On the Decidability of Non Interference over Unbounded Petri Nets

Notice: This research summary and analysis were automatically generated using AI technology. For absolute accuracy, please refer to the [Original Paper Viewer] below or the Original ArXiv Source.

Non-interference, in transitive or intransitive form, is defined here over unbounded (Place/Transition) Petri nets. The definitions are adaptations of similar, well-accepted definitions introduced earlier in the framework of labelled transition systems. The interpretation of intransitive non-interference which we propose for Petri nets is as follows. A Petri net represents the composition of a controlled system and a controller system, possibly sharing places and transitions. Low transitions represent local actions of the controlled system, high transitions represent local decisions of the controller, and downgrading transitions represent synchronized actions of both components. Intransitive non-interference means the impossibility for the controlled system to follow any local strategy that would force or dodge synchronized actions depending upon the decisions taken by the controller after the last synchronized action. The fact that both language equivalence and bisimulation equivalence are undecidable for unbounded labelled Petri nets might be seen as an indication that non-interference properties based on these equivalences cannot be decided. We prove the opposite, providing results of decidability of non-interference over a representative class of infinite state systems.


💡 Research Summary

The paper investigates the decidability of non‑interference properties for unbounded Place/Transition (P/T) Petri nets, a class of infinite‑state systems for which language equivalence and weak bisimulation are known to be undecidable. The authors first adapt the classic notions of non‑interference—originally defined for labelled transition systems—to the Petri‑net setting. They distinguish three kinds of transitions: low (L) actions belonging to the controlled component, high (H) actions belonging to the controller, and downgrading (D) actions that synchronize both components and serve as declassification points.

In the first technical part (Section 3) the paper defines two classical security properties: NDC (Non‑Deducibility on Compositions) and its bisimulation‑based counterpart BNDC. Both require that, for every high‑level net N′ (a net that shares only high transitions with N), the low‑observable behaviour of N is unchanged when N is composed with N′ and all high transitions are hidden. Read literally, this demands an infinite family of language‑equivalence or bisimulation checks, and those equivalences are undecidable for unbounded nets. The key step is a reduction: writing N/H for N with its high transitions hidden (relabelled as silent) and N\H for the net obtained by deleting all high transitions, NDC holds if and only if N/H and N\H are language‑equivalent; the same reduction works for BNDC with weak bisimilarity. One direction of that equivalence is free: every run of N\H is a run of N that fires no high transition, so L(N\H) ⊆ L(N/H) always holds and only the converse inclusion L(N/H) ⊆ L(N\H) has to be decided.

The reduction makes a known decidability result applicable. Transition names serve as labels, so N\H, having no silent transitions, is a deterministic Petri net, and by Pelz’s theorem the complement of a deterministic Petri‑net language is again a Petri‑net language. The question L(N/H) ⊆ L(N\H) therefore becomes emptiness of L(N/H) ∩ complement(L(N\H)), the language of a product net, and that emptiness question reduces to reachability, which is decidable for unbounded P/T nets. This establishes the decidability of NDC; the paper shows that BNDC is decidable as well.
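As an added illustration of the hide‑versus‑delete reduction (this is example code written for this page, not code from the paper), the following Python model builds N/H and N\H from a small free‑labelled P/T net and searches for a low word that lies in L(N/H) but not in L(N\H). It uses exactly the asymmetry the proof relies on: N\H is deterministic, so inclusion into its language can be checked by walking a subset construction of N/H in lockstep with the single current marking of N\H. The two sample nets, their place and transition names, and the `INTERFERING`/`SECURE` identifiers are all constructed here. The exhaustive exploration is exact only for bounded nets (both samples are 1‑safe); for unbounded nets it may not terminate, which is precisely why the paper goes through Pelz’s theorem and reachability instead.

```python
from collections import deque

# Added illustration (not code from the paper): the hide-versus-delete
# reduction for NDC on a small free-labelled P/T net.  A marking is a
# frozenset of (place, tokens) pairs with zero counts omitted, so markings
# hash and compare structurally.

def marking(tokens):
    """Canonical marking from a {place: count} dict (constructed input)."""
    return frozenset((p, n) for p, n in tokens.items() if n > 0)

def enabled(m, pre):
    counts = dict(m)
    return all(counts.get(p, 0) >= n for p, n in pre.items())

def fire(m, pre, post):
    counts = dict(m)
    for p, n in pre.items():
        counts[p] -= n
    for p, n in post.items():
        counts[p] = counts.get(p, 0) + n
    return marking(counts)

def h_closure(transitions, markings):
    """All markings reachable from `markings` by firing only H transitions.
    This is the epsilon-closure of N/H, where H transitions are silent.
    Terminates only if the H-reachable set is finite (true for bounded nets)."""
    seen = set(markings)
    todo = list(markings)
    while todo:
        m = todo.pop()
        for level, pre, post in transitions.values():
            if level == "H" and enabled(m, pre):
                m2 = fire(m, pre, post)
                if m2 not in seen:
                    seen.add(m2)
                    todo.append(m2)
    return frozenset(seen)

def ndc_counterexample(transitions, m0):
    """Search for a low word w with w in L(N/H) but w not in L(N\\H).

    L(N\\H) is contained in L(N/H) for every net (a run of N\\H is a run of N
    that fires no H transition), so N is NDC exactly when no such w exists.
    N\\H is deterministic because transition names are the labels, so the
    check walks a product of the subset construction of N/H (sets S of
    markings) against the single current marking m of N\\H: a violation is a
    low transition enabled in some marking of S but not in m.
    Exploration is exhaustive, hence exact, for bounded nets."""
    low = {t: (pre, post) for t, (lvl, pre, post) in transitions.items() if lvl == "L"}
    start = (h_closure(transitions, {m0}), m0)
    queue = deque([(start, ())])
    seen = {start}
    while queue:
        (S, m), word = queue.popleft()
        for t, (pre, post) in low.items():
            if not any(enabled(s, pre) for s in S):
                continue                      # word+t is in neither language
            if not enabled(m, pre):
                return word + (t,)            # in L(N/H), not in L(N\H)
            S2 = h_closure(transitions, {fire(s, pre, post) for s in S if enabled(s, pre)})
            m2 = fire(m, pre, post)
            if (S2, m2) not in seen:
                seen.add((S2, m2))
                queue.append(((S2, m2), word + (t,)))
    return None

def is_ndc(transitions, m0):
    return ndc_counterexample(transitions, m0) is None

# Constructed sample nets; each transition is name -> (level, pre, post).
# Interfering: the high transition h moves the token from p0 to p2, and only
# from p2 can the low transition l2 fire, so a low observer who sees l2
# learns that the controller chose h.
INTERFERING = {
    "l1": ("L", {"p0": 1}, {"p1": 1}),
    "h":  ("H", {"p0": 1}, {"p2": 1}),
    "l2": ("L", {"p2": 1}, {"p3": 1}),
}
INTERFERING_M0 = marking({"p0": 1})

# Secure: h only moves a token between places p5 and p6 that no low
# transition reads, so the low cycle l1/l2 is unaffected by whether h fired.
SECURE = {
    "l1": ("L", {"p0": 1}, {"p1": 1}),
    "l2": ("L", {"p1": 1}, {"p0": 1}),
    "h":  ("H", {"p0": 1, "p5": 1}, {"p0": 1, "p6": 1}),
}
SECURE_M0 = marking({"p0": 1, "p5": 1})

if __name__ == "__main__":
    print(ndc_counterexample(INTERFERING, INTERFERING_M0))   # ('l2',)
    print(is_ndc(SECURE, SECURE_M0))                         # True
```

The returned word is a concrete witness of interference: a low observer who sees `l2` in the first net knows that the hidden high transition `h` must have fired, which is exactly the information flow NDC forbids. The product walk never needs to determinize N\H, only N/H, mirroring the role determinism of N\H plays in the paper’s argument.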

Section 4 extends the analysis to intransitive non‑interference (INI), a more expressive security model that incorporates downgrading actions. INI requires that the controlled (low) component cannot follow a strategy that forces or avoids a synchronized downgrading action depending on decisions the controller has taken since the last downgrading action; high decisions made before a downgrading action are allowed to influence later low behaviour, which transitive NDC would forbid. The authors formalize this by keeping D‑transitions observable and hiding H‑transitions, and the condition to be checked is again a comparison of behaviours obtained from N by syntactic transformation, but one that is local to the stretch of behaviour since the most recent downgrading action rather than global as for NDC. The paper shows that this condition is nevertheless decidable for unbounded nets.

The paper provides illustrative examples (Figures 1a and 1b) showing a net that violates INI and one that satisfies it, demonstrating the practical relevance for discrete‑event control systems where a plant (low component) and a supervisor (high component) interact.

In conclusion, despite the undecidability of general language equivalence and bisimulation for unbounded Petri nets, the specific non‑interference properties studied here are decidable because they can be expressed as a comparison between two syntactic variants of the same net (high transitions hidden versus high transitions removed), one of which is deterministic. The results rely on classical Petri‑net theory (decidability of reachability, deterministic Petri‑net languages and their closure under complement) and open the way for automated security analysis of infinite‑state discrete‑event systems. Future work may explore richer security policies, multiple security levels, and integration with real‑time constraints.

