Formal modeling and automatic enforcement of Bring Your Own Device policies

Abstract

The emerging Bring Your Own Device (BYOD) paradigm is pushing the adoption of employees’ personal mobile devices (e.g., smartphones and tablets) inside organizations for professional usage. However, allowing private, general purpose devices to interact with proprietary, possibly critical infrastructures enables obvious threats. Unfortunately, current mobile OSes do not seem to provide adequate security support for dealing with them. In this paper, we present a formal modeling and assessment of the security of mobile applications. In particular, we propose a security framework for verifying and enforcing BYOD security policies on Android devices. Interestingly, our approach is non-invasive and only requires minor platform modifications at application level. Finally, we provide empirical evidence of the practical feasibility of the approach by means of a prototype which we used to validate a set of real Android applications.

Appendix: Proofs

Lemma 1

For each closed (i.e., without free variables) expression \(E\), environment \(\varGamma \), history expression \(H\), type \(\tau \) and trace \(\omega \), if \({\varGamma } \vdash {E} : {\tau } \triangleright {H}\) then either \(E\) is a value or \(\omega ,E \rightarrow _{} \omega ',E'\) (for some \(\omega ',E'\)).

Proof

By induction over the structure of \(E\).

• Case \(\mathtt{null }\), \(u\), \(x\). Trivial.

• Case \(\mathtt{new\,C }(\bar{E})\). If each \(E_i = v_i\) then \(E\) is a value and the property holds. Otherwise it suffices to apply the inductive hypothesis to the first \(E_i \ne v\).

• Case \(E'\mathtt{.f }\). If \(E' \ne v\) we apply the inductive hypothesis. Otherwise, by \(\mathtt{T{-}FLD }\) we know that \(E' = \mathtt{new }\,\mathtt{C }(\bar{v})\) and we can conclude by applying \(\mathtt{FLD }_\mathtt{2 }\).

• Case \(E'\mathtt{.m }(E'')\). If both \(E'=v'\) and \(E''=v''\) we assume the premises of \(\mathtt{T{-}METH }\) and we can apply \(\mathtt{METH }_\mathtt{3 }\). Instead if either \(E' \ne v'\) or \(E'' \ne v''\) we can directly apply the inductive hypothesis to \(\mathtt{METH }_\mathtt{1 }\) and \(\mathtt{METH }_\mathtt{2 }\).

• Case \(\mathtt{system }_\sigma \,E'\). If \(E'\) is not a value, we apply the inductive hypothesis and rule \(\mathtt{SYS }_\mathtt{1 }\). Otherwise, by \(\mathtt{T{-}SYS }\) we know that \({\varGamma } \vdash {E'} : {\mathcal {U}} \triangleright {H'}\) and the only suitable value for \(E'\) is a resource \(u\). Thus, we conclude by applying \(\mathtt{SYS }_\mathtt{2 }\).

• Case \(\mathtt{icast }\,E'\) and \(\mathtt{ecast\,C }\,E'\). Similar to the previous step.

• Case \(I_\alpha (E')\). If \(E' = v\) then \(E\) is also a value. Instead, if \(E'\) is not a value, we apply the inductive hypothesis and rule \(\mathtt{INT }\).

• Case \(E'\mathtt{.data }\). If \(E'\) is a value, by \(\mathtt{T{-}DATA }\) it must be \(E' = I_\alpha (v)\). Hence, we conclude by applying rule \(\mathtt{DATA }_\mathtt{2 }\). Otherwise, we simply apply the inductive hypothesis and rule \(\mathtt{DATA }_\mathtt{1 }\).

• Case \(\mathtt{if\, }(E' = E'')\mathtt{\,then\, }\{E_{ tt}\}\mathtt{\,else\, }\{E_{ ff}\}\). If one between \(E'\) and \(E''\) is not a value, we conclude by applying the inductive hypothesis. Otherwise, we can apply either \(\mathtt{IF }_\mathtt{3 }\) or \(\mathtt{IF }_\mathtt{4 }\). In both cases, the property holds.

• Case \(E';E''\). Here, we have two possibilities: either \(E'\) is a value or not. In both cases, \(E\) admits reduction (through \(\mathtt{SEQ }_\mathtt{1 }\) and \(\mathtt{SEQ }_\mathtt{2 }\), respectively).

• Case \(\mathtt{(C)E' }\). If \(E'\) is not a value, it suffices to apply the inductive hypothesis and rule \(\mathtt{CAST }_\mathtt{1 }\). On the other hand, by rule \(\mathtt{T{-}CAST }\) we know that \(E' = \mathtt{new\,D }(\cdots )\) and \(D \,\mathtt{<: }\, C\). Thus, we can apply \(\mathtt{CAST }_\mathtt{2 }\) and conclude.

• Case \(\mathtt{thread\, }\{E'\}\mathtt{\,in\, }\{E''\}\). Again, if either \(E'\) or \(E''\) are not values, we use the inductive hypothesis and rule \(\mathtt{PAR }_\mathtt{1 }\) or \(\mathtt{PAR }_\mathtt{2 }\). Instead, if \(E' = v'\) and \(E'' = v''\) we conclude by applying rule \(\mathtt{PAR }_\mathtt{3 }\).\(\square \)

Definition 4

$$\begin{aligned}{}[\![H ]\!]= \left\{ \omega \mid \exists H'. H \xrightarrow {\omega }{\!\!}^*H' \right\} \end{aligned}$$

Lemma 2

For each closed expression \(E\), environment \(\varGamma \), history expression \(H\), type \(\tau \) and trace \(\omega \), if \({\varGamma } \vdash {E} : {\tau } \triangleright {H}\) and \(\omega ,E \rightarrow _{}^*{\omega }',E'\) then \({\varGamma } \vdash {E'} : {\tau } \triangleright {H'}\) and for all \(\dot{\omega }' \in [\![H' ]\!]_{}^{}\) there exists \(\dot{\omega } \in [\![H ]\!]\) such that \(\omega \dot{\omega } = {\omega }'\dot{\omega }'\).

Proof

We first (1) prove the property for a single step and then we (2) extend it to arbitrary long derivations.

1. 1.

   By induction on the structure of \(E\).

   • Case \(\mathtt{null }\), \(u,\, x\). Trivial.

   • Case \(\mathtt{new\,C }(\bar{E})\). If each \(E_i = v_i\) then \(E\) is a value and the property holds. Otherwise we type \(E\) in this way

     $$\begin{aligned} \frac{{\varGamma } \vdash {E_i} : {\tau _i} \triangleright {H_i}}{{\varGamma } \vdash {\mathtt{new\,C }(\bar{E})} : {\tau } \triangleright {\varepsilon \cdots H_j \cdots }} \end{aligned}$$

     where \(E_j\) is the first non-value in \(\bar{E}\). Applying Lemma 1, we know that \(\omega , E_j \rightarrow _{} \omega ', E'_j\). Hence, we apply the inductive hypothesis obtaining \({\varGamma } \vdash {E'_j} : {\tau _j} \triangleright {H'_j}\) and \(\forall \omega '_j \in [\![H'_j ]\!]_{}^{}.\exists \omega _j \in [\![H_j ]\!]_{}^{}.\omega \omega _j = \omega '\omega '_j\). Then, by instantiating rule \(\mathtt{NEW }\), we have

     $$\begin{aligned} \omega , \mathtt{new\,C }(\bar{v}, E_j, \ldots ) \rightarrow _{} \omega ', \mathtt{new\,C }(\bar{v}, E'_j, \ldots ) \end{aligned}$$

     Since \(A \!\!=\!\! [\![\varepsilon \cdots H_j \cdots ]\!]_{}^{} \!\!=\!\! \{ \omega _j \omega _{j+1} \cdots \mid \omega _j \in [\![H_j ]\!]_{}^{} \wedge \omega _{j+1} \in [\![H_{j+1} ]\!]_{}^{} \wedge \cdots \}\) and \(B \!\!=\!\! [\![\varepsilon \cdots H'_j \cdots ]\!]_{}^{}= \{ \omega '_j \omega _{j+1} \cdots \mid \omega '_j \in [\![H'_j ]\!]_{}^{} \wedge \omega _{j+1} \in [\![H_{j+1} ]\!]_{}^{} \wedge \cdots \}\) (where the \(\cdots \) parts are equal) we can conclude by observing that \(\forall \dot{\omega }' = \omega '_j \cdots \in B\) we can find a trace \(\dot{\omega } = \omega _j \cdots \in B\) such that \(\omega \dot{\omega } = \omega '\dot{\omega }'\)

   • Case \(E'\mathtt{.f }\). If \(E' \ne v\), we just apply the inductive hypothesis. Otherwise, by \(\mathtt{T{-}FLD }\) we know that \(E' = \mathtt{new\,C }(\bar{v})\) and by applying \(\mathtt{FLD }_\mathtt{2 }\) we obtain \(\omega , \mathtt{new\,C }(\bar{v})\mathtt{.f } \rightarrow _{} \omega ,v_f\) which trivially satisfies the property.

   • Case \(E'\mathtt{.m }(E'')\). If either \(E'=v'\) or \(E''=v''\), we assume the premises of \(\mathtt{T{-}METH }\) and we can apply the inductive hypothesis and \(\mathtt{METH }_\mathtt{1 }/\mathtt{METH }_\mathtt{2 }\). Instead if both \(E' = \mathtt{new\, C }(\bar{v})\) and \(E'' = v'\), we apply \(\mathtt{METH }_\mathtt{3 }\) and we have

     $$\begin{aligned} \frac{mbody(\mathtt{m, C }) = \mathtt{x, }E_m }{\omega , \mathtt{(new\, C( }\bar{v}\mathtt{)).m( }v'\mathtt{) } \rightarrow _{} \omega ,E_m[{v'}/{x},{\mathtt{(new\, C( }\bar{v}\mathtt{)) }}/{\mathtt{this }}]} \end{aligned}$$

     However, typing the two sides of this transition we obtain the same history expression. Indeed, for each history expression \(H_m\) produced by typing the right side, we have for the left part \(\varepsilon \cdot \varepsilon \cdot H_m\) which is trivially equivalent.

   • Case \(\mathtt{system }_\sigma \,E'\). If \(E'\) is not a value, we apply the inductive hypothesis and rule \(\mathtt{SYS }_\mathtt{1 }\). Otherwise, by \(\mathtt{SYS }_\mathtt{2 }\) we have \(\omega , \mathtt{system }_\sigma \,u \rightarrow _{} \omega \cdot \sigma (u), \mathtt{null }\). Also by \(\mathtt{T{-}SYS }\) we have \({\varGamma } \vdash {E} : {\mathbf{1}} \triangleright {\sigma (u)}\). Since \({\varGamma } \vdash {\mathtt{null }} : {\mathbf{1}} \triangleright {\varepsilon }\), we have to show that \(\exists \dot{\omega } \in \{\sigma (u)\}.\omega \sigma (u) = \omega \dot{\omega }\) which trivially holds.

   • Case \(\mathtt{icast }\,E'\). Similarly to the previous step, if \(E'\) is not a value, we can simply apply the inductive hypothesis. Otherwise, by \(\mathtt{T{-}IMPC }\) we must have \(E' = I_\alpha (u)\) and \(H = \alpha _?(u)\). Also, by \(\mathtt{IMPC }_\mathtt{2 }\), we have

     $$\begin{aligned} \frac{\mathtt{new\, }C(\bar{v}) \in receiver(\alpha )}{\omega , \mathtt{icast }\,I_\alpha (u) \rightarrow _{} \omega ,\mathtt{new\, }C(\bar{v}).\mathtt{receive( }I_\alpha (u)\mathtt{) }} \end{aligned}$$

     and we type \({\varGamma } \vdash {\mathtt{new\, }C(\bar{v}).\mathtt{receive }(I_\alpha (u))} : {\mathbf{1}} \triangleright {\tilde{H}}\). Hence, we must prove that \(\forall \dot{\omega }' \in [\![\tilde{H} ]\!]_{}^{}.\exists \dot{\omega } \in [\![\alpha _?(u) ]\!]_{}^{}\) such that \(\omega \dot{\omega } = \omega \dot{\omega }'\). However, by the semantics of history expressions we have

     $$\begin{aligned} \frac{\begin{array}{c}\alpha _?(u) \xrightarrow {\alpha _?(u)} \varepsilon \\ \dot{H} = \sum H'\{{\alpha _?(u)}/{h}\} s.t. \bar{\alpha }_C h.H' \in \rho (\alpha ) \, \hbox {and}\, \chi \succcurlyeq C \end{array}}{H \xrightarrow {\cdot } \dot{H}} \end{aligned}$$

     Then, by definition of \(\rho \), we have that \(\tilde{H} \sqsubseteq \dot{H}\) which suffices to conclude.

   • Case \(\mathtt{ecast\,C }\,E'\). Analogous to the previous case.

   • Case \(I_\alpha (E')\). If \(E' = v\) then \(E\) is also a value. Instead, if \(E'\) is not a value, we apply the inductive hypothesis and rule \(\mathtt{INT }\).

   • Case \(E'\mathtt{.data }\). If \(E'\) is a value, by \(\mathtt{T{-}DATA }\) it must be \(E' = I_\alpha (v)\). Hence, we conclude by applying rule \(\mathtt{DATA }_\mathtt{2 }\). Otherwise, we simply apply the inductive hypothesis and rule \(\mathtt{DATA }_\mathtt{1 }\).

   • Case \(\mathtt{if\, }(E' = E'')\mathtt{\,then\, }\{E_{ tt}\}\mathtt{\,else\, }\{E_{ ff}\}\). If either \(E'\) or \(E''\) are not values, we conclude by applying the inductive hypothesis. Otherwise, we can apply either \(\mathtt{IF }_\mathtt{3 }\) or \(\mathtt{IF }_\mathtt{4 }\) and the inductive hypothesis to \(E_{ tt}\) and \(E_{ ff}\), respectively.

   • Case \(E';E''\). Here, we have two possibilities: either \(E'\) is a value or not. In both cases, \(E\) admits reduction (through \(\mathtt{SEQ }_\mathtt{1 }\) and \(\mathtt{SEQ }_\mathtt{2 }\), respectively). The property holds by the inductive hypothesis.

   • Case \(\mathtt{(C)E' }\). If \(E'\) is not a value, it suffices to apply the inductive hypothesis and rule \(\mathtt{CAST }_\mathtt{1 }\). On the other hand, by rule \(\mathtt{T{-}CAST }\) we know that \(E' = \mathtt{new\,D }(\cdots )\) and \(D \,\mathtt{<: }\, C\). Thus, we can apply \(\mathtt{CAST }_\mathtt{2 }\) and conclude.

   • Case \(\mathtt{thread\, }\{E'\}\mathtt{\,in\, }\{E''\}\). If either \(E'\) or \(E''\) are not values, we use the inductive hypothesis and rule \(\mathtt{PAR }_\mathtt{1 }\) or \(\mathtt{PAR }_\mathtt{2 }\). Instead, if \(E' = v'\) and \(E'' = v''\) we conclude by applying rule \(\mathtt{PAR }_\mathtt{3 }\).

2. 2.

   By induction on the derivation length.

   • Base case. For zero-long derivations, the property is trivially satisfied by the identity \(\omega \dot{\omega } = \omega \dot{\omega }\).

   • Induction. We assume the property holds for \(n\)-long derivations and we apply (1) to prove that the property is preserved by a further step.

\(\square \)

Theorem 1

For each closed expression \(E\), history expression \(H\), type \(\tau \) and trace \(\omega \), if \({\emptyset } \vdash {E} : {\tau } \triangleright {H}\) and \(\cdot , E \rightarrow ^*\omega , E'\) then there exist \(H'\) and \(\omega '\) such that \(H \xrightarrow {\omega '}{\!\!}^*H'\), \({\emptyset } \vdash {E'} : {\tau } \triangleright {H'}\) and \(\omega = \omega '\).

Proof

A corollary of Lemma 2.\(\square \)

Theorem 2

\(H \models \varphi \Longleftrightarrow H \Vdash \varphi \)

Proof

We prove the two directions \(\Leftarrow \) (soundness) and \(\Rightarrow \) (completeness) separately.

(\(\Leftarrow \)):

By induction over the definition of \(\Vdash \).

• Case (true). Trivial.

• Case (\(\wedge \)). We simply assume the premises of the rule and apply the inductive hypothesis to them.

• Cases (\(\vee _L\)) and (\(\vee _R\)). In both cases, we assume the rule premise and apply the inductive hypothesis.

• Case (\(\langle u \rangle \)). We assume the premises of the rule and we apply the inductive hypothesis to \(H' \Vdash \varphi \). Hence, there exists \(H'\) such that \(H \xrightarrow {\sigma (u)} H'\) and \(H' \models \varphi \) which allows us to apply rule (c-diamond).

• Case (\(\langle x \rangle \)). We apply a similar reasoning and we obtain that there exist \(u\) and \(H'\) such that \(H \xrightarrow {\sigma (u)} H'\) and \(H' \models \varphi \{{u}/{x}\}\) so that we can apply (a-diamond) and conclude.

• Case (\([ u ]\)). We assume the premises of the rule and apply the inductive hypothesis to them. By definition, if \(H \xrightarrow {\sigma (u)} H'\) then \(H'\) appears in one of the premises of the rule. This suffices to conclude by applying (c-box).

• Case (\([ x ]\)). As in the previous step, we assume the premises and we apply to them the inductive hypothesis. Again, if we have \(H \xrightarrow {\sigma (u)} H'\) (for some \(u\) and \(H'\)), then \(H' \Vdash \varphi \{{u}/{x}\}\) is among the rule premises. Hence, we obtain the right-hand side of (a-box).

• Case (Rec). We assume the premise of the rule and apply the inductive hypothesis to obtain \(H \models \mathcal {D}(F)\). Also we can write \(H \models \mathcal {D}(F) = F\{{\mathcal {D}(F)}/{F}\}\). Then, by rule (identifier) we have \(H \models \bigvee _{n \geqslant 0} f^n({ ff})\) where

  $$\begin{aligned} f(\varphi ) = \mathcal {D}(F)\left\{ {\mathcal {D}(F)}/{F}\right\} \left\{ {\varphi }/{F}\right\} \end{aligned}$$

  We rewrite and we apply rule (identifier) to obtain \(H \models F\).

(\(\Rightarrow \)):

By induction over the definition of \(\models \).

• Case (true). Trivial.

• Case (conjunction). By inductive hypothesis, we have \(H \Vdash \varphi \) and \(H \Vdash \varphi '\) which suffice to apply rule \((\wedge )\).

• Case (disjunction). We have two symmetric cases. If \(H \models \varphi \), then we obtain \(H \Vdash \varphi \) and apply (\(\vee _L\)). Otherwise, we follow the same reasoning with \(\varphi '\).

• Case (c-diamond). \(\langle \sigma (u) \rangle .\varphi \) implies that \(\exists H'.H \xrightarrow {\sigma (u)} H'\) and \(H' \models \varphi \). Hence, we apply the inductive hypothesis and rule (\(\langle u \rangle \)).

• Case (a-diamond). We proceed similarly to the previous case. The only difference is that we apply the inductive hypothesis to \(\varphi \{{u}/{x}\}\) and we use rule (\(\langle x \rangle \)).

• Case (c-box). Here, we have that (*) \(\forall H' \cdot H \xrightarrow {\sigma (u)} H'\) implies \(H' \models \varphi \). We then consider the set \(\{H'\) s.t. \(H \xrightarrow {\sigma (u)} H'\}\) and its elements \(H_i\). Hence, the premise (*) can be applied to every \(H_i\) which suffices to apply the inductive hypothesis to all of them and conclude with (\([ u ]\)).

• Case (a-box). We proceed in a similar way. We build the set \(\{H' s.t. H \xrightarrow {\sigma (u)} H'\}\) and apply the inductive hypothesis to each of its elements \(H_i\). Then, we conclude by applying the inductive hypothesis and (\([ x ]\)).

• Case (identifier). We have \(H \models \bigvee \nolimits _{n \geqslant 0} f^n ({ ff})\,\,\) where \(f(\varphi ) = \mathcal {D}(F)\{{\varphi }/{F}\}\). This implies that there exists \(\varphi ^*\) such that \(H \models \varphi ^*\), \(\varphi ^*\) is equivalent to \(\mathcal {D}(F)\). Then, we apply the inductive hypothesis to \(\varphi ^*\) to obtain \(H \Vdash \varphi ^*\) and, by logical equivalence, \(H \Vdash \mathcal {D}(F)\). Thus, we conclude by applying (Rec).\(\square \)

Theorem 3

Proof

(\(\Rightarrow \)) By induction over the structure of \(\varphi \).

• Cases \({ tt}\) and \({ ff}\). Trivial.

• Case \(\varphi _1 \wedge \varphi _2\). By PMC rules, we have \(H \models {\varphi _1}_{//{H'}} \wedge {\varphi _2}_{//{H'}}\) then we apply the inductive hypothesis to both \(H \models {\varphi _1}_{//{H'}}\) and \(H \models {\varphi _2}_{//{H'}}\) so as to obtain \({H}\parallel {H'} \models \varphi _1\) and \({H}\parallel {H'} \models \varphi _2\) and, by rule (conjunction), \({H}\parallel {H'} \models \varphi _1 \wedge \varphi _2\).

• Case \(\varphi _1 \vee \varphi _2\). By PMC rules, we have \(H \models {\varphi _1}_{//{H'}} \vee {\varphi _2}_{//{H'}}\) and, by (disjunction), we can assume either \(H \models {\varphi _1}_{//{H'}}\) or \(H \models {\varphi _2}_{//{H'}}\). In both cases, we apply the inductive hypothesis and the (disjunction) rule.

• Case \(\langle \sigma (u) \rangle .\varphi \). By PMC rule, we have

  $$\begin{aligned} H \models \mathop {\overbrace{\langle \sigma (u) \rangle .{\varphi }_{//{H'}}}}\limits ^{A} \vee \mathop {\overbrace{\bigvee \limits _{H' \xrightarrow {\sigma (u)} H''} {\varphi }_{//{H''}}}}\limits ^{B} \end{aligned}$$

  If \(A\) holds then by (c-diamond) rule both \((i) \; H \xrightarrow {\sigma (u)} \dot{H}\) and \((ii)\;\dot{H} \models {\varphi }_{//{H'}}\) hold. Hence, by inductive hypothesis on \((ii)\) we have that \({\dot{H}}\parallel {H'} \models \varphi \) and by concurrency rule using \((i)\) premise we have that \({H}\parallel {H'} \xrightarrow {\sigma (u)} {\dot{H}}\parallel {H'}\). These two facts suffice to conclude that \({H}\parallel {H'} \models \langle \sigma (u) \rangle .\varphi \). Instead, if \(B\) holds, there must exist at least one \(H''\) such that \(H' \xrightarrow {\sigma (u)} H''\) and \(H \models {\varphi }_{//{H''}}\). The latter implies (by inductive hypothesis) that \({H}\parallel {H''} \models \varphi \), the former implies \({H}\parallel {H'} \xrightarrow {\sigma (u)} {H}\parallel {H''}\). These two facts imply (c-diamond) \({H}\parallel {H'} \models \langle \sigma (u) \rangle .\varphi \).

• Case \(\langle \sigma (x) \rangle . \varphi \). We proceed similarly to the previous case. Applying the PMC rule to \(H \models {(\langle \sigma (x) \rangle . \varphi )}_{//{H'}}\) we have

  $$\begin{aligned} H \models \mathop {\overbrace{\langle \sigma (x) \rangle .{\varphi }_{//{H'}}}}\limits ^{A} \vee \mathop {\overbrace{\bigvee \limits _{H' \xrightarrow {\sigma (u)} H''} {\varphi \{{x}/{u}\}}_{//{H''}}}}\limits ^{B} \end{aligned}$$

  If \(A\) holds then by a-diamond rule there exists \(u\) such that \((i) \; H \xrightarrow {\sigma (u)} \dot{H}\) and \((ii)\;\dot{H} \models {\varphi \{{x}/{u}\}}_{//{H'}}\). Hence, by inductive hypothesis on \((ii)\) we have that \({\dot{H}}\parallel {H'} \models \varphi \{{x}/{u}\}\) and by concurrency rule using \((i)\) premise we have that \({H}\parallel {H'} \xrightarrow {\sigma (u)} {\dot{H}}\parallel {H'}\). These two facts suffice to conclude that \({H}\parallel {H'} \models \langle \sigma (x) \rangle .\varphi \). Instead, if \(B\) holds, there exist \(H''\) and \(u\) such that \(H' \xrightarrow {\sigma (u)} H''\) and \(H \models {\varphi \{{x}/{u}\}}_{//{H''}}\). The latter implies (by inductive hypothesis) that \({H}\parallel {H''} \models \varphi \{{x}/{u}\}\), the former implies that \({H}\parallel {H'} \xrightarrow {\sigma (u)} {H}\parallel {H''}\). Applying (a-diamond) to these two facts, we obtain \({H}\parallel {H'} \models \langle \sigma (u) \rangle .\varphi \), that is, the thesis.

• Case \([ \sigma (u) ].\varphi \). By PMC rule, we have

  $$\begin{aligned} H \models \mathop {\overbrace{[ \sigma (u) ].{\varphi }_{//{H'}}}}\limits ^{A} \wedge \mathop {\overbrace{\bigwedge \limits _{H' \xrightarrow {\sigma (u)} H''} {\varphi }_{//{H''}}}}\limits ^{B} \end{aligned}$$

  By rule (c-box), we must prove that \({H}\parallel {H'} \models [\sigma (u)].\varphi \) iff \(\forall H''.{H}\parallel {H'} \xrightarrow {\sigma (u)} H''\) implies \(H'' \models \varphi \). By history expressions semantics, we know that either \({H}\parallel {H'} \xrightarrow {\sigma (u)} {\dot{H}}\parallel {H'}\) or \({H}\parallel {H'} \xrightarrow {\sigma (u)} {H}\parallel {\dot{H}'}\). In the first case, we apply the inductive hypothesis so obtaining \({\dot{H}}\parallel {H'} \models \varphi \). In the second case, we use \(B\) to show that for each \(\dot{H}''\) such that \(H' \xrightarrow {\sigma (u)} \dot{H}''\) holds that \(H \models {\varphi }_{//{\dot{H}''}}\). By inductive hypothesis, this implies that for each \(\dot{H}''\) \({H}\parallel {\dot{H}''} \models \varphi \). By composing the two cases, we obtain that for each \(\sigma (u)\) transition \({H}\parallel {H'} \models \varphi \) which suffices to conclude.

• Case \(F\). Here, we have \(H \models {F}_{//{H'}}\). Hence, by rule identifier and PMC, we infer that \(H \models \bigvee \nolimits _{n \geqslant 0} f^n({ ff})\) with \(f(X) = {\mathcal {D}(F)}_{//{H'}} \{{X}/{F}\}\). However, we can easily check that \(F\) does not appear as a free identifier in \({\mathcal {D}(F)}_{//{H'}}\). Thus, we can say that \(H \models {\mathcal {D}(F)}_{//{H'}}\). By inductive hypothesis, \({H}\parallel {H'} \models \mathcal {D}(F)\) which is equivalent to \({H}\parallel {H'} \models F \{{F}/{\mathcal {D}(F)}\}\) and \({H}\parallel {H'} \models F\), that is, the thesis.

(\(\Leftarrow \)):

By induction over the structure of \(\varphi \).

• Cases \({ tt}\) and \({ ff}\). Trivial.

• Case \(\varphi _1 \wedge \varphi _2\). By (conjunction) rule, we have \({H}\parallel {H'} \models \varphi _1\) and \({H}\parallel {H'} \models \varphi _2\). Thus, by inductive hypothesis we have \(H \models {\varphi _1}_{//{H'}}\) and \(H \models {\varphi _2}_{//{H'}}\) which suffice to conclude.

• Case \(\varphi _1 \vee \varphi _2\). Similarly to the previous case, we apply (disjunction) and obtain that either \({H}\parallel {H'} \models \varphi _1\) or \({H}\parallel {H'} \models \varphi _2\) hold. In both cases, we apply the inductive hypothesis and conclude.

• Case \(\langle \sigma (u) \rangle .\varphi \). We have \({H}\parallel {H'} \models \langle \sigma (u) \rangle .\varphi \). By applying the rule for parallel history expressions and (c-diamond), we obtain that either

  $$\begin{aligned} (A) \exists \dot{H} . H \xrightarrow {\sigma (u)} \dot{H} \wedge {\dot{H}}\parallel {H'} \models \varphi \end{aligned}$$

  or

  $$\begin{aligned} (B) \exists \dot{H}' . H' \xrightarrow {\sigma (u)} \dot{H}' \wedge {H}\parallel {\dot{H}'} \models \varphi \end{aligned}$$

  If \((A)\) holds then by inductive hypothesis \(\exists \dot{H}.\dot{H} \models {\varphi }_{//{\dot{H}'}}\) and, by (c-diamond), \(H \models \langle \sigma (u) \rangle . {\varphi }_{//{H'}}\) Instead, if \((B)\) holds, \(\exists \dot{H}'.H' \xrightarrow {\sigma (u)} \dot{H}'\) and \(H \models {\varphi }_{//{\dot{H}'}}\). This implies that \(H \models \bigvee \nolimits _{H' \xrightarrow {\sigma (u)} \dot{H}'} {\varphi }_{//{\dot{H}'}}\). Composing the two cases, we obtain the thesis.

• Case \(\langle \sigma (x) \rangle .\varphi \). The premise is \({H}\parallel {H'} \models \langle \sigma (x) \rangle .\varphi \). By applying the rule for parallel history expressions and (a-diamond), we obtain that either

  $$\begin{aligned} (A) \exists u,\dot{H} . H \xrightarrow {\sigma (u)} \dot{H} \wedge {\dot{H}}\parallel {H'} \models \varphi \{{u}/{x}\} \end{aligned}$$

  or

  $$\begin{aligned} (B) \exists u, \dot{H}'.H' \xrightarrow {\sigma (u)} \dot{H}' \wedge {H}\parallel {\dot{H}'} \models \varphi \{{u}/{x}\} \end{aligned}$$

  If \((A)\) holds, by inductive hypothesis we know that \(\exists u.\dot{H} \models {\varphi \{{u}/{x}\}}_{//{H'}}\) which implies \(H \models \langle \sigma (x) \rangle . {\varphi }_{//{H'}}\). Otherwise, applying the inductive hypothesis to \((B)\) we have that (there exist \(u\) and \(\dot{H}'\) s.t.) \(H \models {\varphi \{\{{u}/{x}\}\}}_{//{\dot{H}'}}\) which implies that \(H \models \bigvee \nolimits _{H' \xrightarrow {\sigma (u)} \dot{H}'} {\varphi \{\{{u}/{x}\}\}}_{//{\dot{H}'}}\). Then, by rule (disjunction) we obtain the thesis.

• Case \([ \sigma (u) ].\varphi \). Here, we can assume that

  $$\begin{aligned} (A) \forall \dot{H}.H \xrightarrow {\sigma (u)} \dot{H} \Longrightarrow {\dot{H}}\parallel {H'} \models \varphi \end{aligned}$$

  and

  $$\begin{aligned} (B) \forall \dot{H}'.H' \xrightarrow {\sigma (u)} \dot{H}' \Longrightarrow {H}\parallel {\dot{H}'} \models \varphi \end{aligned}$$

  Applying the inductive hypothesis to \((A)\) we have that \(\dot{H} \models {\varphi }_{//{H'}}\) which implies \(H \models [\sigma (u)].{\varphi }_{//{H'}}\). From \((B)\), by inductive hypothesis, we have that (for each \(\dot{H}'\)) \(H \models {\varphi }_{//{\dot{H}'}}\). Hence, we can infer that \(H \models \bigwedge \nolimits _{H' \xrightarrow {\sigma (u)} \dot{H}'} {\varphi }_{//{\dot{H}'}}\). We conclude by applying rule (conjunction) and the PMC definition.

• Case \([ \sigma (x) ].\varphi \). Here we can assume that

  $$\begin{aligned} (A) \forall u,\dot{H}.H \xrightarrow {\sigma (u)} \dot{H} \Longrightarrow {\dot{H}}\parallel {H'} \models \varphi \{{u}/{x}\} \end{aligned}$$

  and

  $$\begin{aligned} (B) \forall u,\dot{H}'.H' \xrightarrow {\sigma (u)} \dot{H}' \Longrightarrow {H}\parallel {\dot{H}'} \models \varphi \{{u}/{x}\} \end{aligned}$$

  Applying the inductive hypothesis to \((A)\) we have that \(\dot{H} \models {\varphi \{{u}/{x}\}}_{//{H'}}\) and then \(H \models [\sigma (x)].{\varphi }_{//{H'}}\). From \((B)\), by inductive hypothesis, we have that (for each \(u\) and \(\dot{H}'\)) \(H \models {\varphi \{{u}/{x}\}}_{//{\dot{H}'}}\). Then, we obtain that

  $$\begin{aligned} H \models \bigwedge \limits _{H' \xrightarrow {\sigma (u)} \dot{H}'} {\varphi \{{u}/{x}\}}_{//{\dot{H}'}} \end{aligned}$$

  By applying (conjunction), we reduce to the definition of PMC applied to abstract box.

• Case \(F\). In this case, we have \({H}\parallel {H'} \models F\) which implies \({H}\parallel {H'} \models \mathcal {D}(F)\). Then, we apply the inductive hypothesis and we obtain \({H}\parallel {H'} \models {\mathcal {D}(F)}_{//{H'}}\) which is by definition equivalent to \({H}\parallel {H'} \models F_{H'}\) where \(F_{H'} = {F}_{//{H'}}\).\(\square \)