
Replacements and their Structure

In document Flexible semantic service execution (Page 124-126)

From the types of failures that CFI aims at (see Section 5.2.2) we can conclude that they all share the property that an ordinary transition $t$ in a control flow graph $G_{cf}$ cannot fire though it is token-enabled: either because the preconditions of its associated operation (or service) are already not satisfied (i.e., the second condition required to enable $t$ does not hold) or because $exec(fu(t)) = fail$. In this section we start by viewing this problem merely from a structural point of view in the control flow. Treatment from a semantic point of view to achieve a semantically equivalent execution is postponed to Section 5.4.

If transition $t$ cannot fire, then, with the basic idea of CFI in mind – where we aim at forward-handling this case – one needs to modify $G_{cf}$ so as to get an alternative execution. We see two possibilities for how such a modification can be done:

1. Rebind $t$ to another service or operation that qualifies as an alternative to the original one.

2. Replace a subflow $G^e_{cf} \trianglelefteq G_{cf}$ that starts with $t$ by a different control flow $G^r_{cf}$ that qualifies as a replacement for $G^e_{cf}$.⁴

Rebinding transition $t$ is done by modifying the mapping $fu$ for $t$ so that $fu(t)$ maps to an operation or service different from the original one. The second way of modifying a service can be seen as a cut-and-replace approach. By saying that $G^e_{cf}$ starts with $t$ we mean that $t$ is preceded by the initial place of $G^e_{cf}$; that is, $\bullet t = \{p^e_i\}$. The reason is obvious: $G^e_{cf}$ need not include preceding transitions on a path from the initial place $p_i$ of $G_{cf}$ to $t$ since they all have been executed successfully already (otherwise token-enabling would not have reached $t$).

Considering the second option is more general because it allows even for structural changes to the original control flow $G_{cf}$ (rebinding $t$, by contrast, does not change the structure of $G_{cf}$). This is also motivated by the observation that in some application domains having the possibility for rebinding only might not be sufficient: rebinding $t$ may imply the need to replace other subsequent transitions as well if they are functionally dependent. The important property of a replacement $G^r_{cf}$ from a structural point of view in the control flow is that $G^r_{cf}$ seamlessly fits into $G_{cf}$. By this we mean, first, that the substitution of $G^e_{cf}$ by $G^r_{cf}$ is control flow graph preserving and, second, that $G^e_{cf}$ and $G^r_{cf}$ are connected to the remaining part of $G_{cf}$ through and only through their interface (i.e., their initial and final place). This implies the following property: if $t$ is a starting transition in $G^e_{cf}$ (i.e., $p^e_i \in \bullet t$) then any marking that token-enables $t$ will also token-enable a starting transition $t'$ in $G^r_{cf}$.

We now formally define structural substitutions that ensure these properties.

Definition 5.1 (Structural Substitution). Let $G^e_{cf}$ and $G_{cf}$ be control flow graphs such that $G^e_{cf} \trianglelefteq G_{cf}$. $G^e_{cf}$ can be structurally substituted by another control flow graph $G^r_{cf}$ if the following holds:

(1) $T^e \cap T^r = \emptyset$; in words, the transitions in $G^e_{cf}$ and $G^r_{cf}$ are different.

(2) $P^e \cap P^r = \{p_i, p_f\}$; in words, $G^e_{cf}$ and $G^r_{cf}$ coincide in their initial and final places $p_i$, $p_f$, and the sets of places are otherwise disjoint.

If $G^e_{cf}$ can be structurally substituted by $G^r_{cf}$ then $G^r_{cf}$ is called a replacement for $G^e_{cf}$. We write $G'_{cf} = G_{cf}[G^e_{cf}/G^r_{cf}]$ to denote the modified control flow graph $G'_{cf}$ that is obtained by substituting $G^e_{cf}$ with $G^r_{cf}$ in $G_{cf}$.

⁴ The superscripts $e$ and $r$ are used to indicate the error (or exceptional situation) and the replacement context.

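Given a control flow graph $G_{cf}$, let $G'_{cf} = G_{cf}[G^e_{cf}/G^r_{cf}]$. More precisely, $G'_{cf} = (P', T', F', M'_0, fu')$ where

$$
\begin{aligned}
P' &= (P \cup P^r) \setminus P^e \\
T' &= (T \cup T^r) \setminus T^e \\
F' &= (F \cup F^r) \setminus F^e \\
M'_0 &= M_0 \\
fu'(t) &= \begin{cases} fu^r(t) & \text{if } t \in T^r \\ fu(t) & \text{otherwise.} \end{cases}
\end{aligned}
\tag{5.1}
$$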

Clearly, Definition 5.1 implies that $G^r_{cf} \trianglelefteq G'_{cf}$ and $G^e_{cf} \not\trianglelefteq G'_{cf}$. Moreover, it is not difficult to see that $G'_{cf}$ is also a control flow graph; hence, it is sound, which can be proved as follows. Suppose $G$ is the union of $G_{cf}$ and $G^r_{cf}$. Then the initial and final place in which $G^e_{cf}$ and $G^r_{cf}$ coincide are a split and a join place, respectively. Since $G^e_{cf}$ and $G^r_{cf}$ have disjoint transitions and, except for the initial and final place, also disjoint places, their flow relations are also disjoint (i.e., their control flows are completely independent). Consequently, there is a choice between either of them in $G$ and therefore $G$ is also a control flow graph. Finally, $G$ can be reduced to $G'_{cf}$ by removing $G^e_{cf}$, which can be done by successively applying one of the soundness-preserving reduction rules, as mentioned on Page 84. This allows us to formulate the following theorem.

Theorem 5.2. Given a control flow graph $G_{cf}$ and a replacement control flow graph $G^r_{cf}$, then replacing any subflow $G^e_{cf} \trianglelefteq G_{cf}$ by $G^r_{cf}$ as given by Equation (5.1) yields a sound control flow graph $G'_{cf}$.

We classify substitutions into three types, characterized by an increasing level of alteration; $n$ and $m$ are the numbers of transitions (i.e., $n = |T^e|$, $m = |T^r|$):

1. One-to-one (1:1): A single transition is replaced by another transition.

2. One-to-many (1:n): A single transition is replaced by another subflow.

3. Many-to-many (n:m): A subflow is replaced by another subflow.

Examples of these three types of substitutions are graphically depicted in Figure 5.3. Clearly, a one-to-one substitution is the simplest form of alteration, which actually preserves the structure. In fact, a one-to-one substitution can equally be seen as a rebinding of a transition because the associated service or operation is what actually changes. It is also easily seen that a one-to-one substitution is a special case of a one-to-many substitution, and a one-to-many substitution is in turn a special case of a many-to-many substitution.
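Definition 5.1, Equation (5.1) and the three substitution types can be exercised on a small net. The following Python code is an added example, not code from the original document; the `CFG` class, the helper names, the sample net and its service names are constructed for illustration. It assumes the interface places $p_i$, $p_f$ stay in $P'$ because they also belong to $P^r$, and it omits the marking since $M'_0 = M_0$.

```python
from dataclasses import dataclass

@dataclass
class CFG:
    places: frozenset
    transitions: frozenset
    flow: frozenset  # arcs (place, transition) or (transition, place)
    fu: dict         # transition -> bound operation or service
    p_i: str         # initial place
    p_f: str         # final place

def make(places, arcs, fu, p_i, p_f):
    return CFG(frozenset(places), frozenset(fu), frozenset(arcs), dict(fu), p_i, p_f)

def can_substitute(ge, gr):
    """Definition 5.1: disjoint transitions; places shared only at p_i, p_f."""
    return (not (ge.transitions & gr.transitions)
            and (ge.places & gr.places) == {ge.p_i, ge.p_f}
            and (gr.p_i, gr.p_f) == (ge.p_i, ge.p_f))

def substitute(g, ge, gr):
    """Equation (5.1): G' = G[G^e / G^r]; the marking M0 is left unchanged."""
    if not can_substitute(ge, gr):
        raise ValueError("not a replacement in the sense of Definition 5.1")
    # Assumption: interface places survive because they are also in P^r,
    # so only the inner places of G^e are dropped.
    places = (g.places | gr.places) - (ge.places - gr.places)
    transitions = (g.transitions | gr.transitions) - ge.transitions
    flow = (g.flow | gr.flow) - ge.flow
    fu = {t: gr.fu[t] if t in gr.transitions else g.fu[t] for t in transitions}
    return CFG(places, transitions, flow, fu, g.p_i, g.p_f)

def preset(g, t):
    """Input places of transition t (the set written as •t)."""
    return frozenset(src for src, dst in g.flow if dst == t)

def kind(ge, gr):
    """Classify by n = |T^e| and m = |T^r|."""
    n, m = len(ge.transitions), len(gr.transitions)
    return "1:1" if (n, m) == (1, 1) else "1:n" if n == 1 else "n:m"

# Constructed sample: sequence t1 -> t2 -> t3 in which t2 cannot fire.
G = make({"p0", "p1", "p2", "p3"},
         {("p0", "t1"), ("t1", "p1"), ("p1", "t2"), ("t2", "p2"), ("p2", "t3"), ("t3", "p3")},
         {"t1": "reserve", "t2": "pay_card", "t3": "ship"}, "p0", "p3")
GE = make({"p1", "p2"}, {("p1", "t2"), ("t2", "p2")}, {"t2": "pay_card"}, "p1", "p2")
GR = make({"p1", "q1", "p2"},
          {("p1", "r1"), ("r1", "q1"), ("q1", "r2"), ("r2", "p2")},
          {"r1": "issue_invoice", "r2": "confirm_transfer"}, "p1", "p2")
G2 = substitute(G, GE, GR)
```

In `G2` the starting transition `r1` of the replacement has the same preset as the failed `t2`, which is the token-enabling property stated before Definition 5.1.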
