Anytime, Anywhere Modal Logics for Mobile Ambients Luca Cardelli, Andrew D. Gordon Microsoft Research Abstract a b a b The Ambient Calculus is a process calculus where processes may re- p side within a hierarchy of locations and modify it. The purpose of the calculus is to study mobility, which is seen as the change of spatial p configurations over time. In order to describe properties of mobile computations we devise a modal logic that can talk about space as In the Ambient Calculus, contiguous locations (or processes) well as time, and that has the Ambient Calculus as a model. are represented by standard parallel composition (P | Q), and named locations are represented by ambients (n[P]) which name a location 1 Introduction n with contents P. This fragment of the Ambient Calculus, together with a void process (0) and simple syntactic equivalences, amounts In the course of our ongoing work on mobility [3,4,5,12], we have to a textual representation of edge-labeled trees. The example above often struggled to express precisely certain properties of mobile could be written as a[p[0]] | b[0], assuming there are no active pro- computations. Informally, these are properties such as “the agent has cesses within the locations. gone away”, “eventually the agent crosses the firewall”, “every Even before considering process execution, we can talk about agent always carries a suitcase”, “somewhere there is a virus”, or spatial properties and spatial specifications. For example, we have “there is always at most one agent called n here”. There are several the following correspondence between spatial constructs in the Am- conceivable ways of formalizing these assertions. It is possible to bient Calculus and certain formulas of the logic we develop later: express some of them in terms of equations [12], but this is some- times difficult or unnatural. It is easier to express some of them as Processes properties of computational traces, but this is very low-level. 0 (void) Modal logics (particularly, temporal logics) have emerged in n[P] (location) many domains as a good compromise between expressiveness and P | Q (composition) abstraction. In addition, many modal logics support useful computa- Formulas tional applications, such as model checking. In our context, it makes 0 (there is nothing here) sense to talk about properties that hold at particular locations, and it n[$] (there is one thing here) becomes natural to consider spatial modalities for properties that hold at a certain location, at some location, or at every location. $ | % (there are two things here) Space We have a logical constant 0 that is satisfied by the process 0 repre- senting void. We have logical propositions of the form n[$] (mean- Interesting spatial structures can be represented conveniently as un- ing that $ holds at location n) that are satisfied by processes of the ordered edge-labeled trees, where edge labels correspond to names form n[P] (meaning that process P is located at n) provided that P of sublocations, and subtrees correspond to sublocations. Such a rep- satisfies $. We have logical propositions of the form $ | % (mean- resentation of locations is shared by the Ambient Calculus [3], the ing that $(cid:3)and %(cid:3)hold contiguously) which are satisfied by contigu- Distributed Join Calculus [10], the Seal Calculus [20], and trivially ous processes of the form P | Q if P satisfies $(cid:3)and Q satisfies %, or by the many distributed process calculi with a flat location structure vice versa. (e.g.: [2]). The following edge-labeled tree represents two contiguous lo- Time cations, a and b, such that b has no sublocations, and a has a sublo- Spatial configurations evolve over time as a consequence of the ac- cation called p. The diagram on the right gives a more intuitive but tivities of processes. For example, our initial tree may go through the equivalent description of location contiguity and containment: following two steps of evolution, as the result of a process moving the location p from a to b through the ether in between. Permission to make digita/hard copies of all or part of this material for personal or class- room use is granted without fee provided that the copies are not made or distributed for profit or commercial advantage, the copyright notice, the title of the publication and its a b a b date appear, and notice is given that copyright is by permission of the ACM, Inc. To ˛ p ˛ copy otherwise, to republish, to post on servers or to redistribute to lists, requires spe- cific permission and/or fee. p POPL 2000, Boston, USA. © 2000 ACM. 1 We can think of processes as sitting at the nodes of edge-labeled strengthening the definition of structural congruence so that it char- trees, and directing the movement of those nodes through the trees. acterizes the intended equivalence on spatial configurations. So, the steps above could be caused by a process executing move- The following table summarizes the syntax of processes. We ment instructions at the node under p. have separated the process constructs into spatial and temporal; this is similar to the distinction between static and dynamic constructs in Mobility CCS [17]. This paper focuses on the spatial constructs; the temporal We regard mobility as the evolution of spatial configurations over constructs and the dynamic behavior are necessary but secondary for time. A specification logic for mobility should be able to talk about our current purposes. the structure of spatial configurations and about their evolution Processes through time; that is, it should be a modal logic of space and time. A typical specification would say that the configuration looks P,Q,R ::= processes initially like a certain tree, and eventually like some other tree. In 0 void some cases we may want to be very precise about describing the P | Q composition spatial structure of locations, even though this runs against the traditional !P replication attitude in logics for process calculi that prevents “counting” the M[P] ambient number of processes (or locations) involved. Our logic can be very M.P capability action specific, in this sense. (n).P input action temporal Of course, since we are dealing with specifications, we may jMk output action also want to be able to be imprecise, and describe things that happen “somewhere” or “sometime”. Rarely, though, we want to be very M ::= messages precise about particular execution steps, so that the same flavor of n name names logic of mobility seems applicable to a variety of calculi. In fact, the in M can enter into M notion of mobility as evolution of location trees is shared by several out M can exit out of M capabilities calculi, including Ambients, Join, and Seal, although the mechanism open M can open M and properties of mobility steps differ greatly between them. e null In this paper, we concentrate on the Ambient Calculus for con- paths M.M’ composite creteness, but our main thrust is applicable to any distributed process calculus that includes a hierarchical and dynamic structure of loca- The set of free names of a process P, written fn(P), is defined as usu- tions. al; the only binder is in the input action. We write P{n‹ M} for the Paper Outline substitution of the message M for each free occurrence of the name Spatial modalities have an intensional flavor that distinguishes our n in the process P. Similarly for M{n‹ M’}. The 0 process is often logic from other modal logics for concurrency. Previous work in the omitted in the contexts n[0] and M.0, yielding n[] and M. area concentrates on properties that are invariant up to strong equiv- 2.2 Structural Congruence and Reduction alences such as bisimulation [15,6], while our properties are invari- ant only up to simple spatial rearrangements. Some of our tech- Structural congruence is a relation between processes; it is used niques can be usefully applied to other process calculi, even ones heavily in the logic, as well as in the reduction semantics. Intuitively, that do not have locations, such as CCS. structural congruence equates processes up to simple “rearrange- We start from a computational basis: a process calculus, sum- ment” of parts, without any computational significance. We can marized in Section 2, that acts as a model for the logic. In Section 3 identify five groups of rules in the following table: for equivalence, we introduce logical formulas and a notion of satisfaction. In Section for congruence of spatial operators, for composition, for replication, 4, we derive logical inference rules, including rules for time, space, and for temporal operators and paths. and satisfiability modalities, and novel rules for locations and pro- Structural Congruence cess composition (the rules are summarized in the Appendix). At the end of this section we give a detailed example of logical inference. P (cid:27) P (Struct Refl) In Section 5 we investigate model checking of mobile programs, on P (cid:27) Q (cid:222) Q (cid:27) P (Struct Symm) the basis of the satisfaction relation between processes and formulas. P (cid:27) Q, Q (cid:27) R (cid:222) P (cid:27) R (Struct Trans) Finally, in Section 6, we compare our logic with relevant and linear P (cid:27) Q (cid:222) P | R (cid:27) Q | R (Struct Par) logics. P (cid:27) Q (cid:222) !P (cid:27) !Q (Struct Repl) 2 The Ambient Calculus with Public Names P (cid:27) Q (cid:222) M[P] (cid:27) M[Q] (Struct Amb) In this paper we consider only ambients having public names; that is P | Q (cid:27) Q | P (Struct Par Comm) we do not deal with name restriction and scope extrusion. Handling (P | Q) | R (cid:27) P | (Q | R) (Struct Par Assoc) of private names in a logic is a very interesting topic, but we leave it P | 0 (cid:27) P (Struct Par Zero) for future work. !(P | Q) (cid:27) !P | !Q (Struct Repl Par) 2.1 Ambients !0 (cid:27) 0 (Struct Repl Zero) !P (cid:27) P | !P (Struct Repl Copy) We summarize a modified version of the basic Ambient Calculus of [3]. The changes consist in removing name restriction, and in !P (cid:27) !!P (Struct Repl Repl) 2 P (cid:27) Q (cid:222) M.P (cid:27) M.Q (Struct Action) here and now an empty location called n. The operator n[$] repre- P (cid:27) Q (cid:222) (x).P (cid:27) (x).Q (Struct Input) sents a single step in space, allowing us to talk about the place one e .P (cid:27) P (Struct e ) step down into n. Another operator, (cid:151)$, allows us to talk about an arbitrary number of steps in space; this is akin to the temporal even- (M.M’).P (cid:27) M.M’.P (Struct .) tuality operator, 2$. Spatial configurations are ambient configurations consisting 3.1 Logical Formulas only of spatial operators. For example, a[b[0] | !c[0 | 0] | !0] is a spa- tial configuration. These configurations have a natural interpretation The syntax of logical formulas is summarized below. This is a modal as edge-labeled finite-depth trees, where replication introduces infi- predicate logic with classical negation. As usual, many standard nite branching. The rules for structural congruence are sound and connectives are interdefinable. The meaning of the formulas will be complete for equivalence of these trees. We do not elaborate this fur- given shortly in terms of a satisfaction relation. Informally, the first ther, but it suffices to say that this completeness result motivates the three formulas (true, negation, disjunction) give propositional logic. choice of axioms for structural congruence, and particularly the ax- The next three (void, location, composition) capture spatial config- ioms for replication (which are the same as in Engelfriet’s work on urations, as we discussed. Then we have quantification over names, the p -calculus [9]). the two temporal and spatial modalities, and two further operators that we explain later. Quantified variables range only over names: Reduction these variables may appear in the location and location adjunct con- n[in m. P | Q] | m[R] xyyz m[n[P | Q] | R] (Red In) structs. m[n[out m. P | Q] | R] xyyz n[P | Q] | m[R] (Red Out) Logical Formulas open n. P | n[Q] xyyz P | Q (Red Open) h is a name n or a variable x (n).P | jMk xyyz P{n‹ M} (Red Comm) P xyyz Q (cid:222) n[P] xyyz n[Q] (Red Amb) $, %, & ::= P xyyz Q (cid:222) P | R xyyz Q | R (Red Par) T true P’ (cid:27) P, P xyyz Q, Q (cid:27) Q’ (cid:222) P’ xyyz Q’ (Red (cid:27)) (cid:216) $ negation xyyz* is the reflexive and transitive closure of xyyz $ (cid:218) % disjunction 0 void The reduction relation describes the dynamic behavior of am- h [$] location bients. In particular, the rules (Red In), (Red Out) and (Red Open) $ | % composition represent mobility, while (Red Comm) represents local communica- (cid:210)x.$ universal quantification over names tion (see [3] for an extended discussion). For example, the process: 2$ sometime modality a [p[out a. in b. jmk]] | b[open p. (x). x[]] (cid:151)$ somewhere modality $@h location adjunct represents a packet p that travels out of host a and into host b, where $'% composition adjunct it is opened, and its contents m are read and used to create a new am- bient. The process reduces in four steps (illustrating each of the four The free names of a formula, fn($), are easily defined since there are reduction rules) to the residual process a[] | b[m[]]. The first three no name binders. The free variables of a formula, fv($), are defined states correspond to the tree diagrams in the Introduction. along standard lines: only quantifiers bind variables. A formula $ is a[p[out a. in b. jmk]] | b[open p. (x). x[]] closed if fv($) = (cid:212). xyyz a[] | p[in b. jmk] | b[open p. (x). x[]] (Red Out) xyyz a[] | b[p[jmk] | open p. (x). x[]] (Red In) 3.2 Satisfaction xyyz a[] | b[jmk | (x). x[]] (Red Open) The satisfaction relation P (cid:159) $(cid:3)means that the process P satisfies the xyyz a[] | b[m[]] (Red Comm) closed formula $. This relation is defined inductively in the follow- ing table, where P is the sort of processes, F is the sort of formulas, 2-1 Facts about Structural Congruence J is the sort of variables, and L is the sort of names. We are very ex- (1) P | Q (cid:27)(cid:3)0 iff P (cid:27)(cid:3)0 and Q (cid:27)(cid:3)0. plicit about quantification and sorting of meta-variables because of (2) n[P] #(cid:3)0. subtle scoping issues, particularly in the definition of P (cid:159) (cid:210)x.$. We (3) n[P] (cid:27)(cid:3)Q | R iff either Q (cid:27)(cid:3)n[P] and R (cid:27)(cid:3)0, or Q (cid:27)(cid:3)0 and R (cid:27)(cid:3)n[P]. use the same syntax for logical connectives at the meta-level and ob- (4) m[P] (cid:27) n[Q] iff m = n and P (cid:27) Q. ject-level, but this is unambiguous. (5) m[P] | n[Q] (cid:27)(cid:3)m’[P’] | n’[Q’] iff either m = m’, n = n’, P (cid:27) P’, The meaning of the temporal modality is given by reductions in Q(cid:27)Q’, or m = n’, n = m’, P (cid:27) Q’, Q (cid:27) P’. the operational semantics of the Ambient Calculus. For the spatial modality, we need the following definition: the relation P(cid:139)P’ indi- 1 cates that P contains P’ within exactly one level of nesting; that is, P’ is one step away from P in space, in some downward direction. 3 The Logic P(cid:139)P’ iff (cid:211)n, P”. P (cid:27) n[P’] | P” In a modal logic, the truth of a formula is relative to a state (or world). In our case, the truth of a space-time modal formula is rela- Then, P(cid:139)*P’ is the reflexive and transitive closure of the previous re- tive to the here and now. Each formula talks about the current time, lation, indicating that P contains P’ at some nesting level. Note that that is, the current state of execution, and the current place, that is, P’ consists of either the top level P, or the entire contents of an en- the current location. For example, the formula n[0] is read: there is closed ambient. 3 Satisfaction $ (cid:181) % $ (cid:216) (% ' (cid:216) $) fusion (cid:210)P:P . P (cid:159) T $ |(cid:222) % $ (cid:216) ($ | (cid:216) %) fusion adjunct (cid:210)P:P , $:F . P (cid:159) (cid:216) $ $ (cid:216) P (cid:159) $ Syntactic conventions: ‘'’, ‘2’, ‘4’, ‘(cid:151)’, and ‘(cid:152)’ bind more strong- (cid:210)P:P , $,%:F . P (cid:159) $(cid:218) % $ P (cid:159) $ (cid:218) P (cid:159) % ly than ‘|’; and they all bind more strongly than the standard logical (cid:210)P:P . P (cid:159) 0 $ P (cid:27) 0 connectives, which have standard precedences. Quantifiers extend (cid:210)P:P , n:L , $:F . P (cid:159) n[$] $ (cid:211)P’:P . P (cid:27) n[P’] (cid:217) P’ (cid:159) $ to the right as far as possible. (cid:210)P:P , $,%:F . P (cid:159) $ | % $ (cid:211)P’,P”:P . P (cid:27) P’|P” Decomposition is the DeMorgan dual of composition. A de- (cid:217) P’ (cid:159) $ (cid:217) P” (cid:159) % composition formula $ || % is satisfied if for every parallel decom- (cid:210)P:P , x:J , $:F . P (cid:159) (cid:210)x.$ $ (cid:210)m:L . P (cid:159) ${x‹ m} position of the process in question, either one component satisfies $ (cid:210)P:P , $:F . P (cid:159) 2$ $ (cid:211)P’:P . Pxyz*P’ (cid:217) P’ (cid:159) $ or the other satisfies %. Then, $(cid:210) means that in every decomposition (cid:210)P:P , $:F . P (cid:159) (cid:151)$ $ (cid:211)P’:P . P(cid:139)*P’ (cid:217) P’ (cid:159) $ either one component satisfies $ or the other satisfies F; since the (cid:210)P:P , $:F . P (cid:159) $@n $ n[P] (cid:159) $ latter is impossible, in every possible decomposition one component (cid:210)P:P , $,%:F . P (cid:159) $'% $ (cid:210)P’:P . P’ (cid:159) $ (cid:222) P|P’ (cid:159) % must satisfy $. For example: (n[T](cid:222) n[m[T]])(cid:210) means that every ambient n that can be found here contains a single subambient m. The DeMorgan dual of $(cid:210) is $(cid:211), which means that it is possible to We spell out some of these definitions. A process P satisfies the find a decomposition where one component satisfies $. For exam- formula n[$] if there exists a process P’ such that P has the shape ple, n[m[T](cid:211)](cid:211) means that there is at least one ambient n here that n[P’] with P’ satisfying $. A process P satisfies the formula $“ | $¤ contains at least one subambient m. if there exist processes P’ and P” such that P has the shape P’ | P” Other operators are derived as DeMorgan duals: existential with P’ satisfying $“ and P” satisfying $¤. A process P satisfies the quantification, and everytime and everywhere modalities. Examples formula 2$ if $ holds in the future for some residual P’ of P, where for these modalities are: 4n[T] (there is always a location called n “residual” is defined by Pxyz*P’. A process P satisfies the formula here), and (cid:152)(cid:216) (n[T](cid:211)) (there is now no location called n anywhere). (cid:151)$ if $ holds at some sublocation P’ within P, where “sublocation” Fusion, $ (cid:181) %, is an operator that arises in relevant logic (when is defined by P(cid:139)*P’. ' is seen as relevant implication). In our context, $ (cid:181) % means that The last two connectives, @ and ', can be used to express as- there is a context satisfying %(cid:3)that helps ensuring $. The adjunct of sumption/guarantee specifications [1]; they were inspired by the fusion, $ |(cid:222) %, turns out to be very natural in specifications: it wish to express security properties. A reading of P (cid:159) $@n is that P means that in every decomposition, if one part satisfies $, then the (together with its context) manages to satisfy $ even when placed other part must satisfy %. into a location called n. A reading of P (cid:159) $'% is that P (together The following is a fundamental property of the satisfaction re- with its context) manages to satisfy % under any possible attack by lation; it states that satisfaction is invariant under structural congru- an opponent that is bound to satisfy $. Moreover, P (cid:159) (4$)'(4$) ence of processes. In other words, logical formulas can only express can be interpreted as saying that P preserves the invariant $. We will properties that are invariant up to structural congruence. The proof see that these two connectives arise as natural adjuncts to the loca- is a simple induction on the structure of $. tion and composition connectives, respectively. The definition of satisfaction is based heavily on the structural 3-1 Proposition (Satisfaction is up to (cid:27)) congruence relation. This use of structural congruence may appear (P (cid:159) $(cid:3)(cid:217) P (cid:27) P’) (cid:222) P’ (cid:159) $ arbitrary: other equivalence relations could be used in its place. We 1 have tried to motivate the choice of structural congruence by dis- We end this section with an example of a proof that a certain cussing in Section 2.2 how structural congruence precisely captures process satisfies a certain formula. A proof of even a very simple the intuition of ambients as spatial configurations. Moreover, struc- negative formula requires techniques for analyzing the derivation of tural congruence is easily decidable, which is useful in model- structural congruences. For example, consider proving the following checking applications (see Section 5). assertion, where m „ n: The following table lists some derived connectives, illustrating m[] | n[] (cid:159) (cid:216) (cid:211)x. x[T] | x[T] some properties that can be expressed in the logic. The informal meanings can be understood better by expanding out the definitions For a contradiction, suppose that m[] | n[] (cid:159) (cid:211)x. x[T] | x[T]. By from the table above. Some discussion follows. definition, this means there is a P such that m[] | n[] (cid:27) P and there is Derived Connectives a q with P (cid:159) q[T] | q[T]. This implies that there are processes P’ and P” such that m[] | n[] (cid:27)(cid:3)P’ | P” with P’ (cid:159) q[T] and P” (cid:159) q[T]. In F $ (cid:216) T false turn, P’ (cid:159) q[T] implies there is Q’ such that P’ (cid:27)(cid:3)q[Q’]. Similarly, $ (cid:217) % $ (cid:216) ((cid:216) $ (cid:218) (cid:216) %) conjunction P” (cid:159) q[T] implies there is Q” such that P” (cid:27)(cid:3)q[Q”]. In summary: $ (cid:222) % $ (cid:216) $ (cid:218) % implication $ (cid:219) % $ ($ (cid:222) %) (cid:217) (% (cid:222) $) logical equivalence m[] | n[] (cid:27)(cid:3)q[Q’] | q[Q”] $ || % $ (cid:216) ((cid:216) $ | (cid:216) %) decomposition According to the Fact 2-1(5), there are two ways in which this equa- $(cid:210) $ $ || F every component satisfies $ tion can have been derived. In either case, it follows that m = q and $(cid:211) $ $ | T some component satisfies $ n = q, and therefore m = n. This yields the desired contradiction, as (cid:211)x.$ $ (cid:216) (cid:210)x.(cid:216) $ existential quantification we are assuming that m „ n. 4 $ $ (cid:216) 2(cid:216) $ everytime modality (cid:152)$ $ (cid:216) (cid:151)(cid:216) $ everywhere modality 4 4 Validity fore, there may be formulations of our logic which identify a set of structural rules, perhaps along the lines of [18]. At the current stage In this section, we study valid formulas, valid sequents, and valid in the development of our logic, however, it is unclear how to pro- logical inference rules. All these are based on the satisfaction rela- ceed in that direction. tion given in the previous section. Once the definition of satisfaction is fixed, we are basically committed to whatever logic comes out of 4.2 Rules of the Logic it. Therefore, it is important to stress that the satisfaction relation ap- pears very natural to us. In particular, the definitions of 0, n[$], and In the sequel, we organize our results into tables of Rules, which are $ | % seem inevitable, once we accept that formulas should be able validated in the model, and into tables of Corollaries, which are de- rived purely logically from the inference rules. to talk about the tree structure of locations, and that they should not distinguish processes that are surely indistinguishable (up to (cid:27)). The 4.2.1 Propositions connectives $@n and $'%(cid:3)have natural security motivations. The modalities 2$(cid:3)and (cid:151)$(cid:3)talk about process evolution and structure in The following is a non-standard presentation of the propositional se- an undetermined way, which is good for mobility specifications. The quent calculus [14], based on our single-assumption single-conclu- rest is classical predicate logic, with the ability to quantify over lo- sion sequents. In this presentation, the rules of propositional logic cation names. become very symmetrical, and many proofs become more regular, Through the satisfaction relation, our logic is based on solid having to consider only single formulas instead of sequences of for- computational intuitions. We should now approach the task of dis- mulas. covering the rules of the logic without preconceptions. As we shall Propositional Rules see, what we get has familiar as well as novel aspects. (A-L) $(cid:217) (&(cid:217) ’)(cid:3)L} % (cid:253)(cid:237) ($(cid:217) &)(cid:217) ’(cid:3)L} % 4.1 The Meaning of Rules (A-R) $(cid:3)L} (&(cid:218) ’)(cid:218) % (cid:253)(cid:237) $(cid:3)L} &(cid:218) (’(cid:218) %) (X-L) $(cid:217) &(cid:3)L} % (cid:253) &(cid:217) $(cid:3)L} % A closed formula is valid if it is satisfied by every process. (For the (X-R) $(cid:3)L} &(cid:218) % (cid:253) $(cid:3)L} %(cid:218) & moment, we consider only validity for closed formulas, i.e., propo- sitional validity.) We use validity for interpreting logical inference (C-L) $(cid:217) $(cid:3)L} % (cid:253) $(cid:3)L} % rules, as described in the next definition. We use a linearized nota- (C-R) $(cid:3)L} %(cid:218) % (cid:253) $(cid:3)L} % tion for inference rules, where the usual horizontal bar separating an- (W-L) $(cid:3)L} % (cid:253) $(cid:217) &(cid:3)L} % tecedents from consequents is written ‘(cid:253) ’ in-line, and ‘;’ is used to (W-R) $(cid:3)L} % (cid:253) $(cid:3)L} &(cid:218) % separate antecedents. (Id) (cid:253) $(cid:3)L} $ Validity, Sequents, and Rules (Cut) $(cid:3)L} &(cid:218) %; $“(cid:217) &(cid:3)L} %“ (cid:253) $(cid:217) $“(cid:3)L} %(cid:218) %“ vld($) $ (cid:210)P:P . P (cid:159) $ Validity for (closed) $ (T) $(cid:217) T(cid:3)L} % (cid:253) $ L} % (F) $(cid:3)L} F(cid:218) % (cid:253) $ L} % $(cid:3)L} % $ vld($ (cid:222) %) Sequent ((cid:216) -L) $(cid:3)L} &(cid:218) % (cid:253) $(cid:217)(cid:216) &(cid:3)L} % $(cid:3)xML} % $ $(cid:3)L} % (cid:217) %(cid:3)L} $ Double Sequent ((cid:216) -R) $(cid:217) &(cid:3)L} % (cid:253) $(cid:3)L} (cid:216) &(cid:218) % $ (cid:3)L} % ; ...; $ (cid:3)L} % (cid:3)(cid:253) $ (cid:3)L} % $ Inference Rule (n‡ 0) 1 1 n n 0 0 The standard deduction rules of propositional logic, both for the se- $1(cid:3)L} %1 (cid:217)... (cid:217) $n(cid:3)L} %n (cid:222) $0(cid:3)L} %0 quent calculus and for natural deduction (interpreting “,” as (cid:217) on the $ (cid:3)L} % ; ...; $ (cid:3)L} % (cid:3)(cid:253) $(cid:3)xML} % $ Double Conclusion left and (cid:218) on the right), are derivable from the rules in the table. 1 1 n n $1(cid:3)L} %1 (cid:217)... (cid:217) $n(cid:3)L} %n (cid:222) $0(cid:3)xML} %0 4.2.2 Composition $ (cid:3)L} % (cid:253)(cid:237) $ (cid:3)L} % $ Double Rule The logical rules of composition apply not only to our calculus but 1 1 2 2 $ (cid:3)L} % (cid:253) $ (cid:3)L} % (cid:217) $ (cid:3)L} % (cid:253) $ (cid:3)L} % also to any calculus that includes a standard process composition op- 1 1 2 2 2 2 1 1 erator, for example, CCS. We adopt a non-standard formulation of sequents, where each Composition Rules sequent has exactly one assumption and one conclusion: $(cid:3)L} %. Our ( | 0) (cid:253) $ | 0 xML} $ intention in doing so is to avoid pre-judging the interpretation of the structural operator “,” in standard sequents. In our logic, by taking (cid:217) ( | (cid:216) 0) (cid:253) $ | (cid:216) 0 L} (cid:216) 0 on the left and (cid:218) on the right of(cid:3)L} as structural operators (i.e., as “,”), (A | ) (cid:253) $ | (% | &) xML} ($ | %) | & all the standard rules of sequent and natural deduction systems with (X | ) (cid:253) $ | % L} % | $ multiple premises/conclusions can be derived. Instead, by taking | on ( | L}) $“(cid:3)L} %“; $¤(cid:3)L} %¤ (cid:253) $“ | $¤ L} %“ | %¤ the left of(cid:3)L} as a structural operator, all the rules of intuitionistic lin- ( | (cid:218) ) (cid:253) ($(cid:218) %) | & L} $ | &(cid:3) (cid:218) % | & ear logic can be derived. Finally, by taking nestings of (cid:217) and | on the ( | || ) (cid:253) $“ | $¤ L} ($“ | %¤)(cid:3) (cid:218) (%“ | $¤)(cid:3)(cid:218) ((cid:216) %“ | (cid:216) %¤) left of L} as structural “bunches”, we obtain a bunched logic [18]. We ( | ') $ | &(cid:3)L} % (cid:253)(cid:237) $(cid:3)L} &'% discuss this further in Section 6. Noticeably, we abandon Gentzen’s distinction between struc- The first two rules assert that 0 is part of any process, and that tural rules and other logical rules, which has been a staple of formal if a part is non-0 so is the whole. The next three rules give associa- logic since [11]. We do not see this as a fundamental or irrevocable tivity, commutativity, and congruence of composition. step. Not all logics fit easily into Gentzen’s initial approach, and The converse of the |-(cid:218) distribution rule ( | (cid:218) ), namely $ | &(cid:3)(cid:218) many alternative sequent structures have been studied [7]. There- % | & L} ($(cid:218) %) | &, is derivable. So is a |-(cid:217) distribution rule, ($(cid:217) %) 5 | & L} $ | &(cid:3) (cid:217) % | &. However, the converse of that, namely $ | &(cid:3) (cid:217) % ity of locations with respect to (cid:217) and (cid:218) . The rule (n[] @) states that | & L} ($(cid:217) %) | &, is not sound. (Take $ = n[m[T]], % = n[p[T]], & = $@n and n[$] are adjuncts, and the rule ((cid:216) @) states that the loca- n[T], and P = n[m[]] | n[p[]]; then P (cid:159) $ | & and P (cid:159) % | &, but (cid:216) P tion adjunct @ is self-dual. (cid:159) ($(cid:217) %) | &.) As a consequence, one cannot always “push | inside Note that (n[](cid:3)L}) holds in both directions, and that the inverse (cid:217) ” on the left-hand side of a sequent. In particular, after an applica- directions of (n[] (cid:217) ) and (n[] (cid:218) ) are derivable; hence, the location tion of ( | L}) one cannot in general renormalize a sequent to bring (cid:217) fragment of the logic is particularly simple to handle. (or “,”) to the top level. Some Location Corollaries The decomposition axiom, (|||), can be used to analyze a com- position $“ | $¤ with respect to arbitrarily chosen %“(cid:3)and %¤. An easy (n[] F) (cid:253) n[F](cid:3)L} F consequence of it is (cid:216) ($ | %) L} ($ | T) (cid:222) (T | (cid:216) %), which means (n[] (cid:217) ) (cid:253) n[$(cid:217) %](cid:3)L} n[$](cid:217) n[%] that if a process cannot be decomposed into parts that satisfy $ and (n[] (cid:218) ) (cid:253) n[$](cid:218) n[%] L} n[$(cid:218) %] %, but can be decomposed in such a way that a part satisfies $, then (@ L}) $(cid:3)L} % (cid:253) $@n(cid:3)L} %@n it can also be decomposed in such a way that a part does not satisfy (n[$@n]) (cid:253) n[$@n](cid:3)L} $ %. An even simpler consequence is that (cid:216) (T | %) L} T | (cid:216) %, which (n[$]@n) (cid:253) $(cid:3)xML} n[$]@n is one of the few cases in which one can push (cid:216) across |. (n[(cid:216) $]) (cid:253) n[(cid:216) $](cid:3)L} (cid:216) n[$] The rule ( | ') states that $ | %(cid:3)and $'% are logical adjuncts1. ((cid:216) n[$]) (cid:253) (cid:216) n[$](cid:3)xML} n[T] (cid:222) n[(cid:216) $] This has a large number of interesting consequences, most of them deriving from the adjunction along standard lines. 4.2.4 Time and Space Modalities Some Composition Corollaries The “somewhere” modality was our starting point in developing our ('(cid:3)L}) $“(cid:3)L} $; %(cid:3)L} %“ (cid:253) $'%(cid:3)L} $“'%“ logic. We can now investigate its properties. ('(cid:3)| ) (cid:253) ($'%) | $ L} % Time and Space Modality Rules ('') (cid:253) ($'%) | (%'&) L} $'& ('-L) ’ L} $; % L} & (cid:253) ’ | ($'%) L} & (2) (cid:253) 2$ xML} (cid:216) 4(cid:216) $ ((cid:151)) (cid:253) (cid:151)$ xML} (cid:216) (cid:152)(cid:216) $ ( | T) (cid:253) $L} $ | T (4 K) (cid:253) 4($(cid:222) %) L} 4$(cid:222) 4% ((cid:152) K) (cid:253) (cid:152)($(cid:222) %) L} (cid:152)$(cid:222) (cid:152)% ( | F) (cid:253) $ | FL} F (4 T) (cid:253) 4$ L} $ ((cid:152) T) (cid:253) (cid:152)$ L} $ ( | (cid:217) ) (cid:253) ($(cid:217) %) | & L} $ | &(cid:3)(cid:217) % | & (4 4) (cid:253) 4$ L} 44$ ((cid:152) 4) (cid:253) (cid:152)$ L} (cid:152)(cid:152)$ ( | (cid:218) ) (cid:253) $ | &(cid:3)(cid:218) % | & L} ($(cid:218) %) | & (4 T) (cid:253) T L} 4T ((cid:152) T) (cid:253) T L} (cid:152)T (T ') (cid:253) T'$ L} $ (4 L}) $(cid:3)L} % (cid:253) 4$(cid:3)L} 4% ((cid:152) L}) $(cid:3)L} % (cid:253) (cid:152)$(cid:3)L} (cid:152)% (F ') (cid:253) T L} F'$ (2n[])(cid:253) n[2$](cid:3)L} 2n[$] ((cid:151)n[])(cid:253) n[(cid:151)$](cid:3)L} (cid:151)$ ('(cid:218)(cid:217) ) (cid:253) $'% L} ($(cid:217) &)'%. (cid:253) $'(%(cid:217) &) xML} $ '%(cid:3)(cid:217) $ '& (2 | ) (cid:253) 2$ | 2%(cid:3)L} 2($ | %) ((cid:151) | ) (cid:253) (cid:151)$ | %(cid:3)L} (cid:151)($ | T) (cid:253) $'(&(cid:217) %) L} $'%. (cid:253) ($(cid:218) &)'% xML} $ '%(cid:3) (cid:217) & '% (cid:253) $'% L} $'(&(cid:218) %). (cid:253) $ '%(cid:3) (cid:218) $ '& L} $'(%(cid:218) &) ((cid:151)2) (cid:253) (cid:151)2$ L} 2(cid:151)$ (cid:253) ($(cid:218) &)'% L} $'%. (cid:253) $ '%(cid:3) (cid:218) & '% L} ($(cid:217) &)'% The operators 2 and (cid:151) obey the rules of S4 modalities (the first 6 rules in each column); these follow simply from reflexivity and It is worth pointing out that some composition rules produce in- transitivity of xyyz* and (cid:139)*. These operators, however, are not S5 mo- teresting interactions between the (cid:217) and | fragments of the logic. For dalities, that is, 2$ L} 42$ is not valid (if $ may happen along some example, ($ | %) (cid:217) 0L} $(cid:3)is derivable using ( | || ) and ( | (cid:216) 0). reduction branch, it will not necessarily happen starting from every 4.2.3 Locations reduction point), and neither is (cid:151)$ L} (cid:152)(cid:151)$ (if $ holds in some sub- location, it does not necessarily hold in some sublocation of every The location rules are specific to calculi with tree-structured loca- sublocation). tions, such as the Ambient Calculus. The modalities differ prominently in the way they distribute Location Rules over compositions and locations, as seen in the subsequent 4 rules. (n[](cid:3)(cid:216) 0) (cid:253) n[$](cid:3)L} (cid:216) 0 The last rule shows that the two modalities permute in one di- rection: somewhere sometime implies sometime somewhere. But (n[](cid:3)(cid:216) | ) (cid:253) n[$](cid:3)L} (cid:216) ((cid:216) 0 | (cid:216) 0) the other direction is not sound. (Consider P = (open n. m[p[]]) | n[]. (n[](cid:3)L}) $(cid:3)L} % (cid:253)(cid:237) n[$](cid:3)L} n[%] Then P (cid:159)(cid:3)2(cid:151)p[0], but P ¡(cid:3)(cid:151)2p[0]). (n[] (cid:217) ) (cid:253) n[$](cid:217) n[%](cid:3)L} n[$(cid:217) %] Some Modality Corollaries (n[] (cid:218) ) (cid:253) n[$(cid:218) %] L} n[$](cid:218) n[%] (n[] @) n[$](cid:3)L} % (cid:253)(cid:237) $(cid:3)L} %@n (2 L}) $(cid:3)L} % (cid:253) 2$(cid:3)L} 2% ((cid:151) L}) $(cid:3)L} % (cid:253) (cid:151)$(cid:3)L} (cid:151)% ((cid:216) @) (cid:253) $@n(cid:3)xML} (cid:216) (((cid:216) $)@n) (4 (cid:217) ) (cid:253) 4($(cid:217) %)(cid:3)xML} 4$(cid:217) 4% ((cid:152) (cid:217) ) (cid:253) (cid:152)($(cid:217) %)(cid:3)xML} (cid:152)$(cid:217) (cid:152)% (2 T) (cid:253) $ L} 2$ ((cid:151) T) (cid:253) $ L} (cid:151)$ The first two rules assert that locations are non-void and are not (4 2) (cid:253) 4$ L} 2$ ((cid:152) (cid:151))(cid:253) (cid:152)$ L} (cid:151)$ decomposable. The next three rules give congruence and distributiv- (2 K) (cid:253) 2$(cid:222) 2% L} 2($(cid:222) %) ((cid:151) K) (cid:253) (cid:151)$(cid:222) (cid:151)% L} (cid:151)($(cid:222) %) (2 4) (cid:253) 22$ L} 2$ ((cid:151) 4) (cid:253) (cid:151)(cid:151)$ L} (cid:151)$ 1. We say that two binary operators -,. are logical adjuncts if $-& (2 (cid:218) ) (cid:253) 2($(cid:218) %)(cid:3)xML} 2$(cid:218) 2% ((cid:151) (cid:218) ) (cid:253) (cid:151)($(cid:218) %)(cid:3)xML} (cid:151)$(cid:218) (cid:151)% L} % (cid:237)(cid:253) $(cid:3)L} &.%. The main adjunction of logic is given by the (2 F) (cid:253) 2F(cid:3)L} F ((cid:151) F) (cid:253) (cid:151)F(cid:3)L} F pair (cid:217) ,(cid:222) . Moreover, we say that two unary operators -,. are log- ical adjuncts if -$(cid:3)L} % (cid:237)(cid:253) $(cid:3)L} .%. 6 (4(cid:152)) (cid:253) 4(cid:152)$ L} (cid:152)4$ As an example, (cid:151)(cid:210)x.(cid:216) (x[T](cid:211)) is the formula for “somewhere there (4 n[])(cid:253) 4n[$](cid:3)L} n[4$] are no ambients”. Since there are no infinite spatial paths P1 (cid:139) P2 (cid:139) (4(cid:17)(cid:17)(cid:17)(cid:17)(cid:17)(cid:17) (cid:3)@) (cid:253) (4$)@n L} $@n P3 (cid:139) ..., we can show in the model that this formula is valid. On the (2(cid:17)(cid:17)(cid:17)(cid:17)(cid:17)(cid:17) (cid:3)@)(cid:253) $@n L} (2$)@n. (cid:253) 2($@n) xML} (2$)@n other hand, its temporal dual, “sometime there are no ambients”, 2(cid:210)x.(cid:216) (x[T](cid:211)), is invalid; for instance, it is not satisfied by n[]. ((cid:17)(cid:17)(cid:17)(cid:17)(cid:17)(cid:17)4(cid:3)') (cid:253) $'% L} (4$)'% The following lemma yields a substitution principle for predi- (2(cid:17)(cid:17)(cid:17)(cid:17)(cid:17)(cid:17) (cid:3)') (cid:253) (2$)'% L} $'%. (cid:253) 2($'%) L} (2$)'(2%) cate validity, allowing us to replace logically equivalent formulas in larger contexts. Let %{- } be a formula with a set of formula holes, 4.2.5 Satisfiability indicated by - , and let %{$} denote the capture-avoiding substitu- Validity and satisfiability can be reflected into the logic by means of tion of $ for the holes in %{- }. the $F(cid:3)operator (here we use $(cid:216) for (cid:216) $): 4-1 Lemma (Substitution) $F $ $'F $ is unsatisfiable vld($“ (cid:219) $¤) (cid:222) vld(%{$“} (cid:219) %{$¤}) Vld $ $ $(cid:216) F $ is valid 1 Sat $ $ $F(cid:216) $ is satisfiable 4-2 Corollary (Substitution Principle) P (cid:159) $F iff (cid:210)P’:P . (cid:216) P’ (cid:159) $ $“(cid:3)xML} $¤ (cid:222) %{$“}(cid:3)xML} %{$¤} P (cid:159) Vld $ iff (cid:210)P’:P . P’ (cid:159) $ 1 P (cid:159) Sat $ iff (cid:211)P’:P . P’ (cid:159) $ 4.2.7 Name Equality From the definitions of '(cid:3)and F, we obtain that P (cid:159) $F (cid:219) ((cid:210)P’:P . It is possible to encode name equality within the logic in terms of lo- P’ (cid:159) $ (cid:222) P|P’ (cid:159) F) (cid:219) ((cid:210)P’:P . (cid:216) P’ (cid:159) $). I.e., P (cid:159) $F iff $(cid:3)is un- cation adjuncts, by taking: satisfiable, independently of P. One of the main properties of $F is that $ | $F L} F, by ('(cid:3)| ). h (cid:3)= m $ h [T]@m That is, $(cid:3)cannot be both satisfiable and unsatisfiable. In addition we We obtain, for all j —fv(h )¨ fv(m )fiL and all P:P : obtain, from the model, the following rules, from which it is possible to show within the logic that Vld and Sat obey the rules of S5 modal P (cid:159) (h =m )j (cid:219) j (h ) = j (m ) operators: As an example, the following formula means “any two ambi- Satisfiability Rules ents here have different names”, which can be read as a no-spoofing ('F (cid:216) ) (cid:253) $F L} $(cid:216) if $ is unsatisfiable then $(cid:3)is false security property: ( (cid:216) 'F) (cid:253) $F(cid:216) L} $FF if $ is satisfiable then $F(cid:3)is not (cid:210)x. (cid:210)y. x[T] | y[T] | T (cid:222) (cid:216) x = y Some Satisfiability Corollaries 4.2.8 Lifting Propositional Validity ( | 'F) (cid:253) $ | $F L} F Using equality, we can extend propositional validity to predicate va- ('F(cid:3)L}) %(cid:3)L} $ (cid:253) $F(cid:3)L} %F lidity in the sense of the proposition proved at the end of this section, ('F(cid:3)') (cid:253) %'$ L} $F'%F Proposition 4-9. This way, we can systematically extend to predicate (F 'F) (cid:253) T xML} FF logic the rules we have derived so far for propositional logic. To prove this proposition, we need renaming lemmas for satis- (T 'F) (cid:253) F xML} TF faction, Lemma 4-6, and for validity, Lemmas 4-7 and 4-8. First, we ( (cid:216) 'F) (cid:253) $(cid:216) F L} $(cid:216)(cid:216) . (cid:253) $FF L} $F(cid:216) state three auxiliary lemmas. (cid:253) $(cid:216) F L} $FF. (cid:253) $(cid:216)(cid:216) L} $F(cid:216) 4-3 Lemma (Fresh renaming preserves (cid:27)) Consider any process P and names m, m’, with m’(cid:209) fn(P). For all 4.2.6 Predicates P’, if P (cid:27) P’ then m’(cid:209)fn(P’) and P{m‹ m’} (cid:27) P’{m‹ m’}. More- So far we have considered only propositional validity; when consid- over, for all Q, if P{m‹ m’} (cid:27) Q then there is a P’ with P (cid:27) P’, ering quantifiers, we need to extend our notion of validity. If m’(cid:209)fn(P’) and Q = P’{m‹ m’}. fv($)={x1, ..., xk} are the free variables of $ and j —fv($)Lfi is a 1 sxuj‹bstit(uxti)o}n, aonfd v awreia dbelefisn feo:r names, we write $j (cid:3)for ${x1j‹ (x1), ..., 4-4 Lemma (Fresh renaming preserves xyz) k k Consider any process P and names m, m’, with m’(cid:209)fn(P). For all vld($) $ (cid:210)j —fv($)Lfi . (cid:210)P:P . P (cid:159) $j P’, if PxyzP’ then m’(cid:209)fn(P’) and P{m‹ m’}xyzP’{m‹ m’}. More- over, for all Q, if P{m‹ m’}xyzQ then there is a P’ with PxyzP’, This definition of predicate validity generalizes the previous defini- tion of vld, which was restricted to the case of fv($) = (cid:212). It similarly m’(cid:209)fn(P’) and Q = P’{m‹ m’}. 1 generalizes the definitions of sequents and rules. We can now introduce quantifiers and their rules: 4-5 Lemma (Fresh renaming preserves (cid:139)) Quantifier Rules Consider any process P and names m, m’, with m’(cid:209)fn(P). For all ((cid:210)-L) ${xh‹ }(cid:3)L} % (cid:253) (cid:210)x.$(cid:3)L} % (h a name or a variable) P’, if P(cid:139)P’ then m’(cid:209)fn(P’) and P{m‹ m’}(cid:139)P’{m‹ m’}. More- over, for all Q, if P{m‹ m’}(cid:139)Q then there is a P’ with P(cid:139)P’, ((cid:210)-R) $(cid:3)L} % (cid:253) $(cid:3)L} (cid:210)x.% where x (cid:209)(cid:3)fv($) m’(cid:209)fn(P’) and Q = P’{m‹ m’}. 1 7 4-6 Lemma (Fresh renaming preserves (cid:159)) ((cid:220) ) Assume P{m‹ m’} (cid:159) ((cid:210)x.$){m‹ m’}. Pick any name n. We For all closed formulas $, processes P, and names m, m’, if m’(cid:209) are to show that P (cid:159) ${x‹ n}. We split the proof into three cases. fn(P)¨ fn($) then P (cid:159) $ (cid:219) P{m‹ m’} (cid:159) ${m‹ m’}. First, suppose n=m’. Pick a fresh name m” such that m”(cid:209)fn(P)¨ Proof fn($)¨ {m,m’}. By assumption, we have P{m‹ m’} (cid:159) ${m‹ m’} The proof is by induction on the number of symbols in the closed {x‹ m”}. We can calculate ${m‹ m’}{x‹ m”} = ${x‹ m”} formula $. Note that the number of symbols in a formula is un- {m‹ m’} since m„ m”. Then, since m’(cid:209)fn(P)¨ fn(${x‹ m”}), the changed by substituting a name for a variable or another name. Con- induction hypothesis implies P (cid:159) ${x‹ m”}. Again, since m’(cid:209)fn(P) sider an arbitrary process P, and any names m and m’. If m=m’ the and m’(cid:209)fn(${x‹ m”}), the induction hypothesis implies P{m” lemma holds trivially, so we may assume that m„ m’. We show only ‹ m’} (cid:159) ${x‹ m”}{m”‹ m’}. But because of the freshness of m”, the case for parallel composition and the case for universal quantifi- this is P (cid:159) ${x‹ m’}. Therefore, since n=m’, we have shown P (cid:159) cation. ${x‹ n}. Second, take n„ m’ but n=m. By assumption, P{m‹ m’} (cid:159) Case for |: We prove each half of the following separately, where m’(cid:209)fn(P)¨ fn($ | %). ${m‹ m’}{x‹ m’}. From m„ m’, we get ${m‹ m’}{x‹ m’} = ${x‹ m’}{m‹ m’}. Moreover, we also get m(cid:209)fn(P{m‹ m’}) and P (cid:159) $ | % (cid:219) P{m‹ m’} (cid:159) ($ | %){m‹ m’}. m(cid:209)fn(${x‹ m’}{m‹ m’}. Hence, the induction hypothesis implies ((cid:222) ) Assume P (cid:159) $ | %. We are to show that there are Q’, Q” such P{m‹ m’}{m’‹ m} (cid:159) ${x‹ m’}{m‹ m’}{m’‹ m}. Since m’(cid:209) that P{m‹ m’} (cid:27) Q’ | Q”, Q’ (cid:159) ${m‹ m’}, and Q” (cid:159) %{m‹ m’}. fn(P)¨ fn($), we can calculate P{m‹ m’}{m’‹ m} = P and By assumption, there are P’, P” such that P (cid:27) P’ | P”, P’ (cid:159) $, and ${x‹ m’} {m‹ m’}{m’‹ m} = ${x‹ m}. Therefore, we have P” (cid:159) %. Let Q’ = P’{m‹ m’} and Q” = P”{m‹ m’}. By Lemma 4- shown P (cid:159)(cid:3)${x‹ n}. 3, P (cid:27) P’ | P” and m’(cid:209)fn(P) imply that m’(cid:209)fn(P’)¨ fn(P”) and Third, suppose n„ m’ and n„ m. By assumption, P{m‹ m’} (cid:159) P{m‹ m’} (cid:27) Q’ | Q”. By induction hypothesis, m’(cid:209)fn(P’)¨ fn($) ${m‹ m’}{x‹ n}. Since n„ m we have ${m‹ m’}{x‹ n} = and P’ (cid:159) $ imply that Q’ (cid:159) ${m‹ m’}, and also m’(cid:209)fn(P”)¨ fn(%) ${x‹ n}{m‹ m’}. Since n„ m’, m’(cid:209)fn(P)¨ fn(${x‹ n}). Hence, the and P” (cid:159) % imply that Q” (cid:159) %{m‹ m’}. induction hypothesis implies P (cid:159) ${x‹ n}. ((cid:220) ) Assume P{m‹ m’} (cid:159) ($ | %){m‹ m’}. We are to show that 1 there are P’, P” such that P (cid:27) P’ | P”, P’ (cid:159) $, and P” (cid:159) %. By as- sumption, there are Q’, Q” such that P{m‹ m’} (cid:27) Q’ | Q”, Q’ (cid:159) 4-7 Lemma (Fresh renaming preserves validity) ${m‹ m’}, and Q” (cid:159) %{m‹ m’}. By Lemma 4-3, P{m‹ m’} (cid:27) Q’| If $(cid:3)is closed and valid and m’(cid:209)fn($) then ${m‹ m’} is closed Q” and m’(cid:209)fn(P) imply there is R with P (cid:27) R, m’(cid:209)fn(R) and Q’|Q” and valid. = R{m‹ m’}, and hence that there are P’, P” such that R = P’ | P”, Proof m’(cid:209)fn(P’), m’(cid:209)fn(P”), Q’ = P’{m‹ m’}, and Q” = P”{m‹ m’}. By We can assume that m’„ m. Take any P and two distinct names n,n’(cid:209) induction hypothesis, m’(cid:209)fn(P’)¨ fn($) and Q’ (cid:159) ${m‹ m’} imply fn(P)¨ fn($)¨ {m,m’}. Since $ is valid we have, in particular, that that P’ (cid:159) $, and also m’(cid:209)fn(P”)¨ fn(%) and Q” (cid:159) %{m‹ m’} imply P{m‹ n}{m’‹ m} (cid:159) $. By Lemma 4-6, since m’(cid:209)fn(P{m‹ n} that P” (cid:159) %. {m’‹ m})¨ fn($), we obtain P{m‹ n}{m’‹ m}{m‹ m’} (cid:159) ${m‹ Case for (cid:210): We prove each direction of the following separately, m’}. This is the same as P{m‹ n} (cid:159) ${m‹ m’}. Again by Lemma where m’(cid:209)fn(P)¨ fn((cid:210)x.$). 4-6, since m(cid:209)fn(P{m‹ n})¨ fn(${m‹ m’}), we obtain P{m‹ n} P (cid:159) (cid:210)x.$ (cid:219) P{m‹ m’} (cid:159) ((cid:210)x.$){m‹ m’}. {n‹ m} (cid:159) ${m‹ m’}{n‹ m}. This is the same as P (cid:159) ${m‹ m’}. ((cid:222) ) Assume P (cid:159) (cid:210)x.$. Pick any name n. We are to show that Hence ${m‹ m’} is valid. Since $ is closed, so is ${m‹ m’}. P{m‹ m’} (cid:159) ${m‹ m’}{x‹ n}. We split the proof into three cases. 1 First, suppose that m=n. Pick a fresh name m” such that m”(cid:209) fn(P)¨ 4-8 Lemma (Injective complete renaming preserves validity) fn($)¨ {m,m’}. By assumption, P (cid:159) ${x‹ m”}. Since m’(cid:209)fn(P)¨ If $ is closed and valid and r —fn($)Lfi is an injective renaming, fn(${x‹ m”}), the induction hypothesis implies that P{m‹ m’} (cid:159) then $r is closed and valid. ${x‹ m”}{m‹ m’}. Recall that m„ m’. Then, since m(cid:209)fn(P{m Proof ‹ m’}) and m(cid:209)fn(${x‹ m”}{m‹ m’}), we get that P{m‹ m’} Let r = {m ‹ n , ..., m‹ n}, where {m , ..., m} = fn($) and all the {m”‹ m} (cid:159) ${x‹ m”}{m‹ m’}{m”‹ m} by a second application 1 1 k k 1 k n are distinct. Take fresh p , ..., p (cid:209) {m , n , ..., m, n}. By induc- of the induction hypothesis. But because of the freshness of m”, we i 1 k 1 1 k k tion on i ranging from 1 to k, since $ is closed and valid and have P{m‹ m’}{m”‹ m} = P{m‹ m’} and ${x‹ m”}{m‹ m’} p(cid:209)fn(${m ‹ p }...{m ‹ p }), by using Lemma 4-7 at each step, {m”‹ m} = ${m‹ m’}{x‹ m}. Since m=n, we have shown i 1 1 i-1 i-1 we obtain that $“(cid:3)$(cid:3)${m ‹ p }...{m‹ p} is closed and valid. Note P{m‹ m’} (cid:159) ${m‹ m’}{x‹ n}. 1 1 k k that fn($“) = {p , ..., p}. Then again, by induction on i ranging from Second, suppose that m„ n and m’=n. By assumption, P (cid:159) ${x‹ m}. 1 to k, since n(cid:209)1fn($“{kp ‹ n }...{p ‹ n }), by using Lemma 4-7 at In general we know that m’(cid:209)fn(P)¨ fn($) and m„ m’. Therefore, we each step, wei obtain th1at $¤1(cid:3)$(cid:3)$“{i-p1 ‹ ni-1}...{p‹ n} is closed and {camn‹ apmp’l}y. tWhee i hnadvuec t$io{nx h‹ ympo}t{hmes‹is mto’ }o b=t a$in{ mP‹{mm‹ ’}m{’x}‹ (cid:159)m $’}{.x S‹ inmc}e valid. Since p1, ..., pk are fresh, $¤(cid:3)= 1$r . 1 k k 1 m’=n, we have shown P{m‹ m’} (cid:159) ${m‹ m’}{x‹ n}. Third, suppose that m„ n and m’„ n. By assumption, P (cid:159) ${x‹ n}. 4-9 Proposition (Lifting propositional validity) We have that m’(cid:209)fn(P)¨ fn($) and in this case we know that m’„ n. If $(cid:3)is closed and valid, then for any injective map y —fn($)Jfi Therefore, we can apply the induction hypothesis to obtain from names to variables, the formula (dfn($)(cid:222) $)y is valid, P{m‹ m’} (cid:159) ${x‹ n}{m‹ m’}. Since m„ n we have ${x‹ n} where dfn($) is the conjunction of all inequalities (cid:216) n=m such {m‹ m’} = ${m‹ m’}{x‹ n}. So we have shown P{m‹ m’} (cid:159) that n,m are distinct names in fn($). ${m‹ m’}{x‹ n}. 8 Proof named q are locked and immobile, that is, they cannot be moved by Assume that $(cid:3)is closed and valid and that y —fn($)Jfi is injective. in or out, nor dissolved by open. We can prove that if E, By construction, we also have that dfn($)(cid:222) $(cid:3)is closed and valid. q:Amb•[RS’], E’(cid:3)L} P : T, then P (cid:159) 4(q[T](cid:211) (cid:222) 4q[T](cid:211)). This expresses Take any j —fv((dfn($)(cid:222) $)y )Lfi (with rng(y )=dom(j )) and con- that in a well-typed process, once a locked, immobile ambient ap- sider j (cid:137)y . There are two cases. If j is not injective then dfn($)j (cid:137)y is pears at the top-level of the process, it will stay there ever after. equivalent to F, and therefore (dfn($)(cid:222) $)j (cid:137) y is valid. Otherwise, if Moreover, we can prove that if E, p:Amb•[S], q:Amb•[RS’], E’(cid:3)L} P : j is injective, then j (cid:137)y is also injective with dom(j (cid:137)y ) = fn($) = T, then P (cid:159) 4((cid:151)(p[q[T](cid:211)](cid:211)) (cid:222) 4(cid:151)(p[q[T](cid:211)](cid:211))). This expresses that fn(dfn($)(cid:222) $). By Lemma 4-8, since dfn($)(cid:222) $ is closed and valid, in a well-typed process, once a locked, immobile ambient named q we have that (dfn($)(cid:222) $)j (cid:137)y is closed and valid. We have shown is somewhere a child of a locked ambient named p, ever after there that (cid:210)j —fv((dfn($)(cid:222) $)y )Lfi . (cid:210)P:P . P (cid:159) (dfn($)(cid:222) $)j (cid:137)y ; that is, will somewhere be a q child of p. vld((dfn($)(cid:222) $)y ). 4.4 An Example 1 For example, the valid proposition: n[T] (cid:222) (cid:216) m[T] is trans- In this example we use the laws of 2, | , and ', to analyze the con- formed into the valid predicate (cid:216) x=y (cid:222) (x[T] (cid:222)(cid:216) y[T]). However, sequences of composing two logical specifications. without the assumption (cid:216) x=y, the predicate x[T] (cid:222)(cid:216) y[T] is not val- The specifications describe two subsystems: a Shopper and a id: for predicate validity one must consider also the substitutions that Thief, and focus on what happens to the shopper’s wallet. The wallet map x and y to the same name. is described simply by the formula Wallet[T], leaving the contents of the wallet unspecified. The absence of a wallet in a given location 4.2.9 Case Analysis Principle is described by the formula NoWallet, defined as (cid:216) (Wallet[T] | T), When reasoning about equality, it is often convenient to reason by meaning that it is not possible to decompose the current location into cases on whether the equality is true or false. To this end, we intro- a part containing a wallet and some other part. duce a case analysis principle. A thief is somebody who, in the direct presence of a wallet, can make the wallet disappear. Its specification is Wallet[T] ' 4-10 Definition (Classical Predicates) 2NoWallet, and its implementation in the Ambient Calculus could $ is classical iff (cid:210)j —fv($)Lfi . {P @(cid:3)P (cid:159) $j } — {P , (cid:212)}. simply be given by open Wallet. 1 A shopper is, initially, a person with a wallet (a Looker) who is The predicates T, F, and h = m are classical. So is the disjunction later likely to become a Buyer. A buyer is a person who has pulled and negation of classical predicates. out the wallet, presumably to buy something. When a wallet has 4-11 Proposition (Case Analysis Principle) been pulled out, it becomes vulnerable to a nearby thief. Let 6{- } be a sequent with a set of formula holes, and $ be a In the following derivation, we show that the interaction of a classical predicate. Then 6{T} (cid:217) 6{F} (cid:222) 6{$}. shopper with a thief (possibly in some larger context) may result in a CrimeScene, which is a situation in which the shopper has no wal- Proof let, and also there is no wallet to be found nearby. Taking 6{- } = %“{- }(cid:3)L} %¤{- } and %{- } $ %“{- } (cid:222) %¤{- }, it is sufficient to show that vld(%{T}) (cid:217) vld(%{F}) (cid:222) vld(%{$}). As- NoWallet $ (cid:216) (Wallet[T] | T) sume vld(%{T}) (cid:217) vld(%{F}). Take any j —fv(%{$})fiL and P:P . Looker $ Person[Wallet[T] | T] By assumption we have P (cid:159) %j {T} and P (cid:159) %j {F}. Since $(cid:3)is clas- Buyer $ Person[NoWallet] | Wallet[T] sical, we have also that {Q @(cid:3)Q (cid:159) $j } — {P , (cid:212)}. Consider the case Shopper $ Looker (cid:217) 2Buyer where {Q @(cid:3)Q (cid:159) $j } = P so that for any P, P (cid:159) $j iff P (cid:159) T. By Lem- Thief $ Wallet[T] '(cid:3)2NoWallet ma 4-1, P (cid:159) %j {$j } iff P (cid:159) %j {T}, hence we obtain P (cid:159) %j {$j }. CrimeScene $ Person[NoWallet] | NoWallet Consider the case where {Q @(cid:3)Q (cid:159) $j } = (cid:212) so that for any P, P (cid:159) $j iff P (cid:159) F. By Lemma 4-1, P (cid:159) %j {$j } iff P (cid:159) %j {F}, hence we have We begin with the system Buyer | Thief; using the rules ('(cid:3)| ) and ((cid:3)| P (cid:159) %j {$j }. In both cases, we have shown that (cid:210)j —fv(%{$})Lfi . L}) we obtain: (cid:210)P:P . P (cid:159) %j {$j }, that is, vld(%{$}). Buyer | Thief 1 = Person[NoWallet] | Wallet[T] | (Wallet[T] '(cid:3)2NoWallet) L} Person[NoWallet] | 2NoWallet 4.3 Logical Properties of Type Systems From the rules (2T) (cid:253) $(cid:3)L}(cid:3)2$, (Id), and ((cid:3)| L}) we obtain, in general, In this section we briefly discuss applications of our logic to express $(cid:3)| (2%)(cid:3)L}(cid:3)(2$)(cid:3)| (2%). Then, by (2 | ) (cid:253) (2$) | (2%)(cid:3)L} 2($ | %) properties guaranteed by type systems, beyond the standard state- and transitivity (derivable from (Cut)) we obtain $(cid:3)| (2%)(cid:3)L}(cid:3)2($(cid:3)| ments of subject reduction. This section assumes knowledge of type %). Using this fact in our example we obtain, by transitivity: systems for the Ambient Calculus [5]. Buyer | Thief L}(cid:3)2(Person[NoWallet](cid:3)| NoWallet) Consider the system of locking and mobility types for the Am- = 2CrimeScene bient Calculus [5], recast for the calculus of this paper. The assump- Using the rules (2(cid:3)L}) $(cid:3)L}(cid:3)%(cid:3)(cid:253) 2$(cid:3)L}(cid:3)2%, and (2(cid:3)4) (cid:253) 22$(cid:3)L}(cid:3)2$, tion p:Amb•[S] ensures that ambients named p are locked, that is, we derive: they cannot be dissolved by an open. We can prove that if E, 2(Buyer | Thief) L}(cid:3)22CrimeScene p:Amb•[S], E’(cid:3)L} P : T, then P (cid:159) 4((cid:151)(p[T](cid:211)) (cid:222) 4(cid:151)(p[T](cid:211))). This ex- 22CrimeScene L}(cid:3)2CrimeScene presses that in a well-typed process, once a locked ambient named p As before, we can derive (2$)(cid:3)| %(cid:3)L}(cid:3)2($(cid:3)| %); therefore: somewhere comes into being, ever after there will somewhere be an (2Buyer) | Thief L}(cid:3)2(Buyer | Thief) ambient named p. and, by transitivity from above: Moreover, the assumption q:Amb•[RS’] ensures that ambients 9 (2Buyer) | Thief L}(cid:3)2CrimeScene Next, we define our model checking algorithm, and state its then, by weakening (W-L): correctness property, Proposition 5-4, together with the main lem- (Looker | Thief) (cid:217) ((2Buyer) | Thief) L}(cid:3)2CrimeScene mas used in its proof. Now let’s consider the system Shopper | Thief. By the distribution of Checking Whether Process P Satisfies Closed Formula $ | over (cid:217) (( | (cid:217) ), from section 4.2.2) we have: Check(P, T) $ T Shopper | Thief = (Looker (cid:217) 2Buyer) | Thief Check(P, (cid:216) $) $ (cid:216) Check(P, $) L} (Looker | Thief) (cid:217) ((2Buyer) | Thief) Check(P, $ (cid:218) %) $ Check(P, $) (cid:218) Check(P, %) and finally, by transitivity from above, we obtain: Check(P, 0) $ if Norm(P) = [] then T else F Shopper | Thief L}(cid:3)2CrimeScene Check(P, n[$]) $ if Norm(P) = [n[Q]] for some Q, then Check(Q, $), else F 5 A Decidable Sublogic Check(P, $ | %) $ A model checker is an algorithm that determines the truth of an as- let Norm(P) = [p , ..., p ] 1 k sertion P (cid:159) $, given process P and formula $ as input. We describe in (cid:211)I,J. I¨ J=1..k (cid:217) I˙ J=(cid:212) (cid:217) a model checker for the case where P is replication-free and $(cid:3)is '- Check(P i—I p i, $) (cid:217) Check(P i—J p i, %) free. The model checker depends on putting any replication-free Check(P, (cid:210)x.$) $ process into a normal form, given by a finite product of prime pro- let {m , ..., m}= fn(P)¨ fn($) and m (cid:209){m , ..., m} cesses: 1 k 0 1 k in (cid:210)i—0..k. Check(P, ${x‹ m}) i Products, Primes, and Normal Forms Check(P, 2$) $ P i—1..k Pi $ P1 | ... | Pk | 0 product let [P1, ..., Pk] = Reachable(P) in (cid:211)i—1..k. Check(Pi, $) p ::= M[P] @ n.P @ in M.P @ out M.P @ open M.P prime process Check(P, (cid:151)$) $ @ (n).P @ jMk let [P , ..., P] = SubLocations(P) in (cid:211)i—1..k. Check(P, $) 1 k i P i—1..k p i normal form Check(P, $@n) $ Check(n[P], $) The following recursive algorithm maps any replication-free 5-3 Lemmas process to a list of prime processes representing a normal form struc- (1) For all replication-free processes P and Q, and all replication- turally congruent to the original process. We write lists of processes free primes p 1, ..., p k, P | Q (cid:27)(cid:3)P i—1..k p i if and only if there are sets in the notation [P1, ..., Pk]. I and J such that I¨ J = 1..k, I˙ J = (cid:212), P (cid:27)(cid:3)P i—I p i, and Q (cid:27)(cid:3)P i—J p i. Normal Form for a Replication-Free Process (2) For all replication-free processes P, and all replication-free Norm(0) $ [] primes p 1, ..., p k, n[P] (cid:27)(cid:3)P i—1..k p i if and only if k = 1 and there is Q with p = n[Q] and P (cid:27) Q. Norm(P | P’) $ [p , ..., p , p ’ , ..., p ’ ] 1 1 k 1 k’ (3) For all replication-free processes P and '-free closed formulas if Norm(P) = [p , ..., p ] and Norm(P’) = [p ’ , ..., p ’ ] 1 k 1 k’ (cid:210)x.$, if {m , ..., m} = fn(P)¨ fn($) and m (cid:209){m , ..., m}, then: P Norm(M[P]) $ [M[P]] (cid:159) (cid:210)x.$ if an1d onlyk if (cid:210)i—0..k. P (cid:159) ${x‹ m0}. 1 k Norm(M.P) $ [M.P] if M —(cid:3){n, in N, out N, open N} 1 i Norm(e .P) $ Norm(P) Norm((M.N).P) $ Norm(M.(N.P)) 5-4 Proposition Norm((n).P) $ [(n).P] For all replication-free processes P and '-free closed formulas $, P (cid:159) $ if and only if Check(P, $) = T. Norm(jMk) $ [jMk] 1 Since all the recursive calls are on subformulas of the original 5-1 Lemma If Norm(P) = [p 1, ..., p k] then P (cid:27)(cid:3)P i—1..k p i. fCohrmecukl(aP, , $th e| %a)l gwoirtihth Nmo rmal(wPa)y =s [pter,m ..i.n, ap te]s .t heWreh aerne 2cko dmifpfuetrienngt 1 1 k subsets of 1..k, and so 2k different choices of the sets I and J. There- To check the sometime and somewhere modalities, we depend fore, in general the time complexity of Check(P, $) is at least expo- on two routines Reachable and SubLocations that given a process P nential in the size of P. (The practical performance of this algorithm compute a representation of the sets of processes Q such that P xyyz* can be greatly improved by special-casing and heuristics.) Q and P (cid:139)* Q, respectively. We omit the straightforward definitions Examples: define an n $ n[T](cid:211), and p parents q $ p[q[T](cid:211)](cid:211), of these routines. Instead, we state their desired properties, which are and let P = a[p[out a. in b. jmk]] | b[open p. (x). x[]], as in Section proved using techniques developed previously [12]. 2.2. The algorithm returns the following results on various example 5-2 Lemma formulas: If Reachable(P) = [P , ..., P] then for all i—1..k, P xyyz* P, and for 1 k i Check(P, an a) = T Check(P, 2(cid:151)an m) = T all Q, if P xyyz* Q then Q (cid:27)(cid:3)P for some i—1..k. i Check(P, an b) = T Check(P, a parents p) = T If SubLocations(P) = [P , ..., P] then for all i—1..k, P (cid:139)* P, and 1 k i Check(P, an p) = F Check(P, b parents p) = F for all Q, if P (cid:139)* Q then Q (cid:27)(cid:3)P for some i—1..k. i Check(P, (cid:151)an p) = T Check(P, 2b parents p) = T 1 In summary, Proposition 5-4 shows that the model checking problem for the sublogic without ' and the subcalculus without ! is 10
Description: