
Security policies enforcement using finite and pushdown edit automata

  • Regular Contribution
  • International Journal of Information Security

Abstract

Edit automata were introduced by J. Ligatti et al. as a model for security enforcement mechanisms that work at run time. In a distributed interacting system, they play the role of a monitor that runs in parallel with a target program and transforms its execution sequence into a sequence that obeys the security property. In this paper, we characterize the security properties that are enforceable by finite edit automata (i.e. edit automata with a finite set of states) and by deterministic context-free edit automata (i.e. finite edit automata extended with a stack). We prove that the properties enforceable by finite edit automata are a sub-class of the regular sets. Moreover, given a regular set \(P\), one can decide in time \(O(n^2)\) whether \(P\) is enforceable by a finite edit automaton (where \(n\) is the number of states of the finite automaton recognizing \(P\)), and we give an algorithm to synthesize the controller. We also prove that safety policies are always enforceable by a deterministic context-free edit automaton, and that one can check whether a policy is a safety policy in \(O(n^4)\). Finally, we give a topological condition on the deterministic automaton expressing a regular policy for that policy to be enforceable by a deterministic context-free edit automaton.





References

  1. Beauquier, D., Cohen, J., Lanotte, R.: Security policies enforcement using finite edit automata. Electron. Notes Theor. Comput. Sci. 229(3), 19–35 (2009)

  2. Blum, N., Koch, R.: Greibach normal form transformation revisited. Inf. Comput. 150(1), 112–118 (1999)

  3. Bauer, L., Ligatti, J., Walker, D.: More enforceable security policies. In: FLoC'02 Workshop on Foundations of Computer Security, pp. 95–104 (2002)

  4. Erlingsson, U., Schneider, F.B.: IRM enforcement of Java stack inspection. In: IEEE Symposium on Security and Privacy, pp. 246–255 (2000)

  5. Fong, P.W.L.: Access control by tracking shallow execution history. In: Proceedings of the 2004 IEEE Symposium on Security and Privacy, pp. 43–55. IEEE Computer Society Press (2004)

  6. Hamlen, K.W., Morrisett, G., Schneider, F.B.: Computability classes for enforcement mechanisms. ACM Trans. Program. Lang. Syst. 28(1), 175–205 (2006)

  7. Ligatti, J., Bauer, L., Walker, D.: Edit automata: enforcement mechanisms for run-time security policies. Int. J. Inf. Secur. 4, 2–16 (2005)

  8. Ligatti, J., Bauer, L., Walker, D.: Enforcing non-safety security policies with program monitors. In: Computer Security – ESORICS 2005, vol. 3679 of Lecture Notes in Computer Science, pp. 353–373 (2005)

  9. Ligatti, J., Bauer, L., Walker, D.: Run-time enforcement of nonsafety policies. ACM Trans. Inf. Syst. Secur. 12(3), 1–41 (2009)

  10. Ligatti, J., Reddy, S.: A theory of runtime enforcement, with results. In: Proceedings of the European Symposium on Research in Computer Security (ESORICS) (2010)

  11. Martinelli, F., Matteucci, I.: Through modeling to synthesis of security automata. In: Proceedings of the Second International Workshop on Security and Trust Management (STM 2006), vol. 179 of Electronic Notes in Theoretical Computer Science, pp. 31–46 (2007)

  12. Perrin, D., Pin, J.E.: Infinite Words: Automata, Semigroups, Logic and Games, vol. 141 of Pure and Applied Mathematics. Elsevier, Amsterdam (2004)

  13. Schneider, F.B.: Enforceable security policies. ACM Trans. Inf. Syst. Secur. 3(1), 30–50 (2000)

  14. Sandholm, A., Schwartzbach, M.: Distributed safety controllers for web services. In: Fundamental Approaches to Software Engineering, vol. 1382 of Lecture Notes in Computer Science, pp. 270–284. Springer, Berlin (1998)

  15. Talhi, C., Tawbi, N., Debbabi, M.: Execution monitoring enforcement under memory-limitation constraints. Inf. Comput. (2008)


Acknowledgments

We thank the referees for their valuable comments that helped us to improve this paper.


Corresponding author

Correspondence to Ruggero Lanotte.

Additional information

Preliminary results were presented in [1].

Appendix


Proof of Theorem 1

Let \(P\) be a regular security policy recognized by a simple pruned deterministic automaton \(A\). Here are the steps of the proof:

  1. we build an edit automaton \(\mathbf E (A)\)

  2. we prove that \(\mathbf E (A)\) is transparent

  3. we prove that \(\mathbf E (A)\) is sound

1. Let us first describe the behavior of this controller informally. Let \(u_1u_2\ldots u_k\) be an input in \(P\) that has exactly \(k+1\) prefixes in \(P\), namely \(\epsilon , u_1,u_1u_2,\ldots ,u_1u_2\ldots u_k\). The controller reads \(u_1\) except its last letter and memorizes it; then, on observing the last letter of \(u_1\), it writes \(u_1\) in full, and only afterwards reads that last letter. It processes \(u_2,\ldots ,u_k\) in the same way. The reason the controller does not read the last letter of \(u_1\) immediately is that, once this letter has been read, the output must already be \(u_1\); so the controller must have written all of \(u_1\) before it finishes reading \(u_1\). Sequences in \(P\) are processed in this way.

For any sequence \(\sigma \) not in \(P\), the controller behaves in the same way at the beginning, but as soon as the automaton \(A\) cannot read a letter, the controller stops writing and reads (suppresses) the input up to the end. So the output is the longest prefix of \(\sigma \) that is in \(P\).

We give now the precise definition of \(\mathbf E (A)\).

Let \(A=(Q,\mathcal A ,s,F,\delta )\) be a simple pruned deterministic finite automaton with \(n\) states recognizing \(P\). Edit automaton \(\mathbf E (A)=(\mathcal Q ,s,\Delta )\) is defined by

$$\mathcal Q = F \cup (Q\times \mathcal A^{\le n})\cup \{t\}$$

$$\Delta (q_F,a) = ((q^{\prime },a),\epsilon ) \quad \text{for } q_F\in F,\ \text{if } \delta (q_F,a)=q^{\prime }\not \in F$$
(1)
$$\Delta (q_F,a) = ((q^{\prime }_F,\epsilon ),a) \quad \text{for } q_F\in F,\ \text{if } \delta (q_F,a)=q^{\prime }_F\in F$$
(2)
$$\Delta (q_F,a) = (t,\epsilon ) \quad \text{for } q_F\in F,\ \text{if there is no transition } \delta (q_F,a)$$
(3)
$$\Delta ((q,\alpha ),a)= ((q^{\prime },\alpha a),\epsilon ) \quad \text{for } q\not \in F,\ \text{if } \delta (q,a)=q^{\prime }\not \in F$$
(4)
$$\Delta ((q,b \alpha ),a)= ((q^{\prime }_F,\alpha a),b) \quad \text{for } q \not \in F,\ \text{if } \delta (q,a)=q^{\prime }_F\in F$$
(5)
$$\Delta ((q_F,b \alpha a ),a)= ((q_F,\alpha a),b) \quad \text{for } q_F\in F$$
(6)
$$\Delta ((q_F, a ),a)= ((q_F,\epsilon ),a) \quad \text{for } q_F\in F$$
(7)
$$\Delta ((q_F, \epsilon ),a)=(q_F,\epsilon ) \quad \text{for } q_F\in F$$
(8)
$$\Delta ((q,\alpha ),a)= (t,\epsilon ) \quad \text{if there is no transition } \delta (q,a)$$
(9)
$$\Delta (t,a)= (t,\epsilon )$$
(10)
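As an added illustration (my own Python code, not code from the paper), the following implements the construction \(\mathbf E (A)\) above transition by transition and runs it on a constructed sample policy, so that transparency and soundness can be checked on concrete traces. It also includes the check a practitioner would want before relying on the finite construction: that no cycle of \(A\) avoids \(F\). I take this to be what "simple" means, since it is the condition that bounds the memorised word by \(n\) letters; that reading of the paper's definition, which is not reproduced on this page, is an assumption. The class and function names (`DFA`, `is_simple`, `run_edit_automaton`), the lock-discipline policies `LOCK` and `LOCK_MANY`, and all sample traces are mine.

```python
# Added example, not code from the paper: the finite edit automaton E(A) of the
# proof of Theorem 1, implemented transition by transition, plus the check that
# keeps its buffer finite. Names, types and the sample policies are mine.
from typing import Dict, Hashable, List, Optional, Set, Tuple

State = Hashable


class DFA:
    """A = (Q, alphabet, s, F, delta); delta is partial (missing key = no transition)."""

    def __init__(self, states: Set[State], start: State, finals: Set[State],
                 delta: Dict[Tuple[State, str], State]):
        if start not in finals:
            raise ValueError("the construction assumes the empty trace is in P (s in F)")
        self.states, self.start, self.finals, self.delta = set(states), start, set(finals), dict(delta)

    def step(self, q: State, a: str) -> Optional[State]:
        return self.delta.get((q, a))

    def longest_accepted_prefix(self, word: str) -> str:
        """Oracle for the soundness check: the longest prefix of word in P."""
        q, best = self.start, ""
        for i, a in enumerate(word):
            q = self.step(q, a)
            if q is None:
                break
            if q in self.finals:
                best = word[: i + 1]
        return best


def is_simple(A: DFA) -> bool:
    """Assumed reading of 'simple': no cycle of A avoids F, i.e. the sub-graph of
    non-final states is acyclic. This is what bounds the buffer by |Q| letters."""
    nonfinal = A.states - A.finals
    succ: Dict[State, Set[State]] = {q: set() for q in nonfinal}
    for (p, _), r in A.delta.items():
        if p in nonfinal and r in nonfinal:
            succ[p].add(r)
    colour = {q: 0 for q in nonfinal}          # 0 unvisited, 1 on the DFS stack, 2 done

    def has_cycle(q: State) -> bool:
        colour[q] = 1
        for r in succ[q]:
            if colour[r] == 1 or (colour[r] == 0 and has_cycle(r)):
                return True                    # back edge: a cycle with no final state
        colour[q] = 2
        return False

    return not any(colour[q] == 0 and has_cycle(q) for q in nonfinal)


def run_edit_automaton(A: DFA, word: str) -> Tuple[str, int]:
    """Run E(A) on word; return (output, largest buffer used). A suppression consumes the
    current letter and emits nothing; an insertion emits one letter and leaves the input
    head in place. Comments give the transition numbers (1)-(10) of the construction."""
    out: List[str] = []
    state: Tuple = ("F", A.start)              # location q_F, a final state of A
    i, max_buf = 0, 0
    while i < len(word):
        a = word[i]
        if state[0] == "T":                    # (10) sink t: suppress everything
            i += 1
        elif state[0] == "F":
            q2 = A.step(state[1], a)
            if q2 is None:                     # (3) A is stuck: go to t
                state, i = ("T",), i + 1
            elif q2 not in A.finals:           # (1) suppress a and memorise it
                state, i = ("B", q2, a), i + 1
            else:                              # (2) a alone extends P: insert it
                state = ("B", q2, ""); out.append(a)
        else:                                  # location (q, buffer)
            _, q, buf = state
            if q not in A.finals:
                q2 = A.step(q, a)
                if q2 is None:                 # (9) A is stuck: go to t
                    state, i = ("T",), i + 1
                elif q2 not in A.finals:       # (4) keep buffering
                    state, i = ("B", q2, buf + a), i + 1
                else:                          # (5) prefix confirmed: start flushing
                    state = ("B", q2, buf[1:] + a); out.append(buf[0])
            elif buf == "":                    # (8) consume the letter already written
                state, i = ("F", q), i + 1
            elif buf == a:                     # (7) last buffered letter
                state = ("B", q, ""); out.append(a)
            else:                              # (6) buffer is b.alpha.a: emit b
                state = ("B", q, buf[1:]); out.append(buf[0])
        if state[0] == "B":
            max_buf = max(max_buf, len(state[2]))
    return "".join(out), max_buf


# Constructed sample policies (mine). Actions: a = acquire lock, w = write,
# r = release lock. LOCK: every write is bracketed as "a w r", P = (a w r)*; its
# only cycle passes through the final state 0, so E(A) buffers at most |Q| = 3 letters.
LOCK = DFA({0, 1, 2}, 0, {0}, {(0, "a"): 1, (1, "w"): 2, (2, "r"): 0})
# LOCK_MANY: any number of writes per critical section, P = (a w* r)*. The w-loop on
# the non-final state 1 avoids F, so the buffer grows with the number of writes.
LOCK_MANY = DFA({0, 1}, 0, {0}, {(0, "a"): 1, (1, "w"): 1, (1, "r"): 0})
```

On a trace in \(P\) such as `awrawr` the output equals the input (transparency); on `awraww` the output is `awr`, the longest prefix in \(P\), and the rest is suppressed (soundness). On `LOCK_MANY` the same code still produces the longest prefix in \(P\), but the buffer after `a` followed by fifty `w` holds 51 letters, so its state space is not finite: this is the situation the stack of the deterministic context-free construction (proof of Theorem 7, with \(G\) the states on cycles containing no final state) is there to handle.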

Now, we are to prove that edit automaton \(\mathbf E (A)\) effectively enforces regular set \(P\).

2. We prove transparency.

Let \(\sigma \in P\). There is a computation in \(A\) from the initial state \(s\) to a final location \(q_F\) labeled by \(\sigma \). In this computation, let \(q_{0_F}=s, q_{1_F}, \ldots , q_{k_F}=q_F\) be the successive occurrences of final locations. Then \(\sigma =u_1u_2\ldots u_k\), where \(u_i\) is the label of the computation from \(q_{(i-1)_F}\) to \(q_{i_F}\) for \(1\le i\le k\), and we have \(u_1, u_1u_2, \ldots , u_1u_2\ldots u_k \in P\).

Let \(u_i=v_ia_i\) where \(a_i\in \mathcal A \) is the last letter of \(u_i\). If \(v_i\not = \epsilon \) we denote by \(q_i\) the state of \(A\) after computation of \(u_1\ldots u_{i-1}v_i\), that is the previous state of state \(q_{i_F}\).

We now discuss two cases: \(v_1\not =\epsilon \) and \(v_1 =\epsilon \).

\(\bullet \) If \(v_1\not =\epsilon \), edit automaton \(\mathbf E (A)\) behaves as follows according to its definition.

It begins with suppressions and no insertion (see transitions 1, 4):

$$\begin{aligned} (\sigma ,s)\stackrel{\scriptstyle \epsilon }{\,\longmapsto _*\,}(a_1 u_2\ldots u_k, (q_1,v_1)) \end{aligned}$$

Then, since we have transition \(\delta (q_1,a_1)=q_{1_F}\) in \(A\), there are consecutive insertions until state \((q_{1_F},\epsilon )\) (see transitions 5, 6, 7):

$$\begin{aligned}&(a_1 u_2\ldots u_k, (q_1,v_1))\stackrel{\scriptstyle v_1}{\,\longmapsto _*\,}(a_1 u_2\ldots u_k , (q_{1_F},a_1))\\&\quad \stackrel{\scriptstyle a_1}{\,\longmapsto \,}(a_1 u_2\ldots u_k,(q_{1_F},\epsilon )) \end{aligned}$$

It is followed by one suppression (see transition 8):

$$\begin{aligned} (a_1 u_2\ldots u_k,(q_{1_F},\epsilon ))\stackrel{\scriptstyle \epsilon }{\,\longmapsto \,}(u_2\ldots u_k,q_{1_F}) \end{aligned}$$

So, we had the following computation:

$$\begin{aligned} (u_1u_2\ldots u_k,s)\stackrel{\scriptstyle u_1}{\,\longmapsto _*\,}(u_2\ldots u_k,q_{1_F}) \end{aligned}$$

\(\bullet \) If \(v_1=\epsilon \) then \(u_1=a_1\in P\) and there is a transition \(\delta (s,a_1)=q_{1_F}\) in \(A\); so edit automaton \(\mathbf E (A)\) performs an insertion (see transition 2)

$$\begin{aligned} (a_1 u_2\ldots u_k,s)\stackrel{\scriptstyle a_1}{\,\longmapsto \,}(a_1 u_2\ldots u_k,(q_{1_F},\epsilon )) \end{aligned}$$

Then again, it is followed by one suppression (see transition 8):

$$\begin{aligned} (a_1 u_2\ldots u_k,(q_{1_F},\epsilon ))\stackrel{\scriptstyle \epsilon }{\,\longmapsto \,}(u_2\ldots u_k,q_{1_F}) \end{aligned}$$

Eventually in both cases, we have the following computation:

$$\begin{aligned} (u_1u_2\ldots u_k,s)\stackrel{\scriptstyle u_1}{\,\longmapsto _*\,}(u_2\ldots u_k,q_{1_F}) \end{aligned}$$

Iterating the same argument for \(u_2,\ldots ,u_k\), we obtain in the end the computation

$$\begin{aligned} (u_1u_2\ldots u_k,s)\stackrel{\scriptstyle \sigma }{\,\longmapsto _*\,}(\epsilon ,q_F) \end{aligned}$$

which proves transparency.

3. Now, we prove soundness.

Let \(\sigma \not \in P\). \(\sigma \) has a longest prefix in \(P\), say \(\sigma =ua_1\ldots a_k\) with \(a_i\in \mathcal A , 1\le i\le k\) such that \(u\in P\) and \(ua_1\ldots a_i\not \in P\) for \(1\le i\le k\).

In automaton \(A\), there is a computation from initial state \(s\) to a final location \(q_F\) labeled by \(u\) then we have, as previously, this computation in edit automaton \(\mathbf E (A)\):

$$\begin{aligned} (ua_1a_2\ldots a_k,s)\stackrel{\scriptstyle u}{\,\longmapsto _*\,}(a_1a_2\ldots a_k,q_F) \end{aligned}$$

Now, from state \(q_F\) in \(A\), two cases can occur:

  (a) there is a transition \(\delta (q_F,a_1)\)

  (b) there is no transition \(\delta (q_F,a_1)\)

(a) In the first case, because automaton \(A\) is pruned and \(\sigma \not \in P\), there is a computation reaching a state \(q_i\), for some integer \(i\) with \(1\le i\le k-1\), that contains no final state and such that there is no transition \(\delta (q_i,a_{i+1})\):

$$\begin{aligned} q_F\stackrel{\scriptstyle a_1}{\,\longrightarrow \,}q_1\stackrel{\scriptstyle a_2}{\,\longrightarrow \,}q_2\ldots \stackrel{\scriptstyle a_i}{\,\longrightarrow \,}q_i \end{aligned}$$

Therefore, in edit automaton \(\mathbf E (A)\), we have computation (see transitions 1 and 4)

$$(a_1a_2\ldots a_k,q_F)\stackrel{\scriptstyle \epsilon }{\,\longmapsto \,}(a_2\ldots a_k,(q_1,a_1))\stackrel{\scriptstyle \epsilon }{\,\longmapsto _*\,}(a_{i+1}\ldots a_k,(q_i,a_1a_2\ldots a_i))$$

It goes on with computation (see transitions 9 and 10)

$$(a_{i+1}\ldots a_k,(q_i,a_1a_2\ldots a_i))\stackrel{\scriptstyle \epsilon }{\,\longmapsto \,}(a_{i+2}\ldots a_k,t)\stackrel{\scriptstyle \epsilon }{\,\longmapsto _*\,}(\epsilon ,t)$$

(b) In the second case, in edit automaton \(\mathbf E (A)\), we have computation (see transitions 3 and 10) :

$$\begin{aligned} (a_1a_2\ldots a_k,q_F)\stackrel{\scriptstyle \epsilon }{\,\longmapsto \,}(a_2\ldots a_k,t)\stackrel{\scriptstyle \epsilon }{\,\longmapsto _*\,}(\epsilon ,t) \end{aligned}$$

Finally, in both cases, we have

$$\begin{aligned} (ua_1a_2\ldots a_k,s)\stackrel{\scriptstyle u}{\,\longmapsto _*\,}(\epsilon ,t) \end{aligned}$$

which proves soundness.

Proof of Theorem 4

We must prove

  1. \(\mathtt{PreIm}(\sigma )\) is finite for any \(\sigma \in P\)

  2. \(P\) cannot be enforced by a deterministic context-free edit automaton.

1. For the first point, it is straightforward that for any \(n\le m\in \mathbb N \), we have

  • \(\mathtt{PreIm}(0^n)=\{0^n1^{n-1}\}\)

  • \(\mathtt{PreIm}(0^n1^m)=\emptyset \)

2. For the second point, we will proceed using a proof by contradiction. From a deterministic context-free edit automaton \(\mathbf A \) that enforces \(P\), we will define a non-deterministic pushdown automaton \(B\) in Definition 9. Then, in Lemma 6, we will compute the language recognized by \(B\) and finally reach a contradiction by proving that this language is not context-free.

We suppose that \(P\) can be enforced by a deterministic context-free edit automaton \(\mathbf A =(\mathcal Q ,i,\delta )\) with \(\mathcal Q =\Gamma ^*\times Q \) where \(Q\) is the set of locations and \(\Gamma \) is the stack alphabet with \(Z_0\) as stack bottom special symbol.

We construct a non-deterministic pushdown automaton \(B\) in the following definition:

Definition 9

Let \(\mathbf A =(\mathcal Q ,i,\delta )\) be a deterministic context-free edit automaton that enforces \(P\).

Non-deterministic pushdown automaton \(B=(\hat{Q},\hat{q}_0, \{0,1,2\}, \hat{\Gamma }, \hat{Z}_0, \hat{\delta },F)\) is defined by

  • \(\hat{Q}=Q\times \{init_0,init_1,init_2,init_3,init_4\}\cup \{end\}\) is the set of locations

  • \(\hat{q}_0=(q_0,init_0)\) is the initial location

  • \(\{0,1,2\}\) is the input alphabet

  • \(\hat{\Gamma }=\Gamma \) is the stack alphabet

  • \(\hat{Z}_0=Z_0\) is the special symbol for stack bottom

  • \(\hat{\delta }:(\hat{\Gamma }\times \hat{Q})\times \{0,1,2\}\rightarrow 2^{({\hat{Q}}\times \hat{\Gamma }^*)}\) is the transition function

  • \(F=\{end\}\) is the set of final locations.

Its transition function \(\hat{\delta }\) is

$$((q^{\prime },init_1),\gamma ^{\prime })\in \hat{\delta }((c,q,init_0),0) \quad \text{if } \delta ((\gamma c,q),0)=((\gamma \gamma ^{\prime },q^{\prime }),0)$$
(11)
$$((q^{\prime },init_0),\gamma ^{\prime })\in \hat{\delta }((c,q,init_1),2) \quad \text{if } \delta ((\gamma c,q),0)=((\gamma \gamma ^{\prime },q^{\prime }),\epsilon )$$
(12)
$$((q^{\prime },init_2),\gamma ^{\prime })\in \hat{\delta }((c,q,init_0),2) \quad \text{if } \delta ((\gamma c,q),1)=((\gamma \gamma ^{\prime },q^{\prime }),\epsilon )$$
(13)
$$((q^{\prime },init_2),\gamma ^{\prime })\in \hat{\delta }((c,q,init_2),2) \quad \text{if } \delta ((\gamma c,q),1)=((\gamma \gamma ^{\prime },q^{\prime }),\epsilon )$$
(14)
$$((q^{\prime },init_3),\gamma ^{\prime })\in \hat{\delta }((c,q,init_0),1) \quad \text{if } \delta ((\gamma c,q),1)=((\gamma \gamma ^{\prime },q^{\prime }),1)$$
(15)
$$((q^{\prime },init_3),\gamma ^{\prime })\in \hat{\delta }((c,q,init_2),1) \quad \text{if } \delta ((\gamma c,q),1)=((\gamma \gamma ^{\prime },q^{\prime }),1)$$
(16)
$$((q^{\prime },init_3),\gamma ^{\prime })\in \hat{\delta }((c,q,init_3),1) \quad \text{if } \delta ((\gamma c,q),1)=((\gamma \gamma ^{\prime },q^{\prime }),1)$$
(17)
$$((q^{\prime },init_4),\gamma ^{\prime })\in \hat{\delta }((c,q,init_3),2) \quad \text{if } \delta ((\gamma c,q),1)=((\gamma \gamma ^{\prime },q^{\prime }),\epsilon )$$
(18)
$$((q^{\prime },init_4),\gamma ^{\prime })\in \hat{\delta }((c,q,init_4),2) \quad \text{if } \delta ((\gamma c,q),1)=((\gamma \gamma ^{\prime },q^{\prime }),\epsilon )$$
(19)
$$(end,\gamma ^{\prime })\in \hat{\delta }((c,q,init_4),1) \quad \text{if } \delta ((\gamma c,q),1)=((\gamma \gamma ^{\prime },q^{\prime }),1)$$
(20)

The automaton \(B\) proceeds as follows with the input alphabet:

  • \(B\) reads symbol 2 when \(\mathbf A \) performs a suppression (see transitions 12, 13, 14, 18 and 19)

  • \(B\) reads symbol 1 when \(\mathbf A \) performs an insertion of symbol 1 (see transitions 15, 16 and 17)

  • \(B\) reads symbol 0 when \(\mathbf A \) performs an insertion of symbol 0 (see transition 11)

\(B\) proceeds as follows with its locations:

  • a location \((\cdot ,init_1)\) is reached from location \((\cdot ,init_0)\) when there is an insertion of 0 (see transition 11)

  • a location \((\cdot ,init_0)\) is reached from location \((\cdot ,init_1)\) when there is a suppression of 0 (see transition 12)

  • a location \((\cdot ,init_2)\) is reached from location \((\cdot ,init_0)\) with the first suppression of 1 and it holds as long as there is a suppression of 1 (see transitions 13 and 14)

  • a location \((\cdot ,init_3)\) is reached from location \((\cdot ,init_2)\) or location \((\cdot ,init_0)\) with the first insertion of 1 and it holds as long as there is an insertion of 1 (see transitions 15, 16 and 17)

  • a location \((\cdot ,init_4)\) is reached from location \((\cdot ,init_3)\) with the first suppression of 1 and it holds as long as there is a suppression of 1 (see transitions 18 and 19)

  • location \(end\) is reached from location \((\cdot ,init_4)\) with the first insertion of 1 (see transition 20)

The global behavior of \(B\) is shown in Fig. 4.

Fig. 4 Automaton \(B\)

It is clear that the language recognized by \(B\) is a subset of

$$\begin{aligned} \{(02)^p2^q1^r2^s1|p,q\ge 0,r,s\ge 1\} \end{aligned}$$

Let us suppose that the language recognized by \(B\) is exactly the language

$$\begin{aligned} L=\{(02)^n 2^{k_n} 1^n 2^{n-k_n} 1|n\in \mathbb N , k_n<n\} \end{aligned}$$

and we will prove this claim afterward.

Now to reach a contradiction we prove that language \(L\) is not context-free.

With this aim in view, we recall the following result known as the pumping lemma.

If \(L\) is context-free, then there exists \(p\in \mathbb N \) such that for any sequence \(x\in L\) with length \(|x|\ge p\), there exists a factorization \(x=u\alpha v \beta w\) such that \(|\alpha v \beta |<p, |\alpha \beta |> 0\) and for any \(i\in \mathbb N , u\alpha ^i v \beta ^i w\in L\).

Consider then \(x=(02)^n 2^{k_n} 1^n 2^{n-k_n} 1\in L\) with \(n>2p\). Necessarily, either \(k_n>p\) or \(n-k_n>p\).

If \(x=u\alpha v \beta w\) with \(|\alpha v \beta |<p\), then we can have the following cases:

  • \(\alpha v \beta \) is a factor of \((02)^n\)

  • \(\alpha v \beta \) is a factor of \((02)^n 2^{k_n}\)

  • \(\alpha v \beta \) is a factor of \(2^{k_n}\)

  • \(\alpha v \beta \) is a factor of \(2^{k_n} 1^n\)

  • \(\alpha v \beta \) is a factor of \(1^n\)

  • \(\alpha v \beta \) is a factor of \(1^n 2^{n-k_n}\)

  • \(\alpha v \beta \) is a factor of \(2^{n-k_n}\)

  • \(\alpha v \beta \) is a factor of \(2^{n-k_n}1\)

All cases clearly lead to a contradiction.

Hence, to have the proof completed, it is sufficient to prove the following lemma.

Lemma 6

Automaton \(B\) recognizes the language

$$\begin{aligned} L=\{(02)^n 2^{k_n} 1^n 2^{n-k_n} 1|n\in \mathbb N , k_n<n\} \end{aligned}$$

Proof

As aforementioned, the language recognized by \(B\) is a subset of

$$\begin{aligned} \{(02)^n2^p1^q2^r1|n,p\ge 0,q,r\ge 1\}. \end{aligned}$$

We will prove that

  1. \(B\) recognizes any sequence in \(L\),

  2. any sequence \((02)^n 2^p 1^q2^r1\) that \(B\) recognizes is such that \(q=n, p+r=n\) and \(p<n\).

We prove claim 1.

Let \(u=(02)^n 2^{k_n} 1^n 2^{n-k_n} 1\) be a sequence in \(L\) with \(k_n<n\).

To prove that \(B\) recognizes sequence \(u\) we consider the behavior of \(\mathbf A \) with inputs \(0^n, 0^n1^n\) and \(0^n1^{n+1}\) in order to compute a path in \(B\) label of which is \(u\).

\(\bullet \) For input \(0^n\in P, \mathbf A \) must output \(0^n\). More precisely, \(0, 0^2, \ldots , 0^{n-1}, 0^n \in P\) therefore computation of \(0^n\) in \(\mathbf A \) is

$$(0^n,(\gamma _0,q_0))\stackrel{\scriptstyle 0}{\,\longmapsto \,}(0^n,(\gamma _1,q_1))\stackrel{\scriptstyle \epsilon }{\,\longmapsto \,}(0^{n-1}, (\gamma ^{\prime }_1,q^{\prime }_1))\stackrel{\scriptstyle 0}{\,\longmapsto \,}(0^{n-1}, (\gamma _2,q_2))\stackrel{\scriptstyle \epsilon }{\,\longmapsto \,}(0^{n-2}, (\gamma ^{\prime }_2,q^{\prime }_2))\stackrel{\scriptstyle 0}{\,\longmapsto \,}\ldots (0,(\gamma ^{\prime }_{n-1},q^{\prime }_{n-1}))\stackrel{\scriptstyle 0}{\,\longmapsto \,}(0, (\gamma _n,q_n))\stackrel{\scriptstyle \epsilon }{\,\longmapsto \,}(\epsilon , (\gamma ^{\prime }_n,q^{\prime }_n)).$$

Therefore, following these \(n\) consecutive insertion/suppression pairs of \(0\) in \(\mathbf A \), there is a path in \(B\) from state \((q_0,init_0)\) to state \((q^{\prime }_n,init_0)\) labeled by \((02)^n\).

\(\bullet \) For input \(0^n1^n\in P, \mathbf A \) must output \(0^n1^n\). More precisely, the whole computation of \(0^n1^n\) begins as computation of \(0^n\) because \(\mathbf A \) is deterministic. So, we have in \(\mathbf A \)

$$\begin{aligned} (0^n1^n,(\gamma _0,q_0))\stackrel{\scriptstyle 0^n}{\,\longmapsto _*\,}(1^n,(\gamma ^{\prime }_n,q^{\prime }_n)) \end{aligned}$$

From this last configuration, \(\mathbf A \) cannot suppress all the \(1\)s, because the output would then be \(0^n\) instead of \(0^n1^n\). Therefore, \(\mathbf A \) can only perform \(k_n\) suppressions of \(1\) with \(0\le k_n<n\). Consider then the first insertion following these \(k_n\) suppressions. Clearly, it is an insertion of \(1\). From now on, if \(\mathbf A \) performed fewer than \(n\) consecutive \(1\)-insertions, say \(j\) insertions with \(1\le j<n\), a suppression would follow these insertions. Hence, for input \(0^n1^{k_n+1}\), there would be the following path

$$(0^n1^{k_n+1},(\gamma _0,q_0))\stackrel{\scriptstyle 0^n}{\,\longmapsto _*\,}(1^{k_n+1},(\gamma ^{\prime }_n,q^{\prime }_n)) \stackrel{\scriptstyle \epsilon }{\,\longmapsto _*\,}(1,(\gamma ^{\prime },q^{\prime }))\stackrel{\scriptstyle 1^j}{\,\longmapsto _*\,}(1,(\gamma ^{\prime \prime },q^{\prime \prime }))\stackrel{\scriptstyle \epsilon }{\,\longmapsto \,}(\epsilon ,(\gamma ^{\prime \prime \prime },q^{\prime \prime \prime }))$$

and output would be \(0^n1^j\) that is not in \(P\).

Thus, \(\mathbf A \) must do \(n\) consecutive \(1\)-insertions after the \(k_n\) suppressions. These insertions are necessarily followed by \(n-k_n\) suppressions so that output be \(0^n1^n\).

So, in \(\mathbf A \), there is the path \((0^n1^n,(\gamma _0,q_0))\stackrel{\scriptstyle 0^n}{\,\longmapsto _*\,}(1^n, (\gamma ^{\prime }_n,q^{\prime }_n))\stackrel{\scriptstyle 1^n}{\,\longmapsto _*\,}(\epsilon ,(\gamma ^{\prime \prime \prime },q^{\prime \prime \prime }))\) in which there are successively

  • alternately an insertion of a \(0\) and a suppression of a \(0\)

  • \(k_n\) suppressions of \(1\)

  • \(n\) consecutive insertions of \(1\)

  • \((n-k_n)\) suppressions of \(1\)

It follows that in \(B\), there is a path from state \((q_0,init_0)\) to a state \((q,init_4)\) labeled by \((02)^n2^{k_n}1^n2^{n-k_n}\).

\(\bullet \) For input \(0^n1^{n+1}\in P\), \(\mathbf A \) must output \(0^n1^{n+1}\). Since \(\mathbf A \) is deterministic, the path \((0^n1^{n+1},(\gamma _0,q_0))\stackrel{\scriptstyle 0^n1^n}{\,\longmapsto _*\,} (1,(\gamma ^{\prime \prime \prime },q^{\prime \prime \prime }))\) is necessarily followed by an insertion of \(1\) so that the output is \(0^n1^{n+1}\). Then, in \(B\), the previous path is followed by a transition to state \(end\) labeled by 1. Hence, \(B\) recognizes \(u\).

We now prove claim 2.

Let \(v=(02)^n 2^p 1^q 2^r1\) be a sequence recognized by \(B\) with \(p>0\).

From the behavior of \(B\), when recognizing sequence \(v\), we deduce behavior of \(\mathbf A \) with input \(0^n1^{p+r}1\).

We have the following cases :

  • when \(B\) reads \(0\) from location \((\cdot ,init_0), \mathbf A \) observes \(0\) from the input and inserts \(0\) (see transition 11)

  • when \(B\) reads 2 from location \((\cdot ,init_1), \mathbf A \) suppresses \(0\) from the input (see transition 12)

  • when \(B\) reads 2 from locations \((\cdot ,init_0),(\cdot ,init_2), (\cdot ,init_3),(\cdot ,init_4)\), \(\mathbf A \) suppresses a \(1\) from the input; therefore \(\mathbf A \) performs exactly \(p+r\) \(1\)-suppressions (see transitions 13, 14, 18 and 19),

  • when \(B\) reads \(1\) from locations \((\cdot ,init_2),(\cdot ,init_3)\), \(\mathbf A \) observes 1 from the input and inserts 1 (see transitions 16 and 17),

  • finally when \(B\) reads 1 from location \((\cdot ,init_4), \mathbf A \) observes 1 from the input and inserts 1 (see transition 20)

There must be the following computation in \(\mathbf A \) :

$$(0^n1^{p+r+1},(\gamma _0,q_0))\stackrel{\scriptstyle 0^n}{\,\longmapsto _*\,}(1^{p+r+1},(\gamma _1,q_1))\stackrel{\scriptstyle \epsilon }{\,\longmapsto _*\,}(1^{r+1},(\gamma ^{\prime }_1,q^{\prime }_1))\stackrel{\scriptstyle 1^q}{\,\longmapsto _*\,}(1^{r+1},(\gamma _2,q_2))\stackrel{\scriptstyle \epsilon }{\,\longmapsto _*\,}(1,(\gamma ^{\prime }_2,q^{\prime }_2))\stackrel{\scriptstyle 1}{\,\longmapsto \,}(1,(\gamma _3,q_3))$$

For input \(0^n1^{n+1}\), there exists \(k_n<n\) such that there is the computation

$$(0^n1^{n+1},(\gamma _0,q_0))\stackrel{\scriptstyle 0^n}{\,\longmapsto _*\,} (1^{n+1}, (\gamma ,q))\stackrel{\scriptstyle \epsilon }{\,\longmapsto _*\,} (1^{n+1-k_n},(\gamma ^{\prime },q^{\prime }))\stackrel{\scriptstyle 1^n}{\,\longmapsto _*\,}(1^{n+1-k_n}, (\gamma ^{\prime \prime },q^{\prime \prime })) \stackrel{\scriptstyle \epsilon }{\,\longmapsto _*\,}(1,(\gamma ^{\prime \prime \prime },q^{\prime \prime \prime }))$$

Since \(\mathbf A \) is deterministic, we must have \((\gamma _1,q_1)=(\gamma ,q), p=k_n\) and \((\gamma ^{\prime }_1,q^{\prime }_1)=(\gamma ^{\prime },q^{\prime })\).

Then, there must be \((\gamma _2,q_2)=(\gamma ^{\prime \prime },q^{\prime \prime })\) and \(q=n\). And following \((\gamma ^{\prime \prime \prime },q^{\prime \prime \prime })=(\gamma ^{\prime }_2,q^{\prime }_2)\) with \(r=n-k_n\).

We have necessarily \(v=(02)^n2^{k_n}1^n2^{n-k_n}1\).

The case \(v=(02)^n1^q2^{r}1\) (that is, \(p=0\)) is handled in the same way, using in particular transition 15. \(\square \)

Proof of Theorem 7

\(\star \) First, we prove the if part. Let \(P\) be a weakly simple regular policy. In a first step we define a deterministic context-free edit automaton, and in a second step we prove that it enforces \(P\).

1. Let \(A=(Q,i,\delta , F)\) be a pruned deterministic weakly simple finite automaton that recognizes \(P\). Let \(G\subset Q\) be the set of states that belong to a cycle containing no final state. Denote by \(C_q\) the elementary cycle starting in \(q\) in automaton \(A\) and by \(w_q\) the sequence that labels \(C_q\).

Deterministic context-free edit automaton \(\mathbf E (A)=(\Gamma ^*\times \mathcal Q ,s,\Delta )\) is defined by

  • \(\mathcal Q =Q\cup Q_1\cup Q_2\cup Q_3\cup Q_4\cup \{t\}\) is the set of locations, where \(Q_1= Q\times \mathcal A^{\le n}\), \(Q_2= Q\times \mathcal A^{\le n}\times \mathcal A^{\le n}\), \(Q_3=\bar{Q}\times \mathcal A^{\le n}\times \mathcal A^{\le n}\) and \(Q_4= Q\times \mathcal A^{\le n}\times Q \times \mathcal A^{\le n}\)

  • \(\Gamma = Q\) is the stack alphabet

  • \(s=(\epsilon ,i)\) is the initial location (empty stack, initial state of \(A\))

Transition function \(\Delta :\Gamma ^*\times \mathcal Q \times \mathcal A \rightarrow \Gamma ^*\times \mathcal Q \times (\mathcal A \cup \{\epsilon \})\) is defined by

$$\begin{aligned}&\Delta ((\gamma ,q),a)=((\gamma ,(q^{\prime },a)),\epsilon )\nonumber \\&\text{ if } q\in F \text{ and } \delta (q,a)=q^{\prime }\not \in F\end{aligned}$$
(21)
$$\begin{aligned}&\Delta ((\gamma ,(q,u)),a)=((\gamma ,(q^{\prime },ua)),\epsilon )\nonumber \\&\text{ if } \delta (q,a)=q^{\prime }, q,q^{\prime }\not \in F\cup G\end{aligned}$$
(22)
$$\begin{aligned}&\Delta ((\gamma ,(q,u)),a)=((\gamma ,(q^{\prime },ua,q^{\prime },\epsilon )),\epsilon )\nonumber \\&\text{ if } \delta (q,a)=q^{\prime }\in G, q\not \in F\cup G\end{aligned}$$
(23)
$$\begin{aligned}&\Delta ((\gamma ,(q,u,q,v)),a)=((\gamma ,(q^{\prime },u,q,va)),\epsilon )\nonumber \\&\text{ if } \delta (q,a)=q^{\prime }, q,q^{\prime }\in C_q\end{aligned}$$
(24)
$$\begin{aligned}&\Delta ((\gamma ,(q^{\prime \prime },u,q,v)),a)=((\gamma ,(q^{\prime },u,va)),\epsilon ) \nonumber \\&\text{ if } \delta (q^{\prime \prime },a)=q^{\prime }\not \in C_q\cup F, q^{\prime \prime }\in C_q\end{aligned}$$
(25)
$$\begin{aligned}&\Delta ((\gamma ,(q,u,v)),a)=((\gamma ,(q^{\prime },u,va)),\epsilon ) \nonumber \\&\text{ if } \delta (q,a)=q^{\prime }, q,q^{\prime }\not \in G\cup F\end{aligned}$$
(26)
$$\begin{aligned}&\Delta ((\gamma ,(q^{\prime },u,q,v)),a)=((\gamma q,(q,u,q,\epsilon )),\epsilon )\nonumber \\&\text{ if } \delta (q^{\prime },a)=q, q^{\prime }\in C_q, va=w_q\end{aligned}$$
(27)
$$\begin{aligned}&\Delta ((\gamma ,(q,\epsilon )),a)=((\gamma ,q),\epsilon )\nonumber \\&\text{ if } \ q\in F\end{aligned}$$
(28)
$$\begin{aligned}&\Delta ((\gamma ,q),a)=((\gamma ,t),\epsilon )\nonumber \\&\text{ if } q\in F\text{ and } \delta (q,a) \text{ is } \text{ not } \text{ defined }\end{aligned}$$
(29)
$$\begin{aligned}&\Delta ((\gamma ,(q,u)),a)=((\gamma ,t),\epsilon ) \text{ if } q\not \in F\cup G\nonumber \\&\text{ and } \delta (q,a) \text{ is } \text{ not } \text{ defined }\end{aligned}$$
(30)
$$\begin{aligned}&\Delta ((\gamma ,(q^{\prime },u,q,v)),a)=((\gamma ,t),\epsilon )\nonumber \\&\text{ if } \ \delta (q,a) \text{ is } \text{ not } \text{ defined } \end{aligned}$$
(31)
$$\begin{aligned}&\Delta ((\gamma ,(q,u,v)),a)=((\gamma ,t),\epsilon )\nonumber \\&\text{ if } \delta (q,a) \text{ is } \text{ not } \text{ defined }\end{aligned}$$
(32)
$$\begin{aligned}&\Delta ((\gamma ,t),a)=((\gamma ,t),\epsilon )\end{aligned}$$
(33)
$$\begin{aligned}&\Delta ((\gamma ,(q,bu)),a)=((\gamma ,(q^{\prime },ua)),b)\nonumber \\&\text{ if } \delta (q,a)=q^{\prime }\in F, q\not \in F\cup G\end{aligned}$$
(34)
$$\begin{aligned}&\Delta ((\gamma ,(q,bua)),a)=((\gamma ,(q,ua)),b)\nonumber \\&\text{ if } q\in F\end{aligned}$$
(35)
$$\begin{aligned}&\Delta ((\gamma ,q),a)=((\gamma ,(q^{\prime },\epsilon )),a)\nonumber \\&\text{ if } q\in F \text{ and } \delta (q,a)=q^{\prime }\in F\end{aligned}$$
(36)
$$\begin{aligned}&\Delta ((\gamma ,(q,a),a)=((\gamma ,(q,\epsilon )),a) \text{ if } q\in F\end{aligned}$$
(37)
$$\begin{aligned}&\Delta ((\gamma ,(q,bu,v),a)=((\gamma ,(q^{\prime },u,va)),b)\nonumber \\&\text{ if } q\not \in F \text{ and } \delta (q,a)=q^{\prime }\in F\end{aligned}$$
(38)
$$\begin{aligned}&\Delta ((\gamma ,(q,bu,va),a)=((\gamma ,(q,u,va)),b) \text{ if } q\in F\end{aligned}$$
(39)
$$\begin{aligned}&\Delta ((\gamma ^{\prime }q,(q^{\prime },\epsilon ,va)),a)=((\gamma ^{\prime }q,(\bar{q}^{\prime },b,va)),b)\nonumber \\&\text{ if } q^{\prime }\in F \text{ and } w_q=bw^{\prime }\end{aligned}$$
(40)
$$\begin{aligned}&\Delta ((\gamma ^{\prime }q,(q^{\prime },u,va)),a)=((\gamma ^{\prime }q,(\bar{q}^{\prime },ub,va)),b)\nonumber \\&\text{ if } q^{\prime }\in F \text{ and } w_q=ubw^{\prime }\end{aligned}$$
(41)
$$\begin{aligned}&\Delta ((\gamma ^{\prime }q,(\bar{q}^{\prime },u,va)),a)=((\gamma ^{\prime },(q^{\prime },\epsilon ,va)),b)\nonumber \\&\text{ if } q^{\prime }\in F \text{ and } w_q=ub\end{aligned}$$
(42)
$$\begin{aligned}&\Delta ((\epsilon ,(q,\epsilon ,bva)),a)=((\epsilon ,(q,\epsilon ,va)),b)\nonumber \\&\text{ if } q\in F\end{aligned}$$
(43)
$$\begin{aligned}&\Delta ((\epsilon ,(q,\epsilon ,a)),a)=((\epsilon ,(q,\epsilon )),a)\nonumber \\&\text{ if } q\in F \end{aligned}$$
(44)

2. Now we prove that

  (a) if \(\sigma \in P\) then \(\mathcal T _\mathbf{E (A)}(\sigma )=\sigma \)

  (b) \(\mathcal T _\mathbf{E (A)}(\sigma )\in P\) for any \(\sigma \in \mathcal A ^*\)

(a) Let \(\sigma \in P\). Let \(u_1, u_1u_2,\ldots , u_1u_2\ldots u_k=\sigma \) be all the prefixes of \(\sigma \) which belong to \(P\).

We are going to prove that in edit automaton \(\mathbf E (A)\), there is a computation

$$\begin{aligned}&(u_1\ldots u_k,(\epsilon ,i))\stackrel{\scriptstyle u_1}{\,\longmapsto _*\,}(u_2\ldots u_k,(\gamma _{1},\mathbf q_1 ))\stackrel{\scriptstyle u_2}{\,\longmapsto _*\,}\ldots \\&\quad \stackrel{\scriptstyle u_k}{\,\longmapsto _*\,}(\epsilon ,(\gamma _k,\mathbf q_k )) \end{aligned}$$

To compute such a run we consider behavior of automata \(A\) with input \(\sigma \); there is a computation \(q_0=i\stackrel{\scriptstyle u_1}{\,\longrightarrow _*\,}q_1\stackrel{\scriptstyle u_2}{\,\longrightarrow _*\,}q_2 \ldots \stackrel{\scriptstyle u_k}{\,\longrightarrow _*\,}q_k\) where \(q_i, 0\le i\le k\) are the only final states of \(A\).

Between two consecutive such final states, say \(q_{i-1}\) and \(q_{i}\), there is at most one elementary cycle in \(A\); we denote by \(p\) the first state of this cycle encountered in the computation from \(q_{i-1}\) to \(q_{i}\) and by \(p^{\prime }\) its last state. Therefore, in \(A\) the computation between \(q_{i-1}\) and \(q_{i}\) is of the form

\(q_{i-1}\stackrel{\scriptstyle u}{\,\longrightarrow _*\,}p\stackrel{\scriptstyle w_p^k}{\,\longrightarrow _*\,}p\stackrel{\scriptstyle w^{\prime }}{\,\longrightarrow _*\,}p^{\prime }\stackrel{\scriptstyle u^{\prime }}{\,\longrightarrow _*\,}q\stackrel{\scriptstyle a}{\,\longrightarrow \,}q_{i}\) where \(u_{i}=u w_p^k w^{\prime } u^{\prime }a\).

(Note that in this computation \(w^{\prime }\) is a proper prefix, possibly empty, of \(w_p\).)

Therefore, the global behavior of \(\mathbf E (A)\) can be described as follows:

  • \(\mathbf E (A)\) performs suppressions and memorizes the prefix \(u\) in states of \(Q_1\),

  • then \(\mathbf E (A)\) goes on with suppressions and memorizes the first state \(p\) of \(G\) and the label of \(C_p\) in states of \(Q_4\),

  • when \(A\) reaches \(p\) again, this loop is memorized in the stack of \(\mathbf E (A)\), onto which \(p\) is pushed,

  • further on, when \(A\) leaves the states of \(G\), \(\mathbf E (A)\) goes on with suppressions and memorizes the suppressed letters with states of \(Q_2\),

  • \(\mathbf E (A)\) begins insertions when \(A\) reaches the final state \(q_i\),

  • \(\mathbf E (A)\) inserts the sequence \(u\) and memorizes the last action \(a\) in a state of \(Q_2\),

  • then \(\mathbf E (A)\) inserts the sequence \(w_p\) using states of \(Q_2\) and \(Q_3\), popping one \(p\) from the stack for each output of \(w_p\),

  • \(\mathbf E (A)\) goes on with the insertion of \(u^{\prime }a\) once the stack is empty.

More precisely, successive computations in edit automaton \(\mathbf E (A)\) are shown below:

  • according to transitions 21, 22 and 23 we have

    $$\begin{aligned} (u_i,(\epsilon ,q_{i-1}))\stackrel{\scriptstyle \epsilon }{\,\longmapsto _*\,}(w_p^k w^{\prime } u^{\prime },(\epsilon ,(p,u,p,\epsilon ))) \end{aligned}$$
  • according to transitions 24 and 27 we have

    $$\begin{aligned}&(w_p^k w^{\prime } u^{\prime }a,(\epsilon ,(p,u,p,\epsilon )))\\&\quad \stackrel{\scriptstyle \epsilon }{\,\longmapsto _*\,}(w_p^{k-1} w^{\prime } u^{\prime }a,(p,(p,u ,p,\epsilon )))\stackrel{\scriptstyle \epsilon }{\,\longmapsto _*\,}\ldots \\&\quad \stackrel{\scriptstyle \epsilon }{\,\longmapsto _*\,}(w^{\prime }u^{\prime }a,(p^k,(p,u ,p,\epsilon ))) \end{aligned}$$
  • according to transition 24 we have

    $$\begin{aligned}&(w^{\prime }u^{\prime }a,(p^k,(p,u ,p,\epsilon )))\\&\quad \stackrel{\scriptstyle \epsilon }{\,\longmapsto _*\,}(u^{\prime }a,(p^k,(p^{\prime },u ,p,w^{\prime }))) \end{aligned}$$
  • according to transitions 25 and 26 we have

    $$\begin{aligned} (u^{\prime }a,(p^k,(p^{\prime },u ,p,w^{\prime })))\stackrel{\scriptstyle \epsilon }{\,\longmapsto _*\,}(a,(p^k,(q,u,w^{\prime }u^{\prime }))) \end{aligned}$$
  • according to transitions 38 and 39 we have

    $$\begin{aligned} (a,(p^k,(q,u,w^{\prime }u^{\prime })))\stackrel{\scriptstyle u}{\,\longmapsto _*\,}(a,(p^k,(q_i,\epsilon ,w^{\prime }u^{\prime }a))) \end{aligned}$$
  • according to transitions 40, 41 and 42 we have

    $$\begin{aligned}&(a,(p^k,(q_i,\epsilon ,w^{\prime }u^{\prime }a)))\stackrel{\scriptstyle w_p}{\,\longmapsto _*\,}(a,(p^{k-1},\\&(q_i,\epsilon ,w^{\prime }u^{\prime }a)))\stackrel{\scriptstyle w_p^{k-1}}{\,\longmapsto _*\,}(a,(\epsilon ,(q_i, \epsilon ,w^{\prime }u^{\prime }a))) \end{aligned}$$
  • according to transitions 43 and 44 we have

    $$\begin{aligned}&(a,(\epsilon ,(q_i,\epsilon ,w^{\prime }u^{\prime }a)))\stackrel{\scriptstyle w^{\prime }u^{\prime }}{\,\longmapsto _*\,}\\&(a,(\epsilon ,(q_i,\epsilon ,a)))\stackrel{\scriptstyle a}{\,\longmapsto _*\,}(a,(\epsilon ,(q_i,\epsilon ))) \end{aligned}$$
  • finally according to transition 28 we have

    $$\begin{aligned} (a,(\epsilon ,(q_i,\epsilon )))\stackrel{\scriptstyle \epsilon }{\,\longmapsto \,}(\epsilon ,(\epsilon ,q_i)) \end{aligned}$$

We have proved the more general case, where \(u_i\) contains an iterated factor. If it does not, the edit automaton \(\mathbf E (A)\) uses transitions 34, 35, 36, 37 and 28 to achieve the insertions.

(b) Let \(\sigma \) be a sequence that is not in \(P\) and let \(\sigma _P\) be its longest prefix in \(P\) with \(\sigma =\sigma _Pa\sigma ^{\prime }\). We are to prove that \(\mathcal T _\mathbf{E (A)}(\sigma )= \sigma _P\).

As shown above, there is a computation in \(\mathbf E (A)\): \((\sigma ,(\epsilon ,i))\stackrel{\scriptstyle \sigma _P}{\,\longmapsto _*\,}(a\sigma ^{\prime },(\epsilon ,q))\) and a computation in \(A\): \(i\stackrel{\scriptstyle \sigma _P}{\,\longrightarrow _*\,}q\) where \(q\in F\).

Since \(A\) is pruned and \(\sigma \not \in P\), there is no computation in \(A\) from \(q\) with input \(a\) that can reach a final state; then, according to transitions 21, 22, 23, 24, 25, 26, 27, 29, 30, 31, 32 and 33, we have the computation \((a\sigma ^{\prime },(\epsilon ,q))\stackrel{\scriptstyle \epsilon }{\,\longmapsto _*\,}(\epsilon ,(\epsilon ,t))\) in \(\mathbf E (A)\).

Therefore \(\mathcal T _\mathbf{E (A)}(\sigma )=\sigma _P\).
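The two properties just proved, \(\mathcal T _\mathbf{E (A)}(\sigma )=\sigma \) for \(\sigma \in P\) and \(\mathcal T _\mathbf{E (A)}(\sigma )=\sigma _P\) otherwise, can be checked concretely with a small monitor. The following is an added example, not code from the paper: the policy DFA \(A\) is pruned, the monitor suppresses symbols while \(A\) is in a non-final state and memorizes them in a buffer (which stands in for the memorizing states \(Q_1,\ldots ,Q_4\) and the stack of \(\mathbf E (A)\)), inserts the whole buffer as soon as \(A\) reaches a final state, and moves to the sink \(t\) when the pruned \(A\) has no transition. The buffer is an unbounded list, so this is the pushdown-style enforcer rather than a finite edit automaton. The policy \(P=(b\,o^*\,c)^*\) and the class and function names are constructed for the example.

```python
"""Run-time enforcement of a regular policy by an edit-automaton-style monitor.

Added example, not code from the paper.  The policy P is given by a DFA A.
The monitor keeps a buffer of suppressed symbols (it plays the role of the
memorizing states Q_1..Q_4 and of the stack of E(A)); it inserts the buffer
as soon as A reaches a final state and moves to the sink t, suppressing
everything afterwards, as soon as the pruned A has no transition.

The policy used below is constructed: P = (b o* c)*, a transaction discipline
in which every begin (b) is followed by operations (o) and a commit (c).
"""
from itertools import product
from typing import Dict, Hashable, List, Tuple

State = Hashable


class DFA:
    """Deterministic finite automaton with a partial transition function."""

    def __init__(self, states, initial: State,
                 delta: Dict[Tuple[State, str], State], finals) -> None:
        self.states = set(states)
        self.initial = initial
        self.delta = dict(delta)
        self.finals = set(finals)

    def pruned(self) -> "DFA":
        """Keep only states from which a final state is reachable, so that an
        undefined transition means the policy can no longer be satisfied."""
        reverse: Dict[State, set] = {}
        for (src, _), dst in self.delta.items():
            reverse.setdefault(dst, set()).add(src)
        alive, work = set(self.finals), list(self.finals)
        while work:                          # backward reachability from F
            q = work.pop()
            for p in reverse.get(q, ()):
                if p not in alive:
                    alive.add(p)
                    work.append(p)
        delta = {(p, a): q for (p, a), q in self.delta.items()
                 if p in alive and q in alive}
        return DFA(alive, self.initial, delta, self.finals & alive)

    def accepts(self, word: str) -> bool:
        q = self.initial
        for a in word:
            q = self.delta.get((q, a))
            if q is None:
                return False
        return q in self.finals


class EditMonitor:
    """The transducer T_E(A): suppress while non-final, insert on final, sink on violation."""
    SINK = "t"

    def __init__(self, policy: DFA) -> None:
        self.A = policy.pruned()
        self.reset()

    def reset(self) -> None:
        self.q = self.A.initial if self.A.initial in self.A.states else self.SINK
        self.buffer: List[str] = []          # suppressed symbols not yet inserted

    def step(self, a: str) -> str:
        """Consume one input symbol and return what is emitted on the output."""
        if self.q == self.SINK:
            return ""                        # state t: every later symbol is suppressed
        nxt = self.A.delta.get((self.q, a))
        if nxt is None:                      # undefined in the pruned A: no final state ahead
            self.q, self.buffer = self.SINK, []
            return ""
        self.q = nxt
        self.buffer.append(a)                # suppress and memorize the symbol
        if nxt in self.A.finals:             # the input read so far is in P: insert it
            out, self.buffer = "".join(self.buffer), []
            return out
        return ""

    def transform(self, word: str) -> str:
        self.reset()
        return "".join(self.step(a) for a in word)


def longest_prefix_in(policy: DFA, word: str) -> str:
    """Reference value sigma_P of the paper, computed by brute force."""
    return max((word[:k] for k in range(len(word) + 1) if policy.accepts(word[:k])),
               key=len, default="")


# Constructed policy (b o* c)* with an extra dead state 2 that pruning removes.
POLICY = DFA(states={0, 1, 2}, initial=0,
             delta={(0, "b"): 1, (1, "o"): 1, (1, "c"): 0, (1, "x"): 2},
             finals={0})


def enforce(word: str) -> str:
    return EditMonitor(POLICY).transform(word)


def check_properties(alphabet: str = "bocx", max_len: int = 6) -> bool:
    """(a) T(s) = s for s in P; (b) T(s) in P and T(s) = sigma_P, on all short words."""
    mon = EditMonitor(POLICY)
    for n in range(max_len + 1):
        for w in map("".join, product(alphabet, repeat=n)):
            out = mon.transform(w)
            if POLICY.accepts(w) and out != w:
                return False
            if not POLICY.accepts(out) or out != longest_prefix_in(POLICY, w):
                return False
    return True


if __name__ == "__main__":
    for w in ["bocboc", "bocbo", "boxboc", "cboc"]:
        print(f"{w!r:10} -> {enforce(w)!r}")
    print("properties hold:", check_properties())
```

`enforce("bocbo")` returns `"boc"`: the trailing `bo` is memorized but never inserted because no commit arrives, which is exactly \(\sigma _P\). `enforce("boxboc")` returns the empty word, since after `bo` the symbol `x` leads only to the dead state that pruning removed, so the monitor enters \(t\). `check_properties` exhausts every word of length at most 6 over the alphabet and compares the monitor with the brute-force longest-prefix computation.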

\(\star \) Now for the only-if part we proceed by contradiction. We consider a regular policy \(P\) which is enforceable by a deterministic push-down edit automaton \(\mathbf A =(\mathcal Q ,i,\delta )\) but such that \(P\) is not weakly simple.

Here are the steps we will follow:

  1. we define a subset \(P^{\prime }\) of policy \(P\) making use of the fact that \(P\) is not weakly simple,

  2. we construct a deterministic push-down edit automaton \(\mathbf A^{\prime } \) that enforces \(P^{\prime }\),

  3. from \(\mathbf A^{\prime } \) we construct a deterministic push-down automaton \(A^{\prime \prime }\),

  4. we compute the set recognized by \(A^{\prime \prime }\),

  5. we prove this set is not context-free, which yields the contradiction.

1. Let \(B\) be a deterministic pruned finite automaton which recognizes \(P\). Since \(P\) is not weakly simple, the graph induced by the non-final states of \(B\) contains two elementary cycles in the same connected component.

More precisely, there exist two final states \(t\) and \(t^{\prime }\), two non-final states \(q\) and \(q^{\prime }\) and a computation \(r\) from the initial state \(i\) in \(B\) of the form:

$$\begin{aligned} i\stackrel{\scriptstyle \alpha }{\,\longrightarrow _*\,}t\stackrel{\scriptstyle \beta }{\,\longrightarrow _*\,}q\stackrel{\scriptstyle u}{\,\longrightarrow _*\,}q\stackrel{\scriptstyle \theta }{\,\longrightarrow _*\,}q^{\prime }\stackrel{\scriptstyle v}{\,\longrightarrow _*\,}q^{\prime }\stackrel{\scriptstyle \eta }{\,\longrightarrow _*\,}t^{\prime } \end{aligned}$$

such that:

  • there is no final state between \(t\) and \(t^{\prime }\),

  • sequences \(\beta ,u,v,\eta \) are not empty,

  • \(q\stackrel{\scriptstyle u}{\,\longrightarrow _*\,}q\) and \(q^{\prime }\stackrel{\scriptstyle v}{\,\longrightarrow _*\,}q^{\prime }\) are two elementary cycles \(C_q\) and \(C_{q^{\prime }}\), respectively, which are different (up to a circular permutation),

  • the first edge of \(q\stackrel{\scriptstyle \theta v}{\,\longrightarrow _*\,}q^{\prime }\) does not belong to \(C_q\), and the first edge of \(q^{\prime }\stackrel{\scriptstyle \eta }{\,\longrightarrow _*\,}t^{\prime }\) does not belong to \(C_{q^{\prime }}\).

Let \(P^{\prime }\) be the set \(P^{\prime }=\alpha \beta u^*\theta v^* \eta \cup \{\alpha \}\). \(P^{\prime }\) corresponds to a set of paths in \(B\) obtained from \(r\) by iterating cycles \(C_q\) and \(C_{q^{\prime }}\).

2. Now we use the deterministic push-down edit automaton \(\mathbf A \) to construct another deterministic push-down edit automaton \(\mathbf A^{\prime } \) that enforces \(P^{\prime }\).

\(\mathbf A^{\prime } \) has the same set of states as \(\mathbf A \).

The transitions of \(\mathbf A^{\prime } \) are partly modified transitions of \(\mathbf A \): as soon as a sequence has a prefix which is no longer a prefix of \(P^{\prime }\), the push-down edit automaton \(\mathbf A^{\prime } \) consumes the input and produces nothing more on the output.

In order to simplify notations, we denote by \(Q\) the set of locations of \(\mathbf A^{\prime } \), by \(\Gamma \) its stack alphabet and by \(\delta \) its transition function.

3. Now we build a push-down automaton \(A^{\prime \prime }\) from edit automaton \(\mathbf A^{\prime } \). To define the set of states of \(A^{\prime \prime }\), we need to analyze the behavior of \(\mathbf A^{\prime } \) on sequences of the form \(w=\alpha \beta u^n\theta v^p \eta \).

A first question is the value of \(\mathcal T _\mathbf{A^{\prime } }(\alpha \beta u^n\theta v^p)\). Let \(a\) be the last symbol of \(\eta \): \(\eta =\eta _1 a\). Both sequences \(\alpha \beta u^n\theta v^p\eta _1\) and \(\alpha \beta u^n\theta v^{p+1}\eta _1\) belong to PreIm(\(\alpha \)). So, by Lemma 3, \(\mathcal T _\mathbf{A^{\prime } }(\alpha \beta u^n\theta v^p)=\alpha \) for every \(n, p\).

Secondly, on input \(w\) the computation of \(\mathbf A^{\prime } \) has four steps:

  • first step: the treatment of \(\alpha \) up to the suppression of the last symbol of \(\alpha \); the output is \(\alpha \). Let \((q_{\alpha },\sigma _{\alpha })\) be the state of \(\mathbf A^{\prime } \) at the end of this step;

  • second step: \(\mathbf A^{\prime } \) suppresses all the symbols of \(\beta u^n\theta v^p\) and some proper prefix of \(\eta \) that depends only on \(n\) and \(p\), which we denote \(\eta (n,p)\);

  • third step: \(\mathbf A^{\prime } \) produces on the output the rest of \(w\), namely \(\beta u^n\theta v^p\eta \);

  • fourth step: \(\mathbf A^{\prime } \) suppresses the end of \(\eta \); let \(a(n,p)\) be the first symbol suppressed by \(\mathbf A^{\prime } \) at this step.

Finally, the set \(\beta u^*\theta v^*\eta \) is regular and is therefore recognized by a pruned deterministic finite automaton \(R=(Q_R,i_R,\delta _R,T_R)\).

We can now give the definition of push-down automaton \(A^{\prime \prime }\).

$$\begin{aligned} A^{\prime \prime }=(\hat{Q}, \hat{q},\mathcal{A}\cup \bar{\mathcal{A}}, {\Gamma },\sigma _{\alpha }, \hat{\delta },F^{\prime \prime }) \end{aligned}$$

where

  • \(\hat{Q}=Q\times Q_R\cup Q\cup \{end\}\) is the set of locations,

  • \(\hat{q}=(q_{\alpha },i_R)\) is the initial location, \(\sigma _{\alpha }\) is the initial stack

  • \(\hat{\delta }:({\Gamma }\times \hat{Q})\times (\mathcal{A}\cup \bar{\mathcal{A}})\rightarrow 2^{({\hat{Q}}\times {\Gamma }^*)}\) is the transition function,

  • \(F^{\prime \prime }=\{end\}\) is the set of final locations.

The transition function \(\hat{\delta }\) is defined by:

  • \(\hat{\delta }((y,q,q_R),\bar{x})=((q^{\prime }, q^{\prime }_R),\gamma ^{\prime })\) (1) if \(\delta ((\gamma y,q),x)=((\gamma \gamma ^{\prime },q^{\prime }),\epsilon )\) for \(\gamma \in \Gamma ^*\) and \(\delta _R(q_R,x)=q^{\prime }_R\) and \(q^{\prime }_R\not \in T_R\)

  • \(\hat{\delta }((y,q,q_R),{x})=(q^{\prime },\gamma ^{\prime })\) (2) if \(\delta ((\gamma y,q),z)=((\gamma \gamma ^{\prime },q^{\prime }),x)\) and \(\delta _R(i_R,x)=q^{\prime }_R\), for \(q^{\prime }_R\in Q_R, \gamma \in \Gamma ^*\) and some \(z\in \mathcal A \) (note that \(z\) exists and is the symbol \(a(n,p)\))

  • \(\hat{\delta }((y,q),x)=(q^{\prime },\gamma ^{\prime })\) (3) if \(\delta ((\gamma y,q),z)=((\gamma \gamma ^{\prime },q^{\prime }),x)\) for \(\gamma \in \Gamma ^*\) and some \(z\in \mathcal A \) (note that \(z\) exists and is the symbol \(a(n,p)\))

  • \(\hat{\delta }((y,q),\epsilon )=(end,y)\) (4) if \(\delta ((\gamma y,q),z)=((\gamma \gamma ^{\prime },q^{\prime }),\epsilon )\) for \(\gamma \in \Gamma ^*\) and some \(z\in \mathcal A \) (note that \(z\) exists and is the symbol \(a(n,p)\))

\(A^{\prime \prime }\) proceeds as follows with the input alphabet:

  • \(A^{\prime \prime }\) reads \(\bar{x}\) when \(\mathbf A^{\prime } \) suppresses a symbol \(x\) for every \(x\in \mathcal{A}\) (see transition (1)),

  • \(A^{\prime \prime }\) reads \({x}\) when \(\mathbf A^{\prime } \) inserts a symbol \(x\) for every \(x\in \mathcal{A}\) (see transitions (2), (3))

\(A^{\prime \prime }\) proceeds as follows with its locations:

  • a location \((\cdot )\) is reached from location \((\cdot ,\cdot )\) when there is an insertion in \(\mathbf A^{\prime } \) (see transition (2)),

  • location \(end\) is reached from location \((\cdot )\) when there is a suppression in \(\mathbf A^{\prime } \) (see transition (4)).

The behavior of automaton \(A^{\prime \prime }\) is shown in Fig. 5.

Fig. 5 Automaton \(A^{\prime \prime }\)

4. We now prove that automaton \(A^{\prime \prime }\) recognizes the language

$$\begin{aligned} \{\bar{\beta } \bar{u}^n\bar{\theta } \bar{v}^p\overline{\eta (n,p)}\beta u^n\theta v^p \eta ,\ n,p\in \mathbb N \}. \end{aligned}$$

Indeed, it is clear that every sequence \(\bar{\beta } \bar{u}^n\bar{\theta } \bar{v}^p\overline{\eta (n,p)} \beta u^n\theta v^p \eta \) is recognized by \(A^{\prime \prime }\) for every \(n,p\in \mathbb N \).

Conversely, we have to prove that no other sequence is recognized by \(A^{\prime \prime }\). Let \(\bar{\lambda }\mu \) be a sequence recognized by \(A^{\prime \prime }\), with \(\lambda \in \mathcal{A}^+, \mu \in \mathcal{A}^+\).

According to transition (1), since automaton \(R\) is pruned and recognizes the set \(\beta u^*\theta v^*\eta \), \(\lambda \) is a prefix of a sequence in \(\beta u^*\theta v^*\eta \). More precisely, it is a proper prefix of some \(\beta u^n\theta v^p \eta \), because the last symbol in \(\bar{\mathcal{A}}\) that \(A^{\prime \prime }\) reads does not allow automaton \(R\) to reach a final location (see transition (1)). Let \(\beta u^n\theta v^p \eta =\lambda z\lambda ^{\prime }\) for some \(n,p\) and \(z\in \mathcal A ,\lambda ^{\prime }\in \mathcal A ^*\).

Considering the behavior of \(A^{\prime \prime }\) when recognizing the sequence \(\bar{\lambda }\mu \), we obtain in edit automaton \(\mathbf A^{\prime } \), on input \(\alpha \lambda z\lambda ^{\prime }\), the following computation:

$$\begin{aligned}&(\alpha \lambda z\lambda ^{\prime },(q_0,Z_0))\stackrel{\scriptstyle \alpha }{\,\longmapsto _*\,} (\lambda z\lambda ^{\prime },(q_{\alpha },\sigma _{\alpha }))\stackrel{\scriptstyle \epsilon }{\,\longmapsto _*\,}\\&\quad (z\lambda ^{\prime },(q^{\prime },\gamma ^{\prime }))\stackrel{\scriptstyle \mu }{\,\longmapsto _*\,}\\&(z\lambda ^{\prime },(q^{\prime \prime },\gamma ^{\prime \prime }))\stackrel{\scriptstyle \epsilon }{\,\longmapsto _*\,} (\epsilon ,(q^{\prime \prime \prime },\gamma ^{\prime \prime \prime })). \end{aligned}$$

Thus \(\mathcal T _\mathbf{A^{\prime } }(\alpha \lambda z)=\alpha \mu \in P^{\prime }\). This means there exist \(n, p\) such that \(\mu =\beta u^n\theta v^p \eta \). Moreover, \(\alpha \lambda \in \mathtt PreIm (P^{\prime })\), otherwise \(\mu \) would not be output after the reading of \(\alpha \lambda \). Since \(\mathbf A^{\prime } \) writes \(\mu \) on the output, we get \(\lambda =\beta u^n\theta v^p \eta (n,p)\) and \(z=a(n,p)\): indeed, if \(z\not =a(n,p)\), then \(\mu \) would not be written by \(\mathbf A^{\prime } \).

Thus, the language recognized by \(A^{\prime \prime }\) is \(\{\bar{\beta } \bar{u}^n\bar{\theta } \bar{v}^p\overline{ \eta (n,p)} \beta u^n\theta v^p \eta \;|\; n,p \ge 0\}.\)

5. Clearly, this language is not context-free, by a simple application of the pumping lemma. \(\square \)


Beauquier, D., Cohen, J. & Lanotte, R. Security policies enforcement using finite and pushdown edit automata. Int. J. Inf. Secur. 12, 319–336 (2013). https://doi.org/10.1007/s10207-013-0195-8
