Information Flow Security in Boxed Ambients

Silvia Crafa, Michele Bugliesi (Dipartimento di Informatica, Università Ca' Foscari, Venezia, Italy)

Giuseppe Castagna (Département d'Informatique, École Normale Supérieure, Paris, France)

Abstract

We study the problem of secure information flow for Boxed Ambients in terms of non-interference. We develop a sound type system that provides static guarantees of absence of unwanted flow of information for well-typed processes. Non-interference is stated, and proved, in terms of a typed notion of contextual equivalence for Boxed Ambients akin to the corresponding equivalence defined for Mobile Ambients.

1 Introduction

The calculus of Boxed Ambients [4] is a novel process calculus derived from Mobile Ambients [8] to provide finer grained abstractions for resource protection and access control in systems of distributed and mobile agents.

In Mobile Ambients, abbreviated MA, agents are processes of the form $n[P]$, representing the ambient named $n$ executing the process $P$. Processes can be composed in parallel, as in $P \mid Q$, exercise a capability, as in $M.P$, declare local names, as in $(\nu n)P$, or simply do nothing, as in $\mathbf{0}$. Ambients may be nested to form a tree structure that can be dynamically reconfigured by exercising the capabilities $\mathsf{in}$, $\mathsf{out}$ and $\mathsf{open}$. As an example, the system

$m[\,\mathsf{in}\ n.P_1 \mid p[\,\mathsf{out}\ n.P_2\,]\,] \mid n[\,\mathsf{open}\ m.Q\,]$

contains two ambients, $m$ and $n$, running in parallel. The system may evolve as follows. First, ambient $m$ may migrate to $n$ by exercising the capability $\mathsf{in}\ n$:

$n[\,\mathsf{open}\ m.Q \mid m[\,P_1 \mid p[\,\mathsf{out}\ n.P_2\,]\,]\,]$

Now $n$ may "dissolve" $m$, unleashing its contents: $n[\,Q \mid P_1 \mid p[\,\mathsf{out}\ n.P_2\,]\,]$. Finally, $p$ may exit $n$: $n[\,Q \mid P_1\,] \mid p[\,P_2\,]$. In addition, ambients and processes may communicate. In MA, communication is anonymous, and happens inside ambients. The system $(x)P \mid \langle M\rangle$ represents the parallel composition of two processes, the output process $\langle M\rangle$ "dropping" the message $M$, and the input process $(x)P$ reading the message $M$ and continuing as $P\{x := M\}$.

Email: {silvia,michele}@dsi.unive.it; [email protected]

The calculus of Boxed Ambients, henceforth BA, is a variant of MA from which it inherits the primitives $\mathsf{in}$ and $\mathsf{out}$ (but not $\mathsf{open}$) for mobility, with exactly the same semantics. As for communication, besides local exchanges, BA relies on an additional set of primitives that provide for the exchange of values across ambient boundaries, between parent and child. Syntactically, this is achieved by means of tags that specify the location with which the exchange should take place: as an example, $(x)^{n}P$ indicates an input from a child ambient named $n$, while $\langle M\rangle^{\uparrow}$ is an output to the parent ambient (in the latter case we speak of an upward exchange). The semantics of parent-child exchanges is defined by the following reductions¹:

$(x)^{n}P \mid n[\,\langle M\rangle^{\uparrow}Q\,] \;\to\; P\{x := M\} \mid n[\,Q\,]$

$\langle M\rangle^{n}P \mid n[\,(x)^{\uparrow}Q\,] \;\to\; P \mid n[\,Q\{x := M\}\,]$

This semantics of communication yields, as a byproduct, a direct interpretation of the local and upward anonymous channels of an ambient as that ambient's "resource space": the local channel is private to the ambient, whereas the upward channel is available for access by clients. By relying on this interpretation, one can formalize a precise notion of resource access, namely: $(x)^{n}P$ is a read access to $n$, whereas $\langle M\rangle^{n}P$ is a write access.

In [5] we showed that BA provides an effective framework for resource access security: specifically, we used a typed version of BA to model multilevel Mandatory Access Control (MAC) policies, including both military (no read-up, no write-down) and commercial (no read-up, no write-up) security².

Boxed Ambients and Information Flow Security

The type system we defined in [5] was targeted at resource access control, and specifically designed to protect resources, viz. channels, from undesired uses by unauthorized clients. Here, we change perspective, and focus on a different analysis that targets information flow. To motivate the change in perspective, consider the following example, where $l$ is a "low-level" ambient and $h$ a "high-level" one:

$l[\,(x)^{h}P \mid h[\,\langle M\rangle^{\uparrow}Q \mid R\,]\,]$   (1)

¹ These are not the reductions we introduced in [5,4]. The choice of the present new semantics is motivated in Section 2.

² Although the resource access control policies we study in [5] are based on a different reduction semantics, those techniques adapt smoothly to the new semantics (cf. Section 2 for a discussion).

In the system of [5] the attempt by the process enclosed in the low-level ambient $l$ to read from $h$ is classified as a read-up, and therefore rejected as "insecure" by both military and commercial security, regardless of the information content of $M$. On the other hand, if the expression $M$ is public, i.e., low-level, there is no reason for disallowing the read access: a piece of data is flowing from high to low, but the flow is "secure" as the piece of data carries a "low" information content.

The goal of the present paper is to provide static safeguards against "unsafe" flow of information. A first, rather intuitive, notion of information flow may directly be related to the flow of data: a system is "secure" if no high-level data flows from high-level to low-level principals. This form of secure information flow is easily accounted for, and enforced, by a static control over the transport layer used for data communication, viz. channels. If we classify data and channels according to their security levels, absence of this form of "explicit" flow of information can be guaranteed by requiring that:

(†) High-level data be only communicated along high-level channels, and high-level channels be only located within high-level subjects.

A subtler, and more interesting, notion of information flow security is related to the presence of implicit flow of information, resulting from indirect ways of transmitting information (namely, covert channels) via system-wide side effects. To illustrate, consider the following specialization of the system (1) above, where $P$ is "low level":

$l[\,(x)^{h}\langle N\rangle^{\uparrow} \mid h[\,\langle M\rangle^{\uparrow}\,]\,] \mid (x)^{l}P$   (2)

Assuming that $M$ and $N$ are low-level values, there is no direct flow in this system. However, a covert channel is established between $P$ and the ambient $h$, as $P$ is unleashed by an exchange that depends on the presence of the high ambient $h$, and the very presence (or absence) of a high-level ambient can be assimilated to a bit of high-level information that, in the system in question, flows downwards.

Information Flow Security and Non-interference

Defining what is exactly meant by (implicit) information flow can be hard (perhaps impossible), and various authors have instead relied on non-interference, a concept of easier formalization which implies absence of flow.

The notion of non-interference was first proposed by Goguen and Meseguer[14] for deterministic state machines. The idea is to determine whether in a givensystem the “inputs” of high level subjects (or “users”) may influence, i.e. interferewith, the “outputs” of low level subjects. If the latter are invariant on the former,then the system is decreed interference free.

Non-interference was later [13] reformulated in a CCS-like process calculusas the so-called Non Deducibility on Composition (NDC) property, which impliesthat low-level observers are insensitive to the presence of high-level components(sources) in the system. Here we take the same approach, and rephrase the NDCproperty to capture ambient-based specific aspects of computation, namely, localityand mobility.


Overview

Our technique for providing guarantees of non-interference in BA is based on static typing. We rely on types both to formalize the notions of high and low data and processes, and to define the relation of process equivalence underlying the definition of non-interference.

The type system is based on ambient and capability types akin to those em-ployed in companion type systems for MA. In addition, the types of our type systemcarry security annotations that define the security clearance of values and processes.Processes have the clearance of their enclosing ambient, while values (i.e. capabil-ities and names) are assigned security levels as follows: names have the securitylevel associated to their type, while capabilities are decreed “low-level” data, basedon the observation that capabilities do not disclose their target ambient names, andhence provide rather limited control over such names.

Having partitioned data and processes into "high" and "low", we then single out the set $\mathcal{H}$ of high level sources as the set of all processes that can only produce high-level "inputs", where an "input" corresponds to the presence, at top level, either of a communication, or an ambient, or a mobility action. Again, this notion is formalized with the help of the type system (see Section 3).

As the next step of our formalization, we introduce a relation of behavioral equivalence to compare processes. This relation is a typed version of the equivalence relation introduced in [9] for MA: a contextual equivalence that equates two processes if and only if they admit the same elementary observations whenever they are inserted inside any arbitrary, but well-typed, enclosing context. Our observability predicate is akin to the one studied in [9], but refined to capture the core form of interaction between Boxed Ambients, namely, the ability for an ambient to exchange values along its upward channel. We thus say that a process $P$ exhibits a name $n$ if $P$ (reduces, in any number of steps, to a process that) contains an ambient $n$ that may accept interactions with the external environment, that is, if $P$ (or any of the processes it reduces to) is structurally equivalent to $(\nu m_1)\cdots(\nu m_k)(\,n[\,\langle M\rangle^{\uparrow}P' \mid Q'\,] \mid R'\,)$ where $n \notin \{m_1, \ldots, m_k\}$. Even though this notion of observation is specifically focused on communication, ambient mobility is still observed, indirectly, via its consequences on upward communications, as the following example illustrates (the presence of a high level ambient $h$ triggers the upward communication of the low-level ambient $l$):

$(x)^{l}P \mid l[\,\mathsf{in}\ h.\mathsf{out}\ h.\langle M\rangle^{\uparrow}\,] \mid h[\,]$

Finally, we introduce the notion of contextual equivalence induced by a low level observation: two (well-typed) processes $P$ and $Q$ are equivalent, $P \cong_{L} Q$, if whenever they are inserted inside an arbitrary (well-typed) context, they exhibit the same low level names. Based on that, we can phrase the NDC property of [13] for BA as:

(‡) A process $P$ is interference free if and only if $\forall H \in \mathcal{H}.\ P \mid H \cong_{L} P$.

As in [13], non-interference of $P$ is checked only against high-level sources that appear in parallel with $P$. This is rather natural in that context, since the topology of CCS processes is completely flat. On the contrary, in BA ambients may be nested arbitrarily and, consequently, a high-level process interacting with $P$ may also (i) enclose $P$ or (ii) be enclosed within $P$. It would then appear that our definition of non-interference should be generalized to capture these additional cases. The definition as given, however, does address these cases, as ambients running in parallel may nest arbitrarily as a result of mobility.

Main results and paper plan

The main contributions of the paper are (i) the definition of a sound type system for the new version of BA and, more importantly, (ii) a proof that well-typed processes are indeed interference free, in the sense we just outlined. The non-interference proof builds on the technical tools developed in [9] by Cardelli and Gordon for MA, adapting them to BA, and relies critically on the choice of contextual equivalence as the underlying equivalence relation. In fact, as we discuss in Section 6, our present results do not extend to finer equivalence relationships, such as barbed congruence [19].

The paper continues as follows. In Section 2 we present a new version of the Boxed Ambients calculus, that differs from [4] in the semantics of its communication model. The resulting calculus has a simpler presentation and its finer-grained control over ambient interactions more naturally enables the development of an algebraic theory and a security assessment. In Section 3 we describe a sound type system for BA, whose well-typed processes are proved in Section 4 to be interference free. Sections 5 and 6 are dedicated to related work and conclusions.

2 Boxed Ambients

In this section we review the syntax of Boxed Ambients from [4], and we present a new reduction semantics, borrowed from [11] (where it was first introduced for the Seal Calculus), and defined in terms of new rules for communication across ambient boundaries. The new calculus still adheres to the principle of resource locality distinctive of the original calculus, while at the same time providing ambients with full control of the exchanges they may have with their children.

2.1 Syntax

The syntax of the typed calculus is defined by the following productions:

Expressions
    M ::= n                          names
          x                          variables
          in M                       enter M
          out M                      exit M
          M.M                        path

Locations
    η ::= M                          names, variables
          ↑                          parent ambient
          ⋆                          local

Processes
    P ::= 0                          stop
          M.P                        action
          (νn:W)P                    restriction
          P | P                      composition
          M[P]                       ambient
          !P                         replication
          (x1:W1, …, xk:Wk)^η P      input
          ⟨M1, …, Mk⟩^η P            output

Expression Types
    W ::= Amb[E]                     ambient
          Cap                        capability

Process Types
    T ::= [E, F]                     composite exchange

Exchanges
    E, F ::= shh                     no exchange
             W1 × … × Wk             exchange

As in MA, processes can be named, as in $n[P]$, be composed in parallel and replicated, exercise a capability $\mathsf{in}$ or $\mathsf{out}$, declare local names, do nothing or exchange values. Input processes may read a value locally, as in $(x{:}W)^{\star}P$, from a subambient named $n$, as in $(x{:}W)^{n}P$, or from the enclosing context: $(x{:}W)^{\uparrow}P$. Corresponding primitives are provided for output. As usual, the syntax allows the formation of meaningless process forms such as $\mathsf{in}\,(\mathsf{out}\ m)$ or $(\mathsf{out}\ n)[P]$: these terms may arise as a result of reduction, but only for ill-typed terms. We use a number of notation conventions. We use $m, n, \ldots, q$ to range over names, $x, y, z$ over variables, and $a, b, c$ over both. We write $(\tilde{x}{:}\tilde{W})P$ for $(x_1{:}W_1, \ldots, x_k{:}W_k)P$, $\langle\tilde{M}\rangle$ for $\langle M_1, \ldots, M_k\rangle$, and $(\nu\tilde{p})P$ for $(\nu p_1)\cdots(\nu p_k)P$. As usual we omit trailing dead processes, writing $M$ for $M.\mathbf{0}$, $\langle\tilde{M}\rangle$ for $\langle\tilde{M}\rangle\mathbf{0}$, and $a[\,]$ for $a[\mathbf{0}]$. We also omit type annotations in restrictions and input prefixes when they are not important. Finally, the superscript $\star$ denoting local communication is omitted.

2.2 Dynamic Semantics

The definition of the sets of free names $\mathit{fn}(P)$ and free variables $\mathit{fv}(P)$ of a process $P$ is straightforward, once we know that the former are bound by restrictions and the latter by input prefixes. We identify processes up to $\alpha$-renaming of bound names and variables. Furthermore, assuming that $\tilde{x}$ and $\tilde{M}$ stand for $x_1, \ldots, x_k$ and $M_1, \ldots, M_k$, we write $P\{\tilde{x} := \tilde{M}\}$ to indicate the capture-avoiding, simultaneous substitution of $M_i$ for $x_i$ within $P$.

Structural congruence is defined as the least congruence relation that is a commutative monoid for $\mathbf{0}$ and $\mid$ and closed under the following rules:

(Res Dead)    $(\nu n)\mathbf{0} \equiv \mathbf{0}$
(Path Assoc)  $(M.M').P \equiv M.(M'.P)$
(Repl)        $!P \equiv\ !P \mid P$
(Res Res)     $(\nu n)(\nu m)P \equiv (\nu m)(\nu n)P$, for $n \neq m$
(Res Par)     $(\nu n)(P \mid Q) \equiv P \mid (\nu n)Q$, for $n \notin \mathit{fn}(P)$
(Res Amb)     $(\nu n)a[P] \equiv a[(\nu n)P]$, for $n \neq a$

Structural congruence is used in the definition of the reduction relation of Figure 1.

Evaluation Contexts    $\mathcal{E} ::= [-] \;\;|\;\; P \mid \mathcal{E} \;\;|\;\; \mathcal{E} \mid P \;\;|\;\; (\nu n)\mathcal{E} \;\;|\;\; n[\mathcal{E}]$

(ENTER)     $n[\,\mathsf{in}\ m.P \mid Q\,] \mid m[\,R\,] \;\to\; m[\,n[\,P \mid Q\,] \mid R\,]$
(EXIT)      $m[\,n[\,\mathsf{out}\ m.P \mid Q\,] \mid R\,] \;\to\; n[\,P \mid Q\,] \mid m[\,R\,]$
(LOCAL)     $(\tilde{x})P \mid \langle\tilde{M}\rangle Q \;\to\; P\{\tilde{x} := \tilde{M}\} \mid Q$
(INPUT n)   $(\tilde{x})^{n}P \mid n[\,\langle\tilde{M}\rangle^{\uparrow}Q \mid R\,] \;\to\; P\{\tilde{x} := \tilde{M}\} \mid n[\,Q \mid R\,]$
(OUTPUT n)  $\langle\tilde{M}\rangle^{n}P \mid n[\,(\tilde{x})^{\uparrow}Q \mid R\,] \;\to\; P \mid n[\,Q\{\tilde{x} := \tilde{M}\} \mid R\,]$
(STRUCT)    if $P \equiv P'$, $P' \to Q'$ and $Q' \equiv Q$, then $P \to Q$
(CONTEXT)   if $P \to Q$, then $\mathcal{E}[P] \to \mathcal{E}[Q]$

Fig. 1. Reduction: $P \to Q$

Ambient mobility is governed by the rules (ENTER) and (EXIT) of the Mobile Ambients. Communication can be local, as in Mobile Ambients, or across ambient boundaries, between parent and child. The rules for communication are different from those of [4]. The original formulation of the reduction semantics used different interaction patterns, as parent-child synchronization always involved a local prefix, as illustrated by the following example:

$n[\,(x)^{m}P \mid m[\,\langle M\rangle P \mid (x)Q \mid q[\,\langle N\rangle^{\uparrow}\,]\,]\,]$   (3)

The ambient $n$ makes a downward request to read $m$'s local value $M$, while the ambient $q$ makes an upward write request to communicate its value $N$ to its parent. With the original semantics, the input prefix of $(x)Q$ can non-deterministically synchronize with either output. With the new semantics, instead, the only enabled exchange in the system (3) above is the local exchange between $P$ and $Q$, as synchronization requires downward and upward exchange requests to "match".

The new reductions still fit the design principles of BA, that is resource locality. An ambient can be viewed as possessing two channels: a private channel which is only available for local exchanges, and an "upward channel" which the ambient offers to its enclosing context for read and write access. There are at least two reasons in favor of the new semantics. First, it enhances the algebraic theory of the calculus, by reducing the intrinsic non-determinism of the original semantics of communication. Secondly, it enhances the typing of mobility, as mobility can be typed independently of communication (see next section). Of course, there also are tradeoffs. In fact, the new reductions require an ambient to know the names of its children in order to communicate with them. This makes it difficult to encode certain protocols, such as broadcasting a message to all the children, that were instead easily expressed with the original semantics. We leave a discussion on the relative expressive power between the two versions for future work, and focus on information flow security instead.
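To make the difference between the two communication semantics concrete, the following is a small executable model of the reduction rules of Fig. 1. It is an example added for this page, not a tool from the paper: the constructor names (`Amb`, `In`, `Out`, `Inp`, `Msg`), the encoding of parallel composition as a tuple of components (a "soup"), string-valued messages, the `new` flag that switches to the original BA semantics (where a cross-boundary request synchronises with a local prefix on the other side), and the sample systems built from examples (2) and (3) and from the mobility example of Section 1 are all choices of this example. Restriction and replication are not modelled. `exhibits` implements the observation predicate of Section 1 (a top-level ambient with an upward output enabled), so the last two systems show the covert channel of example (2): the low ambient `l` is exhibited exactly when the high ambient `h` is present.

```python
# Added model of the BA reduction rules of Fig. 1 (not the authors' tool). A
# 'soup' is a tuple of parallel components; () is the dead process 0. Message
# values are plain strings. new=False selects the original BA semantics, where a
# cross-boundary request synchronises with a LOCAL prefix on the other side.
from dataclasses import dataclass

@dataclass(frozen=True)
class Amb: name: str; body: tuple           # n[P]
@dataclass(frozen=True)
class In: target: str; cont: tuple          # in m.P
@dataclass(frozen=True)
class Out: target: str; cont: tuple         # out m.P
@dataclass(frozen=True)
class Inp: var: str; loc: str; cont: tuple  # (x)^loc P; loc is '*', '^' or a child name
@dataclass(frozen=True)
class Msg: val: str; loc: str; cont: tuple  # <M>^loc P, same locations as Inp

def subst(soup, x, m):
    """P{x := m}; the examples use distinct bound variables, so no capture arises."""
    r = lambda s: m if s == x else s
    out = []
    for p in soup:
        if isinstance(p, Amb): out.append(Amb(r(p.name), subst(p.body, x, m)))
        elif isinstance(p, In): out.append(In(r(p.target), subst(p.cont, x, m)))
        elif isinstance(p, Out): out.append(Out(r(p.target), subst(p.cont, x, m)))
        elif isinstance(p, Inp):
            out.append(p if p.var == x else Inp(p.var, r(p.loc), subst(p.cont, x, m)))
        else: out.append(Msg(r(p.val), r(p.loc), subst(p.cont, x, m)))
    return tuple(out)

def put(soup, i, parts, j=None, parts_j=()):
    """Rebuild a soup with component i (and optionally j) replaced by new parts."""
    return tuple(q for k, p in enumerate(soup)
                 for q in (parts if k == i else parts_j if k == j else (p,)))

def successors(soup, new=True):
    """All soups reachable in one step: ENTER, EXIT, LOCAL, INPUT n, OUTPUT n,
    closed under CONTEXT. Commutativity of | is implicit in the soup encoding."""
    res, tag = [], '^' if new else '*'          # tag the child's prefix must carry
    for i, p in enumerate(soup):
        for j, q in enumerate(soup):
            if i == j: continue
            if isinstance(p, Amb) and isinstance(q, Amb):                 # (ENTER)
                for k, a in enumerate(p.body):
                    if isinstance(a, In) and a.target == q.name:
                        moved = Amb(p.name, put(p.body, k, a.cont))
                        res.append(put(soup, i, (), j, (Amb(q.name, q.body + (moved,)),)))
            if isinstance(p, Inp) and isinstance(q, Msg) and p.loc == q.loc == '*':
                res.append(put(soup, i, subst(p.cont, p.var, q.val), j, q.cont))  # (LOCAL)
            if not isinstance(q, Amb): continue
            for k, a in enumerate(q.body):
                ploc, aloc = getattr(p, 'loc', None), getattr(a, 'loc', None)
                hit = (ploc == q.name and aloc == tag) or \
                      (not new and ploc == '*' and aloc == '^')
                if isinstance(p, Inp) and isinstance(a, Msg) and hit:       # (INPUT n)
                    res.append(put(soup, i, subst(p.cont, p.var, a.val), j,
                                   (Amb(q.name, put(q.body, k, a.cont)),)))
                if isinstance(p, Msg) and isinstance(a, Inp) and hit:       # (OUTPUT n)
                    res.append(put(soup, i, p.cont, j,
                                   (Amb(q.name, put(q.body, k, subst(a.cont, a.var, p.val))),)))
        if isinstance(p, Amb):
            for k, a in enumerate(p.body):                                  # (EXIT)
                if isinstance(a, Amb):
                    for t, b in enumerate(a.body):
                        if isinstance(b, Out) and b.target == p.name:
                            res.append(put(soup, i, (Amb(a.name, put(a.body, t, b.cont)),
                                                     Amb(p.name, put(p.body, k, ())))))
            for body in successors(p.body, new):                            # (CONTEXT)
                res.append(put(soup, i, (Amb(p.name, body),)))
    return res

def exhibits(soup, name, new=True, fuel=200):
    """Observation of Section 1: does some reduct contain a top-level ambient
    `name` with an upward output enabled? (bounded search over reducts)"""
    seen, todo = set(), [soup]
    while todo and fuel > 0:
        s, fuel = todo.pop(), fuel - 1
        if s in seen: continue
        seen.add(s)
        if any(isinstance(p, Amb) and p.name == name and
               any(isinstance(a, Msg) and a.loc == '^' for a in p.body) for p in s):
            return True
        todo.extend(successors(s, new))
    return False

# Example (3): n[(x)^m P | m[<M>P | (x)Q | q[<N>^]]] with dead continuations.
SYS3 = (Amb('n', (Inp('x', 'm', ()), Amb('m', (Msg('M', '*', ()), Inp('x', '*', ()),
                                              Amb('q', (Msg('N', '^', ()),)))))),)
# Example (2): l[(x)^h <N>^ | h[<M>^]] | (x)^l P, and the same system without h.
SYS2 = (Amb('l', (Inp('x', 'h', (Msg('N', '^', ()),)), Amb('h', (Msg('M', '^', ()),)))),
        Inp('y', 'l', ()))
SYS2_NO_H = (Amb('l', (Inp('x', 'h', (Msg('N', '^', ()),)),)), Inp('y', 'l', ()))
# Mobility example of Section 1: (x)^l P | l[in h.out h.<M>^] | h[], with and without h.
SYS_MOB = (Inp('y', 'l', ()), Amb('l', (In('h', (Out('h', (Msg('M', '^', ()),)),)),)), Amb('h', ()))
SYS_MOB_NO_H = SYS_MOB[:2]
```

Under the new semantics `successors(SYS3)` contains a single soup (the local exchange inside `m`), while `successors(SYS3, new=False)` contains three, matching the non-determinism discussed above; `exhibits(SYS2, 'l')` holds but `exhibits(SYS2_NO_H, 'l')` does not, and likewise for `SYS_MOB`, where `l` is only exhibited after entering and leaving `h`.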

2.3 Static semantics

The structure of types for BA is similar to that of companion type systems for the MA [10,6].

Ambient Types. Like Mobile Ambients, Boxed Ambients are 'places of conversation'. However, Boxed Ambients allow more than just one "topic" of conversation: in particular, the type of an ambient shows the topic of its upward conversations, but the values it exchanges locally and with its children may have different types. More precisely, $\mathsf{Amb}[E]$ is the type of all ambients whose channel for external communication carries values of type $E$.

Process Types. The types of processes are defined as two-place constructors $[E, F]$ that trace the types of the local ($E$) and upward ($F$) exchanges that processes with this type may have.

Capability Types. All capabilities are assigned a type constant, noted $\mathsf{Cap}$. This is possible, and sound, because the new semantics of communication disentangles the local exchanges of an ambient from the upward accesses attempted by any nested sub-ambients. As a consequence, ambient mobility in the new calculus is not constrained by the type of values exchanged within ambients, and is thus orthogonal to communication. Thus, the moded types we studied in [4] are not needed here, as ambient mobility has no constraint. To exemplify, consider the following process:

$n[\,(x{:}W)R \mid \langle M\rangle \mid (x{:}W_1)^{m}P \mid (y{:}W_2)^{q}Q \mid m[\,\langle N_1\rangle^{\uparrow}\,] \mid q[\,\langle N_2\rangle^{\uparrow}\,]\,]$

The process above can be safely typed with any process type, provided that (i) $M$, $N_1$, $N_2$ have types, respectively, $W$, $W_1$, $W_2$, (ii) $m$ and $q$ have types $\mathsf{Amb}[W_1]$ and $\mathsf{Amb}[W_2]$, (iii) $P$, $Q$ and $R$ have type $[W, F]$ where $F$ is an exchange type such that $n : \mathsf{Amb}[F]$. In particular, in the process above there is no risk of type confusion between the three exchanged values $M$, $N_1$, $N_2$, since read requests from children are distinct, and they do not interfere with local communication.

The typing rules are summarized in Figure 2. The system satisfies the following fundamental property:

Proposition 2.1 (Subject Reduction) If $\Gamma \vdash P : T$ and $P \to Q$ then $\Gamma \vdash Q : T$.

Proof. Follows as a corollary of Proposition 3.2. □

3 A Type System for Secure Information Flow

In this section we enrich the type system of BA so as to provide static safeguards against insecure flow of information in the evolution of well-typed processes.

We presuppose a complete lattice of security levels $(\Sigma, \le)$, and let $\sigma, \rho, \tau$ range over security levels. We then partition the elements of this lattice into two classes, 'high' and 'low', as formalized in the following definition.

Definition 3.1 [Low and High levels] Let $(\Sigma, \le)$ be a complete lattice of security levels. A security classification is a partition of $\Sigma$ into two non-empty sets $L$ and $H$, with $L$ downward closed. Based on this classification, we then define the order $\sqsubseteq$ on security levels used in the rest of the section.

3.1 Types and Judgments

The types $E$ of exchanges, and the types of processes, are defined as in Section 2. The types of expressions are redefined as follows:

Expression Types
    W ::= Amb^σ[E]                   ambient
          uCap^σ                     unsafe capability
          sCap^σ                     safe capability

Each ambient type is annotated with a security level that defines the clearance of the ambient names with that type. Capability types also have an associated security level, and are partitioned into safe and unsafe. In particular, $\mathsf{uCap}^{\sigma}$ is the type of dangerous capabilities, those that are potential sources of flow of information: the typing rules will ensure that such capabilities may only be exercised within high-level ambients. Capability types are also annotated with a security level: while the annotation of ambient types is used to assign a security level to an ambient, the annotations of capability types are used to record the security of the actions performed by a process. The intuition is that in $\mathsf{Cap}^{\sigma}$ (with $\mathsf{Cap} \in \{\mathsf{uCap}, \mathsf{sCap}\}$), $\sigma$ is the greatest lower bound of (the security levels of) the capabilities on a path. This is formalized by the following "cap-type" composition:

$\mathsf{sCap}^{\sigma} \cdot \mathsf{sCap}^{\rho} = \mathsf{sCap}^{\sigma \sqcap \rho}$

$\mathsf{uCap}^{\sigma} \cdot \mathsf{uCap}^{\rho} = \mathsf{sCap}^{\sigma} \cdot \mathsf{uCap}^{\rho} = \mathsf{uCap}^{\sigma} \cdot \mathsf{sCap}^{\rho} = \mathsf{uCap}^{\sigma \sqcap \rho}$


Fig. 2. Type system. Rules: (ENV EMPTY), (ENV NAME), (PROJECTION), (SUB PROC), (SUBSUMPTION), (IN), (OUT), (PATH), (PREFIX), (PAR), (NEW), (AMB), (DEAD), (REPL), (INPUT), (OUTPUT), (INPUT ↑), (OUTPUT ↑), (INPUT n), (OUTPUT n). Figure not reproduced.

where $\sqcap$ is relative to the order $\sqsubseteq$ introduced in Definition 3.1.

The next step is to determine the security clearance of the values that are exchanged in a process communication. This is formalized by the following level function $\lambda : \textit{Exchange Types} \to \textit{Security Levels}$, where $\mathsf{Cap} \in \{\mathsf{uCap}, \mathsf{sCap}\}$, and $\bot$ is the bottom element in the lattice of security levels.

$\lambda(\mathsf{Amb}^{\sigma}[E]) = \sigma$

$\lambda(W_1 \times \cdots \times W_k) = \bigsqcup\{\lambda(W_1), \ldots, \lambda(W_k)\}$

$\lambda(\mathsf{shh}) = \lambda(\mathsf{Cap}^{\sigma}) = \bot$

As we anticipated in the Introduction, we are thus stipulating that capabilities should always be considered 'low-level' values, as passing a capability does not disclose the name occurring in the capability. Notice, furthermore, that the type of a capability does trace the level of the target ambient: this information is needed to detect flows of information resulting from exercising (as opposed to exchanging) the capability in question.

The type system is defined in terms of the following classes of judgments.

$\Gamma \vdash \diamond$                        Well-formed Type Environment
$\Gamma \vdash E$                               Well-formed Exchange Type
$\Gamma \vdash_{\sigma} [E, F]$                 Well-formed Process Type at level $\sigma$
$\Gamma \vdash M : W$                           Well-typed Expression
$\Gamma \vdash^{\sigma}_{\rho} P : [E, F]$      Well-typed Process

The judgments for well-formed (exchange and process) types are used to enforce a safe flow of data along the (anonymous) communication channels inside and across ambient boundaries. In the judgment for well-typed processes, we use two annotations on the turnstile, with the following intended meaning: $\sigma$ is the clearance of the ambient enclosing $P$ (if any), while $\rho$ is the lower bound on the clearance of the actions encountered so far, and it helps define the clearance at which $P$ should type-check. To understand the rationale of the typing rules, consider the following examples (as usual, $l$ denotes a low-level ambient, while $h$ and $k$ are high-level).

- The process $l[\,(x)^{h}\langle M\rangle^{\uparrow}\,]$ is not safe, because the observable upward exchange of $M$ is enabled as a result of $l$ exchanging a value with the high-level subambient $h$. Observing an upward communication on $l$ may thus reveal the presence of the high level ambient $h$ within $l$. The very same reasoning shows that, instead, $k[\,(x)^{h}\mathbf{0} \mid \langle M\rangle^{\uparrow}\,]$ is a secure process.

Flows of information may arise from subtler combinations of high-level and low-level actions. In particular, such actions need not occur sequentially as suggested by the example above. An implicit flow of information may also arise as a result of running two parallel threads:

- The process $l[\,(x)^{h}\langle N\rangle P \mid (y)\langle M\rangle^{\uparrow}\,]$ is not secure because the local exchange 'links' the two threads, thus determining a causal dependency, and hence an implicit flow of information.


Both the previous examples show that 'secure' processes should satisfy a very basic invariant, namely that 'actions' following a high-level synchronization (like $(x)^{h}$) must not be available for further low-level-context interactions. This explains the role of $\rho$ in the typing judgement of processes. When prefixing a process $P$ with an 'action' (where action means capability, communication, and top level presence of an ambient), that action should have clearance not lower than $\rho$. In other words, $\rho$ should be non-decreasing as a well-typed process progresses. However, this condition is not sufficient by itself.

- Consider the process $P \triangleq h[\,l[\,(x)^{k}\,\mathsf{out}\ h.\mathbf{0}\,]\,]$, where a low-level ambient $l$ first reads from a high-level ambient $k$, and then exits from the high-level location $h$. In this case, the very presence, at top level, of the ambient $l$ represents a public (low-level) piece of information that depends on a private (high-level) one. This is a problem, as the ability to test the presence of $l$ at top level may, implicitly, reveal the presence of $h$ to any low-level observer. To see the problem, and phrase it in terms of non-interference, we may encode the observer as the context $C[-] \triangleq l'[\,\mathsf{in}\ l.\mathsf{out}\ l.\langle N\rangle^{\uparrow}\,] \mid [-]$. Now, taking $H \triangleq k[\,\mathsf{in}\ h.\mathsf{in}\ l.\langle M\rangle^{\uparrow}\mathbf{0}\,]$, a routine check verifies that the context distinguishes $P$ from $P \mid H$.

This last example shows that low-level ambients exiting high-level locations may potentially disclose secret information about that high-level location. This suggests (i) that the $\mathsf{out}$ capability should be deemed unsafe when the target ambient is high-level, and (ii) that only high-level ambients should be allowed to exercise such a capability.

3.2 Typing Rules

Environment and Type Formation. As we anticipated, the rules for well-formed types provide safeguards against explicit flows, in that they guarantee that values of a given level only circulate over channels (or ambients) with higher clearance. This is obtained by requiring that the clearance of an ambient be an upper bound on the clearance of its upward exchanges (rule TYPE AMB) and on the exchanges performed by the processes it contains (rule TYPE PROC).

(ENV EMPTY)

� � �(ENV NAME)� � � = �� � � � � �

��� = 4� ���(TYPE SHH)� ���� � ���$�

(TYPE CAP)� ���� � #���% � � �

(TYPE AMB)� � � �� ��� �� � �� &! � � � �

(TYPE PROC)� � � � �� � ��� � � � � �"!� � � � z � } �

Subtyping and Subsumption. The relation of subtyping coincides with the one defined for the system of Section 2. The rule of subsumption requires the target type to be well-formed to enable type promotion.

(SUB PROC)

� I����$� � � L�� � � I����$� ��� � L� ���2��� � � ��� � �

(SUBSUMPTION)� � ���� �� �� � ����� � ����� � � � ��� � �+� � � � � ��� � �� � ���� �� �� � � ��� � �

Expressions. As suggested by the last example of § 3.1, an out capability should be considered unsafe if its target ambient is high-level. On the other hand, an in capability may safely be exercised by any ambient (a low-level ambient $l$ entering a high-level ambient $h$ may create a flow of information, but only if $l$ were allowed to eventually exit $h$).

(PROJECTION)��� = 4� ��� � ������ = 3� ��� � � = 4�

(PATH)� � G z $#���% � � z � � � G } $#���% � � } � � #���% � I���#���% � : #���% L �� � G z , G } $#���% � � z ��� #���% � � } �

(IN)� � G ��� "! � � � �� � ' ) G ���#���% � � �

(SAFE-OUT)� � G $�� &! � � � � ������� � 9;:�< G ��#���% � � �

(UNSAFE-OUT)� � G ��� &! � � � � � ���� � 9;:�< G : #��$% � � �

Processes. For the rules that follow, we define a safety predicate on the clearance of the enclosing ambient, the current lower bound and the clearance of the action at hand: intuitively, a process $P$ is safe either (i) if it is contained within a high-level ambient, or (ii) if the clearances of the 'actions' performed by $P$ do not decrease as $P$ progresses.

(SAFE-PREFIX)� � G ��#���% ��� �+� � ���� �� �. � ������ ����� � � ��� � � �� � ���� �� G ,-�� � �����

(UNSAFE-PREFIX)� � G : #���% ��� � � � � � � �� �� � ����� � � ��� �� � ���� �� G ,-�� � �����

Safe prefixes are lower-bounded by the current lower bound, following the previous intuition. As an example, the process $(x)^h.\mathit{out}\;l$ is well-typed only at a high level, as it represents a low-level action that depends on (as it follows) a high-level one. Instead, unsafe prefixes may only be exercised within high-level ambients: this prevents low-level ambients from escaping from high-level contexts. Notice that mobility does not affect the lower bound: this is safe and leaves a certain freedom to move (e.g. the path $\mathit{in}\;h.\mathit{in}\;h'$ can be executed also at a low level). The following four rules are standard, and should be self-explanatory.

(PAR)� � ���� �� �� � ����� � � � � � � /� � ������ � � � � � ���M/. � ���2�

(DEAD)� � � � ������ � ���� �� / � �����

(NEW)��� �� �$ "! � � � ( � � ���� �� �� � ���2�� � ���� �� ��� ����� "! � � � ( � ��� � �����

(REPL)� � � � � � �� � ������ � ���� �� 1 �� � �����

The AMB rule implements the idea that an ambient is viewed as an "action". That is why the rule needs the same safety hypothesis as rule SAFE-PREFIX. Furthermore, the process enclosed in $M$ is typed at the clearance of $M$, and with the lower bound initially set to the bottom security level.

(AMB)� � G $�� &! ��� � �'� � �� � � �� � �,� � � � � �)( ��5�� ����� � � ��� � � �� � ���� �� - ! �@#� �)( ��5.�

We finally come to the rules for communication, which test the safety predicate in ways similar to the rules for prefixes. In addition, exchanging a value affects the lower bound in the typing of the continuation process $P$. Thus, when typed at a low level, a process may safely communicate with a high-level subambient, provided that all the subsequent actions are high-level. For instance, the processes $l[(x)^h.\langle x\rangle^h]$ and $l[\langle l_1\rangle.\langle M\rangle^h]$ are well typed, while $l[\langle M\rangle^h.\langle l_1\rangle]$ is not.

(INPUT)��� CE C� � ���� � �� � � � �� � C� � � � � � � � ��� � � � � � � �� � ���� �� �DCE C������ � C� � �

(OUTPUT)� � CG C� � � ���� � �� � � � �� � C� � � � � � � � ��� � � � � � � �� � ���� �� F CGQH �� � C� � �

(INPUTG

)� � G ��� "! ��� � C� �4��� CE C� � ���� � � �� � ����� ��� � � � ��� � � �� � ���� �� �DCE C�Q� 6 �. � ���2�


(OUTPUT 8 )� � 8 $�� &! ��� � C� �4� � CG C� � � � � � � � �� � ������ ����� � � ��� � � �� � ���� �� F CGQH 9 �� � �����

(INPUT 3 )��� CE C� � ���� � �� � � � �� � � C� � � � � � � ��� � � � � � � �� � � � � �� �DCE C�Q� 5 �� � � C� �

(OUTPUT 3 )� � CG C� � � ���� � �� � � � �� � � C� � � � � � � ��� � � � � � � �� � ���� �� F CGQH 5 �� � � C� �
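The discipline described informally in § 3.1 and in this section (a lower bound that never decreases along a thread, a fresh bound inside every ambient, mobility that leaves the bound untouched, exchanges that raise it, an out of a high-level ambient allowed only from within a high-level ambient, and values never travelling over a channel of lower clearance) can be run mechanically on the examples above. The following checker is an added illustration and is not part of the paper or of any implementation by its authors. The two-point lattice, the simplified syntax in which each exchange is tagged with the direction of the communication and the level of the value it carries, and the choice of charging local and upward exchanges at the clearance of the enclosing ambient are assumptions of the example, which approximates the typing rules rather than reproducing them.

```python
"""Added example (not from the paper): a checker for the clearance discipline
of Section 3 over a simplified Boxed-Ambients syntax, on a two-point lattice."""
from dataclasses import dataclass
from typing import Dict, Optional, Union

LOW, HIGH = 0, 1        # two-point security lattice (assumption of the example)
Env = Dict[str, int]    # ambient name -> clearance of that ambient


@dataclass(frozen=True)
class Zero:             # the inactive process 0
    pass

@dataclass(frozen=True)
class Par:              # P | Q
    left: "Proc"
    right: "Proc"

@dataclass(frozen=True)
class Amb:              # n[P]
    name: str
    body: "Proc"

@dataclass(frozen=True)
class Move:             # in n.P  or  out n.P
    cap: str            # "in" or "out"
    target: str
    cont: "Proc"

@dataclass(frozen=True)
class Exch:             # (x)^d.P or <M>^d.P with d in {local, up, down n}
    direction: str      # "local", "up" or "down"
    partner: Optional[str]  # child ambient name when direction == "down"
    value_level: int    # clearance of the value exchanged (assumed annotated)
    cont: "Proc"

Proc = Union[Zero, Par, Amb, Move, Exch]


class FlowError(Exception):
    """The process is rejected; the message names the rule that failed."""


def _safe(pc: int, sigma: int, lvl: int, what: str) -> None:
    # (i) inside a high-level ambient anything goes; (ii) otherwise the action's
    # clearance must not drop below the lower bound reached so far.
    if pc == HIGH or lvl >= sigma:
        return
    raise FlowError(f"implicit flow: {what} (level {lvl}) follows a level-{sigma} action")


def check(p: Proc, env: Env, pc: int = LOW, sigma: int = LOW) -> None:
    """pc: clearance of the enclosing ambient (LOW at top level);
    sigma: lower bound on the clearance of the actions seen so far."""
    if isinstance(p, Zero):
        return
    if isinstance(p, Par):                 # both threads start from the same bound
        check(p.left, env, pc, sigma)
        check(p.right, env, pc, sigma)
    elif isinstance(p, Amb):               # an ambient is itself an action ...
        lvl = env[p.name]
        _safe(pc, sigma, lvl, f"ambient {p.name}")
        check(p.body, env, pc=lvl, sigma=LOW)  # ... and its body restarts at bottom
    elif isinstance(p, Move):
        lvl = env[p.target]
        if p.cap == "out" and lvl == HIGH and pc != HIGH:   # unsafe out
            raise FlowError(f"out {p.target}: only a high-level ambient may exit a high-level one")
        _safe(pc, sigma, lvl, f"{p.cap} {p.target}")
        check(p.cont, env, pc, sigma)      # mobility leaves the lower bound unchanged
    elif isinstance(p, Exch):
        # clearance of the channel: the child for a downward exchange, otherwise
        # the ambient the thread runs in (local and upward exchanges)
        bound = env[p.partner] if p.direction == "down" else pc
        if p.value_level > bound:          # explicit flow: value above its channel
            raise FlowError(f"explicit flow: level-{p.value_level} value on a level-{bound} channel")
        _safe(pc, sigma, bound, f"{p.direction} exchange")
        check(p.cont, env, pc, max(sigma, bound))  # an exchange raises the bound
    else:
        raise TypeError(f"unknown process form {p!r}")


def is_secure(p: Proc, env: Env) -> bool:
    """True iff the checker accepts p under the classification env."""
    try:
        check(p, env)
        return True
    except FlowError:
        return False


# Constructed examples mirroring those discussed in the text (h, h1 high; l, l1 low).
ENV: Env = {"l": LOW, "l1": LOW, "h": HIGH, "h1": HIGH}
EX_SEQ = Amb("l", Exch("down", "h", LOW, Exch("up", None, LOW, Zero())))            # l[(x)^h.<M>^up]
EX_PAR = Amb("l", Par(Exch("down", "h", LOW, Zero()), Exch("up", None, LOW, Zero())))  # l[(x)^h.0 | <M>^up]
EX_OUT = Amb("h", Amb("l", Exch("down", "h1", LOW, Move("out", "h", Zero()))))        # h[l[(x)^h1.out h.0]]
EX_HIGH_OUT = Amb("h", Par(Move("out", "h1", Zero()), Zero()))                         # h[out h1.0 | 0]
EX_PATH = Amb("l", Move("in", "h", Move("in", "h1", Exch("local", None, LOW, Zero()))))  # l[in h.in h1.<M>]
EX_HIGH_THEN_LOW = Amb("l", Exch("down", "h", LOW, Exch("local", None, LOW, Zero())))  # l[<M>^h.<l1>]
EX_EXPLICIT = Amb("l", Exch("up", None, HIGH, Zero()))                                # l[<secret>^up]
```

Calling is_secure on the constructed examples accepts the parallel variant of the first example of § 3.1, the high-level ambient exiting a high-level one, and the path into high-level ambients followed by a low exchange; it rejects the sequential variant, the low-level ambient escaping $h$, the low exchange that follows a high one, and the export of a high value over a low channel. The rejection messages from check distinguish the three reasons (implicit flow, unsafe out, explicit flow).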

As usual, the correctness of the type system is guaranteed by the subject reductionproperty.

Proposition 3.2 (Subject Reduction)If���� � � �� ^ . ��� q�� � and ^ ➞ e then

��� ���� �� e . ��� q�� � .It is rather straightforward to show that the type system detects, and prevents, allunsafe forms of explicit flow, in the sense of property (� ) in the Introduction (cf.page 3). More interestingly, we can show that unsafe implicit flows are also de-tected: this is the topic of the next section.

4 Non-interference

We start by introducing the notion of 'high-level sources', in terms of which we then state our NDC-based definition of non-interference.

Definition 4.1 [High-level Sources] A process ^ is a high-level source if and onlyif j���l �#� � � � �� ^ . � , for some security levels

and with � � , and j ����l if ^ is

of the form gih�^�� then��� g .���� w � � � with

� � � .

Accordingly, high-level sources are well-typed processes that may only engage in 'high' top-level interactions with any context in which they are inserted. This is true of processes in prefixed form by virtue of condition (ii). In addition, an inspection of the typing rules verifies the following properties of any process $P$ such that

� �� � � � ^ . � with � � . First, all the top-level value exchanges with $P$ must be high-level, and so must be all the top-level ambient occurrences in $P$. Secondly, the well-typedness condition ensures that no low-level ambient may escape its enclosing high-level contexts.

Notation: We henceforth write��� ^ . � to indicate that ^ is a high-level source

in�

. Also, we write� � ^ . ��� q�� � and

� � ^ .�� � when�q and/or ��� q�� � are

not relevant.


4.1 Typed Equivalence

Next, we introduce a typed notion of process equivalence. The equivalence is typedas we compare only processes with the same types, and inserted in contexts thatrespect their typing. We formalize these notions below following [22].

A context $C[-]$ is a process term with just one hole $[-]$. We denote with $C[P]$ the process resulting from replacing the hole with $P$ in $C[-]$. Note that variables and names that are free in $P$ may become bound in $C[P]$. Thus we do not identify contexts up to renaming of bound variables and names.

Definition 4.2 [� ��� Context] Let � and � be type environments and � a process type. $C[-]$ is a j � ��� q � l -context if � � ����� . � � is derivable in the type system of Section 3 enriched with a rule that derives � � � � . � for all � extending � .

Intuitively, a j � ��� q � l -context is a context whose hole, of type � , is in the scope of the binders recorded in � , and whose free names and variables are contained in � .

Definition 4.3 [Barbs] Define ^�� 4� ^ � j���� l9j,\~]8%�g)'�5�^�� c+e��_` c e�� ��l b ��

+�32 . A process ^ exhibits the name b , written ^� 4 iff there exists e such that^ 0 � e and e�� 4 , where 0�� is the reflexive and transitive closure of ➞ .

Now we can define our notion of 'low' typed equivalence, relative to an underlying security classification into 'low' and 'high' levels. Based on that, we then give our definition of non-interference.

Definition 4.4 [Typed observational equivalence and Non-interference] Assume� � ^ . � and � � e . � . The two processes are equivalent in � , written� ' ^ 0 � e if and only if for all j � ��� q � l -context

�����with

��� ^ � and��� e �

closed, for all b with 1&j � j b�l�l � � , ��� ^ � 4����� e � 4

Definition 4.5 [Non-interference] Let � be a security lattice and $P$ a process. Given a security classification of � such that � � ^ . � , $P$ is secure for that classification iff � ' ^ 0�� ^ c � for all � such that � � � . � . $P$ is interference-free if it is secure for all security classifications of � .

We conclude with the main result, a theorem that states that the type system guar-antees non-interference for well-typed processes.

Theorem 4.6 (Non-interference)Given any security classification, if � � ^ . � and � � � . � , then � ' ^ 0��^ c � .

Notice that the theorem is stated, and proved, only in reference to well-typed con-texts. Accordingly, the non-interference analysis it addresses corresponds to ver-ifying the ‘internal’ security of a system rather than its security with respect toexternal attackers.

The non-interference proof draws on the technical tools developed by Cardelli and Gordon for Mobile Ambients [9], adapting them to our Boxed Ambients. The non-interference result derives from a lemma that shows that high-level sources are low-level equivalent to the inactive process. More precisely, we show that for every context $C[-]$ and high-level source $H$, if $C[H]$ is well-typed then it is indistinguishable at low level from $C[0]$. Proving this result requires a characterization of all the possible interactions between a process and the surrounding context.

4.2 Discussion

The type system we have defined to derive the non-interference proof is admittedlysomewhat restrictive. While this is unfortunate, the discipline we impose on inter-actions between high and low-level processes has effects comparable to those foundin existing type systems for secure information-flow in simpler process calculi [16],and multi-threaded languages [26,24,1] (cf. Section 5 for a detailed comparison).

Also, even though well-typed processes are constrained in the actions they may perform, the type system still allows non-trivial forms of interaction between high and low levels, both in terms of mobility and of value exchanges. Figure 3 shows the legal flows of information for a well-typed composition of the two processes $P$ and $H$, when $H$ is a high-level source.

[Fig. 3 (diagram): the flows of information of $P \mid H$ between the High and Low levels, with the flows labelled h and l]

Fig. 3. Flows of information of $P \mid H$

In particular, the flows enabled by the type system are (i) those from $H$ to the high sub-processes of $P$ (and vice versa), and (ii) those from the high-level components of $P$ to those low components of $P$ that are not observable since they are shielded by high-level ambients. A low-level observer may thus observe only flows of information between low-level components of $P$ and low-level components of the surrounding context.

Also note that high-level information can be freely exchanged between the high- and low-level processes of $P$, as long as the latter are nested within high-level ambients. This is because the type system ensures that these low sub-processes are confined within high-level ambients.


In the calculus of Mobile Ambients, a similar property would be harder to enforce. This is because the open capability represents an objective action that the context may impose on a process. To see the consequences of that, note that to prove our non-interference theorem in MA, a process $P$ should be checked against all high-level processes that appear in parallel with $P$, in particular against the high-level processes $\mathit{open}\;h.0$, for all high-level names $h$. This implies that processes of the form $h[P]$, with $P$ low-level, should be rejected by the type system as not secure. To motivate, consider the process $P = h[\,l[P']\,]$, for any $P'$, and with $h$ and $l$ high- and low-level names, respectively. This process is not interference-free, as the context $C[-] = l'[\mathit{in}\;l.\mathit{out}\;l.\langle M\rangle^{\uparrow}] \mid [-]$ may distinguish between $P$ and $P \mid \mathit{open}\;h.0$. A similar reasoning applies to the processes $h[\mathit{in}\;l.P \mid Q]$ and $h[\mathit{out}\;h'.P \mid Q]$, and in general to any process $h[P']$ where $P'$ is a low-level process. All such processes are instead well-typed, and interference-free in our calculus, under the additional assumption that the low-level components of $P'$ do not attempt to escape outside $h$.

As a further remark, we note that the proof of non-interference would not go through in the presence of finer equivalence relations such as barbed congruence, bisimulation or must testing. To see the problem with barbed congruence, consider defining $\simeq$ as the barbed congruence relation induced by our observability predicate. Then, take the process $P = l[\langle M\rangle^{\uparrow} \mid \mathit{in}\;h.0]$ and the high-level process $H = h[\,]$. Now take the context $C[-] = [-]$, and observe that $C[P \mid H]$ ➞ $R = h[\,l[\langle M\rangle^{\uparrow}]\,]$, while there exists no process $R'$ such that $C[P]$ ➞ $R'$ and $R \simeq R'$.

5 Related Work

Volpano and Smith [26,24,25], and more recently Boudol and Castellani [1], study type-based techniques to enforce non-interference in multi-threaded imperative languages. In their approach, explicit flow is prevented by imposing constraints on variable assignments, while additional restrictions on conditional commands and while-loops rule out implicit flow. In [1] the authors point out that introducing parallelism may cause new problems, since information flow may be "disguised as control flow", and a program may observe (and be influenced by) the behavior of other concurrent components in the course of their execution. The problem is solved in [25,1] by relying on a form of asynchrony, whereby consulting the value of a high-level variable must not be followed by an assignment to a low variable. In BA we have a similar problem, even though in a different setting, and our solution follows the same rationale, by imposing a non-decreasing clearance on the sequence of 'actions' performed by a process.

More directly related to ours are the type systems for the π-calculus by Honda et al. [17] and for the security π-calculus by Hennessy and Riely [16]. In [17], the authors propose to use the informal principle of causal dependency to understand safety of information flow in various programming languages, and develop a type system based on a behavioral notion of types to capture causality of actions. Our approach is similar, as it also draws on the principle of causal dependency, but our framework appears to be more complex, as in BA processes may interact both via communications and mobility.

In [16], security levels are attached to processes and to capabilities for reading/writing to channels, and a 'no read-up/no write-down' security policy is enforced by typing. To prove non-interference, further restrictions must be imposed, namely high-level processes must not evolve into low-level ones and the calculus must be asynchronous. Under these hypotheses, the authors show that well-typed asynchronous processes are interference-free, where non-interference is defined in a way similar to ours, based on may-test equivalence. Our type system enforces similar restrictions on the value exchanges between high and low processes, and corresponding restrictions on mobility. Unlike [16], our result holds true for the synchronous case as well. In [15], Hennessy has developed an enhanced type system for the security π-calculus for which non-interference can be proved also with respect to must-test equivalence.

In [23] Sewell and Vitek introduce box-π, a process calculus that provides mechanisms for composing (partially trusted) software components and for enforcing information flow security policies. Their approach is based on a colored semantics, which annotates output processes with the sets of principals that have affected them in the past; the security properties are then stated in terms of a colored LTS. Finally, they introduce a type system that statically captures causal flows. As such, the characterization of information flow security is based on a causal model, rather than on non-interference as in our approach. Further important differences are the asynchronous semantics of box-π (as opposed to the synchronous semantics of BA) and our treatment of mobility and nested topology. A more in-depth comparison between the two approaches deserves to be made.

No type-based study of non-interference appears to have been conducted on ambient-based calculi. A number of papers have instead dealt with other aspects of security. Cardelli et al. present a type system for Mobile Ambients [7] based on the notion of group names, which statically prevents unwanted propagation of names. The type system by Levi and Sangiorgi [18] for Safe Ambients provides finer control over ambient interactions and prevents 'grave interferences'. Dezani and Salvo, in [12], develop a type system for Mobile Ambients in which ambient types are associated with security levels in ways similar to ours, and security checks are over opening and moves.

Other approaches based on type systems [3] and control-flow analyses [21,20] have also been applied to analyze different security properties of (various dialects of) mobile ambients. In particular, Braghin et al. [2] study 'explicit' information flow security in the scenario of pure Mobile Ambients by defining a control-flow analysis to detect security breaches arising from confidential data moving outside any boundary protection.


6 Conclusions

We have studied information flow security in the calculus of Boxed Ambients. Wehave developed a notion of non-interference based on a typed equivalence inducedby “low level observations”, and presented a sound type system whose well-typedprocesses are guaranteed to be interference-free. To our knowledge, no such studyhas been conducted in the existing literature.

Plans for future work include the development of refined type systems capable of capturing stronger non-interference properties based on stricter equivalences, and of type and effect systems allowing more flexibility in the typing of value exchanges and mobility. Also, it would be desirable to extend the non-interference proof to the case of partially-typed systems.

References

[1] G. Boudol and I. Castellani. Non-interference for concurrent programs. InProceedings of ICALP’2001, number 2076 in Lecture Notes in Computer Science,pages 328–395. Springer, 2001.

[2] C. Braghin, A. Cortesi, and R. Focardi. Control flow analysis of mobile ambients with security boundaries. In B. Jacobs and A. Rensink, editors, Proc. of the Fifth IFIP International Conference on Formal Methods for Open Object-Based Distributed Systems (FMOODS'02), pages 197–212. Kluwer Academic Publishers, 2002.

[3] M. Bugliesi and G. Castagna. Secure safe ambients. In Proc. of the 28th ACMSymposium on Principles of Programming Languages, pages 222–235, London, 2001.ACM Press.

[4] M. Bugliesi, G. Castagna, and S. Crafa. Boxed ambients. In TACS 2001 (4th International Symposium on Theoretical Aspects of Computer Science), number 2215 in Lecture Notes in Computer Science, pages 38–63, Sendai, Japan, 2001. Springer.

[5] M. Bugliesi, G. Castagna, and S. Crafa. Reasoning about security in mobile ambients. In CONCUR 2001 (12th International Conference on Concurrency Theory), number 2154 in Lecture Notes in Computer Science, pages 102–120, Aalborg, Denmark, 2001. Springer.

[6] L. Cardelli, G. Ghelli, and A. Gordon. Mobility types for mobile ambients. InProceedings of ICALP’99, number 1644 in Lecture Notes in Computer Science, pages230–239. Springer, 1999.

[7] L. Cardelli, G. Ghelli, and A. D. Gordon. Ambient groups and mobility types. InInternational Conference IFIP TCS, number 1872 in Lecture Notes in ComputerScience, pages 333–347. Springer, August 2000.

[8] L. Cardelli and A. Gordon. Mobile ambients. In Proceedings of FoSSaCS'98, number 1378 in Lecture Notes in Computer Science, pages 140–155. Springer, 1998.


[9] L. Cardelli and A. Gordon. Equational properties for mobile ambients. In ProceedingsFoSSaCS’99. Springer LNCS. Full version available as Microsoft Research TechnicalReport MSR-TR-99-11, 1999.

[10] L. Cardelli and A. Gordon. Types for mobile ambients. In Proceedings of POPL ’99,pages 79–92. ACM Press, 1999.

[11] G. Castagna, G. Ghelli, and F. Zappa. Typing mobility in the Seal Calculus. In CONCUR 2001 (12th International Conference on Concurrency Theory), number 2154 in Lecture Notes in Computer Science, pages 82–101, Aalborg, Denmark, 2001. Springer.

[12] M. Dezani-Ciancaglini and I. Salvo. Security types for safe mobile ambients. InProceedings of ASIAN’00, pages 215–236. Springer, 2000.

[13] R. Focardi and R. Gorrieri. A classification of security properties for process algebras.Journal of Computer Security, 3(1):5–33, 1995.

[14] J.A. Goguen and J. Meseguer. Security policies and security models. In Proceedings of the IEEE Symposium on Security and Privacy, pages 11–20. IEEE Computer Society, April 1982.

[15] M. Hennessy. The security picalculus and non-interference. Technical ReportCS-05-2000, University of Sussex, School of Cognitive and Computing Sciences,BRIGHTON BN1 9QH, UK, Nov. 2000.

[16] M. Hennessy and J. Riely. Information flow vs. resource access in the asynchronous π-calculus (extended abstract). In Automata, Languages and Programming, 27th International Colloquium, volume 1853 of Lecture Notes in Computer Science, pages 415–427. Springer, 2000.

[17] K. Honda, V.T. Vasconcelos, and N. Yoshida. Secure information flow as typedprocess behaviour. In ESOP ’00, volume 1782 of Lecture Notes in Computer Science,pages 180–199. Springer, 2000.

[18] F. Levi and D. Sangiorgi. Controlling interference in ambients. In POPL2000, pages352–364. ACM Press, 2000.

[19] R. Milner and D. Sangiorgi. Barbed bisimulation. In ICALP’92, number 623 inLecture Notes in Computer Science, pages 685–695. Springer, 1992.

[20] F. Nielson and H.R. Nielson. Shape analysis for mobile ambients. In POPL’00, pages135–148. ACM Press, 2000.

[21] F. Nielson, H.R. Nielson, R.R. Hansen, and J.G. Jensen. Validating firewalls in mobileambients. In CONCUR’99, number 1664 in Lecture Notes in Computer Science,pages 463–477. Springer, 1999.

[22] D. Sangiorgi and D. Walker. The pi-calculus: a Theory of Mobile Processes.Cambridge University Press, 2001.

[23] P. Sewell and J. Vitek. Secure composition of untrusted code: Wrappers and causalitytypes. In 13th IEEE Computer Security Foundations Workshop, 2000. To Appear inJournal of Computer Security.


[24] D. Volpano and G. Smith. A type-based approach to program security. In Proc. 7thInt’l Joint Conference on the Theory and Practice of Software Development, number1214 in Lecture Notes in Computer Science, pages 607–621. Springer, 1997.

[25] D. Volpano and G. Smith. Secure information flow in a multi-threaded imperative language. In Proc. of POPL'98, pages 355–364. ACM Press, 1998.

[26] D. Volpano, G. Smith, and C. Irvine. A sound type system for secure flow analysis.Journal of Computer Security, 4(3):167–187, 1996.

A Correctness of the type system

Lemma A.1 (Strengthening) Assume� � ���� �� ^ . ��� q(� � . Then

� � ���� �� � ^ .��� q�� � for every � � .

Proof. By induction on the derivation of��� ���� �� ^ . ��� q�� � . �

Lemma A.2 (Subject Congruence)

(i) If��� � � � � ^ . � and ^�� e then

��� ���� �� e . � .(ii) If

���� � � � ^ . � and e�� ^ then��� ���� �� e . � . �

Lemma A.3 (Substitution)

(i) Assume� q # .�� q � � � g .�� . For any

�, if� q � � � � .�� , then

� q � � � g;+-# .10� 2�.�� .

(ii) Assume� q # .%� q � � � � � � �� ^ . � . For any

�, if

� q � � � � . � , then� q � � � ���� ��

^9+-# .:0 � 2 . � . �

Proof of Proposition 3.2. By induction on the derivation of $P$ ➞ $Q$. In the base case, we distinguish the possible cases of top-level reduction.

������� X �!�!� � � The redex is of the form 0�] o�p * h�^ c+e�`/c � ]1B ` , and the judgmentin the hypothesis must have been derived by � ����� � followed by ��� � ��� from

��� ���� ��0m] o�p * h�^ c$ea` . ��� N

q��N � and

� � ���� �� � ]1B ` . ����� q�� � � , with � �� � and� �� �

,� � + ) q�* 2 . From the latter judgment, we know that

� � ��� � � B . � � q � � , fromwhich it follows that

� � �� ��� q � � , with � any exchange,� j * l 0 ��.��� � � q � � and

� � x j q q � ��l . From the former judgment, we know that� � ���� � � o�p�* h�^ c�e . � � q�� �

and��� ��� ��� q�� � with � any effect,

� j ) l 0 �� ��� � Nq�� � and � � x j q q � N l .

From� � ���� � � o�p * h�^ c7e . ��� q�� � , an inspection of the rule ��� ���C� � �!� �C� Y � shows

that� � ���� � � ^ cfe . ��� q�� � is derivable. Since

� � �N , one has �#� x j � � q � q �

N l ,and we have just observed that

� � �� � � q � � is derivable. Thus, by � � � � one has��� ��� � � 0�]�^ c9e ` . ��� q � � . From the last judgment, and from��� ��� � � B . � � q � � ,

by (�����

)� � ��� � � 0�]_^ c9e ` c B . ��� q � � , and then

� � ���� �� � ] 0�]�^ c$ea`�cCB ` .����� q�� � � .

������� X�Y �:� � The redex is of the form 0m] � ] s"t+v )Gh�^ c+e�`�cCB ` , and the judgmentin the hypothesis must have been derived by � ����� � and � ������ from

� � � ����� �� ] sut+v )Bh�^ c+e�` . � � q � � and

� � ���� � � B . ��� q � � , with � any exchange,� j )ul 0


�� � � � Nq � � such that � � x j �q q�� N l . A routine analysis shows that

� � ���� �� 0�]�B ` .��� q�� � is derivable. On the other hand,

�#� �� � � � � ] s"t+v )Gh�^ c$ea` . � � q � � must de-pend on a judgment of the form

� � �� � � s"t+v )Gh�^ cfe . � , for a suitable processtype

�which, in turn, depends on the typing of

s"t+v ) . We distinguish the twopossible subcases:

–��� s"t+v );. ����� w � � N � . Then

�N�� � , and

� � �� � � s"t+v )Bh�^ . � must havebeen derived by ( � ���C� � �!� �C� Y ). An inspection of the typing rules shows that� ��� � � ^ cBe . � also is derivable. Now, from

�N�� � and � � x j q q � N l

we know that � � or � � . In both cases � � x j �q q � �,l , and hence

� � ���� ��� ]�^ c9ea` . ��� q�� � . The claim follows now by � ����� � from the last judgement and from

��� � � � � 0�]:B ` . ��� q�� � .–� � s"t+v ) . t ��� w � � N � . Then

�N� � , and

� � � �� � � s"t+v )Gh�^ cre . � must havebeen derived by ( � ��������� � � �!� �C� Y ). Now the side-condition to that rule requiresthat

� � � � , and the previous analysis shows that� � ���� �� � ]�^ c+e�` . ��� q(� � , as� � � � implies � � x j �q q�� �,l . The claim follows then by � ����� � .

����������� ��� ���&��� � � �!� b ������� ��� � �!� b � We give the proof for the case� �������

as representative. In this case the redex is j*# .�� l�^ c�%�g)'�e . The judgment in thehypothesis is

� � ���� �� j*# . � l�^dc %�g('�^ . � � q � � for some exchange � , derivedfrom

� q # . � � ���� � � � � � ^ . � � q � � , and from� � g . � and

� � ���� � � � � �e . � � q � � with � � x j q q 1&j � l�l . By Lemma A.1, we know that derived from� q # . � � ���� �� ^ . ��� q � � , and from

� � g . � and� � � � � �� e . � � q � � . By

Lemma A.3,��� � � � �� ^9+-# . g32 . ��� q � � , and the proof follows by � ����� � .

For the inductive steps, the proof follows by a case analysis of the possible contex-tual reductions.

(������� �����

) The reduction is ^ c�e ➞ ^�� c�e derived from ^ ➞ ^�� . Thejudgment in the hypothesis,

��� ���� �� ^ c$e . ��� q(� � must depend on two judgments� � ���� �� ^ . � and� � � � � �� e . � for a suitable

�. By the induction hypothesis,������� �� ^��. � and

��� ���� �� ^ c+e . ��� q�� � derives by (�����

).

(������� � ���&� � � ) follows by the induction hypothesis and Lemma A.2, while

(��������� �

) follows directly by the induction hypothesis.

(������� � �

.) The reduction is 0m]_^�` ➞ 0�]_e�` , derived from ^ ➞ e , and thejudgment

��� ���� �� 0m]�^�` . ��� q�� � , in the hypothesis, must depend on��� ���� � � ^ . �

for a suitable�

, with�N 0 1 j � j ) l�l . By the inductive hypothesis, one has

��� � ����� �e . � . From this

� � ���� �� 0�]_e�` . ��� q(� � derives from� � ���� � � e . � by the same

steps that derived� � ���� �� 0�]_^�` . ��� q(� � from

��� ���� � � ^ . � .

B Proof of non-interference

To ease the notation, throughout this section the type annotation on restricted namesand input variables are omitted unless relevant to the context.


B.1 A Hardening Relation

Following [9], we define a hardening relation for Boxed Ambients, that is, a relation that explicitly identifies the top-level sub-processes of a process that may be involved in a reduction. The hardening relation will be useful in defining an alternative operational semantics based on a labelled transition system.

The hardening relation takes the form ^ � jDk.,/ l�%�^ � '�^ � � where jk ,/ l�%�^ � '�^ � � is called a concretion, ^ � is the prime of the concretion, and ^ � � is the residue of the concretion. Both ^�� and ^�� � are in the scope of the restricted names ,/ . Concretions are defined below, following [9]:

Concretions� q�� . .10djDk ,/ l�%�gih�^ '�e action

q g � + o_p b q�s"t+v b�2jDk ,/ l�%,\�]�^�` '�e ambient

jDk ,/ l�%�j*# .�� l �$^ '�e input � + �q � q b�2

jDk ,/ l�%<%�g)'��9^ ',e output � + �q � q b�2

The order of bound names j�� ,/ l in a concretion jk.,/ l %�^ � '�^�� � does not matter and they can be renamed consistently. If + ,/ 2 0�� , we write the concretion as jk�l %�^��:'�^�� � . Before defining the hardening relation we introduce the notation j��ubml � for restricting a concretion.

Definition B.1 [Restricting a concretion [9]] Let�

be jk ,/ l�%�^ z�'�^�} and b �� + ,/ 2 , then:

(i) If b � fn jD^�z�l then

(a) If ^�z 0 {|]�e�` q " �0 b q b �� fn j^�}7l , then j�� b�l ���0 jDk.,/ l�%,{|]5j�� b�l�^��z ` '�^�}

(b) Otherwise, j��ubml ���0 jDk*b q ,/ l�%�^~z�'�^�}

(ii) If b �� fn jD^�z�l , then j �ub�l ��0 jk ,/ l %�^�z�'9j�� b�l�^�} �

The hardening relation is then defined by the rules collected in Figure B.1. The following lemma establishes some useful properties of the hardening relation.

Lemma B.2 (Properties of Hardening)

(i) If ^� jk ,/ l %�^ � '�^ � � , then ,/�� fn jD^ � l and the names ,/ are pairwise distinct.

(ii) If ^� jk ,/ l�%�^ � '�^ � � , then ^�� j�� ,/ l9j^ � c$^ � � l .

Proof. By induction on the derivation of ^ � jDk ,/ l %�^ � '�^ � � . �
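As an added illustration of the concretion notation, Definition B.1 and Lemma B.2 (this is example code written for this page, not code from the paper or from [9]; the tuple encoding of processes, the abstraction of capabilities to the single name they mention, and the sample processes are assumptions made here), the following Python transcribes the hardening rules for the four prime forms, parallel composition, replication and restriction, and checks Lemma B.2 on constructed processes:

```python
# Added example (not the paper's code): the hardening relation P ↓ (ν ps)<prime>residue
# of Section B.1 over a tiny Boxed Ambients syntax encoded as tuples:
#   ('nil',) 0 | ('par',P,Q) P|Q | ('res',n,P) (νn)P | ('repl',P) !P | ('amb',n,P) n[P]
#   ('cap',n,P) M.P with M a capability on name n | ('in',x,P) (x).P | ('out',n,P) <n>.P
# Capabilities are abstracted to the name they mention, so fn(in n) = fn(out n) = {n}.

def fn(P):
    """Free names of a process."""
    tag = P[0]
    if tag == 'nil':
        return set()
    if tag == 'par':
        return fn(P[1]) | fn(P[2])
    if tag == 'repl':
        return fn(P[1])
    if tag in ('res', 'in'):          # (νn)P and (x).P bind P[1] in P[2]
        return fn(P[2]) - {P[1]}
    return {P[1]} | fn(P[2])          # n[P], M.P and <n>.P mention P[1] freely

def restrict(n, C):
    """Definition B.1: (νn)C for a concretion C = (ν ps)<prime>residue."""
    ps, prime, residue = C
    if n in fn(prime):
        # (i)(a): push the binder inside a prime ambient m[Q] when m != n and
        # n is not free in the residue; (i)(b): otherwise n joins the bound names
        if prime[0] == 'amb' and prime[1] != n and n not in fn(residue):
            return (ps, ('amb', prime[1], ('res', n, prime[2])), residue)
        return ((n,) + ps, prime, residue)
    return (ps, prime, ('res', n, residue))   # (ii): n only restricts the residue

def harden(P):
    """All concretions C with P ↓ C. No alpha-renaming is done: the PAR side
    condition ps ∩ fn(Q) = ∅ simply drops concretions that would clash."""
    tag = P[0]
    if tag in ('cap', 'amb', 'in', 'out'):       # HARDEN ACTION/AMB/INPUT/OUTPUT
        return [((), P, ('nil',))]
    if tag == 'par':                              # HARDEN PAR 1 and PAR 2
        P1, P2 = P[1], P[2]
        cs = [(ps, pr, ('par', rs, P2)) for ps, pr, rs in harden(P1)
              if not set(ps) & fn(P2)]
        cs += [(ps, pr, ('par', P1, rs)) for ps, pr, rs in harden(P2)
               if not set(ps) & fn(P1)]
        return cs
    if tag == 'repl':                             # HARDEN REPL: residue keeps !P
        return [(ps, pr, ('par', rs, P)) for ps, pr, rs in harden(P[1])]
    if tag == 'res':                              # HARDEN RES via Definition B.1
        return [restrict(P[1], C) for C in harden(P[2])]
    return []                                     # 0 has no hardenings

def check_lemma_b2(P):
    """Lemma B.2(i): bound names are pairwise distinct and free in the prime.
    For (ii) only a necessary consequence is checked: (ν ps)(prime | residue)
    has the free names of P (structural congruence itself is not implemented)."""
    for ps, prime, residue in harden(P):
        if len(set(ps)) != len(ps) or not set(ps) <= fn(prime):
            return False
        rebuilt = ('par', prime, residue)
        for n in reversed(ps):
            rebuilt = ('res', n, rebuilt)
        if fn(rebuilt) != fn(P):
            return False
    return True

# Constructed samples: (νk)(a[M_k.0] | b[0]) exercises case (i)(a) and (ii) of
# Definition B.1; (νk)(a[M_k.0] | k[0]) exercises case (i)(b) for both primes.
EXAMPLE_A = ('res', 'k', ('par', ('amb', 'a', ('cap', 'k', ('nil',))), ('amb', 'b', ('nil',))))
EXAMPLE_B = ('res', 'k', ('par', ('amb', 'a', ('cap', 'k', ('nil',))), ('amb', 'k', ('nil',))))
```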

Proposition B.3 If ^ � e and e�� jDk ,� l�%�e�� '�e�� � , then ^�� jk ,� l�%^���'�^�� � for ^ and ^�� such that ^��B� e�� q ^�� �?� e�� � .

Proof. By induction on the derivation of ^ � e . �


(HARDEN ACTION)G � I '*) � � 9;:�<>� LG ,-��� ���"�DF G ,-� H /

(HARDEN .)G ,(� 8 ,-� ������ G ,)8 � ,-�����

(HARDEN AMB)

�! �@#�� ���"�DF� "!*�@# H /

(HARDEN INPUT � )

� E � � ��� ���"�DF � E � � � H /(HARDEN OUTPUT � )

F G�H � ��� �����DF F G�H � � H /

(HARDEN PAR 1)

��� ���$C �DF�� � H � � � C� fn � / ��� ����0/�� ���@C �DF�� � H ��� � � �M/ �

(HARDEN PAR 2)

/�� ���@C �DF / � H / � � C � fn ��� �"� ����0/�� ���@C �DF / � H ���.�0/ � � �

(HARDEN REPL)

��� ���$C �DF�� � H � � �1 ��� ��� C �DF�� � H ��� � � � 1 � �

(HARDEN RES )

��������;������� ���;�����

Fig. B.1. Hardening: �����

B.2 A Labelled Transition System

In this subsection we present an alternative semantics for BA, based on a labelled transition system. The main advantage of the LTS is that it allows an analysis of the possible evolutions of a process in terms of its syntactic structure. The transition system we use is built upon the following set of labels:

Labels 1 . .10 � c o_p b c s"t+v b c j�g l 5

The transitions ^ � � 4� � e and ^ ����� 4� � e mean that the process ^ has a top-level process that exercises the capability o�p b and s"t+v b , respectively. The transition ^�6��� � � e means that the process ^ has a top-level process that reads upward the value g . Finally, the transition ^ � � � e means that the process ^ evolves in one step to e . The labelled transitions are defined by the rules collected in Figure B.2. Theorem B.4, below, proves that � -transitions and reductions are the same, up to structural congruence.

Theorem B.4 ^ ➞ e if and only if ^ �� � � e .

B.3 Context and Activity Lemmas

Before proving non-interference, we state two important lemmas that are useful to establish contextual equivalence. The first is a context lemma, which implies that


(INPUT UP)

��� ���$C �DF � E � 5 � � H � � � fn � G � C � �

��6� �

��� ��� C �D��� � I E � G.L ��� � � �

(CAP)

��� ��� C �DF G ,-� � H � � � fn � G � C � �� 6��� ��� C �D��� � ��� � � �

(AMB)

��� ���$C �DF� �!�/@# H 5 /���� / �

� ���� ��� C �D�� "!�/ � #7��5 �

(�

-IN) (where fn �� �!�/@# � C� � �)

��� ���$C �DF� �!�/@# H 5 /� ������ / � 5�� ��� C� �DF�� !*5 � # H 5 � �

����� ��� C � C� �D��� !O �!R/ � #7��5 � # ��5 � � �

(�

-OUT) (where � �� I?C L )��� ���$C �DF� �!�/@# H � � /�� ���@C �DF�� !*51# H / � 5

��� � 4��� 5 �� ���� ����C �D� ����C �D��� !R5 � # � �!R/ � #[� ��� � �

(�

-I/O) (where fn � F G�H � � � C � �)

��� ���$C �DF F GQH � � H � � � � � � � ���@C �DF � E � / H / ��

���� ����C � C �D� / I E � G.L �0/ � ��� � �

(�

-OUTPUT � ) (where fn � F GQH 4 � � � C � �)

��� ���$C �DF F GQH 4 � � H � � � � � � � ���@C �DF� "!*51# H 5 � 5�6� �

����5 � �� ���� ��� C �D��� � �A����C �D�� "!*5 � � #���5 � � �

(�

-INPUT � ) (where I&C L fn ��� � � ��� IPC� L fn �� �! � � # ��� )

��� ���$C �DF� �!*� � # H � � � � � � ���@C �DF F G�H 5 / � H / � � � � � � ��� C� �DF � E � 4 5 � H 5 � ��

���� ��� C � C � C� �D��5 � I E � G�L ��5 � � � "!R/ � �0/ � � # �

Fig. B.2. Labelled Transitions: P

���� P’

we may consider only a limited set of contexts when proving contextual equivalences, namely, evaluation contexts.

Evaluation Contexts � . .10 � c�j��ubml � c ^ c�� c�� c$e c \~]�� `

In an evaluation context there is exactly one variable “ � ”. We denote with �9+(^92 the process resulting from substituting the variable with ^ in � : differently from contexts, names restricted in an evaluation context � are renamed in � +(^,2 to avoid capture of free names of ^ . The different semantics of the two classes of contexts is emphasized by using a different notation for evaluation contexts ( � +(^,2 ) and contexts (

��� ^ � ). We extend the notion of structural equivalence and reduction for evaluation contexts as follows:

– � � � � � � +(^,2S� � � +(^,2 for every process ^ .

– � ➞ � � � � +(^,2 ➞ � � +(^92 for every process ^ .

Our context theorem is the equivalent of the corresponding theorem for Mobile Ambients in [9]. In addition, we need to restrict to “compatible substitutions”, in the following sense. A substitution � is a mapping from variables to terms such that �3j$# l 0 g implies fv j�g l 0 � . A substitution is � -compatible if � ({ j���l � � ({ j � l and � j$# l 0 � implies

� � �*j*# l . � . Let ��� � be the type environment ��� � � " j���l .

Theorem B.5 (Context) For all ^ q e s.t. � � ^ . � and � � e . � , � ' ^ 0 � e if and only if for all � -compatible substitutions � s.t.

���" j��ml 0 fv jD^ l fv jDe l , for

all closed j � ��� � � q � l evaluation contexts E, and for all b such that 1 j � jDbml�l � � one has � +(^�� 2 4 � � �9+(e���2 4 .

Proof. Long proof, which follows as in [9]. �

In order to apply the previous theorem, we need to analyze judgments of the form � +(^,2 � 4 and � +(^,2 ➞ e . These analyses are formalized by the following two results, whose proofs follow as in [9]. The first result states that there are two ways in which � +(^,2 � 4 can arise: either the process ^ exhibits the name by itself, or the evaluation context � exhibits the name b by itself.

Proposition B.6 If �9+(^92 � 4 , then either

(i) � +(e,2 � 4 for all e , or

(ii) ^ � 4 and for all e , e � 4 � � +(e,2 � 4 �

The second result is an activity lemma showing that there are three ways in which a reduction � +(^,2 ➞ e may arise: either (1) the process ^ reduces by itself, or (2) the evaluation context � reduces by itself, or (3) there is an interaction between the process and the evaluation context.

Theorem B.7 (Activity) �9+(^92 ➞ B if and only if:

(Act Proc) there is a reduction ^ ➞ ^ � with B � � +(^ � 2 , or

(Act Ctx) there is a reduction � ➞ � � with B � � � +(^92 , or

(Act Inter) there are � � and ,� , ,��� fn jD^ l 0 � and one of the following:

(Inter In) � � j � ,� l�� �8+r{�] � c-B ��`�c�\~]:B � ��`�2 , ^ � � 4� � ^�� andB � j � ,� l � � +r\�] {�]�^ � c-B � `�cCB � � `�2


(Inter Out) � � j�� ,� l�� � +r\~]5{�] � cCB ��`�c-B � ��`�2 , ^ ����� 4� � ^�� andB � j � ,� l � � +r\�]1B � ��`.c�{�]�^�� cCB ��`�2

(Inter Input) � � j�� ,� l � � + � c�%�g)'<B �82 , ^ � jk ,/ l�%�j$# l�^���'�^�� �and B � j�� ,� l�� � +uj�� ,/ l9j^ � +-# .10 g32 c+^ � � l/c�B � 2 with ,/ � fn j�%�g)'<B � l 0�� .

(Inter Output) � � j � ,� l � � + � crj$# l�B �82 , ^� jk ,/ l�% %�g('�e '�^��and B � j�� ,� l�� � +uj�� ,/ l9j^�� c+e cCB �8+-#/.:0ig32�l 2 with ,/ � fn j B � l 0 � .

(Inter Input n) � � j�� ,� l � �8+ � c�\�]$%�g)'�5�e���c$e�� ��`�2 , ^� jDk.,/ l�%�j$# l�4X^��:'�^�� �and B � j�� ,� l�� � +uj�� ,/ l9j^�� +-# .10 g32 c+^�� � cX\~]�e���c$e�� ��`�l 2with + ,/ 2 � fn j,\~]$%�g)'�5�e���c$e�� �_`�l 0�� .

(Inter Output n) � � j � ,� l � � + � cX\~] j*# l 5 e � c$e � � `�2 , ^� jDk.,/ l�%<%�g)' 4 ^ � '�^ � �and B � j � ,� l�� � +uj � ,/ l9jD^ � c�^ � � c�\�]_e � +-# .10 g32 c$e � � `�l 2 with ,/ � fn j,\~]�e � c9e � � `�l 0� .

(Inter Amb) ^� jk ,/ l�%�\~]�ea` '�^�� and one of the following:

(1) e � � �� � e�� , ��� j � ,� l�� � + � c�{�]1B ��`�2 , ,/ � fn j,{�]�B ��`�l 0 �

and B � j�� ,� l�� � +uj�� ,/ l9jD^ � cX{�]5\~]�e � `.c�B � `�l 2(2) e ����� �

� � e�� , � � j � ,� l � � +r{|] � c�B ��`�2 , " �� ,/and B � j�� ,� l�� � +uj�� ,/ l9j�\�]_ea`�c�{|]:B ��c$^���`�l 2

(3) � � j�� ,� l � � +r{�]:B � c o�p b*h B � � `�c � 2 , ,/ � fn j,{�]:B � c o_p b�h1B � � `�l 0 �and B � j�� ,� l�� � +uj�� ,/ l9j�\�]_e c�{�]�B � cCB � � `D`�c$^ � l 2

(4) e � jk ,��l % %�g)' 5 e � '�e � � , � � j � ,� l�� � + � c(j*# l 4 B � 2 , + ,/ 2 � j�+�b�2 fn j B � l�l 0� ,+ ,��2 � j�+�b�2 fn j^�� cCB ��l�l 0 � ,and B � j�� ,� l�� � +uj�� ,/ q ,�Xl9j B � +-# .10 g32 cX\�]�e��mc$e�� �_`�c9^���l 2

(5) e�6� �

� � e�� , � � j � ,� l�� � + � c�%�g)'�4&B �82 , ,/ � fn j<%�g('�4!B ��l 0 � .and B � j�� ,� l�� � +�B � cfj�� ,/ l9j,\~]�e � `.c$^ � l 2 �

B.4 Proof of non-interference

We start with a few preliminary results on the type system, showing some useful invariants that are guaranteed for well-typed processes.

Proposition B.8 (High Processes and Low Barbs) Assume� � � . � for some�

. Then � � 4 � b � � .

Proof. By definition, � � 4 if and only if � � jk ,/ l7\�]�^�`~c+^�� for suitable ^ and ^�� and b �� + ,/ 2 . By Lemma A.2 we know that

� � jDk ,/ l7\�]�^�`.c9^ � . Thus, in particular,

� � ���� �� jk ,/ l7\�]�^�`�c$^�� with � � . An inspection of the ( � �

) rule shows that

� j b�l � � . �

Lemma B.9 (

�versus

�) If

� � � � � � ^ . � then� � ���� �� ^ . � .

Proof. Immediate: well-formed types of�

derivations are also well-formed for the corresponding

�-derivations. �

Lemma B.10


(i) Let � be a closed j � ��� q � l evaluation context and � ➞ � � . Then � � is also a closed j � ��� q � l evaluation context.

(ii) Let ^ q e be two processes such that ^�� e and ^ 4 for some name b . Then e 4 by a reduction sequence of the same length as ^� 4 .

(iii) Let� � {|]_^�` . � be a derivable judgment. Let be ^

�� � ^ � , then

� �

{|]�^���` . � is also a derivable judgment.

(iv) Let be� � ^ . � and ^ � � 4� � ^�� , then 1&j � j b�l�l � � .

(v) Let be� � ���� �� ^ . � and ^ ����� 4� � ^ � , then 1 j � jDbml�l � � and

� � . �

Lemma B.11 Assume � � ^ . � . For every closed j � ��� q � l evaluation context � , and for all b s.t. 1 j � jDbml�l � � , one has � +(n 2 4 � �9+(^92 4 .

Proof. Take any b with 1&j � j b�l�l � � . The proof is by induction on the number of reductions. For the base case, assume �9+(n 2 � 4 . Since n �� 4 , by Proposition B.6 we know that �9+(^92 � 4 for all ^ . For the inductive case, assume �9+(n 2 ➞ B and B 4 . By Theorem B.7, it must be the case that B�� � � +(n 2 . By Proposition 3.2 (Subject Congruence), � � is a j � ��� q � l evaluation context. By Lemma B.10 (1) it is closed. Furthermore, by Lemma B.10 (2) ��� +(n 2 4 by a reduction sequence of the same length as B 4 . Thus, by induction hypothesis, we know that � � +(^92 4 . We are done, since � +(^,2 ➞ � � � +(^,2 . �

Corollary B.12 Assume � � � . � with fv j � l 0 �

. For every closed j � ��� q � levaluation context � , and for all b s.t. 1&j � j b�l�l � � , one has �9+(n 2 4 � �9+ � 2 4 .

Lemma B.13 Assume � � � . � with fv j ��l 0 � and � � jDk.,/ l�% � � '�n . For every

closed j � ��� q � l evaluation context � , and for all b s.t. 1&j � j b�l�l � � , one has � + � 2 4 � �9+(n 2 4

Proof. Choose a closed j � ��� q � l context � , and > with

� j$>$l � � . The proof is by induction on the number of reductions. For the base case, assume � + � 2�� � . By Proposition B.8 we know that � �� � . Then, by Proposition B.6, �9+(n 2 � . For the inductive case, assume �9+ � 2 ➞ B and B � . By Theorem B.7, one of the following cases applies.

(Act Ctx) � ➞ � � with B � ���8+ � 2 . By Proposition 3.2 (Subject Reduction) and Lemma B.10(i) � � is a closed j � ��� q � l evaluation context, and � � + � 2 � by a reduction sequence of the same length as B � . By induction hypothesis, � � +(n 2 � and then �9+(n 2 � as �9+(n 2 ➞ � � +(n 2 .

(Act Proc) � ➞ � � with B � � + � � 2 . By Proposition 3.2 (Subject Reduction), we know that � � � � . � . By induction hypothesis, �9+(n 2 � .

(Act Inter) Then there exist � � and ,� , with ,� � fn j � l 0 � , and one of several sub-cases applies (note: the cases are simpler than those mentioned in the statement of Theorem B.7 thanks to the hypothesis � � jDk ,/ l % � � '�n ).

(Inter In) � � j�� ,� . ,� l ��� +r{�] � c�B �_`�cX\~]�B � ��`�2 , �� � 4� � � � � , and

B � j�� ,� . ,� l�� � +r\�]P{|] � � ��c�B �_`�cCB � ��`�2 . By Lemma B.10(4) it follows that� jDbml � � . Since � is a j � ��� q � l (evaluation) context, one has 1&j � j b�l�l �� . Then it is easy to see that

� � \~]�B � � ` . � � for some� � . Hence also

� � \~]P{|] � � � cCB ��`.c�B � �_` . � � . Define � � � 0 j � ,� . ,� l ���8+ � 2 , so that B 0� � � +r\~]5{�] � � ��c�B �_`�c�B � �_`�2 . By induction hypothesis ��� � +(n 2 � , that is j�� ,� . ,� l � � +(n 2 � . Now by Lemma B.11, we have j�� ,� . ,� l�� �8+r{�]�n�c�B �_`�c�\�]:B � ��`�2 � , that is � +(n 2 �

as desired.

(Inter Out) � � j�� ,� l � � +r\�]P{|] � c-B � `.cCB � � `�2 , �

����� 4� � � � � and B�� j�� ,� l � � +r\~]1B � � `.c�{�] � � � cCB � `�2 . By Lemma B.10(5), 1 j � jDbml�l q 1&j � j*" l�l �� . Then it is easy to see that

� � \~]1B � � ` cf{�] � � � c�B � ` . � � for some� � . Now

the proof proceeds as in the previous case.

(Inter Input), (Inter Output), (Inter Input n), (Inter Output n) These cases follow similarly to the case (Inter In).

(Inter Amb) ��� jk ,/ . ,� l %�\~]_e�` '�n and one of the following:

(1) e � � �� � e�� , ��� j � ,� . ,� l � � + � cX{|]1B ��`�2 , ,/ � fn j,{�]1B �_`�l 0 � and

B � j�� ,� . ,� l ��� +uj � ,/ . ,� l�j,{�]5\~]�e���`.c�B ��`�l 2 . From Lemma B.2(2) we know that � � jk ,/ . ,� l9j,\~]_ea`�l . From the

hypothesis � � � . � , it follows that � q ,/ . ,� � \~]�ea` . � . Thus, since + ,/ 2 � fn j,{�]1B �_`�l 0 � we have:

� + � 2S� jk ,� . ,� l�� � +ujk ,/ . ,� l9j�\�]�e�`.cX{|]1B � `�l 2

Now define � � � + � 2 0 � � +ujk ,/ . ,� l9j�{|] � c-B � `�l 2 . � � � is a closed j � �>j � q ,/ . ,� l q � l evaluation context, and we have:

� � � +r\�]�e � `�2 0 � � +ujDk ,/ . ,� l�j,{�] \�]�e � `�cCB � `�l 2

Thus B � jDk ,� . ,� l�� � � +r\�]_e � `�2 , and from the hypothesis B � it follows that > �� + ,� 2 and that � � �8+r\~]�e���`�2 � with the same or smaller depth of inference. Thus, by induction hypothesis, ��� �8+(n 2 � , and the proof follows by observing that � +(n 2W� jDk ,� . ,� l ��� �8+(n 2 .

(Inter Amb) (2), (3), (4), (5): these cases follow similarly to the previous one. �

Proposition B.14 (Closed High Processes) Assume � � � . � with fv j ��l 0 �.

For every closed j � ��� q � l evaluation context � , and for all b s.t. 1&j � j b�l�l � � , one has � + � 2 4 � � +(n 2 4

Proof. The ( � ) direction follows by Corollary B.12. For the ( � ) direction, choose an > with

� j$>$l � � , and assume, without loss of generality, that � � jDk ,/ l�% � � ' � � � . We prove that for all closed j � ��� q � l evaluation contexts � , one has � + � 2 � �� +(n 2 � . The proof is by induction on the structure of � � � . If � � �&� n the proof follows by Lemma B.13. Now � � � � jDk ,��l %�e�� '�e�� � , with e�� � strictly smaller than � � � . Define � � 0 � +ujk ,/ l9j � � c � l 2 . We have � � + � � � 2 0 � +ujDk.,/ l�j � � c � � � l 2 with � � a closed j � ��� q � l evaluation context. Then, by induction hypothesis � �8+(n 2 0 � +ujDk ,/ l � � 2 � . Since � � jk ,/ l�% � � ' � � � , we know that ,/ � fn j � ��l , and since � � is a prime, jk ,/ l � � � jk.,/ l % � ��'�n . Thus, again by Lemma B.13, �9+(n 2 � . �

Corollary B.15 Assume � � � . � . For all � -compatible � with

�� " j���l 0


fv j ��l , for every closed j � ��� � � q � l evaluation context � , and for all b with 1&j � j b�l�l �� , one has � + ��� 2 4�� � +(n 2 4 .

Proof. By Lemma A.3 (Substitution), and the hypothesis of � being � -compatible, it follows that � � � � ��� . � . Then the proof follows by Proposition B.14. �

Theorem B.16 (High Processes) Assume � � � . � . For every j � ��� q � l context �����

with� � � � and

��� n � closed, and for all b with 1&j � jDb�l�l � � , one has��� � � 4 ���� n � 4

Proof. Apply the Context theorem (Theorem B.5), and the previous corollary. �

Proof of Theorem 4.6. Assume � � ^ . � . We want to prove that for every � such that � � � . � one has � ' ^ 0 � ^ c � . Let then

� � �be any j � ��� q � l

context with��� ^ � and

��� ^ c � � closed. Now, define� � ��� 0 ��� ^ c � � . Then� � ��� is also a j � ��� q � l context with

� � � � � and� � � n � closed. By Theorem B.16

we have that for all b with 1&j � j b�l�l � � , � � � � � 0 ��� ^ c�� � 4��� � � n � ���� ^ � 4 .
