Soundness proofs for the DSD type system

This paper presents the soundness proofs for the type system of the Dynamic Security Domains (DSD) language. Unless otherwise noted, the identifiers and indices used in the proofs directly refer the respective identifiers and indices used in the operational semantics and the typing rules. Also, σ and (s, h) shall refer to the same program state, equally σ1 = (s1, h1), σ′ = (s′, h′), etc. 1 Expression typing soundness In the following, we simplify notion and ignore the class information of objects. That is, given a heap h and a location a, h(a) shall refer directly to the field valuation. First, we observe an equality between the evaluation of a qualified field type (which is a label) and the interpretation of a field type of the same object. The lemma follows from their definitions. Lemma 1. In any state σ, it holds Jftπ(f)Kσ = Jft(f)KJπKσ . The following lemma states that the expression typing rules are sound. Lemma 2. If Γ ` e : `, then for all states σ and σ′ and all partial bijections β and domains k such that σ ∼β σ′, J`Kσ ≤ k implies JeKσ ∼β JeKσ′ . Proof. By induction over e. • e = n or e = > or e = ⊥. Then e is a constant and JeKσ ∼β JeKσ′ holds. • e = x. Then ` = Γ(x). If JΓ(x)Ks ≤ k, then by definition s(x) ∼β s′(x), hence JxKσ ∼β JxKσ′ . • e = π.f . Γ ` π : `π and ` = ftπ(f) t `π. Since J`Kσ ≤ k, we get J`πKσ ≤ k and by induction JπKσ ∼β JπKσ′ . We define a = JπKσ and a′ = JπKσ′ . From a ∼β a′ follows h(a) ∼β h′(a′). With lemma 1, we know Jft(f)Ka = Jftπ(f)Kσ, which is lower than k since J`Kσ ≤ k. With the definition of object equivalence, we have h(a)(f) ∼β h′(a′)(f) and thus Jπ.fKσ ∼β Jπ.fKσ′ .