text{mem}_{1,p}, \text{sst}_p)$, we obtain from the definition of $S$-simulations that

$$\rho_j(\text{conf}_1) / l\text{-prob}_S(\text{conf}_1) = \rho_{j'}(\langle \text{th-purge}(thr_1), \text{mem}_{1,p}, \text{sst}_p \rangle),$$

where $j' = l\text{-match}_{thr_1, \text{th-purge}(thr_1)}(j)$.

(b) Analogously, we have

$$\rho_k(\text{conf}_2) / l\text{-prob}_S(\text{conf}_2) = \rho_{k'}(\langle \text{th-purge}(thr_2), \text{mem}_{2,p}, \text{sst}_p \rangle),$$

where $k' = l\text{-match}_{thr_2, \text{th-purge}(thr_2)}(k)$.

(c) Let $m$ be such that $thr_1(j)$ is the $m$th low thread in $thr_1$. Then $thr_2(k)$ is the $m$th low thread in $thr_2$ (as $k$ is obtained by computing the low match between $thr_1$ and $thr_2$ for $j$).

By the definition of the purge function, we thus have $m = j' = k'$. (As $\text{mem}_{1,p} =_L \text{mem}_{2,p}$ and $\pi(\text{th-purge}(thr_1)) = \pi(\text{th-purge}(thr_2))$, we have $\text{obs}(\text{th-purge}(thr_1), \text{mem}_{1,p}) = \text{obs}(\text{th-purge}(thr_2), \text{mem}_{2,p})$ as $\text{obs}$ is confined. Hence,

$$\rho_m(\langle \text{th-purge}(thr_1), \text{mem}_{1,p}, \text{sst}_p \rangle) = \rho_m(\langle \text{th-purge}(thr_2), \text{mem}_{2,p}, \text{sst}_p \rangle).$$

(e) Combining the equalities from (a), (b), and (d), we obtain the equality that we want to prove.

9. As $j \in \text{enabledPos}(\text{conf}_1)$, we have $\rho_j(\text{conf}_1) > 0$. Then, by (8.), we also have $\rho_k(\text{conf}_2) > 0$, and hence $k \in \text{enabledPos}(\text{conf}_2)$.

10. We will now show that $P(\text{succ}_{j}(\text{conf}_1)) = P(\text{succ}_{k}(\text{conf}_2))$.

(a) As $thr_1 \sim thr_2$ and $\text{mem}_{1} =_L \text{mem}_{2}$, we have $\text{getT}(\text{succ}_{j}(\text{conf}_1)) \sim \text{getT}(\text{succ}_{k}(\text{conf}_2))$ as well as $\text{getM}(\text{succ}_{j}(\text{conf}_1)) =_L \text{getM}(\text{succ}_{k}(\text{conf}_2))$ by the definition of low bisimulations modulo low matching.

(b) As $\text{conf}_1 \lessdot_S (\text{th-purge}(thr_1), \text{mem}_{1,p}, \text{sst}_p)$, the execution step from $\text{conf}_1$ to $\text{succ}_{j}(\text{conf}_1)$ can be simulated by an execution step of the configuration $\langle \text{th-purge}(thr_1), \text{mem}_{1,p}, \text{sst}_p \rangle$ by the definition of $S$-simulations, resulting in the configuration

$$\langle \text{th-purge}(\text{getT}(\text{succ}_{j}(\text{conf}_1))), \text{mem}'_{1,p}, \text{sst}'_p \rangle$$

for some $\text{sst}'_p$. Moreover, we have

$$\text{succ}_{j}(\text{conf}_1) \lessdot_S \langle \text{th-purge}(\text{getT}(\text{succ}_{j}(\text{conf}_1))), \text{mem}'_{1,p}, \text{sst}'_p \rangle.$$  

Finally, $\text{getM}(\text{succ}_{j}(\text{conf}_1)) =_L \text{mem}'_{1,p}$, as $thr_1$ is FSI-secure.
(c) We repeat step (b) with $\text{conf}_2$ instead of $\text{conf}_1$. Note that as $\text{obs}$ is confined, we obtain the same scheduler state $\text{sst}'_p$, as $\text{th}$-$\text{purge}(\text{thr}_1)$ and $\text{th}$-$\text{purge}(\text{thr}_2)$ have the same number of threads, and $\text{mem}_{1,p} = L \text{mem}_{2,p}$.

(d) As $\text{conf}_1$ and $\text{conf}_2$ are both terminating, $\text{succ}_j(\text{conf}_1)$ and $\text{succ}_k(\text{conf}_2)$ are also terminating. Moreover, we obtain
\[ \sharp(\text{Tr}_S(\text{succ}_j(\text{conf}_1))) + \sharp(\text{Tr}_S(\text{succ}_k(\text{conf}_2))) < n. \]

(e) Using (a), (b), (c), and (d), we apply the induction hypothesis for the configurations $\text{succ}_j(\text{conf}_1)$ and $\text{succ}_k(\text{conf}_2)$, for the memories $\text{mem}_{1,p}'$ and $\text{mem}_{2,p}'$, and the scheduler state $\text{sst}'_p$, and obtain
\[ P(\text{succ}_j(\text{conf}_1)) = P(\text{succ}_k(\text{conf}_2)). \]

11. Expressing $P(\text{conf}_1)$ and $P(\text{conf}_2)$ by using the equations from (6.), we obtain an equation system in $X = P(\text{conf}_1)$ and $Y = P(\text{conf}_2)$:

\[
X = \sum \{ \rho_j(\text{conf}_1) \cdot P(\text{succ}_j(\text{conf}_1)) \mid j \in \text{enabledPos}(\text{conf}_1) \land \text{thr}_1(j) \in \text{LCom} \}
+ Y \cdot (1 - l \cdot \text{prob}_S(\text{conf}_1))
\]

\[
Y = \sum \{ \rho_k(\text{conf}_1) \cdot P(\text{succ}_k(\text{conf}_2)) \mid k \in \text{enabledPos}(\text{conf}_2) \land \text{thr}_2(k) \in \text{LCom} \}
+ X \cdot (1 - l \cdot \text{prob}_S(\text{conf}_2))
\]

To complete the induction step it remains to show that the solution $(x, y)$ of this equation system satisfies $x = y$.

12. For solving the equation system, we introduce some abbreviations to make the formulas more readable. We define $S_i = P(\text{conf}_i, \text{low})$ and $\rho_i = 1 - l \cdot \text{prob}_S(\text{conf}_i)$ for $i \in \{1, 2\}$. Using these notations, the equation system can be written as follows:

\[ X = S_1 + Y \cdot \rho_1 \]  
\[ Y = S_2 + X \cdot \rho_2 \]  

13. Solving the above equation system for $Y$ yields

\[ Y = \frac{\rho_2 \cdot S_1 + S_2}{1 - \rho_1 \cdot \rho_2}. \]

We need to show that $X = Y$. To show this we show that this solution for $Y$ equals $X$ as represented in (1), where we substitute $Y$ with the above solution for $Y$. This resolves to

\[ \frac{\rho_2 \cdot S_1 + S_2}{1 - \rho_1 \cdot \rho_2} = S_1 + \frac{\rho_2 \cdot S_1 + S_2}{1 - \rho_1 \cdot \rho_2} \cdot \rho_1. \]
Multiplying both sides by \((1 - \rho_1 \ast \rho_2)\) yields
\[
\rho_2 \ast S_1 + S_2 = \left[ 1 - \rho_1 \ast \rho_2 \right] \ast S_1 + \rho_1 \ast \left[ \rho_2 \ast S_1 + S_2 \right].
\]
The term \(\rho_1 \ast \rho_2 \ast S_1\) can be canceled on the right side of the equation, we obtain
\[
\rho_2 \ast S_1 + S_2 = S_1 + \rho_1 \ast S_2.
\]
Expanding \(\rho_1\) and \(\rho_2\) with their definitions we obtain
\[
S_1 - l\text{-}\text{prob}_{G}(\text{conf}_2) \ast S_1 + S_2 = S_1 + S_2 - l\text{-}\text{prob}_{G}(\text{conf}_1) \ast S_2,
\]
which simplifies to
\[
l\text{-}\text{prob}_{G}(\text{conf}_2) \ast S_1 = l\text{-}\text{prob}_{G}(\text{conf}_1) \ast S_2.
\]
We expand \(S_1\) and \(S_2\) and obtain
\[
l\text{-}\text{prob}_{G}(\text{conf}_2) \ast \sum_{j \in \text{enabledPos}(\text{conf}_1)} \rho_j(\text{conf}_1) \ast P(\text{succ}_j(\text{conf}_1)) | \text{ thr}_1(j) \in \text{LCom} \land \|
\]
\[
= l\text{-}\text{prob}_{G}(\text{conf}_1) \ast \sum_{k \in \text{enabledPos}(\text{conf}_2)} \rho_k(\text{conf}_1) \ast P(\text{succ}_k(\text{conf}_2)) | \text{ thr}_2(k) \in \text{LCom} \|
\]
Now, we use the equalities derived in (8.) and in (10.), viz
\[
\rho_j(\text{conf}_1) / l\text{-}\text{prob}_{G}(\text{conf}_1) = \rho_k(\text{conf}_2) / l\text{-}\text{prob}_{G}(\text{conf}_2),
\]
and
\[
P(\text{succ}_j(\text{conf}_1)) = P(\text{succ}_k(\text{conf}_2)),
\]
where \(k = l\text{-}\text{match}_{\text{thr}_1,\text{thr}_2}(j)\). These equalities directly show that the two sides of the above equation are indeed equal. This finishes the proof of the induction step.

\[\square\]

**Proof of Theorem 7.** Theorem 7 follows directly by applying Proposition 1 to the thread pools \(\text{thr}_1 = \text{thr}_2 = \text{thr}\), memories \(\text{mem}_1 = \text{mem}_{1,p}\) respectively \(\text{mem}_2 = \text{mem}_{2,p}\) with \(\text{mem}_1 = \text{L mem}_2\), and scheduler states \(\text{sst}_1, \text{sst}_2\), and \(\text{sst}_p\) that are all equal to \(\text{sst}_0\).

### 7 Proof of Theorem 8 (Soundness of Security Type System)

**Theorem 8.** If the judgment \(\vdash \text{com} : (\text{ass}, \text{stp})\) is derivable in the type system for some \(\text{com} \in \text{Com} \) and \(\text{ass}, \text{stp} \in \{\text{low}, \text{high}\}\) then \(\text{com}\) is FSI-secure.
We firstly prove three auxiliary lemmas:

**Lemma 4.** Let com ∈ Com be typable as (high, stp). Then com ∈ HCom.

*Proof.* The proof is by induction over the derivation of the judgment ⊢ com : (high, stp):
1. Assume that com = skip. Then com ∈ HCom is trivially satisfied.
2. Assume that com = var:=exp. Then dom(var) = high as com is typable with ass = high, and therefore com ∈ HCom.
3. Assume that com = if (exp) then com₁ else com₂ fi. As com is typable with ass = high, com₁ and com₂ are both typable with ass₁, ass₂ = high. Hence, by the induction hypothesis both com₁ and com₂ are contained in HCom.
4. Assume that com = while (exp) do com′ od. Then, as com is typable with ass = high, com′ is also typable with ass = high. By the induction hypothesis for all i we have comᵢ ∈ HCom.
5. Assume that com = com₁; com₂. Then, as in the previous cases, one obtains that com₁ and com₂ are contained in HCom. Thus, by the definition of the set HCom, com ∈ HCom.
6. Assume that com = spawn(com₀, . . . , comₖ). Then, as com is typable with ass = high, all the comᵢ are typable with assᵢ = high. Hence, by the induction hypothesis for all i we have comᵢ ∈ HCom. Hence, com ∈ HCom.

**Lemma 5.** Let com ∈ Com be typable with (ass, low). Let mem₁ =L mem₂ and com₁, com₂, α₁, α₂, mem₁', mem₂' with ⟨com, mem⟩ α −→ ⟨com₁, mem₁'⟩ and ⟨com, mem⟩ α −→ ⟨com₂, mem₂'⟩. Then com₁ = com₂, α₁ = α₂, and mem₁' =L mem₂'.

*Proof.* We prove the lemma by induction over the derivation of the judgment ⊢ com : (ass, low).
1. The cases for skip-statements, spawn-statements, and sequential composition are obvious.
2. Assume that com = var:=exp. The low memory is only changed by the assignment if dom(var) = low. In this case, by the typing rule for assignments, dom(exp) = low, and hence the new value of var is equal when executing the assignment in low-equal states.
3. Assume that com = if (exp) then com₁ else com₂ fi. By the typing rule for conditionals, we have dom(exp) = low. Hence, when executing com₁ in two low-equal states, one arrives either in com₁ with both execution steps, or in com₂ with both execution steps, where the memory remains unchanged.
4. Assume that com = while (exp) do com′ od. By the typing rule for loops, we have dom(exp) = low. Hence, when executing com₁ in two low-equal states, one arrives either in stop with both execution steps, or in com′; com with both execution steps, where the memory remains unchanged.
Lemma 6. Let com be a typable command, and assume that \( \langle \text{com}, \text{mem} \rangle \xrightarrow{\alpha} \langle \text{com}', \text{mem}' \rangle \) for memories mem, mem', com' ∈ Com, and a label \( \alpha \). Then com' is typable.

Proof. We prove the statement by induction over the derivation of the typing of com.

1. The interesting case is \( \text{com} = \text{while} (\text{exp}) \text{ do com}_1 \text{ od} \). By the typing rule for loops, com is typable as \((\text{ass}, \text{stp} \sqcup \text{dom(exp))} \) if \( \text{com}_1 \) is typable as \((\text{ass}, \text{stp})\) and \( \text{stp} \sqcup \text{dom(exp)} \sqsubseteq \text{ass} \).

2. If \( \text{com}' \in \text{Com} \), then \( \text{com}' = \text{com}_1 \text{ com} \). This is typable by the rule for sequential composition, if \( \text{com}' \) is typable as \((\text{ass}_1, \text{stp}_1)\), \text{com} is typable as \((\text{ass}_2, \text{stp}_2)\), and \( \text{stp}_1 \sqsubseteq \text{ass}_1 \).

3. Taking the types from (1.) for \( \text{com} \) and \( \text{com}_1 \), we hence need to show that \( \text{stp} \sqcup \text{dom(exp)} \sqsubseteq \text{ass} \), which holds according to (1.).

We now prove Theorem 8:

Proof.

1. Let \( \text{thr}_{\text{com}} \) be the thread pool consisting of the single command \( \text{com} \) (see Definition 8 in [MS10]). Assume without loss of generality that \( \text{com} \) is typable as \((\text{ass}, \text{stp})\) with \( \text{ass} = \text{low} \) (if \( \text{ass} = \text{high} \), then \( \text{thr} \) is FSI-secure by Lemma 4 and Theorem 3), and that \( \text{com} \in \text{LCom} \) (as otherwise \( \text{thr}_{\text{com}} \) is FSI-secure by Theorem 3). We prove the FSI-security of \( \text{thr}_{\text{com}} \) by induction over the derivation of the judgment \( \vdash \text{com} : (\text{ass}, \text{stp}) \).

2. Assume that \( \text{com} = \text{skip} \). Then \( \text{thr}_{\text{com}} \) is obviously FSI-secure.

3. Assume that \( \text{com} = \text{var}: = \text{exp} \). As \( \text{ass} = \text{low} \), by the typing rule for assignments we have \( \text{dom(var)} = \text{low} \) and, hence, \( \text{dom(exp)} = \text{low} \). Evaluating \( \text{exp} \) in two low-equal states yields the same value, and therefore executing \( \text{thr}_{\text{com}} \) in two low-equal states equally modifies the low memory and results in the empty thread pool. Hence, \( \text{thr}_{\text{com}} \) is FSI-secure.

4. Assume that \( \text{com} = \text{spawn}(\text{com}_1, \ldots, \text{com}_k) \). By the typing rule for the \( \text{spawn} \)-command, all \( \text{com}_i \) are typable, and, hence, FSI-secure by the induction hypothesis. Executing \( \text{com} \) in two low-equal memories results in low-equal memories and equal thread pools consisting of FSI-secure threads which are hence FSI-secure by Theorem 2. In consequence, \( \text{thr}_{\text{com}} \) is FSI-secure.

5. Assume that \( \text{com} = \text{if} (\text{exp}) \text{ then com}_1 \text{ else com}_2 \text{ fi} \).

(a) If \( \text{dom(exp)} = \text{low} \), then \( \text{thr}_{\text{com}} \) always performs either a transition to \( \text{thr}_{\text{com}_1} \) or a transition to \( \text{thr}_{\text{com}_2} \) in low-equal states (as \( \text{exp} \) evaluates to the same value in low-equal states). By the induction hypothesis, the thread pools \( \text{thr}_{\text{com}_1} \) and \( \text{thr}_{\text{com}_2} \) are FSI-secure (and hence related to themselves by the relation \( \sim \)).

(b) If \( \text{dom(exp)} = \text{high} \), then \( \text{stp} = \text{high} \) by the definition of the typing rule for conditionals. Furthermore, both \( \text{com}_1 \) and \( \text{com}_2 \) are typed with \((\text{high}, \text{stp}_1)\) and \((\text{high}, \text{stp}_2)\) for some \( \text{stp}_1, \text{stp}_2 \) due to the typing rule for conditionals. Hence, both \( \text{com}_1 \) and \( \text{com}_2 \) are high commands by
Lemma 4. Hence, \( \text{com} \) is already a high command, which is FSI-secure by Theorem 3.

6. Assume that \( \text{com} = \text{com}_1; \text{com}_2 \). As \( \text{com} \in L\text{Com} \), we have \( \text{com}_1 \in L\text{Com} \). Furthermore, by the definition of the typing rule for sequential composition and the induction hypothesis, we have that \( \text{com}_1 \) and \( \text{com}_2 \) are FSI-secure. We will exhibit a low bisimulation modulo low matching that relates \( \text{thr}_\text{com} \) to itself. We define a relation \( R \) on thread pools with equal numbers of low threads as follows: \( \text{thr}_1 \mathrel{R} \text{thr}_2 \) if and only if the following two conditions hold:

(a) \( \text{thr}_1(0) = \text{thr}_2(0) = \text{com}_i; \text{com}_{ii} \) for two commands \( \text{com}_i \) and \( \text{com}_{ii} \) and \( \text{thr}_1(0) \) is typable with \( \text{stp} = \text{low} \), or both \( \text{thr}_1(0) \) and \( \text{thr}_2(0) \) are high commands.

(b) When removing the threads at position 0 from \( \text{thr}_1 \) respectively \( \text{thr}_2 \), the remaining thread pools are related by the relation \( \sim \).

We now show that the relation \( R \) is a low bisimulation modulo low matching.

- We only consider transitions of the thread at position 0. Transitions of the remaining threads comply with the requirements of low bisimulations modulo low matching by the requirement (b) in the definition of \( R \).
- If both \( \text{thr}_1(0) \) and \( \text{thr}_2(0) \) are high commands, then the requirements of low bisimulations modulo low matching are satisfied for those threads (compare proof of Theorem 3).
- Now assume that \( \text{thr}_1(0) = \text{thr}_2(0) = \text{com}_i; \text{com}_{ii} \) and that \( \text{thr}_1(0) \) is typable with \( \text{stp} = \text{low} \). Assume furthermore that \( \langle \text{com}_i; \text{com}_{ii}, \text{mem}_1 \rangle \overset{\alpha}{\rightarrow} \langle \text{com}_{ii}, \text{mem}'_1 \rangle \). By the definition of the operational semantics for sequential composition, there are two cases:

Case 1. \( \langle \text{com}_i, \text{mem}_1 \rangle \overset{\alpha}{\rightarrow} \langle \text{stop}, \text{mem}'_1 \rangle \) and \( \text{com}_{iii} = \text{com}_{ii} \).

Case 2. \( \langle \text{com}_i, \text{mem}_1 \rangle \overset{\alpha}{\rightarrow} \langle \text{com}_{iv}, \text{mem}_1 \rangle \) and \( \text{com}_{iii} = \text{com}_{iv}; \text{com}_{ii} \).

By Lemma 5, in both cases the execution step can be simulated in a low-equal memory, resulting in equal commands and low-equal memories. Hence, the execution step of \( \text{thr}_1(0) \) can be simulated by \( \text{thr}_2(0) \). The resulting threads satisfy the requirements from the definition of \( R \) (the command \( \text{com}_{iii} \) is typable due to Lemma 6).

Hence, \( R \) is a low bisimulation modulo low matching. As \( \text{thr}_\text{com} \mathrel{R} \text{thr}_\text{com} \), \( \text{thr}_\text{com} \) is FSI-secure.

7. Assume that \( \text{com} = \text{while} (\text{exp}) \text{do com}_1 \text{od} \). This case is proven by combining the arguments from the cases for conditionals (5.) and sequential composition (6.).

References