
Bounded-memory runtime enforcement with probabilistic and performance analysis

Published in: Formal Methods in System Design

Abstract

Runtime Enforcement (RE) is a technique aimed at monitoring the executions of a system at runtime and ensure its compliance against a set of formal requirements (properties). RE employs an enforcer (a safety wrapper for the system) which modifies the (untrustworthy) output by performing actions such as delaying (by storing/buffering) and suppressing events, when needed. In this paper, to handle practical applications with memory constraints, we propose a new RE paradigm where the memory of the enforcer is bounded/finite. Besides the property to be enforced, the user specifies a bound on the enforcer memory. Bounding the memory poses various challenges such as how to handle the situation when the memory is full, how to optimally discard events from the buffer to accommodate new events and let the enforcer continue operating. We define the bounded-memory RE problem and develop a framework for any regular property. All of our results are formalized and proved. We also analyze probabilistically how much memory is required on an average case for a given regular property, such that the output of the bounded enforcer is equal to that of the unbounded enforcer up to a fixed probability. The proposed framework is implemented and a case study is worked out to show the practicability and usefulness of the bounded enforcer in the real-world and to show the usage of the aforementioned probabilistic analysis on them. The performance is evaluated via some examples from application scenarios and it indicates linear changes in the execution time of the enforcers in response to increases in trace length, property complexity, and buffer sizes.


Data availability

The datasets generated and/or analysed during the current study are available in the GitHub repository at [29].

Notes

  1. Storing/delaying the events (in the internal memory of the enforcer) makes this enforcement mechanism suitable for transactional systems and unsuitable for reactive systems, which have to continuously capture and emit events.

  2. For applications/systems where discarding events is not acceptable, one may use the approach of halting when the above situations arise. For all applications/systems where halting the system/enforcer is not acceptable, the proposed approach can be used to minimally discard “idempotent” events and let the enforcer/system continue to operate.

  3. We employ finite-state automata to model and define regular properties. We consider enforcement of all regular properties, where the property to be enforced is modelled/defined as an automaton and given as input to the enforcement mechanism. With each input event, the state of the property automaton progresses, and the potential output is determined based on the state it reaches. For instance, when the automaton depicted in Fig. 2 of Example 1 moves from state \(q_2\) to \(q_0\) (an accepting state), the enforcer generates output by emitting the events accumulated in its internal memory. This occurs because the input word is accepted by the automaton, marked by the attainment of an accepting state.

  4. In various contexts, such as queue-based systems like FIFO (First-In-First-Out), the most obsolete event is an event that was initially encountered or recorded earliest in the timeline.

  5. Within the degraded mode, there exist distinct categories of suppression i.e., suppression due to a lack of future property satisfaction or due to buffer fullness. At present, our framework generates a common degraded mode information (i.e., \(\bot \)) as output for both the types of suppression. However, we plan to provide separate mode information for these cases to users in the future.

  6. The prefix-closed properties are commonly known as safety properties.

  7. The automaton modelling the property of logging of steering commands can be designed using just three states, i.e., one accepting and two non-accepting states. From a non-accepting state (but not a dead state), upon {R,F,L}, it remains at the same non-accepting state, whereas upon S, it makes a transition to an accepting state. Similarly, from the accepting state, upon S, it remains at the same accepting state whereas upon {R,F,L}, it makes the transition to the non-accepting state (but not a dead state). For all other inputs (e.g., E) and from all states, the automaton goes to a dead state. However, we choose to keep the automaton in Fig. 7 as it is close to the automata which can be used for steering the AV.

  8. Experiments were conducted on an Intel Core i7-9700K CPU at 3.60GHz \( \times \) 8, with 32 GB RAM, and running on Ubuntu 18.04.5 LTS.

  9. The input trace can be obtained by driving some miles and recording the commands, or by randomly generating the commands.

  10. aa: accepting state to accepting state, an: accepting state to non-accepting state, likewise.

  11. For instance, when examining an input sequence of length 10, a suitable trace for property \(P_1\) can be aaaaaaaaa2, abcdabcd21, etc. Here, the significant observation is that the digits (which fulfill the property) are positioned at the end of the trace, allowing a higher buffer of events and consequently more frequent invocations of function \(\texttt {clean}\).

  12. Despite enlarging the buffer size and subsequently decreasing the frequency of invoking function \( \texttt {clean} \), the average time taken by function \( \texttt {clean} \) still increases linearly. This outcome arises from the fact that although the function is called fewer times, each invocation involves a larger list of uncorrected events (events in \(\sigma _c\)). The substantial overhead required to manage this expanded list significantly contributes to the heightened average processing time.

References

  1. Beauquier D, Cohen J, Lanotte R (2013) Security policies enforcement using finite and pushdown edit automata. Int J Inf Secur 12(4):319–336. https://doi.org/10.1007/s10207-013-0195-8


  2. Bielova N, Massacci F (2011) Predictability of enforcement. In: Proceedings of the third international conference on engineering secure software and systems. Springer-Verlag, Berlin, Heidelberg, ESSoS’11, p 73-86, https://doi.org/10.1007/978-3-642-19125-1_6

  3. Bloem R, Könighofer B, Könighofer R, et al (2015) Shield synthesis: runtime enforcement for reactive systems. In: Baier C, Tinelli C (eds.) Tools and algorithms for the construction and analysis of systems. Springer Berlin Heidelberg, Berlin, Heidelberg, pp 533–548, https://doi.org/10.1007/978-3-662-46681-0_51

  4. Çinlar E (1969) Markov renewal theory. Adv Appl Probab 1(2):123–187. https://doi.org/10.2307/1426216

  5. Clarke E, Grumberg O, Peled D (2001) Model checking

  6. Dolzhenko E, Ligatti J, Reddy S (2015) Modeling runtime enforcement with mandatory results automata. Int J Inf Secur 14(1):47–60. https://doi.org/10.1007/s10207-014-0239-8


  7. Falcone Y, Fernandez JC, Mounier L (2009) Runtime verification of safety-progress properties. In: Runtime verification, Springer, pp 40–59, https://doi.org/10.1007/978-3-642-04694-0_4

  8. Falcone Y, Mounier L, Fernandez J et al (2011) Runtime enforcement monitors: composition, synthesis, and enforcement abilities. Formal Methods Syst Des 38(3):223–262. https://doi.org/10.1007/s10703-011-0114-4


  9. Falcone Y, Fernandez J, Mounier L (2012) What can you verify and enforce at runtime? Int J Softw Tools Technol Transf 14(3):349–382. https://doi.org/10.1007/s10009-011-0196-8


  10. Falcone Y, Jéron T, Marchand H et al (2016) Runtime enforcement of regular timed properties by suppressing and delaying events. Syst Control Lett 123:2–41. https://doi.org/10.1016/j.scico.2016.02.008


  11. Falcone Y, Mariani L, Rollet A, et al (2018) Runtime failure prevention and reaction. In: Lectures on runtime verification—introductory and advanced topics. pp 103–134, https://doi.org/10.1007/978-3-319-75632-5_4

  12. Fong PWL (2004) Access control by tracking shallow execution history. In: IEEE symposium on security and privacy, 2004. Proceedings. 2004, pp 43–55, https://doi.org/10.1109/SECPRI.2004.1301314

  13. Grimmett G, Stirzaker D (2020) Probability and random processes (4th edition). Oxford University Press


  14. Ligatti J, Bauer L, Walker D (2005) Edit automata: enforcement mechanisms for run-time security policies. Int J Inf Secur 4(1–2):2–16. https://doi.org/10.1007/s10207-004-0046-8


  15. Ligatti J, Bauer L, Walker D (2009) Run-time enforcement of nonsafety policies. ACM Trans Inf Syst Secur. https://doi.org/10.1145/1455526.1455532


  16. Norris JR (1997) Markov chains. Cambridge series in statistical and probabilistic mathematics, Cambridge University Press. https://doi.org/10.1017/CBO9780511810633

  17. Pearce H, Pinisetty S, Roop PS et al (2020) Smart i/o modules for mitigating cyber-physical attacks on industrial control systems. IEEE Transact Ind Inf 16(7):4659–4669. https://doi.org/10.1109/TII.2019.2945520


  18. Pinisetty S, Falcone Y, Jéron T, et al (2012) Runtime enforcement of timed properties. In: Qadeer S, Tasiran S (eds) Runtime verification, third international conference, RV 2012, Istanbul, Turkey, September 25-28, 2012, Revised Selected Papers, Lecture Notes in Computer Science, vol 7687. Springer, pp 229–244, https://doi.org/10.1007/978-3-642-35632-2_23

  19. Pinisetty S, Falcone Y, Jéron T et al (2014) Runtime enforcement of timed properties revisited. Formal Methods Syst Design 45(3):381–422. https://doi.org/10.1007/s10703-014-0215-y


  20. Pinisetty S, Preoteasa V, Tripakis S et al (2017) Predictive runtime enforcement. Formal Methods Syst Des 51(1):154–199. https://doi.org/10.1007/s10703-017-0271-1


  21. Pinisetty S, Roop PS, Smyth S et al (2017) Runtime enforcement of cyber-physical systems. ACM Trans Embed Comput Syst. https://doi.org/10.1145/3126500


  22. Pinisetty S, Roop PS, Smyth S, et al (2017c) Runtime enforcement of reactive systems using synchronous enforcers. In: Proceedings of the 24th ACM SIGSOFT international SPIN symposium on model checking of software, pp 80–89, https://doi.org/10.1145/3092282.3092291

  23. Privault N (2018) Discrete-time Markov chains, Springer Singapore, Singapore, pp 89–113. https://doi.org/10.1007/978-981-13-0659-4_4

  24. Renard M, Falcone Y, Rollet A, et al (2015) Enforcement of (timed) properties with uncontrollable events. In: Theoretical aspects of computing - ICTAC 2015 - 12th international colloquium Cali, Colombia, 2015, Proceedings, pp 542–560, https://doi.org/10.1007/978-3-319-25150-9_31

  25. Renard M, Falcone Y, Rollet A, et al (2017) Optimal enforcement of (timed) properties with uncontrollable events. Math Struct Comput Sci pp 1–46. https://doi.org/10.1017/S0960129517000123

  26. Renard M, Rollet A, Falcone Y (2020) Runtime enforcement of timed properties using games. Formal Asp Comput 32(2):315–360. https://doi.org/10.1007/s00165-020-00515-2


  27. Roşu G (2012) On safety properties and their monitoring. Sci Ann Comput Sci 22(2):327–365. https://doi.org/10.7561/SACS.2012.2.327


  28. Schneider FB (2000) Enforceable security policies. ACM Trans Inf Syst Secur 3(1):30–50. https://doi.org/10.1145/353323.353382


  29. Shankar S (2022) Bounded-memory runtime enforcer. https://github.com/saumyashankarsinha/BMRE

  30. Shankar S, R UV, Pinisetty S, et al (2020) Formal runtime monitoring approaches for autonomous vehicles. In: Benedictis RD, Geretti L, Micheli A (eds.) Proceedings of the 2nd workshop on artificial intelligence and formal verification, Logic, Automata, and Synthesis hosted by the Bolzano Summer of Knowledge 2020 (BOSK 2020), September 25, 2020, CEUR Workshop Proceedings, vol 2785. CEUR-WS.org, pp 89–94, http://ceur-ws.org/Vol-2785/paper15.pdf

  31. Shankar S, Rollet A, Pinisetty S, et al (2022) Bounded-memory runtime enforcement. In: Legunsen O, Rosu G (eds) Model checking software. Springer International Publishing, Cham, pp 114–133, https://doi.org/10.1007/978-3-031-15077-7_7

  32. Talhi C, Tawbi N, Debbabi M (2008) Execution monitoring enforcement under memory-limitation constraints. Inf Comput 206(2):158–184. https://doi.org/10.1016/j.ic.2007.07.009, joint Workshop on foundations of computer security and automated reasoning for security protocol analysis (FCS-ARSPA ’06)

  33. Woodcock J, Larsen PG, Bicarregui J et al (2009) Formal methods: practice and experience. ACM Comput Surv. https://doi.org/10.1145/1592434.1592436


  34. Wu M, Zeng H, Wang C (2016) Synthesizing runtime enforcer of safety properties under burst error. In: NASA formal methods—8th international symposium, NFM 2016, Minneapolis, MN, USA, 2016, Proceedings, pp 65–81, https://doi.org/10.1007/978-3-319-40648-0_6


Acknowledgements

This work has been partially supported by IIT Bhubaneswar Seed Grant (SP093).

Corresponding author

Correspondence to Saumya Shankar.


Proofs

This appendix provides the proofs of the propositions given in the paper.

Lemma 1. \( \forall \sigma , \sigma ' \in \Sigma ^{*}: \sigma \cdot \sigma ' \in \mathcal {L}(A) \Longleftrightarrow (\sigma ' \in \mathcal {L}(A, \delta (q_{0}, \sigma ))) \)

Lemma 1 states that given any two words \( \sigma , \sigma ' \in \Sigma ^{*} \), the word obtained by concatenating them (\( \sigma \cdot \sigma ' \)) belongs to the language of A if and only if the word \( \sigma ' \) belongs to the language accepted by A starting from the state reached by reading \( \sigma \) in A (i.e., from \( \delta (q_{0},\sigma ) \)).

Proof of Lemma 1 is straightforward from the definitions of the language of an automaton and the language of an automaton starting from a specific state.

Lemma 2. If \(\varphi \) is defined by a deterministic and minimal automaton with transition function \(\delta \) and initial state \(q_0\): \( \sigma \sim _\varphi \sigma ' \Leftrightarrow \delta (q_0, \sigma ) = \delta (q_0, \sigma '). \)

Proof of Lemma 2 is straightforward from the above definition of equivalence and the definition of transition function \(\delta \) extended to words.

Lemma 3 introduces some properties of the enforcement function (Definition 3).

Lemma 3

For all \(\sigma , \sigma _s, \sigma _c \in \Sigma ^*\), we have:

  1. \(\sigma \in \textrm{pref}(\varphi ) \wedge \textrm{store}^{\varphi }(\sigma ) = (\sigma _{s}, \sigma _{c}) \implies \sigma = \sigma _s \cdot \sigma _c\)

  2. \(\sigma \not \in \textrm{pref}(\varphi ) \wedge \textrm{store}^{\varphi }(\sigma ) = (\sigma _{s}, \sigma _{c}) \implies \sigma _s \cdot \sigma _c \triangleleft \sigma \).

Property 1 of Lemma 3 states that for any input sequence \(\sigma \in \Sigma ^*\), if \(\exists \) a continuation of \(\sigma \) satisfying \(\varphi \) and if \(\textrm{store}^{\varphi }(\sigma ) = (\sigma _{s}, \sigma _{c})\), then their concatenation \(\sigma _{s}\cdot \sigma _{c}\) will be equal to \(\sigma \).

Property 2 of Lemma 3 states that for any input sequence \(\sigma \in \Sigma ^*\), if \(\not \exists \) a continuation of \(\sigma \) satisfying \(\varphi \) and if \(\textrm{store}^{\varphi }(\sigma ) = (\sigma _{s}, \sigma _{c})\), then their concatenation \(\sigma _{s}\cdot \sigma _{c}\) will be a subsequence of \(\sigma \) (i.e., some events from \(\sigma \) will be suppressed/discarded).

From the definition of the enforcement function (Definition 3), it is straightforward to see that the above properties hold. These properties are useful in proving Proposition 1.

1.1 Proof (of Proposition 1)

We show here the proof of Proposition 1, i.e., that the enforcement function \(E^\varphi \) as per Definition 3 is an enforcer as per Definition 2. Let us prove this using induction on the input sequence \( \sigma \).

Induction basis. If \(\sigma =\epsilon \), from the definition of the enforcement function (Definition 3), \(E^{\varphi }(\epsilon )=\epsilon \). Since \(E^{\varphi }(\epsilon )=\epsilon \), Proposition 1 trivially holds for \(\sigma =\epsilon \).

Induction step. Assume that the Proposition holds for every \( \sigma \in \Sigma ^{*}\) of some length \(k \in \mathbb {N}\). We now prove that the Proposition holds for \(\sigma \cdot a \) for any \( a\in \Sigma \). \(E^{\varphi }(\sigma \cdot a)=\Pi _{1}(\textrm{store}^{\varphi }(\sigma \cdot a))\), and from Definition 3 we have the following cases, where \(\sigma _{s}\) corresponds to the output of the enforcement function (it is a prefix of (a subsequence of) the input that satisfies property \(\varphi \)) and \(\sigma _{c}\) is a suffix of (a subsequence of) the input that the enforcer cannot output yet; it corresponds to the buffer of the enforcer.

  • Case: \(\sigma _{s} \cdot \sigma _{c} \cdot a \in \varphi \):

    As per Definition 3, \(E^{\varphi }(\sigma \cdot a)=\sigma _{s} \cdot \sigma _{c}\cdot a\). The constraint (Snd) is satisfied since \(\sigma _{s} \cdot \sigma _{c} \cdot a \in \varphi \). Also, \(\sigma \preccurlyeq \sigma \cdot a\) and \(E^{\varphi }(\sigma )=\sigma _{s}\), thus \(E^{\varphi }(\sigma )\preccurlyeq E^{\varphi }(\sigma \cdot a)\). Thus (Mo) is satisfied.

    Regarding constraints (Tr1), (Tr2) and (Opts) we consider the following sub-cases based on whether \(\sigma \in \textrm{pref}(\varphi )\) or not.

    • Case \(\sigma \in \textrm{pref}(\varphi )\): Since \(\sigma \in \textrm{pref}(\varphi )\), from the induction hypothesis we have \(E^{\varphi }(\sigma ) \preccurlyeq \sigma \) which is equal to \(\sigma _s\), and from Lemma 3, we have \(\sigma = \sigma _s \cdot \sigma _c\). Since \(\sigma _{s} \cdot \sigma _{c} \cdot a \in \varphi \), we have \(\sigma _s \cdot \sigma _c \cdot a \in \textrm{pref}(\varphi )\). Thus (Tr1) trivially holds. Since in this case \(E^{\varphi }(\sigma \cdot a)=\sigma _{s} \cdot \sigma _{c}\cdot a \preccurlyeq \sigma \cdot a\), (Tr2) holds. Constraint (Opts) also holds trivially in this case since \(\sigma _{s} \cdot \sigma _{c} \cdot a \in \varphi \), and from Lemma 3, we have \(\sigma \cdot a \in \varphi \), and thus \(\sigma \cdot a \in \textrm{pref}(\varphi )\).

    • Case \(\sigma \not \in \textrm{pref}(\varphi )\):

      Since \(\sigma \not \in \textrm{pref}(\varphi )\) we also have \(\sigma \cdot a \not \in \textrm{pref}(\varphi )\). From the induction hypothesis and from Lemma 3, we have \(E^{\varphi }(\sigma \cdot a)=\sigma _{s} \cdot \sigma _{c}\cdot a \triangleleft \sigma \cdot a\), and thus constraint (Tr1) holds. Since \(\sigma \not \in \textrm{pref}(\varphi )\) constraint (Tr2) trivially holds. Constraint (Opts) also holds trivially in this case since \(\sigma \not \in \textrm{pref}(\varphi )\).

  • Case \(\sigma _{s} \cdot \sigma _{c} \cdot a \not \in \varphi \):

    As per Definition 3, \(E^{\varphi }(\sigma \cdot a)=\sigma _{s}\), which is equal to \(E^{\varphi }(\sigma )\). Thus, from the induction hypothesis, (Snd) also holds for \(\sigma \cdot a\) in this case.

    Also, \(\sigma \preccurlyeq \sigma \cdot a\), \(E^{\varphi }(\sigma )=\sigma _{s}\) and in this case \(E^{\varphi }(\sigma \cdot a)=\sigma _{s}\), thus (Mo) is satisfied since \(E^{\varphi }(\sigma )\preccurlyeq E^{\varphi }(\sigma \cdot a)\).

    Regarding constraints (Tr1), (Tr2) and (Opts) we consider the following sub-cases based on whether \(\sigma _{s} \cdot \sigma _{c} \cdot a \in \textrm{pref}(\varphi )\) or not.

    • Case \(\sigma _{s} \cdot \sigma _{c} \cdot a \in \textrm{pref}(\varphi )\):

      We consider the following two sub-cases further based on whether \(\sigma \in \textrm{pref}(\varphi )\) or not.

      • Case \(\sigma \in \textrm{pref}(\varphi )\): Since \(\sigma \in \textrm{pref}(\varphi )\), from the induction hypothesis we have \(E^{\varphi }(\sigma ) \preccurlyeq \sigma \) which is equal to \(\sigma _s\), and from Lemma 3, we have \(\sigma = \sigma _s \cdot \sigma _c\). We have \(\sigma _s \cdot \sigma _c \cdot a \in \textrm{pref}(\varphi )\) in this case. Thus (Tr1) trivially holds. Since in this case \(E^{\varphi }(\sigma \cdot a)=\sigma _{s} \preccurlyeq \sigma _{s} \cdot \sigma _{c}\cdot a \preccurlyeq \sigma \cdot a\), (Tr2) holds. Constraint (Opts) also holds trivially in this case since \(\sigma _{s} \cdot \sigma _{c} \cdot a \in \textrm{pref}(\varphi )\), and from Lemma 3, we have \(\sigma \cdot a \in \textrm{pref}(\varphi )\).

      • Case \(\sigma \not \in \textrm{pref}(\varphi )\): Since \(\sigma \not \in \textrm{pref}(\varphi )\) we also have \(\sigma \cdot a \not \in \textrm{pref}(\varphi )\). From the induction hypothesis and from Lemma 3, we have \(E^{\varphi }(\sigma )=\sigma _{s} \triangleleft \sigma \), and since \(E^{\varphi }(\sigma \cdot a)=\sigma _{s}\), we have \(E^{\varphi }(\sigma \cdot a) \triangleleft \sigma \cdot a\); thus constraint (Tr1) holds. Since \(\sigma \cdot a \not \in \textrm{pref}(\varphi )\) constraint (Tr2) trivially holds. Constraint (Opts) also holds trivially in this case since \(\sigma \not \in \textrm{pref}(\varphi )\).

    • Case \(\sigma _{s} \cdot \sigma _{c} \cdot a \not \in \textrm{pref}(\varphi )\):

      We consider the following two sub-cases further based on whether \(\sigma \in \textrm{pref}(\varphi )\) or not.

      • Case \(\sigma \in \textrm{pref}(\varphi )\):

        Since \(\sigma \in \textrm{pref}(\varphi )\), from the induction hypothesis we have \(E^{\varphi }(\sigma ) \preccurlyeq \sigma \) which is equal to \(\sigma _s\), and from Lemma 3, we have \(\sigma = \sigma _s \cdot \sigma _c\). We have \(\sigma _s \cdot \sigma _c \cdot a \not \in \textrm{pref}(\varphi )\) in this case.

        Regarding constraint (Tr1), since in this case \(E^{\varphi }(\sigma \cdot a)=\sigma _{s} \preccurlyeq \sigma \) (from the induction hypothesis and Lemma 3), we have \(E^{\varphi }(\sigma \cdot a) \triangleleft \sigma \cdot a\). Thus, (Tr1) holds in this case.

        Regarding constraint (Tr2), since \(\sigma = \sigma _s\cdot \sigma _c\) in this case, we have \(\sigma \cdot a \not \in \textrm{pref}(\varphi )\) in this case, and thus (Tr2) trivially holds in this case.

        As per Definition 3, \(\sigma _{s}\) and \(\sigma _{c}\) are left untouched and event a is suppressed in this case, so \(E^{\varphi }(\sigma \cdot a) = E^{\varphi }(\sigma )\), and for any \(\sigma _{\textrm{con}}\in \Sigma ^*\), \(E^{\varphi }(\sigma \cdot a \cdot \sigma _{\textrm{con}}) = E^{\varphi }(\sigma \cdot \sigma _{\textrm{con}})\), satisfying (Opts).

      • Case \(\sigma \not \in \textrm{pref}(\varphi )\):

        Since \(\sigma \not \in \textrm{pref}(\varphi )\) we also have \(\sigma \cdot a \not \in \textrm{pref}(\varphi )\). From the induction hypothesis and from Lemma 3, we have \(E^{\varphi }(\sigma )=\sigma _{s} \triangleleft \sigma \), and since \(E^{\varphi }(\sigma \cdot a)=\sigma _{s}\), we have \(E^{\varphi }(\sigma \cdot a)\triangleleft \sigma \cdot a\) thus constraint (Tr1) holds. Since \(\sigma \cdot a \not \in \textrm{pref}(\varphi )\) constraint (Tr2) trivially holds. Constraint (Opts) also holds trivially in this case since \(\sigma \not \in \textrm{pref}(\varphi )\).

The following Lemma introduces some properties of the bounded enforcement function (Definition 5).

Lemma 4

For all \(\sigma , \sigma _s, \sigma _c \in \Sigma ^*\), \(mode \in \{\top , \bot \}\) and buffer size \(k \in \mathbb {N}\), we have:

  1. \(\sigma \in \textrm{pref}(\varphi ) \wedge \textrm{store}^{\varphi , k}(\sigma ) = (\sigma _{s}, \sigma _{c}, \top ) \implies \sigma = \sigma _s \cdot \sigma _c\)

  2. \( \sigma \not \in \textrm{pref}(\varphi ) \wedge \textrm{store}^{\varphi , k}(\sigma ) = (\sigma _{s}, \sigma _{c}, mode) \implies \sigma _s \cdot \sigma _c \triangleleft \sigma \wedge mode = \bot \).

  3. \( \textrm{store}^{\varphi , k}(\sigma ) = (\sigma _{s}, \sigma _{c}, \bot ) \implies \sigma _s \cdot \sigma _c \triangleleft \sigma \)

Property 1 of Lemma 4 states that for any input sequence \(\sigma \in \Sigma ^*\), if \(\exists \) a continuation of \(\sigma \) satisfying \(\varphi \) and if \(\textrm{store}^{\varphi , k}(\sigma ) = (\sigma _{s}, \sigma _{c}, \top )\), then the concatenation \(\sigma _{s}\cdot \sigma _{c}\) will be equal to \(\sigma \). If the mode is \(\top \), this indicates that none of the elements from \(\sigma \) are suppressed.

Property 2 of Lemma 4 states that for any input sequence \(\sigma \in \Sigma ^*\), if \(\not \exists \) a continuation of \(\sigma \) satisfying \(\varphi \) and if \(\textrm{store}^{\varphi , k}(\sigma ) = (\sigma _{s}, \sigma _{c}, mode)\), then the mode must be \(\bot \) and some events from \(\sigma \) must be suppressed, and thus \(\sigma _{s}\cdot \sigma _{c}\) will be a subsequence of \(\sigma \).

Property 3 of Lemma 4 states that for any input sequence \(\sigma \in \Sigma ^*\), if \(\textrm{store}^{\varphi , k}(\sigma ) = (\sigma _{s}, \sigma _{c}, \bot )\), i.e., if the mode is \(\bot \), then some events from \(\sigma \) were suppressed (possibly because the buffer was full and has been cleaned), and thus \(\sigma _{s}\cdot \sigma _{c}\) will be a subsequence of \(\sigma \).

From the definition of the enforcement function (Definition 5), it is straightforward/intuitive to see that the above properties hold. These properties are useful in proving Proposition 2.

1.2 Proof (of Proposition 2)

We show here the proof of Proposition 2. Let us prove this using induction on the input sequence \( \sigma \).

Induction basis. If \(\sigma =\epsilon \), from the definition of the enforcement function (Definition 5), \(E^{\varphi ,k}(\epsilon )=(\epsilon , \top )\). Since \(E^{\varphi ,k}(\epsilon )=(\epsilon , \top )\), Proposition 2 trivially holds for \(\sigma =\epsilon \).

Induction step. Assume that for any \( \sigma \in \Sigma ^{*}\), Proposition 2 holds. Let \(E^{\varphi ,k}_{\textrm{out}}(\sigma ) = \sigma _s\), and let \(E^{\varphi ,k}_{\textrm{mode}}(\sigma )\) be denoted as \(\textrm{mode}\). We now prove that for any \( a\in \Sigma \), Proposition 2 holds for \( \sigma \cdot a \). As per Definition 5, we have \(E^{\varphi ,k}(\sigma \cdot a)=(\Pi _{1}(\textrm{store}^{\varphi ,k}(\sigma \cdot a)),\Pi _{3}(\textrm{store}^{\varphi ,k}(\sigma \cdot a)))\), and from Definition 5 we have the following cases, where \(\sigma _{s}\) corresponds to the output of the enforcement function (\(E^{\varphi ,k}_{\textrm{out}}\)), which is a prefix of (a subsequence of) the input that satisfies property \(\varphi \), and \(\sigma _{c}\) is a suffix of (a subsequence of) the input that the enforcer cannot output yet; it corresponds to the buffer of the enforcer.

  1. Case \(\sigma _{s} \cdot \sigma _{c} \cdot a \in \varphi \):

    As per Definition 5, \(E^{\varphi ,k}_{\textrm{out}}(\sigma \cdot a)=\sigma _{s} \cdot \sigma _{c}\cdot a\) and \(E^{\varphi ,k}_{\textrm{mode}}(\sigma \cdot a)=\textrm{mode} =E^{\varphi ,k}_{\textrm{mode}}(\sigma )\).

    The constraint (SndB) is satisfied since \(\sigma _{s} \cdot \sigma _{c} \cdot a \in \varphi \).

    Also, \(\sigma \preccurlyeq \sigma \cdot a\), \(E^{\varphi ,k}_{\textrm{out}}(\sigma )=\sigma _{s}\) and \(E^{\varphi ,k}_{\textrm{out}}(\sigma \cdot a)=\sigma _{s} \cdot \sigma _{c}\cdot a\). Since \(E^{\varphi ,k}_{\textrm{out}}(\sigma )\preccurlyeq E^{\varphi ,k}_{\textrm{out}}(\sigma \cdot a)\), thus (MoB) is satisfied.

    Since \(\sigma _{s} \cdot \sigma _{c} \cdot a \in \varphi \), we have \(\sigma _{s} \cdot \sigma _{c} \cdot a \in \textrm{pref}(\varphi )\) or \(\sigma \cdot a \in \textrm{pref}(\varphi )\).

    Regarding constraints (Tr1B), (Tr2B), (OptsB), and (OptmB) we consider the following sub-cases based on whether \(E^{\varphi ,k}_{\textrm{mode}}(\sigma ) = \top \) or not.

    (a) Case \(E^{\varphi ,k}_{\textrm{mode}}(\sigma ) = \top \):

      (Tr1B) trivially holds.

      Since \(E^{\varphi ,k}_{\textrm{mode}}(\sigma ) = \top \), no event (including “a”) is suppressed, and thus \(E^{\varphi ,k}_{\textrm{out}}(\sigma \cdot a)\preccurlyeq \sigma \cdot a\). Hence (Tr2B) is satisfied.

      Since \(\sigma _{s} \cdot \sigma _{c} \cdot a \in \varphi \) or \(\sigma \cdot a \in \varphi \), we have \(\sigma \cdot a \in \textrm{pref}(\varphi )\); thus (OptsB) holds.

      Since \(E^{\varphi ,k}_{\textrm{mode}}(\sigma ) = \top \), \(\sigma \cdot a \in \varphi \) and \(E^{\varphi ,k}_{\textrm{mode}}(\sigma \cdot a) = mode=\top \), (OptmB) holds.

    (b) Case \(E^{\varphi ,k}_{\textrm{mode}}(\sigma ) = \bot \):

      Since \(E^{\varphi ,k}_{\textrm{mode}}(\sigma ) = \bot \), necessarily some events have been suppressed from \(\sigma \), and thus \(E^{\varphi ,k}_{\textrm{out}}(\sigma )=\sigma _{s}\triangleleft \sigma \). Consequently, \(E^{\varphi ,k}_{\textrm{out}}(\sigma \cdot a)=\sigma _{s}\cdot \sigma _c \cdot a\triangleleft \sigma \cdot a\). Thus, (Tr1B) holds.

      (Tr2B) and (OptsB) hold trivially, since \(E^{\varphi ,k}_{\textrm{mode}}(\sigma ) = \bot \).

      Since \(E^{\varphi ,k}_{\textrm{mode}}(\sigma ) = \bot \) and \(E^{\varphi ,k}_{\textrm{mode}}(\sigma \cdot a) = mode=\bot \), (OptmB) holds.

  2. Case \(\sigma _{s} \cdot \sigma _{c} \cdot a \not \in \varphi \) but \(\sigma _{s} \cdot \sigma _{c} \cdot a \in \textrm{pref}(\varphi )\):

    (a) Case \( \vert \sigma _c \cdot a \vert \le k \):

      In this case, event “a” is buffered. \(\sigma _s\) does not change and \(E^{\varphi ,k}_{\textrm{mode}}(\sigma \cdot a) = mode\).

      \(E^{\varphi ,k}_{\textrm{out}}(\sigma \cdot a)=E^{\varphi ,k}_{\textrm{out}}(\sigma )= \sigma _{s}\). Since \( \sigma _{s}\) already satisfies (SndB) and (MoB), they remain satisfied.

      Regarding constraints (Tr1B), (Tr2B), (OptsB), and (OptmB) we consider the following sub-cases based on whether \(E^{\varphi ,k}_{\textrm{mode}}(\sigma ) = \top \) or not.

      (i) Case \(E^{\varphi ,k}_{\textrm{mode}}(\sigma ) = \top \):

        (Tr1B) holds trivially.

        Same as case (a) of case (1), (Tr2B) holds.

        Since, \(\sigma \cdot a \in \textrm{pref}(\varphi )\), (OptsB) holds trivially.

        \(E^{\varphi ,k}_{\textrm{mode}}(\sigma ) = \top \) and \( \vert \sigma _c \cdot a \vert \le k \) and \(E^{\varphi ,k}_{\textrm{mode}}(\sigma \cdot a) = mode=\top \), hence (OptmB) holds.

      (ii) Case \(E^{\varphi ,k}_{\textrm{mode}}(\sigma ) = \bot \):

        Same as case (b) of case (1), (Tr1B) holds.

        (Tr2B), (OptsB), and (OptmB) hold trivially.

    (b) Case \( \vert \sigma _c \cdot a \vert > k \):

      In this case, the buffer is cleaned (some events are suppressed from the buffer), \(\sigma _s\) does not change, and \(E^{\varphi ,k}_{\textrm{mode}}(\sigma \cdot a) = \bot \).

      \(E^{\varphi ,k}_{\textrm{out}}(\sigma \cdot a)=E^{\varphi ,k}_{\textrm{out}}(\sigma )= \sigma _{s}\). Since \( \sigma _{s}\) already satisfies (SndB) and (MoB), they remain satisfied.

      Regarding constraints (Tr1B), (Tr2B), (OptsB), and (OptmB) we consider the following sub-cases based on whether \(E^{\varphi ,k}_{\textrm{mode}}(\sigma ) = \top \) or not.

        (i) Case \(E^{\varphi ,k}_{\textrm{mode}}(\sigma ) = \top \):

        \(E^{\varphi ,k}_{\textrm{out}}(\sigma \cdot a)= E^{\varphi ,k}_{\textrm{out}}(\sigma )=\sigma _{s}\) and \( \sigma _s \preccurlyeq \sigma \), and \( \sigma _s \preccurlyeq \sigma \cdot a\), thus (Tr2B) is satisfied.

        (Tr1B) and (OptsB) hold trivially.

        Since \( \vert \sigma _c \cdot a \vert > k \) and \(E^{\varphi ,k}_{\textrm{mode}}(\sigma \cdot a) =\bot \), (OptmB) holds.

        (ii) Case \(E^{\varphi ,k}_{\textrm{mode}}(\sigma ) = \bot \):

        As in case (b) of case (1), (Tr1B), (Tr2B), (OptsB), and (OptmB) hold.

  3. Case \(\sigma _{s} \cdot \sigma _{c} \cdot a \not \in \varphi \) and \(\sigma _{s} \cdot \sigma _{c} \cdot a \not \in \textrm{pref}(\varphi )\):

    In this case, the event “a” is suppressed. Both \(\sigma _{s} \) and \( \sigma _{c}\) remain unchanged. \(E^{\varphi ,k}_{\textrm{out}}(\sigma \cdot a)= \sigma _{s}\) and \(E^{\varphi ,k}_{\textrm{mode}}(\sigma \cdot a) = \bot \).

    Since the output does not change and \( \sigma _{s}\) already satisfied (SndB) and (MoB), they remain satisfied.

    Since \(\sigma \cdot a \not \in \textrm{pref}(\varphi )\) and event “a” is suppressed, \( E^{\varphi ,k}_{\textrm{out}}(\sigma \cdot a)\triangleleft \sigma \cdot a\), so (Tr1B) is satisfied.

    (Tr2B) holds trivially since \(\sigma \cdot a \not \in \textrm{pref}(\varphi )\).

    Regarding constraints (OptsB) and (OptmB), we consider the following sub-cases based on whether \(\sigma \in \textrm{pref}(\varphi )\) or not.

    (a) Case \(\sigma \in \textrm{pref}(\varphi )\):

        (i) Case \(E^{\varphi ,k}_{\textrm{mode}}(\sigma ) = \top \):

        Since event “a” is suppressed, (OptsB) holds.

        Since \(\sigma \cdot a \not \in \textrm{pref}(\varphi )\) and \(E^{\varphi ,k}_{\textrm{mode}}(\sigma \cdot a) = \bot \), (OptmB) holds.

        (ii) Case \(E^{\varphi ,k}_{\textrm{mode}}(\sigma ) = \bot \):

        (OptsB) holds trivially.

        Since \(E^{\varphi ,k}_{\textrm{mode}}(\sigma ) = \bot \) and \(E^{\varphi ,k}_{\textrm{mode}}(\sigma \cdot a) = \bot \), (OptmB) holds.

    (b) Case \(\sigma \not \in \textrm{pref}(\varphi )\):

      (OptsB) holds trivially.

      Since \(\sigma \not \in \textrm{pref}(\varphi )\), necessarily \(E^{\varphi ,k}_{\textrm{mode}}(\sigma ) = \bot \); as \(E^{\varphi ,k}_{\textrm{mode}}(\sigma \cdot a) = \bot \) as well, (OptmB) holds.

1.3 Proof (of Proposition 3)

Proposition 3 states that when the bound on memory k is considered to be infinite, for any word \(\sigma \), the output produced by the bounded enforcer for \(\sigma \) is equal to the output produced by the ideal enforcer (as per Definition 3).

When we compare the definition of the ideal enforcer (Definition 3) with that of the bounded enforcer (Definition 5), we can intuitively see that the proposition holds. This is because when \(k=\infty \) the condition of the third case in Definition 5 never holds, and each of the remaining three cases has a matching case in Definition 3 with respect to how the output and the buffer content change.

We also provide a detailed proof of Proposition 3 here. Let us prove this using induction on the input sequence \( \sigma \). Let us consider \(k=\infty \) for \(E^{\varphi ,k}\).

Induction basis. If \(\sigma =\epsilon \), from Definition 5, \(E^{\varphi ,\infty }_{\textrm{out}}(\epsilon )=\epsilon \) and from Definition 3, \(E^{\varphi }(\epsilon )=\epsilon \); thus Proposition 3 trivially holds for \(\sigma =\epsilon \).

Induction step. Assume that for every \( \sigma \in \Sigma ^{*},\) Proposition 3 holds. We now prove that for any \( a\in \Sigma \), Proposition 3 holds for \( \sigma \cdot a \).

\(E^{\varphi }(\sigma \cdot a)=\Pi _{1}(\textrm{store}^{\varphi }(\sigma \cdot a))\) and \(E^{\varphi ,k}_{\textrm{out}}(\sigma \cdot a)=\Pi _{1}(\textrm{store}^{\varphi ,k}(\sigma \cdot a))\). Let us consider the following cases, where \(\sigma _{s}\) corresponds to the output of the enforcement function (it is a prefix of a subsequence of the input that satisfies property \(\varphi \)), and \(\sigma _{c}\) is a suffix of a subsequence of the input that the enforcer cannot output yet (it corresponds to the buffer of the enforcer).

  • Case \(\sigma _{s} \cdot \sigma _{c} \cdot a \in \varphi \):

    In this case, \(E^{\varphi }(\sigma \cdot a)=\sigma _{s} \cdot \sigma _{c} \cdot a \) and \(E^{\varphi ,\infty }_{\textrm{out}}(\sigma \cdot a)=\sigma _{s} \cdot \sigma _{c} \cdot a \). Since \(E^{\varphi ,\infty }_{\textrm{out}} (\sigma \cdot a) = E^{\varphi }(\sigma \cdot a)\), Proposition 3 holds.

  • Case \( \sigma _{s} \cdot \sigma _{c} \cdot a \not \in \varphi \wedge \sigma _{s} \cdot \sigma _{c}\cdot a \in \textrm{pref}(\varphi ) \wedge \vert \sigma _{c}\cdot a \vert \le k \):

    In this case, \(E^{\varphi }(\sigma \cdot a)=\sigma _{s} \) and \(E^{\varphi ,k}_{\textrm{out}}(\sigma \cdot a)=\sigma _{s}\), with event a appended to the buffer \(\sigma _{c}\) in both. Since \(E^{\varphi ,\infty }_{\textrm{out}} (\sigma \cdot a) = E^{\varphi }(\sigma \cdot a)\), Proposition 3 holds.

  • Case \( \sigma _{s} \cdot \sigma _{c} \cdot a \not \in \varphi \wedge \sigma _{s} \cdot \sigma _{c}\cdot a \in \textrm{pref}(\varphi ) \wedge \vert \sigma _{c}\cdot a \vert > k \):

    Since \(k = \infty \), the condition of this case never holds for \(E^{\varphi ,\infty }\). When \( \sigma _{s} \cdot \sigma _{c} \cdot a \not \in \varphi \wedge \sigma _{s} \cdot \sigma _{c}\cdot a \in \textrm{pref}(\varphi )\), the previous case always applies since \( \vert \sigma _{c}\cdot a \vert \le \infty \), and we have already shown that Proposition 3 holds in the previous case.

  • Case \( \sigma _{s} \cdot \sigma _{c} \cdot a \not \in \varphi \wedge \sigma _{s} \cdot \sigma _{c}\cdot a \not \in \textrm{pref}(\varphi )\):

    In this case, \(E^{\varphi }(\sigma \cdot a)=\sigma _{s} \), \(E^{\varphi ,k}_{\textrm{out}}(\sigma \cdot a)=\sigma _{s}\), and event a is suppressed by both \(E^{\varphi }\) and \(E^{\varphi ,k}\). Since \(E^{\varphi ,\infty }_{\textrm{out}} (\sigma \cdot a) = E^{\varphi }(\sigma \cdot a)\), Proposition 3 holds.
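The four cases of \(\textrm{store}^{\varphi ,k}\) walked through above, as an added executable illustration that is not part of the paper or its implementation. The DFA property (a request must be acknowledged before the next request; log events are neutral), the use of `k=None` for \(k=\infty \), and the `clean` stand-in (a longest subsequence of at most k events reaching the same automaton state, our reading of \(\sim _\varphi \)) are all assumptions.

```python
from itertools import combinations

# Constructed example property phi (not from the paper) as a DFA over the
# alphabet {req, ack, log}: a 'req' must be answered by an 'ack' before the
# next 'req'; 'log' is neutral. State 0 = idle (accepting), 1 = request
# pending, 2 = violation (no extension of the word is in pref(phi)).
DELTA = {(0, "req"): 1, (0, "ack"): 0, (0, "log"): 0,
         (1, "req"): 2, (1, "ack"): 0, (1, "log"): 1,
         (2, "req"): 2, (2, "ack"): 2, (2, "log"): 2}
ACCEPTING, DEAD = {0}, {2}


def run(state, word):
    """Run the DFA from `state` over `word`; return the state reached."""
    for e in word:
        state = DELTA[(state, e)]
    return state


def clean(state, buf, k):
    """Assumed stand-in for the paper's clean/maxC: keep a longest subsequence
    of `buf` with at most k events that leads `state` to the same DFA state
    as `buf` does (our reading of the ~phi equivalence)."""
    target = run(state, buf)
    for n in range(min(k, len(buf)), -1, -1):
        for idx in combinations(range(len(buf)), n):
            cand = [buf[i] for i in idx]
            if run(state, cand) == target:
                return cand
    raise ValueError("no equivalent buffer fits in k events")


def enforce(trace, k=None):
    """Bounded enforcer E^{phi,k}: returns (output sigma_s, buffer sigma_c, mode).
    k=None stands for k = infinity, so the third case never fires and the
    function behaves like the ideal enforcer of Proposition 3."""
    sigma_s, sigma_c, mode = [], [], True
    for a in trace:
        st = run(0, sigma_s)                  # sigma_s always satisfies phi
        nxt = run(st, sigma_c + [a])
        if nxt in ACCEPTING:                  # case 1: sigma_s.sigma_c.a in phi
            sigma_s, sigma_c = sigma_s + sigma_c + [a], []
        elif nxt in DEAD:                     # case 4: not in pref(phi), suppress a
            mode = False
        elif k is None or len(sigma_c) + 1 <= k:   # case 2: room left, buffer a
            sigma_c = sigma_c + [a]
        else:                                 # case 3: buffer full, clean it
            sigma_c, mode = clean(st, sigma_c + [a], k), False
    return sigma_s, sigma_c, mode
```

With `k=None` the output equals the input whenever the input eventually satisfies the property; with a small k the cleaned buffer drops neutral `log` events but still reaches the same state, so the pending request is still released by the `ack`.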

1.4 Proof (of Proposition 4)

We provide a proof of Proposition 4, which we recall below.

Consider any bounded enforcer \(F^{\varphi ,k}\) (Definition 4). We have: \(\forall \sigma \in \Sigma ^*, \forall a \in \Sigma :\)

$$\begin{aligned} \begin{array}{ll} \left( E^{\varphi ,k}_{\textrm{out}}(\sigma )\cdot \textrm{buff}(E^{\varphi ,k}(\sigma )) = F^{\varphi ,k}_{\textrm{out}}(\sigma ) \cdot \textrm{buff}(F^{\varphi ,k}(\sigma ))\right) ~~\wedge \\ ~~~~~~~~~~~ \Big \vert E^{\varphi ,k}_{\textrm{out}}(\sigma \cdot a) \cdot \textrm{buff}(E^{\varphi ,k}(\sigma \cdot a)) \Big \vert < \Big \vert F^{\varphi ,k}_{\textrm{out}}(\sigma \cdot a) \cdot \textrm{buff}(F^{\varphi ,k}(\sigma \cdot a))\Big \vert \\ \implies \lnot (\infty \text {-compatible}(F^{\varphi ,k})) \end{array} \end{aligned}$$

Let us denote \(E^{\varphi ,k}_{\textrm{out}}(\sigma )\) as \(\sigma _{eo}\) and \(\textrm{buff}(E^{\varphi ,k}(\sigma ))\) as \(\sigma _{eb}\). Similarly we denote \(F^{\varphi ,k}_{\textrm{out}}(\sigma )\) as \(\sigma _{fo}\) and \(\textrm{buff}(F^{\varphi ,k}(\sigma ))\) as \(\sigma _{fb}\).

From the condition \((E^{\varphi ,k}_{\textrm{out}}(\sigma )\cdot \textrm{buff}(E^{\varphi ,k}(\sigma )) = F^{\varphi ,k}_{\textrm{out}}(\sigma ) \cdot \textrm{buff}(F^{\varphi ,k}(\sigma )) )\) on the left-hand side of the implication in Proposition 4, we have \(\sigma _{eo} \cdot \sigma _{eb} = \sigma _{fo} \cdot \sigma _{fb} \).

As per Definition 5, when considering a new event a:

  • If the condition of the first case of function \(\mathrm {store^{\varphi ,k}}\) in Definition 5 holds, then \(E^{\varphi ,k}_{\textrm{out}}(\sigma \cdot a) = \sigma _{eo} \cdot \sigma _{eb} \cdot a\) and \(\textrm{buff}(E^{\varphi ,k}(\sigma \cdot a)) = \epsilon \), thus we have \(E^{\varphi ,k}_{\textrm{out}}(\sigma \cdot a)\cdot \textrm{buff}(E^{\varphi ,k}(\sigma \cdot a)) = \sigma _{eo} \cdot \sigma _{eb} \cdot a\). Thus \( \vert F^{\varphi ,k}_{\textrm{out}}(\sigma \cdot a) \cdot \textrm{buff}(F^{\varphi ,k}(\sigma \cdot a)) \vert \) cannot be greater than \( \vert \sigma _{eo} \cdot \sigma _{eb} \cdot a \vert \). Indeed, if it were greater, then \(F^{\varphi ,k}\) would have to insert/add other events in addition to a, which violates the constraints of Definition 4, and thus \(F^{\varphi ,k}\) would not be a bounded enforcer. Since the left-hand side of the implication of the proposition is false, the proposition holds.

  • If the condition of the second case of function \(\mathrm {store^{\varphi ,k}}\) in Definition 5 holds, then \(E^{\varphi ,k}_{\textrm{out}}(\sigma \cdot a) = \sigma _{eo}\) and \(\textrm{buff}(E^{\varphi ,k}(\sigma \cdot a)) = \sigma _{eb} \cdot a\). Thus we have \(E^{\varphi ,k}_{\textrm{out}}(\sigma \cdot a)\cdot \textrm{buff}(E^{\varphi ,k}(\sigma \cdot a)) = \sigma _{eo} \cdot \sigma _{eb} \cdot a\). As in the previous case, \( \vert F^{\varphi ,k}_{\textrm{out}}(\sigma \cdot a) \cdot \textrm{buff}(F^{\varphi ,k}(\sigma \cdot a)) \vert \) cannot be greater than \( \vert \sigma _{eo} \cdot \sigma _{eb} \cdot a \vert \), and thus the proposition also holds in this case.

  • If the condition of the third case of function \(\mathrm {store^{\varphi ,k}}\) in Definition 5 holds, then \(E^{\varphi ,k}_{\textrm{out}}(\sigma \cdot a) = \sigma _{eo}\) and \(\textrm{buff}(E^{\varphi ,k}(\sigma \cdot a)) = \sigma '_{eb}\), where \(\sigma '_{eb}\) is a subsequence of \(\sigma _{eb} \cdot a\). As per the definitions of maxC and \(\mathrm {clean^{\varphi ,k}}\) in Definition 5, \(\sigma '_{eb}\) is maximal, since the least number of events are removed from the input word to form the subsequence \(\sigma '_{eb}\) that preserves \(\sim _\varphi \) with \(\sigma _{eb}\). We have \(E^{\varphi ,k}_{\textrm{out}}(\sigma \cdot a)\cdot \textrm{buff}(E^{\varphi ,k}(\sigma \cdot a)) = \sigma _{eo} \cdot \sigma '_{eb}\).

    Let \(\textrm{buff}(F^{\varphi ,k}(\sigma \cdot a))\) be denoted as \(\sigma '_{fb}\), which must be a subsequence of \(\sigma _{fb} \cdot a\). Suppose that \( \vert F^{\varphi ,k}_{\textrm{out}}(\sigma \cdot a) \cdot \textrm{buff}(F^{\varphi ,k}(\sigma \cdot a)) \vert \), which is \( \vert \sigma _{fo} \cdot \sigma '_{fb} \vert \), is greater than \( \vert \sigma _{eo} \cdot \sigma '_{eb} \vert \). This can only happen if the elements of \(\sigma '_{fb}\) are chosen while ignoring the \(\sim _\varphi \) equivalence with \(\sigma _{fb}\). Thus, \(F^{\varphi ,k}\) is not \( \infty \text {-compatible}\).

  • If the condition of the fourth case of function \(\mathrm {store^{\varphi ,k}}\) in Definition 5 holds, then \(E^{\varphi ,k}_{\textrm{out}}(\sigma \cdot a) = \sigma _{eo}\) and \(\textrm{buff}(E^{\varphi ,k}(\sigma \cdot a)) = \sigma _{eb}\). Thus we have \(E^{\varphi ,k}_{\textrm{out}}(\sigma \cdot a)\cdot \textrm{buff}(E^{\varphi ,k}(\sigma \cdot a)) = \sigma _{eo} \cdot \sigma _{eb}\). Since \(\sigma _{eo} \cdot \sigma _{eb} = \sigma _{fo} \cdot \sigma _{fb}\), \( \vert F^{\varphi ,k}_{\textrm{out}}(\sigma \cdot a) \cdot \textrm{buff}(F^{\varphi ,k}(\sigma \cdot a)) \vert \) cannot be greater than \( \vert \sigma _{eo} \cdot \sigma _{eb} \vert \) in this case. If the new element a is not discarded, or if other elements are inserted, then \(F^{\varphi ,k}\) is not a bounded enforcer as per Definition 4. Since the left-hand side of the implication of the proposition is false, the proposition holds in this case.


Cite this article

Shankar, S., Pradhan, A., Pinisetty, S. et al. Bounded-memory runtime enforcement with probabilistic and performance analysis. Form Methods Syst Des (2024). https://doi.org/10.1007/s10703-024-00446-1
