A Semiring-based Trace Semantics for Processes with Applications to Information Leakage Analysis

Michele Boreale¹, David Clark², and Daniele Gorla³

¹ Dipartimento di Sistemi e Informatica, Università di Firenze
² Department of Computer Science, King’s College London
³ Dipartimento di Informatica, “Sapienza” Università di Roma

Abstract. We propose a framework for reasoning about program security building on language-theoretic and coalgebraic concepts. The behaviour of a system is viewed as a mapping from traces of high (unobservable) events to low (observable) events: the less the degree of dependency of low events on high traces, the more secure the system. We take the abstract view that low events are drawn from a generic semiring, where they can be combined using product and sum operations; throughout the paper, we provide instances of this framework, obtained by concrete instantiations of the underlying semiring. We specify systems via a simple process calculus, whose semantics is given as the unique homomorphism from the calculus into the set of behaviours, i.e. formal power series, seen as a final coalgebra. We provide a compositional semantics for the calculus in terms of rational operators on formal power series and show that the final and the compositional semantics coincide.

1 Introduction

Security analysis of programs has traditionally been centered on a notion of non-interference [15]. Research has mostly been into a functional interpretation whereby a program is acceptable if low-confidentiality variables or actions do not depend on high-confidentiality ones. This approach has been developed in both imperative [23] and process algebraic [14] settings. Non-interference is now generally recognised as enforcing too strict a policy. For this reason, more flexible variants of this concept are often considered. In declassification, a program may be declared as acceptable if information can flow from high to low but only in prescribed ways [11, 24]. In more recent years, attempts have been made to provide methods to quantify the amount of leaked information, mostly building on information-theoretic or probabilistic tools [12, 13, 8, 6]. Then a program may be declared as acceptable if the information it leaks does not exceed a prescribed threshold.

In this paper, we propose a framework for reasoning about information leakage that builds on language-theoretic and coalgebraic concepts. The framework offers a unifying view of diverse facets of language security, such as those mentioned above, puts them in a more abstract perspective and possibly paves the way to their unification. It also elucidates interesting connections between language-based security, coalgebras and language theory.


Let us introduce a scenario that motivates our approach. Consider a discrete-time, nondeterministic system P. During the execution of P, certain events, such as updates of high-variables, are under the control of a secret scheduler and not directly observable from the outside. Some other events are observable, including updates of low variables, input/output actions, certain file accesses, and so on. These observable events are not directly controlled by the secret scheduler, and may obey nondeterministic or probabilistic laws. An attacker can perform observations upon the system only at prescribed times, e.g. only upon termination. Moreover, he can have the system re-execute as many times as he wishes: through these repeated executions, we assume the policy of the secret scheduler (high behaviour) remains fixed, while all the possibilities arising from the nondeterministic or probabilistic low behaviour of the system are observed. Through this process, the attacker collects a set of observations o₁, o₂, ... and combines them into a global observation to make deductions about the non-observable events – in essence, about the choices of the secret scheduler. One can think of basically two ways the observations can be combined. The first one is a form of sequential composition, say ⋆, by which a sequence of consecutive observations, e.g. o₁, o₂, o₃, results in a combined observation, o = o₁ ⋆ o₂ ⋆ o₃. Note that, from the point of view of the attacker, only the final, combined observation o may be available, not the intermediate o_i – the ⋆ operation may not be actually available to him. The second operation, call it +, can be used to combine observations arising from the repeated executions of the system, e.g. o₁ ⋆ o₂ and o₃ ⋆ o₄, into a global observation (o₁ ⋆ o₂) + (o₃ ⋆ o₄). This operation is therefore available to the attacker. In the end, to each sequence of unobservable events, say π, there corresponds a global observation o, thus defining a mapping from high traces to observations that we name L(P). This mapping can be deduced from P’s specification, which must be assumed to be public. Hence, using L(P) and the global observation o, the attacker can learn information about the secret sequence π: at least, he can get to know that π ∈ (L(P))⁻¹(o).

To make a concrete case, consider a system P, informally specified as follows. Either of two unobservable events, h or h′, is initially executed, the choice depending on the secret scheduler. Then, h leads to a state where the low-event l is always executed, while h′ leads to a state where either of two branches is taken: in the first branch, l′ and then l′′ are executed, while in the second just l is executed. In any case, the system then terminates. The two branches are taken, respectively, with probability 3/4 and 1/4. In this case, the observations o are probability sub-distributions on low-traces, while ⋆ and + are, respectively, the product and sum of sub-distributions (seen as weighted languages). The above specification hence yields L(P)(h) = [l ↦ 1] and L(P)(h′) = [l′l′′ ↦ 3/4, l ↦ 1/4].

From the point of view of a designer that must assess the security of the system, the mapping L(P) is the central object of interest. For example, if L(P) is a constant, then the observed low-event does not depend on the secret sequence of high-events: the system is perfectly secure (see [25] for a similar notion of security, formulated in a synchronous setting, Nondeducibility on Strategies). If this is not the case, the designer might at least be interested in learning how many equivalence classes the domain of L(P) is partitioned into (that is, the number of pre-images (L(P))⁻¹(o), for o ranging over the observations): the fewer, the better. Also, he might want to perform quantitative measures, in case probabilistic behaviour is involved. In the example above, L(P) can be seen as a stochastic matrix whose rows and columns are indexed by high- and low-traces, respectively, and its capacity can be computed by standard techniques. Indeed, an information theorist might recognize in this example an instance of the noisy Z-channel having {h, h′} and {l, l′l′′} as an input and an output alphabet, respectively.

In essence, it is crucial for the designer to be able to specify L(P), generate it and reason on it - e.g. prove that two system specifications generate the same behaviours - in a compositional, syntax-driven fashion. We face these issues and draw on language-theoretic concepts. We take the general view that observable events are elements of a semiring [17], S, whose product and sum correspond to the ⋆ and + operations mentioned above. A set of unobservable, high-events H is assumed. The security significant behaviour of the system, L(P), is then a mapping from H∗ to S, that is, a formal power series on H and S [17]. We provide a simple process calculus to specify systems, equipped with an operational semantics given in terms of Moore automata. Then, following [22], we characterize the semantic mapping L(·) in terms of the unique homomorphism from this calculus into the set of formal power series seen as a final coalgebra. We next provide a compositional semantics of the calculus in terms of rational operators on formal power series, defined via behavioural differential equations [22]. We show that the final and the compositional semantics coincide. A consequence of this result is a Kleene theorem saying that, in our calculus, all and only the rational formal power series are definable. The benefits of the two semantics can be summed up as follows: the final semantics allows for reasoning – proving equivalences – on systems by co-induction, while the compositional semantics, and in particular the behavioural differential equations, can be used for step-wise, syntax-driven generation of the behaviours L(P), for any P. Throughout the paper, we provide instances of this framework obtained by concrete instantiations of the semiring S, and examples that illustrate these ideas.

The rest of the paper is organized as follows: In Section 2 we provide background notions about semirings and formal power series and introduce a few concrete instances of them that are relevant to information leakage analysis. In Section 3 we give the syntax and operational semantics of the language. In Section 4 we describe the abstract semantics using finality and characterize the semantic mapping in terms of language equivalence. Following this, we provide a compositional semantics and show that the final and the compositional semantics coincide in Section 5. In Section 6, we provide two non-trivial examples illustrating the use of the compositional semantics and of the language as a modelling tool. To round off the paper, in Section 7 we briefly discuss an extension of the language with a simple form of parallel composition. Finally we offer some comparison with related work and directions for future research. All proofs have been confined to the Appendix.

2 Semirings and formal power series

Recall that a semiring S is a tuple (S, +, ×, 0, 1) such that (S, +, 0) is a commutative monoid, (S, ×, 1) is a monoid, × distributes over + both on the left and on the right, and 0 annihilates both on the left and on the right (i.e., 0 × o = o × 0 = 0 for each o ∈ S). We let o, o′, ... range over S. Moreover, given o₁, . . . , o_n ∈ S, we let ∑_{i=1...n} o_i denote o₁ + . . . + o_n. A semiring (endo)morphism is a function f : S → S such that: f(0) = 0, f(1) = 1, and for each o, o′ ∈ S, f(o + o′) = f(o) + f(o′) and f(o × o′) = f(o) × f(o′).

The simplest possible semiring is B, obtained by taking S = {0, 1} and + and × to be the sum and product of booleans, that is or and and. Other examples of semirings are the natural numbers N and the nonnegative reals R+. Every ring, hence every field, is of course a semiring. As an example of a non-commutative semiring, consider a finite and non-empty alphabet A; then, L = (2^{A∗}, ∪, ·, ∅, {ε}), with ∪ being language union, · being language concatenation and ε being the empty string, is the semiring of languages over A.

Fix a semiring S = (S, +, ×, 0, 1) and a finite, non-empty alphabet A. A formal power series over A with coefficients in S is a function σ : A∗ → S. The set of all such functions will be denoted by F_{A,S}, or simply by F when no ambiguity arises. Given σ, τ ∈ F, the sum σ + τ and convolution product σ × τ are the formal power series defined in the expected manner, that is, by setting for each w ∈ A∗

$$(\sigma + \tau)(w) = \sigma(w) + \tau(w) \qquad (\sigma \times \tau)(w) = \sum_{u,v\,:\,uv=w} \sigma(u) \times \tau(v) \tag{1}$$

where, on the right-hand side, + (∑) and × respectively denote sum and product in S. Note that there is no harm in overloading the symbols + and × as we do here. Indeed, S can be seen as a subset of F by identifying each o ∈ S with the formal power series σ such that σ(ε) = o and σ(w) = 0 elsewhere. This identification is easily seen to preserve the meaning of +, ×, 0 and 1. It is readily checked that (F, +, ×, 0, 1) is in turn a (non-commutative) semiring.

Let us now fix a finite, non-empty alphabet L, ranged over by l, l′, .... In the rest of the paper, elements of L will usually be interpreted as observable, low confidentiality actions, as opposed to unobservable, high confidentiality actions, to be introduced in the next section. For the time being, however, there is no need to fix a specific interpretation of L. We let λ, λ′, ... range over L∗. The semiring W_L of weighted (low-)traces is defined as F_{L,R+}. That is, weighted (low-)traces are functions o : L∗ → R+, with operations of sum and product defined as in (1) above. The reason for our interest in this semiring is that it includes all functions o : L∗ → [0, 1] such that ∑_{λ∈L∗} o(λ) = 1, that is, all probability distributions on low traces, as well as all functions o such that ∑_{λ∈L∗} o(λ) ≤ 1, that is, all probability sub-distributions. Note that neither of these two sets forms a semiring, which explains why it is mathematically convenient to work with the larger set W_L. In what follows we shall sometimes take the freedom of writing down weighted (low-)traces as formal sums. For instance, (1/3) ll′ + (2/3) ll′′ denotes the element o ∈ W_L such that: o(λ) = 1/3 if λ = ll′, o(λ) = 2/3 if λ = ll′′ and o(λ) = 0 for any other λ ∈ L∗.

Let us give another instance of (noncommutative) semiring related to security analysis. Given any non-empty set V of program variables, a store is a partial function m : V → D, where D is some data-type. Let M be the set of all such stores. Each element of 2^M, the powerset of M, can be thought of as the result of the execution of a nondeterministic program. It is natural to endow 2^M with a semiring structure as follows. Let us denote by m ⋆ m′ the sequential composition of two stores, defined thus: (m ⋆ m′)(v) = m′(v) if m′(v) is defined, (m ⋆ m′)(v) = m(v) if m(v) is defined and m′(v) undefined, (m ⋆ m′)(v) is undefined if neither of m(v), m′(v) are defined. In other words, m ⋆ m′ describes the effect of running two programs one after another, the first producing m and the second producing m′. Now consider M = (2^M, ∪, ⋆, ∅, {∅}), where: ⋆ is extended point-wise to 2^M (that is, given I₁, I₂ ⊆ M, I₁ ⋆ I₂ = {m ⋆ m′ | m ∈ I₁, m′ ∈ I₂}) and ∅ denotes the empty set, which is also the nowhere defined partial function. It is readily checked that M is a semiring.

3 A process calculus

Let us fix a finite, non-empty alphabet H, ranged over by h, h′, . . .. It is convenient to think of H as a set of unobservable, high-confidentiality actions (as opposed to the set L introduced in the preceding section; the two sets are assumed to be disjoint). We let π, π′, . . . range over H∗. Let us fix a semiring S. The set of all processes is given by the following syntax

P ::= o | h | P + P | P; P | P⟨f⟩ | P∗

where o ∈ S, h ∈ H and f : S → S is a semiring morphism. As usual, +, ; and ∗ denote nondeterministic choice, sequential composition and iteration, respectively; P⟨f⟩ is a filtering operator that applies the filter f – a morphism on the semiring – to the observable events produced by P; the condition that f be a morphism appears to be quite natural, and yields a compositional way to compute filter applications. Given processes P₁, . . . , P_n, we let ∑_{i=1...n} P_i denote P₁ + . . . + P_n, where the summands are arranged in any arbitrary fixed order. By convention, we let this summation denote 0 ∈ S when n = 0. In what follows, we shall not commit to any specific semiring, even though our reference instance is meant to be W_L. The set of all processes is denoted by P_S, or simply by P when there is no need to be specific about S.

A measure, ∆ : P_S → S, is a map from processes to the semiring S. Let M be the set of all measures. For any P ∈ P, we let δ(P) denote the measure ∆ s.t. ∆(Q) = 1 if Q = P, ∆(Q) = 0 otherwise; note that here 0, 1 ∈ S. It is useful to define operations of internal sum and scalar product for measures. For each P:

$$(\Delta + \Delta')(P) \triangleq \Delta(P) + \Delta'(P) \qquad (o \times \Delta)(P) \triangleq o \times \Delta(P) \tag{2}$$

where on the right hand side of the definitions the operations are those of the semiring S. Such an overload of the symbols + (∑) and × is harmless, as any ambiguity is easily resolved by the context. With these operations, every measure can be written as ∆ = ∑_{P∈P} ∆(P) × δ(P). A few syntactic operations on measures will be useful. Syntactic right-multiplication by a process: if ∆ = ∑_{P∈P} ∆(P) × δ(P), then ∆; Q ≜ ∑_{P∈P} ∆(P) × δ(P; Q). Syntactic left-multiplication, Q; ∆, is defined similarly. Finally, syntactic filtering: with the same ∆ as above, ∆⟨f⟩ ≜ ∑_{P∈P} f(∆(P)) × δ(P⟨f⟩).

When describing the semantics, the following two notable measures will turn out to be useful. For every P ∈ P:

$$0_M(P) \triangleq 0 \qquad 1_M(P) \triangleq \begin{cases} 1 & \text{if } P = 1 \\ 0 & \text{otherwise} \end{cases}$$

The operational semantics of P is given by a pair of functions (w, −→). Here, for each P, w(P) ∈ S is the final weight of P, corresponding to the observation that can be made upon P in the current state. A non-zero weight may be understood as indicating the possibility of immediate termination. Specifically, w ∈ M is a measure defined by induction on P as follows¹:

$$\begin{array}{lll}
w(o) = o & w(h) = 0 & w(P_1; P_2) = w(P_1) \times w(P_2) \\
w(P\langle f\rangle) = f(w(P)) & w(P_1 + P_2) = w(P_1) + w(P_2) & w(Q^*) = \begin{cases} 1 & \text{if } w(Q) = 0 \\ 0 & \text{if } w(Q) \neq 0 \end{cases}
\end{array}$$

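The function −→ : (P × H) → M describes the effect of executing a high action and making a transition to a measure. As customary, (P, h, ∆) ∈ −→ will be written as $P \xrightarrow{h} \Delta$. The judgments defining $P \xrightarrow{h} \Delta$ are reported below, where we assume h′ ≠ h.

$$h \xrightarrow{h} 1_M \qquad h' \xrightarrow{h} 0_M \qquad o \xrightarrow{h} 0_M$$

$$\frac{P \xrightarrow{h} \Delta_1 \quad Q \xrightarrow{h} \Delta_2}{P + Q \xrightarrow{h} \Delta_1 + \Delta_2} \qquad \frac{P \xrightarrow{h} \Delta_1 \quad Q \xrightarrow{h} \Delta_2}{P; Q \xrightarrow{h} (\Delta_1; Q) + (w(P) \times \Delta_2)}$$

$$\frac{P \xrightarrow{h} \Delta}{P\langle f\rangle \xrightarrow{h} \Delta\langle f\rangle} \qquad \frac{P \xrightarrow{h} \Delta}{P^* \xrightarrow{h} \Delta; P^*}$$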

The rules should be self explanatory. In particular, the rule for sequential composition states that the h-derivative of P; Q results from summing up h-derivatives originating from P, with Q as a sequel, and from Q; the latter contributes to the sum only if P may terminate immediately. The rule for filtering P with f applies the filter f to every element of the derivative of P. The rule for P∗ is obvious if one thinks that Kleene’s law, namely P∗ = 1 + P; P∗, should remain valid in our setting.

The operational semantics (w, −→) can be turned into a more traditional representation in terms of state-transition machines. Recall that a weighted automaton [17, 22] is like a nondeterministic automaton, but both its arcs and its states are also labelled with weights taken from a semiring. Here, we define a weighted automaton where states are P, the state labeling function is w(·) and the transition relation −→ ⊆ P × H × S × P is defined thus: (P, h, o, P′) ∈ −→, written $P \xrightarrow{h,o} P'$, whenever $P \xrightarrow{h} \Delta$ and ∆(P′) = o ≠ 0. As an example, the weighted automaton for the process Q = (o₂; h + o₃; h′)∗ is given here on the right, where the leftmost state corresponds to process Q and the rightmost one to 1; Q. In the next section, we shall introduce an abstract semantics that equates automata with the same weighted language. It will turn out that the classical law Q = 1; Q holds also in our setting; a possible application of such a law could be simplification of the previous automaton to one with just one state (the rightmost one).

[Figure: weighted automaton for Q = (o₂; h + o₃; h′)∗, with two states of weight 1 and arcs labelled h,o₂ and h′,o₃.]

To conclude, let us fix S = W_L and give a specification in our language of the Z-channel mentioned in the Introduction. The input alphabet is h, h′ ∈ H and the output alphabet is l, l′l′′ ∈ L∗; let p ∈ [0, 1]. Then

Z = h; l + h′; pl′l′′ + h′; (1 − p)l .

As we shall see, this turns out to be equivalent to h; l + h′; (pl′l′′ + (1 − p)l).

¹ Note that the semantics of Q∗ is usually taken as undefined when w(Q) ≠ 0: the reason is evident if one tries to expand Q∗ according to Kleene’s law, namely Q∗ = 1 + Q; Q∗. Here, for simplicity, in case w(Q) ≠ 0 we stipulate w(Q∗) = 0, so as to avoid dealing with a partial semantic function.

4 Abstract semantics

We first describe the abstract semantics of P by finality and then characterize the semantic mapping in terms of (weighted) language equivalence.

We endow P with a Moore automaton structure² and then define its semantics coalgebraically, following [22, 7]. Recall that a Moore automaton with inputs in a finite non-empty alphabet A and outputs in K is a triple (Q, δ, γ) where Q is a (not necessarily finite) set of states, δ : Q × A → Q is a transition function and γ : Q → K is an output function. Let us keep A and K fixed. Central to this treatment is the notion of bisimulation.

Definition 1 (bisimulation). Given M = (Q, δ, γ), a bisimulation is a binary relation R ⊆ Q × Q such that, whenever (q, q′) ∈ R then γ(q) = γ(q′) and (δ(q, a), δ(q′, a)) ∈ R, for every a ∈ A. We write q ∼ q′ if there exists a bisimulation relating q and q′.

The relation ∼ over Q is easily seen to be an equivalence relation and a bisimulation in turn. A homomorphism between two Moore automata M and M′ is a function φ mapping the states of M to the states of M′ such that, with an obvious symbology, for each q ∈ Q, γ(q) = γ′(φ(q)) and, for each a ∈ A, φ(δ(q, a)) = δ′(φ(q), a). The class of all Moore automata has a final object F that can be characterized in terms of formal power series. Specifically, we let F be the Moore automaton (Q, δ, γ) defined thus:

– Q = F_{A,K};
– δ(σ, a) = σ_a, where σ_a(w) = σ(aw), for each w ∈ A∗;
– γ(σ) = σ(ε).

Theorem 1 (Finality and Coinduction principle [22]). F is final in the class of Moore automata with inputs in A and outputs in K. That is, for every such automaton M there exists a unique homomorphism φ : M → F. Moreover, for every q and q′ states of M, it holds that q ∼ q′ if and only if φ(q) = φ(q′).

We proceed now to endow P with a Moore automaton structure, with inputs in H and outputs in the semiring S. Then, the above results will give us: (1) a notion of bisimulation, and (2) a canonical way of interpreting processes as formal power series, which is fully abstract w.r.t. bisimilarity. The construction goes as follows. We extend the weight function and transition relation to M by linearity. That is, if we let ∆_{P,h} be the unique measure such that $P \xrightarrow{h} \Delta_{P,h}$ (for each P, h and ∆), then we have:

– w(∆) ≜ ∑_{P∈P} ∆(P) × w(P);
– $\Delta \overset{h}{\longmapsto} \Delta_h$, where ∆_h ≜ ∑_{P∈P} ∆(P) × ∆_{P,h}.

² To be precise, we are endowing M with a Moore automaton structure, i.e. we are considering Moore automata whose states are measures. With some abuse of terminology, we can consider states as processes, once we see a process P as the Dirac’s measure δ(P).

Now, we let A ≜ (M, δ, w), where δ(∆, h) = ∆_h: this is a Moore automaton with inputs in H and outputs in S. Observe that P is naturally embedded in M, once one identifies P with the measure δ(P). We now let P ∼ Q stand for δ(P) ∼ δ(Q). It is crucial for the compositionality of the semantics that bisimilarity over P be a congruence.

Theorem 2. For every P, Q, R ∈ P such that P ∼ Q and for every semiring morphism f : S → S, it holds that:

(1) P + R ∼ Q + R    (2) P; R ∼ Q; R    (3) P⟨f⟩ ∼ Q⟨f⟩    (4) P∗ ∼ Q∗

Let us denote by L the unique homomorphism from A to F given by Theorem 1; it is a function of type M −→ F, mapping every measure to a formal power series. We want now to give a more explicit characterization of this homomorphism in terms of the operational semantics (w, −→) of P. To this purpose, we extend the notion of h-derivative of a state ∆, previously written ∆_h, to sequences of high actions π ∈ H∗ in the expected way: ∆_ε ≜ ∆ and ∆_{hπ} ≜ (∆_h)_π.

Proposition 1. For every ∆ and π, L(∆)(π) = w(∆_π), for every π ∈ H∗.

To conclude, we can define the language generated by a process P, written L(P), as expected: L(P) ≜ L(δ(P)).

Let us now illustrate the semantics just introduced by a small, concrete example. Let us consider the Z-channel again, Z = h; l + h′; pl′l′′ + h′; (1 − p)l. The Moore automaton generated by δ(Z) (or, more formally, the portion of the infinite automaton A that is reachable from δ(Z)) according to the operational rules is given by

$$\delta(l) \xleftarrow{\;h\;} \delta(Z) \xrightarrow{\;h'\;} \delta(p\,l'l'') + \delta((1 - p)\,l)$$

So w(∆_h) = l, while w(∆_{h′}) = pl′l′′ + (1 − p)l, as expected. The same result is obtained starting from Z′ = h; l + h′; (pl′l′′ + (1 − p)l); thus, Z ∼ Z′.
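The operational semantics of Section 3 and Proposition 1 can be executed directly. The following Python code is an added example, not code from the paper: it implements the weight function w, the transition rules and L(P)(π) = w(∆_π) over finite-support weighted traces, and evaluates the Z-channel with p = 3/4 as in the Introduction. Filtering P⟨f⟩ is left out, and all function and variable names are assumptions of this example.

```python
from fractions import Fraction

# Semiring W_L restricted to finite support. A weighted trace is a sorted
# tuple of (trace, weight) pairs and a trace is a tuple of low symbols; the
# tuple form keeps process terms hashable.
def wt(d):
    return tuple(sorted((t, Fraction(c)) for t, c in d.items() if c != 0))

ZERO = wt({})        # 0: weight 0 on every trace
ONE = wt({(): 1})    # 1: weight 1 on the empty trace

def s_add(a, b):
    out = dict(a)
    for t, c in b:
        out[t] = out.get(t, 0) + c
    return wt(out)

def s_mul(a, b):
    # Convolution product of equation (1): split each trace as u followed by v.
    out = {}
    for u, c in a:
        for v, d in b:
            out[u + v] = out.get(u + v, 0) + c * d
    return wt(out)

# Process terms as nested tuples (constructor names are this example's own).
def obs(d): return ("o", wt(d))
def high(name): return ("h", name)
def seq(p, q): return (";", p, q)
def star(p): return ("*", p)
def choice(first, *rest):
    term = first
    for p in rest:
        term = ("+", term, p)
    return term

UNIT = ("o", ONE)    # the process 1

def w(p):
    """Final weight w(P), by induction on P."""
    tag = p[0]
    if tag == "o": return p[1]
    if tag == "h": return ZERO
    if tag == "+": return s_add(w(p[1]), w(p[2]))
    if tag == ";": return s_mul(w(p[1]), w(p[2]))
    if tag == "*": return ONE if w(p[1]) == ZERO else ZERO
    raise ValueError(tag)

# A measure is a dict {process: nonzero weight}; {} is the measure 0_M.
def m_add(d1, d2):
    out = dict(d1)
    for p, o in d2.items():
        out[p] = s_add(out.get(p, ZERO), o)
    return out

def m_scale(o, d):
    scaled = {p: s_mul(o, x) for p, x in d.items()}
    return {p: x for p, x in scaled.items() if x != ZERO}

def m_then(d, q):
    # Syntactic right-multiplication Delta;Q
    return {seq(p, q): o for p, o in d.items()}

def step(p, h):
    """The measure Delta such that P --h--> Delta."""
    tag = p[0]
    if tag == "o": return {}
    if tag == "h": return {UNIT: ONE} if p[1] == h else {}
    if tag == "+": return m_add(step(p[1], h), step(p[2], h))
    if tag == ";":
        return m_add(m_then(step(p[1], h), p[2]),
                     m_scale(w(p[1]), step(p[2], h)))
    if tag == "*": return m_then(step(p[1], h), p)
    raise ValueError(tag)

def language(p, pi):
    """L(P)(pi) = w(Delta_pi), starting from the Dirac measure delta(P)."""
    delta = {p: ONE}
    for h in pi:
        nxt = {}
        for q, o in delta.items():
            nxt = m_add(nxt, m_scale(o, step(q, h)))
        delta = nxt
    total = ZERO
    for q, o in delta.items():
        total = s_add(total, s_mul(o, w(q)))
    return total

# Z-channel with p = 3/4 and its factored form Z'.
PROB = Fraction(3, 4)
Z = choice(seq(high("h"), obs({("l",): 1})),
           seq(high("h'"), obs({("l'", "l''"): PROB})),
           seq(high("h'"), obs({("l",): 1 - PROB})))
Z_PRIME = choice(seq(high("h"), obs({("l",): 1})),
                 seq(high("h'"), obs({("l'", "l''"): PROB, ("l",): 1 - PROB})))

if __name__ == "__main__":
    for pi in ([], ["h"], ["h'"], ["h", "h'"]):
        print(pi, dict(language(Z, pi)), language(Z, pi) == language(Z_PRIME, pi))
```

Agreement of `language(Z, pi)` and `language(Z_PRIME, pi)` on the sampled traces illustrates Z ∼ Z′; it is a spot check on finitely many traces, not a bisimulation proof.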

5 A compositional construction

We want to provide now another, more informative way of describing the semantic mapping L discussed in Section 4. In particular, we want to introduce the analog of the process operators over F and then prove that L is compositional w.r.t. these process operators (see Corollary 1 below). We follow the approach in [22, 7] and define operators on formal power series via behavioural differential equations. Generally speaking, a behavioural differential equation is a coinductive specification of a formal power series, providing its initial value – σ(ε) – and the form of its derivatives σ_h, for every h ∈ H. Of course, one has in general to prove that the given equations have a unique solution. The advantage of this kind of definitions, over explicit but possibly more involved ones, is that they allow for coinductive, step-by-step reasoning on the formal power series they define. The behavioural differential equations defining the operators associated to the constructs of the language are given in Table 1. There, for every π ∈ H∗, we let

$$0_F(\pi) \triangleq 0 \qquad 1_F(\pi) \triangleq \begin{cases} 1 & \text{if } \pi = \varepsilon \\ 0 & \text{otherwise} \end{cases}$$

$$\begin{array}{ll}
\textbf{Initial condition} & \textbf{Condition on derivatives} \\
o(\varepsilon) \triangleq o & (o)_h \triangleq 0_F \\
h(\varepsilon) \triangleq 0 & (h)_{h'} \triangleq \begin{cases} 1_F & \text{if } h = h' \\ 0_F & \text{otherwise} \end{cases} \\
(\sigma + \sigma')(\varepsilon) \triangleq \sigma(\varepsilon) + \sigma'(\varepsilon) & (\sigma + \sigma')_h \triangleq \sigma_h + \sigma'_h \\
(\sigma;\sigma')(\varepsilon) \triangleq \sigma(\varepsilon) \times \sigma'(\varepsilon) & (\sigma;\sigma')_h \triangleq \sigma_h;\sigma' + \sigma(\varepsilon) \times \sigma'_h \\
(\sigma\langle f\rangle)(\varepsilon) \triangleq f(\sigma(\varepsilon)) & (\sigma\langle f\rangle)_h \triangleq (\sigma_h)\langle f\rangle \\
(\sigma^*)(\varepsilon) \triangleq \begin{cases} 1 & \text{if } \sigma(\varepsilon) = 0 \\ 0 & \text{otherwise} \end{cases} & (\sigma^*)_h \triangleq \sigma_h;\sigma^*
\end{array}$$

Table 1. Behavioural Differential Equations

Indeed, some of these behavioural differential equations give rise to operators well-known in the literature on rational series: σ + σ′ and σ; σ′ are, respectively, just the sum and convolution product defined by (1) – so another notation for σ; σ′ is just σ × σ′, while σ∗ is standard iteration (see e.g. [22]). The main result of this section is Corollary 1 below.

Theorem 3. In F, there exist unique constants ‘o’ and ‘h’ and operators ‘+’, ‘;’, ‘⟨f⟩’ and ‘∗’ that satisfy the behavioural differential equations in Table 1.

Corollary 1 (compositionality). In F, the unique constants ‘o’ and ‘h’ and operators ‘+’, ‘;’, ‘⟨f⟩’ and ‘∗’ defined by the behavioural differential equations in Table 1 also satisfy the following equalities:

$$L(o) = o \qquad L(h) = h \qquad L(P + Q) = L(P) + L(Q)$$

$$L(P\langle f\rangle) = (L(P))\langle f\rangle \qquad L(P; Q) = L(P); L(Q) \qquad L(P^*) = (L(P))^*$$

An obvious consequence of the above result is a Kleene theorem for our language. Recall that a formal power series σ ∈ F is rational [17] if it can be inductively built starting from the formal power series o and h (o ∈ S, h ∈ H) and using the sum, concatenation (sequential composition) and iteration operators defined above. The result entails that one can always eliminate (·)⟨f⟩, essentially by replacing each o occurring in the scope of (·)⟨f⟩ by f(o).

Proposition 2 (a Kleene theorem). Let σ be a formal power series. Then σ is rational if and only if σ = L(P) for some process P ∈ P.

6 Examples

6.1 Modeling a “Single Bid” Auction

We model a scenario where each of a certain number of users (three, for simplicity) bids for an item at auction. Each user submits a single (secret) bid to a trusted central server that, in turn, decides the winner by choosing the user whose bid has the highest value. Let U₁, U₂, U₃ be the users; every user knows his bid and the outcome of the auction produced by the server; the problem is measuring the information that every user has about the other users’ bids.

We choose a user, U₁, model his view of the auction and try to understand what inferences he can perform about other users’ bids – that is, U₁ represents here the (passive) attacker. U₁’s bid (a natural number between 1 and m) is an observable event modeled by actions l₁, . . . , l_m; also the outcome of the auction (i.e., the index of the user that wins the auction) is an observable event modeled by actions l′₁, l′₂, l′₃. On the contrary, the bids of U₂ (taken from {1, . . . , n} and modeled by high actions h₁, . . . , h_n) and of U₃ (taken from {1, . . . , q} and modeled by high actions h′₁, . . . , h′_q) are unobservable events, from U₁’s point of view. Let us fix the semiring as S = W_L.

A simple way to model the auction is by the following process:

$$\sum_{j=1}^{n} h_j; \sum_{k=1}^{q} h'_k; \sum_{i=1}^{m} [l_i \mapsto \Pr(l_i)]; o_{i,j,k} \tag{3}$$

where $\Pr(l_i)$ denotes the probability of the event $l_i$ and the element $o_{i,j,k} \in$ WL determines who is the winner of the auction. The actual definition of $o_{i,j,k}$ depends on how we decide to resolve conflicts arising from different users submitting the same bid. A simple but crude way is to resolve the conflict deterministically, e.g. by choosing the user with lowest index:

$$o_{i,j,k} \triangleq \begin{cases} [l'_1 \mapsto 1] & \text{if } i \geq j \text{ and } i \geq k\\ [l'_2 \mapsto 1] & \text{if } j > i \text{ and } j \geq k\\ [l'_3 \mapsto 1] & \text{otherwise.} \end{cases} \qquad (4)$$

A fairer way of choosing the winner is by letting

$$o_{i,j,k} \triangleq \left[\, l'_t \mapsto \frac{1}{|T_{i,j,k}|} \,\right]_{t \in T_{i,j,k}} \qquad (5)$$

where $T_{i,j,k}$ is the set of user indexes (i.e., $T_{i,j,k} \subseteq \{1, 2, 3\}$) containing the indexes of the users who made the greatest bids among i, j, k. For example, if i = j = k, then $T_{i,j,k} = \{1, 2, 3\}$; if i = j > k, then $T_{i,j,k} = \{1, 2\}$; if i > j and i > k, then $T_{i,j,k} = \{1\}$; and so on.

We let P and Q be the process (3) that uses (4) and (5), respectively, as a definition of $o_{i,j,k}$.

Let us now describe the matrix L(P). By the BDEs (or the operational semantics), the only entries with non-zero values are $L(P)(h_j h'_k)(l_i l'_t)$ for i ∈ {1, . . . , m}, j ∈ {1, . . . , n}, k ∈ {1, . . . , q} and t such that $o_{i,j,k} = [l'_t \mapsto 1]$; moreover, we have that $L(P)(h_j h'_k)(l_i l'_t) = \Pr(l_i)$. Suppose now that an a priori probability distribution on high traces, Pr(π), reflecting the bidding behaviour of the users, is publicly known. U1 can then perform some Bayesian inference about the bids of the other users: these inferences are of the form $\Pr(h_j h'_k \mid l_i l'_t)$; by noting that $L(P)(h_j h'_k)(l_i l'_t)$ corresponds to $\Pr(l_i l'_t \mid h_j h'_k)$ and by elementary probability theory

$$\Pr(h_j h'_k \mid l_i l'_t) = \frac{\Pr(l_i l'_t \mid h_j h'_k) \cdot \Pr(h_j h'_k)}{\Pr(l_i l'_t)} = \frac{\Pr(l_i) \cdot \Pr(h_j h'_k)}{\Pr(l'_t \mid l_i) \cdot \Pr(l_i)} = \frac{\Pr(h_j h'_k)}{\Pr(l'_t \mid l_i)}.$$

To make a concrete case, let us assume that each user has only two possible bidding values; thus, m = n = q = 2. In this case, L(P) is

$$\begin{array}{c|cccc}
 & l_1 l'_1 & l_1 l'_2 & l_1 l'_3 & l_2 l'_1\\ \hline
h_1 h'_1 & \Pr(l_1) & 0 & 0 & \Pr(l_2)\\
h_1 h'_2 & 0 & 0 & \Pr(l_1) & \Pr(l_2)\\
h_2 h'_1 & 0 & \Pr(l_1) & 0 & \Pr(l_2)\\
h_2 h'_2 & 0 & \Pr(l_1) & 0 & \Pr(l_2)
\end{array}$$

Thus, $\Pr(h_1 h'_1 \mid l_1 l'_1) = 1$, since $\Pr(l'_1 \mid l_1) = \Pr(h_1 h'_1)$: indeed, by (4), the only possibility for U1 to be the winner if he has bid 1 is to have all the bids at 1. The case for $\Pr(h_1 h'_2 \mid l_1 l'_3)$ is similar. Let us consider now $\Pr(h_2 h'_k \mid l_1 l'_2)$, for any k ∈ {1, 2}; in this case, $\Pr(l'_2 \mid l_1) = \Pr(h_2)$ because, if U1 has bid 1 and the winner is U2, it must be that U2’s bid is 2, regardless of U3’s bid. Thus, $\Pr(h_2 h'_k \mid l_1 l'_2) = \Pr(h'_k)$, once we assume that the users’ bids are pairwise independent. Finally, let us consider $\Pr(h_j h'_k \mid l_2 l'_1)$, for any j and k. In this case, U1 will always win; thus, $\Pr(l'_1 \mid l_2) = \Pr(l_2)$ and, hence, $\Pr(h_j h'_k \mid l_2 l'_1) = \frac{\Pr(h_j h'_k)}{\Pr(l_2)}$. To sum up:

1. if U1 bids 1,

   (a) he can determine with certainty the other bids if the winner is himself or U3: in the first case, the bids are 1 for everybody; in the second case, U2 has bid 1 and U3 has bid 2.

   (b) if the winner is U2, his only uncertainty is on U3’s bid, since he knows that U2 has bid 2.

2. if U1 bids 2, he surely wins, but he cannot determine with certainty any other bid.

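Let us now see how the matrix changes by passing from P to Q, and thus compare the two implementations of the auction system from the security point of view. The matrix for Q is:

$$\begin{array}{c|cccccc}
 & l_1 l'_1 & l_1 l'_2 & l_1 l'_3 & l_2 l'_1 & l_2 l'_2 & l_2 l'_3\\ \hline
h_1 h'_1 & \frac{\Pr(l_1)}{3} & \frac{\Pr(l_1)}{3} & \frac{\Pr(l_1)}{3} & \Pr(l_2) & 0 & 0\\
h_1 h'_2 & 0 & 0 & \Pr(l_1) & \frac{\Pr(l_2)}{2} & 0 & \frac{\Pr(l_2)}{2}\\
h_2 h'_1 & 0 & \Pr(l_1) & 0 & \frac{\Pr(l_2)}{2} & \frac{\Pr(l_2)}{2} & 0\\
h_2 h'_2 & 0 & \frac{\Pr(l_1)}{2} & \frac{\Pr(l_1)}{2} & \frac{\Pr(l_2)}{3} & \frac{\Pr(l_2)}{3} & \frac{\Pr(l_2)}{3}
\end{array}$$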

As expected, this system has more possible high-traces associated to the same low traces, that now are taken from a larger set. Therefore, in this second implementation of the auction system, U1 can infer less information about the others’ bids; in other words, Q is more secure than P. This statement can be made precise by saying that the capacity (see e.g. [8]) of L(Q) is less than the capacity of L(P).

We omit the detailed computation for lack of space. It is worth remarking that all the matrices shown can be calculated in a coinductive way via the BDEs presented in the previous section. Moreover, as discussed in [22], such calculations are mechanizable.
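The two matrices and U1's Bayesian inferences can be recomputed directly from (3), (4) and (5). The Python sketch below is an added example, not code from the paper: the function names, the dictionary encoding of the matrix and the sample probabilities are assumptions made for illustration, and it works for any m, n, q rather than only m = n = q = 2.

```python
from fractions import Fraction
from itertools import product


def rule_lowest_index(i, j, k):
    """Definition (4): ties are resolved in favour of the lowest user index."""
    if i >= j and i >= k:
        return {1: Fraction(1)}
    if j > i and j >= k:
        return {2: Fraction(1)}
    return {3: Fraction(1)}


def rule_fair(i, j, k):
    """Definition (5): uniform choice among the users with the greatest bid."""
    bids = {1: i, 2: j, 3: k}
    top = max(bids.values())
    tied = [user for user, bid in bids.items() if bid == top]
    return {user: Fraction(1, len(tied)) for user in tied}


def channel(pr_low, n, q, rule):
    """Matrix of process (3) as {high trace (j, k): {low trace (i, t): weight}}.

    pr_low maps U1's bid i to Pr(l_i); n and q bound the bids of U2 and U3.
    Zero entries are left out of each row.
    """
    matrix = {}
    for j, k in product(range(1, n + 1), range(1, q + 1)):
        row = {}
        for i, p_i in pr_low.items():
            for t, weight in rule(i, j, k).items():
                row[(i, t)] = p_i * weight
        matrix[(j, k)] = row
    return matrix


def posterior(matrix, prior, low):
    """Pr(high | low) by Bayes' rule, for a prior Pr(pi) on high traces."""
    joint = {h: row.get(low, Fraction(0)) * prior[h] for h, row in matrix.items()}
    total = sum(joint.values())
    if total == 0:
        raise ValueError(f"low trace {low} has probability 0 under this prior")
    return {h: p / total for h, p in joint.items() if p != 0}


def compatible(matrix, low):
    """High traces that can produce the low trace (non-zero column entries)."""
    return sorted(h for h, row in matrix.items() if low in row)


# Constructed sample values (not from the paper), with m = n = q = 2.
PR_LOW = {1: Fraction(1, 3), 2: Fraction(2, 3)}   # Pr(l_1), Pr(l_2)
PR_U2 = {1: Fraction(1, 4), 2: Fraction(3, 4)}    # Pr(h_1), Pr(h_2)
PR_U3 = {1: Fraction(2, 5), 2: Fraction(3, 5)}    # Pr(h'_1), Pr(h'_2)
# Independent bids, as assumed in the text.
PRIOR = {(j, k): PR_U2[j] * PR_U3[k] for j in PR_U2 for k in PR_U3}

L_P = channel(PR_LOW, 2, 2, rule_lowest_index)
L_Q = channel(PR_LOW, 2, 2, rule_fair)

if __name__ == "__main__":
    for name, matrix in (("P", L_P), ("Q", L_Q)):
        print(f"L({name}):")
        for high, row in matrix.items():
            print("  h%d h'%d ->" % high, {low: str(w) for low, w in row.items()})
        for low in sorted({low for row in matrix.values() for low in row}):
            post = posterior(matrix, PRIOR, low)
            print(f"  U1 sees l{low[0]} l'{low[1]}:",
                  {high: str(p) for high, p in post.items()})
```

Comparing `compatible(L_P, low)` with `compatible(L_Q, low)` for the same low trace shows the larger sets of high traces that Q associates with each observation.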


6.2 Imperative computations

This section provides a different way of writing examples; indeed, instead of adopting a process algebraic flavour (like, e.g., in Section 6.1), we adopt here a more imperative flavour, by exploiting the semiring of stores, M, described in Section 2. We let µ, µ′, ... range over sets of stores, i.e. partial functions from a set of variables V to a data domain D that are both non-empty. Notationally, we write the singleton store {[x ↦ v]} as [x = v].

The filter operator (·)〈f〉 can be used to express variable updates and conditionals mostly like in an imperative setting. Indeed, variable updates can be modelled by using elements of the semiring as process actions, like in e.g. [x = 1]; P. However, this feature only allows us to assign constants to variables. If we want to copy one variable into another, like in e.g. x := y, this trick does not work, and we have to use filters. For example, if x, y ∈ V, then the imperative program fragment P; x := 0; y := x + 1; Q corresponds to the following term in the calculus

$$(P; [x = 0])\langle f_{y:=x+1} \rangle; Q$$

where $f_{y:=x+1} : M \to M$ is defined by

$$f_{y:=x+1}(\mu) \triangleq \{ m \star [y = m(x) + 1] : m \in \mu \text{ and } m(x) \text{ is defined} \} \cup \{ m \in \mu : m(x) \text{ is not defined} \}.$$

We just have to prove that such a function is a semiring (endo)morphism. All properties are trivial, except for preservation of product. We have to show that $f_{y:=x+1}(\mu \star \mu') = f_{y:=x+1}(\mu) \star f_{y:=x+1}(\mu')$. Let $m \in f_{y:=x+1}(\mu \star \mu')$, i.e. $m = m_1 \star m_2 \star [y = (m_1 \star m_2)(x) + 1]$, if $(m_1 \star m_2)(x)$ is defined, and $m = m_1 \star m_2$, otherwise; in any case, $m_1 \in \mu$ and $m_2 \in \mu'$. If $(m_1 \star m_2)(x)$ is undefined, then both $m_1(x)$ and $m_2(x)$ are undefined; thus, $m_1 \in f_{y:=x+1}(\mu)$ and $m_2 \in f_{y:=x+1}(\mu')$, that implies $m \in f_{y:=x+1}(\mu) \star f_{y:=x+1}(\mu')$. If $(m_1 \star m_2)(x)$ is defined, then it can be that

1. either $m_2(x)$ is defined (and in this case $(m_1 \star m_2)(x) = m_2(x)$)
2. or that $m_2(x)$ is undefined (and in this case $m_1(x)$ is defined and $(m_1 \star m_2)(x) = m_1(x)$);

In case 1, let $m_1$ be $m_1 \star [y = m_1(x) + 1]$, if $m_1(x)$ is defined, and be $m_1$, otherwise; then, $m = m_1 \star (m_2 \star [y = m_2(x) + 1]) \in f_{y:=x+1}(\mu) \star f_{y:=x+1}(\mu')$. In case 2, $m = (m_1 \star [y = m_1(x) + 1]) \star m_2 \in f_{y:=x+1}(\mu) \star f_{y:=x+1}(\mu')$. The converse inclusion can be proved in a similar way.

Similarly, the program fragment P; if (x ≠ y) then y := y + 1 else z := 1 corresponds to the term

$$(P\langle f_{(x \neq y)} \rangle)\langle f_{y:=y+1} \rangle + (P\langle f_{(x=y)} \rangle)\langle f_{z:=1} \rangle.$$

Here the function $f_{(x \neq y)}$ filters out the stores not satisfying the condition x ≠ y, that is

$$f_{(x \neq y)}(\mu) \triangleq \{ m \in \mu \mid m(x), m(y) \text{ are both defined and } m(x) \neq m(y) \} \cup \{ m \in \mu : m(x) \text{ or } m(y) \text{ is not defined} \}.$$

The other filtering functions are defined as expected.

We can use the above ingredients to model the non-interference scenario commonly employed when reasoning on imperative programs. Specifically, let us assume that the set of variables V is partitioned into low and high ones, viz. $V_L$ and $V_H$. We shall need a filter $(\cdot)\langle f_L \rangle$ that hides from the attacker the high-part of stores and is defined to be $f_L(\mu) \triangleq \{ m|_{V_L} : m \in \mu \}$. In a term like $P\langle f_L \rangle$, assignments to high variables, [h = v], are not directly observable. Rather, in our modelling, it will be convenient to mark the occurrence of each such assignment with a distinct high event: the semantics $L(P\langle f_L \rangle)$ then takes care of establishing the correct correspondence between sequences of such events and observed stores. As an example, the program fragment h := 0; l := h, where $h \in V_H$ and $l \in V_L$, is modelled as

$$Q = \big( (h_0; [h = 0])\langle f_{l:=h} \rangle \big)\langle f_L \rangle$$

and, as expected, $L(Q)(h_0) = [l = 0]$.

In this setting, it is quite natural to model, for instance, a checking scenario. A user chooses a 4-digit and then stores it into a high variable h. The attacker chooses a guess for this and stores it into a low variable l. This behaviour is modelled by

$$\mathit{Choose} \triangleq \Big( \sum_{i \in \{0,\ldots,9999\}} h_i; [h = i] \Big);\ \sum_{j \in \{0,\ldots,9999\}} [l = j]$$

The -checker then checks h against l and stores the result of the comparison into the low variable r. The whole system is now modelled by:

$$\mathit{Check} \triangleq \big( \mathit{Choose}\langle f_{h=l} \rangle; [r = ok] + \mathit{Choose}\langle f_{h \neq l} \rangle; [r = no] \big)\langle f_L \rangle$$

where the filtering functions $f_{h=l}$ and $f_{h \neq l}$ are defined as expected. We could now generate the function L(Check) via the BDEs and check that it violates non-interference: indeed, L(Check) maps the trace $h_i$ to the set of stores $\mu_i = \{[l = i, r = ok]\} \cup \{[l = j, r = no] : j \neq i\}$; therefore, for i ≠ j, we have $\mu_i \neq \mu_j$. We could make the behaviour of the checker more refined, by e.g. combining the two semirings considered in Section 2 and associate probabilities with the choice of the secret and the attacker’s guess.

7 Parallelism

The interpretation of parallelism and synchronization is notoriously problematic when probability is involved. On the other hand, if we content ourselves with just weights – indeed in our calculus we never require weights to add up to 1 – parallelism becomes much easier, as studied e.g. by Hillston [16] and other authors doing stochastic process algebra. In fact, it is technically easy to extend the language presented in Section 3 with operators that introduce some form of parallelism. The corresponding operational rules mimic those found in process calculi, e.g. [7]. As a further simplification, in the following we shall confine ourselves to a pure interleaving operator, ||. We set w(P||Q) = w(P) × w(Q) and introduce the new operational rule

$$\frac{P \xrightarrow{h} \Delta \qquad Q \xrightarrow{h} \Delta'}{P \| Q \xrightarrow{h} (\Delta \| Q) + (P \| \Delta')}$$

where, as expected, (∆||Q) is the measure that assigns the weight ∆(R) to any term of the form R||Q, and yields 0 elsewhere ((P||∆′) is defined symmetrically). In the final semantics, this corresponds to the shuffle operator on FPS's defined by the following BDEs: $(\sigma \| \tau)(\varepsilon) = \sigma(\varepsilon) \times \tau(\varepsilon)$ and $(\sigma \| \tau)_h = (\sigma_h \| \tau) + (\sigma \| \tau_h)$, for h ∈ H.

As an example, assume H = {h, h′} and L = {l, l′} and consider $P \triangleq (h; o + h'; o')^*$, for distinct h, h′ and o, o′. This process behaves as a noiseless channel that reveals to the attacker the sequence of actions π ∈ H∗ performed by the secret scheduler. Assume now that two other processes work in parallel with P producing distinct observable effects associated with h and h′, thus

$$S \triangleq P \,\|\, (h; o')^* \,\|\, (h'; o)^*.$$

The system S is a quasi-perfect scrambler, that only reveals the total length of the sequence π performed by the three processes. Indeed, assume for instance that $o = [l \mapsto \frac{1}{2}]$ and that $o' = [l' \mapsto \frac{1}{2}]$. Then, in the row π (∈ H∗) of the matrix L(S), the probability is uniformly distributed on the low-traces of length k, $\{l, l'\}^k$, where k = |π|.

8 Concluding Remarks

In the last eight years there has been steady activity in developing concepts, definitions and analyses in the area of measuring information flows for different languages. Ultimately, these aim at being a means of enforcing quantity based security policies. A highly desirable outcome of this effort would be the automatic checking of enforcement via either model checking or program analysis. So far, the efforts have led to some notable progress for simple imperative languages [13, 21, 20, 4, 10]. By contrast, progress for process algebras has been notably slower. One problem has been establishing appropriate concepts. Lowe’s work [18] provided a starting point, developed in quite diverse directions by many authors [6, 8, 9, 19, 3, 1]. Compared with these works, the present paper makes a conceptual, rather than technical, step, by introducing a general, flexible scheme for specifying and analysing regular behaviours of different kinds, of which quantitative ones are just one flavour.

Our study has connections to the work of Rutten and his collaborators on coalgebras. As mentioned throughout the paper, the coalgebraic treatment of streams and FPS's was introduced, in a syntax-free framework, in [22]. In a recent paper [5], they present a systematic way to generate languages of (generalised) regular expressions, and a sound and complete axiomatization thereof, for a wide variety of quantitative systems. There are two major differences between our work and theirs. First, they work with branching- rather than linear-time semantics: their final coalgebras are not FPS's, but more complicated objects with no natural interpretation in terms of traces, languages and security analysis. Second, they focus on axiomatizations rather than on compositional semantics in terms of rational operators and ’s, as we do here.

Future developments of the present framework are exploring instantiations and interpretations of the semiring, as well as expanding the process language. Clearly the addition of a parallel operator with synchronization would be a significant enhancement, although it would lead us outside the realm of regular behaviours. So far this extension has presented non-trivial difficulties.

Acknowledgements This work had the benefit of the support of a Royal Society joint international project between King’s College, London and the Dipartimento di Informatica, Università “La Sapienza” di Roma. In addition, Clark was supported by the UK EPSRC project EP/C545605/1, Quantified Information Flow.

References

1. A. Aldini and A. Di Pierro. A quantitative approach to noninterference for probabilistic systems. ENTC, 99, 2004.

2. A. Askarov and A. Sabelfeld. Tight enforcement of information-release policies for dynamic languages. Proc. of IEEE CSF, 2009.

3. M. Backes. Quantifying probabilistic information flow in computational reactive systems. Proc. of ESORICS, volume LNCS 3679. Springer, 2005.

4. M. Backes, B. Köpf, and A. Rybalchenko. Automatic discovery and quantification of information leaks. In IEEE Symposium on Security and Privacy, 2009.

5. F. Bonchi, M. M. Bonsangue, J. J. M. M. Rutten, and A. Silva. Deriving syntax and axioms for quantitative regular behaviours. Proc. of CONCUR, volume 5710 of LNCS, pages 146–162. Springer, 2009.

6. M. Boreale. Quantifying information leakage in process calculi. Information and Computation, 207(6):699–725, 2009.

7. M. Boreale and F. Gadducci. Processes as formal power series: A coinductive approach to denotational semantics. Theoretical Computer Science, 360(1-3):440–458, 2006.

8. K. Chatzikokolakis, C. Palamidessi, and P. Panangaden. Anonymity protocols as noisy channels. Proc. of TGC, pages 281–300, 2006.

9. K. Chatzikokolakis, C. Palamidessi, and P. Panangaden. On the Bayes risk in information-hiding protocols. Journal of Computer Security, 16(5):531–571, 2008.

10. H. Chen and P. Malacaria. Quantitative analysis of leakage for multi-threaded programs. Proc. of PLAS, pages 31–40. ACM, 2007.

11. S. Chong and A. C. Myers. Security policies for downgrading. Proc. of CCS, pages 189–209, ACM 2004.

12. D. Clark, S. Hunt, and P. Malacaria. Quantitative analysis of the leakage of confidential data. ENTCS, 59, 2002.

13. D. Clark, S. Hunt, and P. Malacaria. A static analysis for quantifying information flow in a simple imperative language. Journal of Computer Security, 15(3):321–371, 2007.

14. R. Focardi and R. Gorrieri. A classification of security properties for process algebras. Journal of Computer Security, 3(1):5–33, 1995.

15. J. Goguen and J. Meseguer. Security policies and security models. In IEEE Symposium on Security and Privacy, pages 11–20, 1982.

16. J. Hillston. A Compositional Approach to Performance Modelling. Cambridge University Press, 1996.

17. W. Kuich and A. Salomaa. Semirings, automata, languages. Theoretical Computer Science, 5, 1986.

18. G. Lowe. Quantifying information flow. Proc. of CSFW. IEEE, 2002.

19. C. Mu. Measuring information flow in reactive processes. Proc. of ICICS. Springer, 2009.

20. C. Mu and D. Clark. An abstraction quantifying information flow over probabilistic semantics. Proc. of QAPL. Elsevier, 2009.

21. C. Mu and D. Clark. Quantitative analysis of secure information flow via probabilistic semantics. Proc. of ARES. IEEE, 2009.

22. J. J. M. M. Rutten. Behavioural differential equations: a coinductive calculus of streams, automata, and power series. Theoretical Computer Science, 308(1-3):1–53, 2003.

23. A. Sabelfeld and A. C. Myers. Language-based information-flow security. IEEE Journal on Selected Areas in Communications, 21(1), 2003.

24. A. Sabelfeld and D. Sands. Dimensions and principles of declassification. Proc. of CSFW, pages 255–269, IEEE 2005.

25. J.T. Wittbold, D.M. Johnson. Information flow in nondeterministic systems. Proc. IEEE Symp. on Security and Privacy, pages 144–161, IEEE 1990.

APPENDIX: Proofs

First, it is worth remarking the following properties of some operators defined. Recall that a semimodule [17] is an algebraic structure satisfying the same axioms as a vector space, with the difference that scalars range in a semiring rather than in a field.

Proposition 3.

1. M is a semimodule with the internal sum and scalar product defined in (2);
2. o × (∆; P) = (o × ∆); P;
3. (∆1; P) + (∆2; P) = (∆1 + ∆2); P;
4. (o × ∆)〈f〉 = f(o) × ∆〈f〉;
5. (∆1 + ∆2)〈f〉 = ∆1〈f〉 + ∆2〈f〉.

Proof. The first three items directly come from the definitions.

4. $$\begin{aligned}
(o \times \Delta)\langle f \rangle &\triangleq \sum_{R \in P} ((o \times \Delta)\langle f \rangle)(R) \times \delta(R)\\
&\triangleq \sum_{R' \in P} f((o \times \Delta)(R')) \times \delta(R'\langle f \rangle)\\
&= \sum_{R' \in P} f(o \times \Delta(R')) \times \delta(R'\langle f \rangle)\\
&= \sum_{R' \in P} f(o) \times f(\Delta(R')) \times \delta(R'\langle f \rangle)\\
&= f(o) \times \sum_{R' \in P} f(\Delta(R')) \times \delta(R'\langle f \rangle)\\
&\triangleq f(o) \times \sum_{R \in P} (\Delta\langle f \rangle)(R) \times \delta(R)\\
&\triangleq f(o) \times \Delta\langle f \rangle
\end{aligned}$$

where the first equality directly comes from (2), the second equality is ensured by the fact that f is a semiring morphism and the third one by associativity and distributivity of the semiring.

5. $$\begin{aligned}
(\Delta_1 + \Delta_2)\langle f \rangle &\triangleq \sum_{R \in P} ((\Delta_1 + \Delta_2)\langle f \rangle)(R) \times \delta(R)\\
&\triangleq \sum_{R' \in P} f((\Delta_1 + \Delta_2)(R')) \times \delta(R'\langle f \rangle)\\
&= \sum_{R' \in P} f(\Delta_1(R') + \Delta_2(R')) \times \delta(R'\langle f \rangle)\\
&= \sum_{R' \in P} (f(\Delta_1(R')) + f(\Delta_2(R'))) \times \delta(R'\langle f \rangle)\\
&= \sum_{R' \in P} f(\Delta_1(R')) \times \delta(R'\langle f \rangle) + \sum_{R' \in P} f(\Delta_2(R')) \times \delta(R'\langle f \rangle)\\
&= \sum_{R \in P} (\Delta_1\langle f \rangle(R)) \times \delta(R) + \sum_{R \in P} (\Delta_2\langle f \rangle(R)) \times \delta(R)\\
&\triangleq \Delta_1\langle f \rangle + \Delta_2\langle f \rangle
\end{aligned}$$

where the first equality directly comes from (2), the second equality is ensured by the fact that f is a semiring morphism and the third one by distributivity and associativity of the semiring. □

Corollary 2. Proposition 3(1) entails the following laws:

1. (∆1 + ∆2) + ∆3 = ∆1 + (∆2 + ∆3);
2. (o1 + o2) × ∆ = (o1 × ∆) + (o2 × ∆);
3. o × (∆1 + ∆2) = (o × ∆1) + (o × ∆2);
4. o1 × (o2 × ∆) = (o1 × o2) × ∆.

Proof of Proposition 1: The proof is by induction on the length of π. For the base case, we have that $L(\Delta)(\varepsilon) = w(\Delta) \triangleq w(\Delta_\varepsilon)$, where the first equality holds since L is a homomorphism of Moore automata. For the inductive case, let $\pi \triangleq h\pi'$; then, by the homomorphism properties of L and induction hypothesis, $L(\Delta)(h\pi') = L(\Delta_h)(\pi') = w((\Delta_h)_{\pi'}) \triangleq w(\Delta_{h\pi'})$. □

Let us now move to proving that ∼ is a congruence. We first need two auxiliary results.

Theorem 4. For every ∆1, ∆2 ∈ M such that ∆1 ∼ ∆2, it holds that:

1. ∆ + ∆1 ∼ ∆ + ∆2, for every ∆ ∈ M;
2. o × ∆1 ∼ o × ∆2, for every o ∈ S;
3. ∆1; P ∼ ∆2; Q, for every P, Q ∈ P such that P ∼ Q;
4. ∆1〈f〉 ∼ ∆2〈f〉, for every semiring morphism f.

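Proof.

1. We prove that $R \triangleq \{(\Delta + \Delta_1, \Delta + \Delta_2) : \Delta_1 \sim \Delta_2\}$ is a bisimulation.

– The output is the same:

$$\begin{aligned}
w(\Delta + \Delta_1) &\triangleq \sum_{R \in P} (\Delta + \Delta_1)(R) \times w(R)\\
&\triangleq \sum_{R \in P} (\Delta(R) + \Delta_1(R)) \times w(R)\\
&= \sum_{R \in P} \Delta(R) \times w(R) + \sum_{R \in P} \Delta_1(R) \times w(R)\\
&\triangleq w(\Delta) + w(\Delta_1)\\
&= w(\Delta) + w(\Delta_2)\\
&= w(\Delta + \Delta_2)
\end{aligned}$$

where the first equality holds because of distributivity in the semiring and the second equality holds because $w(\Delta_1) = w(\Delta_2)$, being $\Delta_1 \sim \Delta_2$.

– The derivatives are still bisimilar:

$$\begin{aligned}
(\Delta + \Delta_1)_h &\triangleq \sum_{R \in P} (\Delta + \Delta_1)(R) \times \Delta_{R,h}\\
&\triangleq \sum_{R \in P} (\Delta(R) + \Delta_1(R)) \times \Delta_{R,h}\\
&= \sum_{R \in P} ((\Delta(R) \times \Delta_{R,h}) + (\Delta_1(R) \times \Delta_{R,h}))\\
&= \Big(\sum_{R \in P} \Delta(R) \times \Delta_{R,h}\Big) + \Big(\sum_{R \in P} \Delta_1(R) \times \Delta_{R,h}\Big)\\
&\triangleq \Delta_h + (\Delta_1)_h
\end{aligned}$$

where the first equality holds because of Proposition 2(1). Similarly, $(\Delta + \Delta_2)_h = \Delta_h + (\Delta_2)_h$. Since $(\Delta_1)_h \sim (\Delta_2)_h$, we conclude that $((\Delta + \Delta_1)_h, (\Delta + \Delta_2)_h) \in R$.

2. We prove that $R \triangleq \{(o \times \Delta_1, o \times \Delta_2) : \Delta_1 \sim \Delta_2\}$ is a bisimulation.

– The output is the same:

$$\begin{aligned}
w(o \times \Delta_1) &\triangleq \sum_{R \in P} (o \times \Delta_1)(R) \times w(R)\\
&\triangleq \sum_{R \in P} (o \times \Delta_1(R)) \times w(R)\\
&= o \times \sum_{R \in P} \Delta_1(R) \times w(R)\\
&\triangleq o \times w(\Delta_1)\\
&= o \times w(\Delta_2)\\
&= w(o \times \Delta_2)
\end{aligned}$$

since $w(\Delta_1) = w(\Delta_2)$ being $\Delta_1 \sim \Delta_2$.

– The derivatives are still bisimilar:

$$\begin{aligned}
(o \times \Delta_1)_h &\triangleq \sum_{R \in P} (o \times \Delta_1)(R) \times \Delta_{R,h}\\
&\triangleq \sum_{R \in P} (o \times \Delta_1(R)) \times \Delta_{R,h}\\
&= \sum_{R \in P} o \times (\Delta_1(R) \times \Delta_{R,h})\\
&= o \times \sum_{R \in P} \Delta_1(R) \times \Delta_{R,h}\\
&\triangleq o \times (\Delta_1)_h
\end{aligned}$$

where the two equalities are due to Proposition 2(3,2). Similarly, $(o \times \Delta_2)_h = o \times (\Delta_2)_h$. Since $(\Delta_1)_h \sim (\Delta_2)_h$, we conclude that $((o \times \Delta_1)_h, (o \times \Delta_2)_h) \in R$.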

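3. We prove that

$$R \triangleq \{((\Delta'; P) + \Delta_1,\ (\Delta''; Q) + \Delta_2) : \Delta' \sim \Delta'' \text{ and } P \sim Q \text{ and } \Delta_1 \sim \Delta_2\}$$

is a bisimulation; this trivially implies the result by taking $\Delta_1 = \Delta_2 = 0_M$.

– The output is the same:

$$\begin{aligned}
w((\Delta'; P) + \Delta_1) &\triangleq \sum_{R \in P} ((\Delta'; P) + \Delta_1)(R) \times w(R)\\
&\triangleq \sum_{R \in P} ((\Delta'; P)(R) + \Delta_1(R)) \times w(R)\\
&= \sum_{R \in P} (\Delta'; P)(R) \times w(R) + \sum_{R \in P} \Delta_1(R) \times w(R)\\
&\triangleq \sum_{R = R'; P} \Delta'(R') \times w(R) + w(\Delta_1)\\
&= \sum_{R' \in P} \Delta'(R') \times w(R'; P) + w(\Delta_1)\\
&\triangleq \sum_{R' \in P} \Delta'(R') \times w(R') \times w(P) + w(\Delta_1)\\
&= w(P) \times w(\Delta') + w(\Delta_1)
\end{aligned}$$

Similarly, $w((\Delta''; Q) + \Delta_2) = w(Q) \times w(\Delta'') + w(\Delta_2)$. Now, $w(P) = w(Q)$, because $P \sim Q$, $w(\Delta') = w(\Delta'')$, because $\Delta' \sim \Delta''$, and $w(\Delta_1) = w(\Delta_2)$, because $\Delta_1 \sim \Delta_2$; this suffices to conclude that $w((\Delta'; P) + \Delta_1) = w((\Delta''; Q) + \Delta_2)$.

– The derivatives are still bisimilar:

$$\begin{aligned}
((\Delta'; P) + \Delta_1)_h &\triangleq \sum_{R \in P} ((\Delta'; P) + \Delta_1)(R) \times \Delta_{R,h}\\
&\triangleq \sum_{R \in P} ((\Delta'; P)(R) + \Delta_1(R)) \times \Delta_{R,h}\\
&= \sum_{R \in P} ((\Delta'; P)(R) \times \Delta_{R,h}) + \sum_{R \in P} (\Delta_1(R) \times \Delta_{R,h})\\
&\triangleq \sum_{R' \in P} (\Delta'(R') \times \Delta_{R';P,h}) + (\Delta_1)_h\\
&= \sum_{R' \in P} \Delta'(R') \times (\Delta_{R',h}; P + w(R') \times \Delta_{P,h}) + (\Delta_1)_h\\
&= \Big(\sum_{R' \in P} \Delta'(R') \times (\Delta_{R',h}; P)\Big) + \Big(\sum_{R' \in P} \Delta'(R') \times (w(R') \times \Delta_{P,h})\Big) + (\Delta_1)_h\\
&= \Big(\sum_{R' \in P} (\Delta'(R') \times (\Delta_{R',h})); P\Big) + \Big(\sum_{R' \in P} (\Delta'(R') \times w(R')) \times \Delta_{P,h}\Big) + (\Delta_1)_h\\
&= \Big(\sum_{R' \in P} \Delta'(R') \times (\Delta_{R',h})\Big); P + \Big(\sum_{R' \in P} (\Delta'(R') \times w(R')) \times \Delta_{P,h}\Big) + (\Delta_1)_h\\
&\triangleq (\Delta'_h; P) + \Big(\sum_{R' \in P} (\Delta'(R') \times w(R')) \times \Delta_{P,h}\Big) + (\Delta_1)_h\\
&= (\Delta'_h; P) + (w(\Delta') \times \Delta_{P,h}) + (\Delta_1)_h
\end{aligned}$$

where the first equality holds because of Proposition 2(1), the second one derives from the operational semantics of sequential composition, the third one by Proposition 2(2), the fourth one by Proposition 2(4,3), the fifth one by Proposition 3(2) and the last one by Proposition 2(1). Similarly with Q in place of P, ∆′′ in place of ∆′ and ∆2 in place of ∆1. By hypothesis, $(\Delta_1)_h \sim (\Delta_2)_h$; moreover, the fact that $\Delta_{P,h} \sim \Delta_{Q,h}$ (that holds because P ∼ Q), $w(\Delta') = w(\Delta'')$ and Theorem 4(2) allow us to conclude that $w(\Delta') \times \Delta_{P,h} \sim w(\Delta'') \times \Delta_{Q,h}$. Thus, by Theorem 4(1), $(w(\Delta') \times \Delta_{P,h}) + (\Delta_1)_h \sim (w(\Delta'') \times \Delta_{Q,h}) + (\Delta_2)_h$. Thanks to Proposition 3(1), this suffices to conclude that $(((\Delta'; P) + \Delta_1)_h, ((\Delta''; Q) + \Delta_2)_h) \in R$, as required.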

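4. We prove that $R \triangleq \{(\Delta_1\langle f \rangle, \Delta_2\langle f \rangle) : \Delta_1 \sim \Delta_2\}$ is a bisimulation.

– The output is the same:

$$\begin{aligned}
w(\Delta_1\langle f \rangle) &\triangleq \sum_{R \in P} (\Delta_1\langle f \rangle)(R) \times w(R)\\
&\triangleq \sum_{R' \in P} f(\Delta_1(R')) \times w(R'\langle f \rangle)\\
&\triangleq \sum_{R' \in P} f(\Delta_1(R')) \times f(w(R'))\\
&= f\Big(\sum_{R' \in P} \Delta_1(R') \times w(R')\Big)\\
&\triangleq f(w(\Delta_1))\\
&= f(w(\Delta_2))\\
&= w(\Delta_2\langle f \rangle)
\end{aligned}$$

where the fourth step has been obtained by using preservation of product and sum ensured by the fact that f is a morphism.

– The derivatives are still bisimilar:

$$\begin{aligned}
(\Delta_1\langle f \rangle)_h &\triangleq \sum_{R \in P} (\Delta_1\langle f \rangle)(R) \times \Delta_{R,h}\\
&\triangleq \sum_{R' \in P} f(\Delta_1(R')) \times \Delta_{R'\langle f \rangle,h}\\
&= \sum_{R' \in P} f(\Delta_1(R')) \times (\Delta_{R',h}\langle f \rangle)\\
&= \sum_{R' \in P} (\Delta_1(R') \times \Delta_{R',h})\langle f \rangle\\
&= \Big(\sum_{R' \in P} \Delta_1(R') \times \Delta_{R',h}\Big)\langle f \rangle\\
&\triangleq (\Delta_1)_h\langle f \rangle
\end{aligned}$$

where the first equality comes from the definition of the operational semantics and the last two ones are due to Proposition 3(4,5). Similarly, $(\Delta_2\langle f \rangle)_h = (\Delta_2)_h\langle f \rangle$. Since $(\Delta_1)_h \sim (\Delta_2)_h$, we conclude that $((\Delta_1)_h\langle f \rangle, (\Delta_2)_h\langle f \rangle) \in R$. □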

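Lemma 1. δ(P) + δ(Q) ∼ δ(P + Q).

Proof.

– The output is the same:

$$\begin{aligned}
w(\delta(P) + \delta(Q)) &\triangleq \sum_{R \in P} (\delta(P) + \delta(Q))(R) \times w(R)\\
&\triangleq \sum_{R \in P} (\delta(P)(R) + \delta(Q)(R)) \times w(R)\\
&= \sum_{R \in P} \delta(P)(R) \times w(R) + \sum_{R \in P} \delta(Q)(R) \times w(R)\\
&= \delta(P)(P) \times w(P) + \delta(Q)(Q) \times w(Q)\\
&= w(P) + w(Q)\\
&\triangleq w(P + Q)\\
&= w(\delta(P + Q))
\end{aligned}$$

– The derivative is the same:

$$\begin{aligned}
(\delta(P) + \delta(Q))_h &\triangleq \sum_{R \in P} (\delta(P) + \delta(Q))(R) \times \Delta_{R,h}\\
&\triangleq \sum_{R \in P} (\delta(P)(R) + \delta(Q)(R)) \times \Delta_{R,h}\\
&\triangleq \Big(\sum_{R \in P} \delta(P)(R) \times \Delta_{R,h}\Big) + \Big(\sum_{R \in P} \delta(Q)(R) \times \Delta_{R,h}\Big)\\
&= \Delta_{P,h} + \Delta_{Q,h}\\
&= \Delta_{P+Q,h}\\
&= \sum_{R \in P} (\delta(P + Q))(R) \times \Delta_{R,h}\\
&\triangleq (\delta(P + Q))_h
\end{aligned}$$

Indeed, by definition of the operational semantics, $P \xrightarrow{h} \Delta_{P,h}$ and $Q \xrightarrow{h} \Delta_{Q,h}$ imply that $P + Q \xrightarrow{h} \Delta_{P,h} + \Delta_{Q,h} \triangleq \Delta_{P+Q,h}$. □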

Proof of Theorem 2: The first fact is a trivial consequence of Theorem 4(1) and Lemma 1. The second fact is a trivial consequence of Theorem 4(3) and of the fact that, by definition, δ(P; R) = δ(P); R. The third fact is a trivial consequence of Theorem 4(4) and of the fact that, by definition, δ(P〈f〉) = (δ(P))〈f〉. Let us prove the fourth fact. We prove that

$$R \triangleq \{(\Delta_1; P^*,\ \Delta_2; Q^*) : P \sim Q \text{ and } \Delta_1 \sim \Delta_2\}$$

is a bisimulation; this trivially implies the result by taking $\Delta_1 = \Delta_2 = 1_M$ and by noting that $1_M; P \triangleq \delta(1; P) \sim \delta(P)$, for every P.

– The output is the same:

$$\begin{aligned}
w(\Delta_1; P^*) &\triangleq \sum_{R \in P} (\Delta_1; P^*)(R) \times w(R)\\
&= \sum_{R' \in P} \Delta_1(R') \times w(R') \times w(P^*)\\
&= w(P^*) \times w(\Delta_1)\\
&= w(Q^*) \times w(\Delta_2)\\
&= w(\Delta_2; Q^*)
\end{aligned}$$

Indeed, $w(\Delta_1) = w(\Delta_2)$, since $\Delta_1 \sim \Delta_2$. Moreover, $w(P^*)$ is 1, if w(P) = 0, and is 0, otherwise; thus, $w(P^*) = w(Q^*)$ by the fact that w(P) = w(Q), that holds since P ∼ Q.

– The derivatives are still bisimilar:

$$\begin{aligned}
(\Delta_1; P^*)_h &\triangleq \sum_{R \in P} (\Delta_1; P^*)(R) \times \Delta_{R,h}\\
&= \sum_{R' \in P} \Delta_1(R') \times \Delta_{R';P^*,h}\\
&= \sum_{R' \in P} \Delta_1(R') \times (\Delta_{R',h}; P^* + w(R') \times \Delta_{P^*,h})\\
&= \sum_{R' \in P} \Delta_1(R') \times \Delta_{R',h}; P^* + \sum_{R' \in P} \Delta_1(R') \times (w(R') \times (\Delta_{P,h}; P^*))\\
&= (\Delta_1)_h; P^* + (w(\Delta_1) \times \Delta_{P,h}); P^*\\
&= ((\Delta_1)_h + w(\Delta_1) \times \Delta_{P,h}); P^*.
\end{aligned}$$

Similarly for Q in place of P and ∆2 in place of ∆1. Now, since $w(\Delta_1) = w(\Delta_2)$ and $\Delta_{P,h} \sim \Delta_{Q,h}$, by Theorem 4(2) $w(\Delta_1) \times \Delta_{P,h} \sim w(\Delta_2) \times \Delta_{Q,h}$; by $(\Delta_1)_h \sim (\Delta_2)_h$ and Theorem 4(1), $((\Delta_1)_h + w(\Delta_1) \times \Delta_{P,h}) \sim ((\Delta_2)_h + w(\Delta_2) \times \Delta_{Q,h})$. This suffices to conclude that $((\Delta_1; P^*)_h, (\Delta_2; Q^*)_h) \in R$, as desired. □

To prove Corollary 1, we characterize the solutions of the BDEs in an operational manner, as follows. For each σ ∈ F, fix a distinct symbol σ. We consider a syntax of extended process EP, which includes P, built out of the following grammar which features an extra clause for constants:

EP ::= σ | o | h | EP + EP | EP; EP | EP∗ .

The weight function and operational semantics of Section 3 are extended by the rules

$$w(\sigma) = \sigma(\varepsilon) \qquad \text{and} \qquad \sigma \xrightarrow{h} \delta(\sigma_h).$$

The definitions and results described for P – including the Moore automaton definition – carry over to EP. We shall continue to call L(·) the final morphism mapping EP to F.

For its proof we need the following auxiliary results.

Proposition 4.

1. $(L(\Delta))_h = L(\Delta_h)$;
2. ∆ ∼ ∆′ if and only if L(∆) = L(∆′).

Lemma 2. $\delta(\sigma)_h = \delta(\sigma_h)$.

Proof. $\delta(\sigma)_h \triangleq \sum_{EP \in EP} \delta(\sigma)(EP) \times \Delta_{EP,h} = 1 \times \Delta_{\sigma,h} = \Delta_{\sigma,h} = \delta(\sigma_h)$. □

Lemma 3. L(σ) = σ.

Proof. By induction on the length of π, we show that L(σ)(π) = σ(π). For the base case, by definition of σ, we have that $L(\sigma)(\varepsilon) \triangleq L(\delta(\sigma))(\varepsilon) \triangleq w(\delta(\sigma)) = \sigma(\varepsilon)$. For the inductive case, let π be hπ′. By the homomorphism properties of L and Lemma 2, $L(\sigma)(h\pi') \triangleq L(\delta(\sigma))(h\pi') = L(\delta(\sigma)_h)(\pi') = L(\delta(\sigma_h))(\pi') \triangleq L(\sigma_h)(\pi')$; by definition of derivatives in FPS, $\sigma(h\pi') = \sigma_h(\pi')$. We conclude by using the inductive hypothesis. □

Lemma 4. δ(L(∆)) ∼ ∆.

Proof. By showing that R = {(∆, δ(L(∆)))} is a bisimulation. First, ∆ and δ(L(∆)) have the same output: indeed, $w(\delta(L(\Delta))) = w(L(\Delta)) \triangleq w(L(\Delta)(\varepsilon) + \sum_{h \in H} h; L(\Delta)_h) = L(\Delta)(\varepsilon) \triangleq w(\Delta)$. Second, ∆ and δ(L(∆)) have the same h-derivative: indeed, $\delta(L(\Delta))_h = \delta((L(\Delta))_h) = \delta(L(\Delta_h))$, where the first equality is Lemma 2 and the second one follows from Proposition 4(1). This suffices to conclude. □

Lemma 5. o × δ(σ) ∼ δ(o × σ).

Proof. We prove that $R \triangleq \{(o \times \delta(\sigma), \delta(o \times \sigma))\}$ is a bisimulation.

– $w(o \times \delta(\sigma)) \triangleq \sum_{EP \in EP} (o \times \delta(\sigma))(EP) \times w(EP) \triangleq \sum_{EP \in EP} o \times \delta(\sigma)(EP) \times w(EP) = o \times w(\sigma) = o \times \sigma(\varepsilon) \triangleq (o \times \sigma)(\varepsilon) \triangleq w(o \times \sigma) = w(\delta(o \times \sigma))$.

– $(o \times \delta(\sigma))_h \triangleq \sum_{EP \in EP} (o \times \delta(\sigma))(EP) \times \Delta_{EP,h} \triangleq \sum_{EP \in EP} (o \times \delta(\sigma)(EP)) \times \Delta_{EP,h} = o \times \Delta_{\sigma,h} = o \times \delta(\sigma_h)$. Moreover, $\delta(o \times \sigma)_h \triangleq \sum_{EP \in EP} \delta(o \times \sigma)(EP) \times \Delta_{EP,h} = \Delta_{o \times \sigma,h} = \delta((o \times \sigma)_h) = \delta(o \times \sigma_h)$. Indeed, for every π ∈ H∗, it holds that $(o \times \sigma)_h(\pi) \triangleq (o \times \sigma)(h\pi) \triangleq o \times \sigma(h\pi) \triangleq o \times \sigma_h(\pi) \triangleq (o \times \sigma_h)(\pi)$. Thus, $((o \times \delta(\sigma))_h, \delta(o \times \sigma)_h) \in R$, as desired. □

Proof of Theorem 3: Let us define

o , L(o) (6)h , L(h) (7)

σ + σ′ , L(σ + σ′) (8)σ;σ′ , L(σ;σ′) (9)σ〈 f 〉 , L(σ〈 f 〉) (10)σ∗ , L(σ∗) (11)

First, let us prove that they satisfy the BDEs in Table 1.

1. – o(ε) ≜ L(o)(ε) ≜ L(δ(o))(ε) = w(δ(o)) ≜ 1×w(o) = o, where the first equality holds by Proposition 1.

   – By Proposition 4(1) and definition of h-derivative for δ(o), it holds that (o)h ≜ (L(o))h ≜ (L(δ(o)))h = L(δ(o)h) = L(0M) = 0F.

2. – By Proposition 1, h(ε) ≜ L(h)(ε) ≜ L(δ(h))(ε) = w(δ(h)) = w(h) = 0.

   – By the homomorphism properties of L, (h)h′ ≜ (L(h))h′ ≜ (L(δ(h)))h′ = L(δ(h)h′).

     • If h = h′, the definition of h-derivative for δ(h) entails that L(δ(h)h) = L(1M) = 1F;

     • If h ≠ h′, the definition of h′-derivative for δ(h) entails that L(δ(h)h′) = L(0M) = 0F.

3. – By Proposition 1, (σ+σ′)(ε) ≜ L(σ+σ′)(ε) ≜ L(δ(σ+σ′))(ε) = w(δ(σ+σ′)) = w(σ + σ′) ≜ w(σ) + w(σ′) = L(σ)(ε) + L(σ′)(ε) = σ(ε) + σ′(ε), where the last equality holds by Lemma 3.

   – By (8) and Proposition 4(1), (σ + σ′)h ≜ (L(δ(σ + σ′)))h = L(δ(σ + σ′)h). By definition of the operational semantics, δ(σ + σ′)h = ∆, where ∆ is such that σ+σ′ −h→ ∆; thus, it must be ∆ = ∆′ + ∆′′, where σ −h→ ∆′ and σ′ −h→ ∆′′. By definition of · , we have that ∆′ = δ(σh) and ∆′′ = δ(σ′h). Thus, L(δ(σ+σ′)h) = L(δ(σh) + δ(σ′h)) = L(δ(σh +σ′h)) ≜ L(σh +σ′h) = σh +σ′h, where the second equality holds by Lemma 1 and the last one by (8).

4. – By Proposition 1, (σ;σ′)(ε) ≜ L(σ;σ′)(ε) ≜ L(δ(σ;σ′))(ε) = w(δ(σ;σ′)) = w(σ;σ′) ≜ w(σ) ×w(σ′) = L(σ)(ε) × L(σ′)(ε) = σ(ε) × σ′(ε), where the last equality holds by Lemma 3.

   – By (9) and Proposition 4(1), (σ;σ′)h ≜ (L(δ(σ;σ′)))h = L(δ(σ;σ′)h). By definition of the operational semantics, δ(σ;σ′)h = ∆, where ∆ is such that σ;σ′ −h→ ∆; thus, it must be ∆ = (∆′;σ′) + (w(σ) × ∆′′), where σ −h→ ∆′ and σ′ −h→ ∆′′. By definition of · , we have that ∆′ = δ(σh) and ∆′′ = δ(σ′h). Thus, L(δ(σ;σ′)h) = L((δ(σh);σ′) + (w(σ)× δ(σ′h))) ≜ L(δ(σh;σ′) + (w(σ)×δ(σ′h))). By definition of σ and by Lemma 5, w(σ) × δ(σ′h) ∼ δ(σ(ε) × σ′h); moreover, by Lemma 4 and (9), δ(σh;σ′) ∼ δ(L(δ(σh;σ′))) ≜ δ(L(σh;σ′)) = δ(σh;σ′). Hence, L(δ(σh;σ′)+(w(σ)×δ(σ′h))) = L(δ(σh;σ′)+δ(σ(ε) × σ′h)) = L(δ(σh;σ′ +σ(ε) × σ′h)) ≜ L(σh;σ′ +σ(ε) × σ′h) = σh;σ′ +σ(ε)×σ′h, where


the first equality holds by Theorem 4(1) and Proposition 4(2), the second one by Lemma 1 and the last one by (8).

5. – By Proposition 1, (σ〈 f 〉)(ε) ≜ L(σ〈 f 〉)(ε) ≜ L(δ(σ〈 f 〉))(ε) = w(δ(σ〈 f 〉)) = f (w(σ)) = σ(ε), where the last equality holds by definition of w(·) and σ.

   – By (10) and Proposition 4(1), (σ〈 f 〉)h ≜ (L(δ(σ〈 f 〉)))h = L(δ(σ〈 f 〉)h). By definition of the operational semantics, δ(σ〈 f 〉)h = ∆, where ∆ is such that σ〈 f 〉 −h→ ∆; thus, it must be ∆ = ∆′〈 f 〉, where σ −h→ ∆′. By definition of · , we have that ∆′ = δ(σh); thus, L(δ(σ〈 f 〉)h) = L(δ(σh)〈 f 〉). Now, by the fact that δ(EP〈 f 〉) = (δ(EP))〈 f 〉 and by (10), we have that L(δ(σh)〈 f 〉) = L(δ(σh〈 f 〉)) ≜ L(σh〈 f 〉) = σh〈 f 〉.

6. – By Proposition 1, (σ∗)(ε) ≜ L(σ∗)(ε) ≜ L(δ(σ∗))(ε) = w(δ(σ∗)) = w(σ∗). Now, w(σ∗) = 1, if w(σ) = 0, and w(σ∗) = 0, otherwise. We conclude by noting that w(σ) = σ(ε), by definition of w(·) and σ.

   – By (11) and Proposition 4(1), (σ∗)h ≜ (L(δ(σ∗)))h = L(δ(σ∗)h). By definition of the operational semantics, δ(σ∗)h = ∆, where ∆ is such that σ∗ −h→ ∆; thus, it must be ∆ = ∆′;σ∗, where σ −h→ ∆′. By definition of · , we have that ∆′ = δ(σh); thus, L(δ(σ∗)h) = L(δ(σh);σ∗). By Lemma 4 and (11), δ(σ∗) ∼ δ(L(δ(σ∗))) ≜ δ(L(σ∗)) = δ(σ∗). Thus, L(δ(σh);σ∗) = L(δ(σh);σ∗) ≜ L(δ(σh;σ∗)) ≜ L(σh;σ∗) = σh;σ∗, where the first equality holds by Theorem 4(3) and Proposition 4(2), and the last one by (9).

Concerning uniqueness, suppose that there is o that satisfies the first BDE in Table 1; thus, by the coinduction principle, o = o. The case for h is similar. Let us suppose that there is ‘+’ that satisfies the third BDE in Table 1 (uniqueness of ‘ ;’, ‘〈 f 〉’ and ‘ ∗’ can be proved similarly). We now prove that (σ + σ′)(π) = (σ+σ′)(π), for every π; the proof is by induction on π. For the base case, (σ + σ′)(ε) = σ(ε) + σ′(ε) = (σ+σ′)(ε), since both ‘+’ and ‘+’ satisfy the third BDE in Table 1. For the inductive case, let π = hπ′; by definition of h-derivative for FPSs, by the condition on derivatives of the third BDE and by induction hypothesis, (σ+σ′)(hπ′) = ((σ+σ′)h)(π′) = (σh+σ′h)(π′) = (σh+σ′h)(π′) = ((σ+σ′)h)(π′) = (σ+σ′)(hπ′). □
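The six cases checked in the proof above each give an initial output at ε and an h-derivative, and together with σ(hπ′) = σh(π′) these determine σ(π) for every finite high trace π. The Python code below is an added example, not code from the paper: the tuple encoding, the names out, deriv, coeff and SAMPLE, the natural-number semiring NAT, and the encoding of 0F and 1F as the constants 0 and 1 are assumptions made here.

```python
from collections import namedtuple

Semiring = namedtuple("Semiring", "zero one add mul")
NAT = Semiring(0, 1, lambda a, b: a + b, lambda a, b: a * b)  # assumed instance
# Tuple encoding (assumed): ("out", o), ("hi", h), ("sum", s, t), ("seq", s, t),
# ("map", s, f) for s<f>, ("star", s), ("scale", o, s) for o x s.

def out(K, e):
    """Initial output e(eps): first condition of each case 1-6."""
    tag = e[0]
    if tag == "out":
        return e[1]
    if tag == "hi":
        return K.zero
    if tag == "sum":
        return K.add(out(K, e[1]), out(K, e[2]))
    if tag == "seq":
        return K.mul(out(K, e[1]), out(K, e[2]))
    if tag == "map":
        return e[2](out(K, e[1]))
    if tag == "scale":
        return K.mul(e[1], out(K, e[2]))
    return K.one if out(K, e[1]) == K.zero else K.zero  # star, as in case 6

def deriv(K, e, h):
    """h-derivative e_h: second condition of each case 1-6."""
    tag = e[0]
    if tag == "out":
        return ("out", K.zero)  # 0_F, encoded as the constant 0
    if tag == "hi":
        return ("out", K.one if e[1] == h else K.zero)  # 1_F or 0_F
    if tag == "sum":
        return ("sum", deriv(K, e[1], h), deriv(K, e[2], h))
    if tag == "seq":  # s_h ; t  +  s(eps) x t_h
        return ("sum", ("seq", deriv(K, e[1], h), e[2]),
                ("scale", out(K, e[1]), deriv(K, e[2], h)))
    if tag == "map":
        return ("map", deriv(K, e[1], h), e[2])
    if tag == "scale":
        return ("scale", e[1], deriv(K, e[2], h))
    return ("seq", deriv(K, e[1], h), e)  # star: s_h ; s*

def coeff(K, e, trace):
    """sigma(h pi') = sigma_h(pi'): derive along the trace, then read the output."""
    for h in trace:
        e = deriv(K, e, h)
    return out(K, e)

SAMPLE = ("sum", ("seq", ("hi", "a"), ("out", 2)), ("seq", ("hi", "b"), ("out", 3)))  # constructed
```

Calling coeff(NAT, SAMPLE, "a") and coeff(NAT, SAMPLE, "b") yields different low outputs, which is the dependency of low events on high traces that the framework sets out to measure.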

Proof of Corollary 1: The constants defined by (6) and (7) satisfy the first two equalities by definition.

It suffices to prove that (8) satisfies L(P + Q) = L(P) + L(Q). We know by Lemma 4 that δ(P) ∼ δ(L(δ(P))) ≜ δ(L(P)) and, similarly, that δ(Q) ∼ δ(L(Q)); thus, by Lemma 1 and Theorem 4(1), δ(P + Q) = δ(P) + δ(Q) ∼ δ(L(P)) + δ(L(Q)) = δ(L(P) + L(Q)); thus, by the homomorphism properties of L and (8), L(P + Q) = L(L(P) +L(Q)) = L(P) +L(Q).

It suffices to prove that (9) satisfies L(P; Q) = L(P);L(Q). Lemma 4 entails that δ(P) ∼ δ(L(P)) and δ(Q) ∼ δ(L(Q)); thus, by definition of ‘;’ and Theorem 4(3), δ(P; Q) ≜ δ(P); Q ∼ δ(L(P));L(Q) ≜ δ(L(P);L(Q)). By the homomorphism properties of L and (9), L(P; Q) = L(L(P);L(Q)) = L(P);L(Q).

It suffices to prove that (10) satisfies L(P〈 f 〉) = L(P)〈 f 〉. Lemma 4 and Theorem 2(3) entail that δ(P〈 f 〉) ∼ δ(L(P)〈 f 〉); thus, by the homomorphism properties of L and (10), L(P〈 f 〉) = L(L(P)〈 f 〉) = L(P)〈 f 〉.


It suffices to prove that (11) satisfies L(P∗) = L(P)∗. Lemma 4 and Theorem 2(4) entail that δ(P∗) ∼ δ(L(P)∗); thus, by the homomorphism properties of L and (11), L(P∗) = L(L(P)∗) = L(P)∗. □
