A System-Level Semantics

Game semantics is a trace-like denotational semantics for programming languages where the notion of legal observable behaviour of a term is defined combinatorially, by means of rules of a game between the term (the “Proponent”) and its context (the “Opponent”). In general, the richer the computational features a language has, the less constrained the rules of the semantic game. In this paper we consider the consequences of taking this relaxation of rules to the limit, by granting the Opponent omnipotence, that is, permission to play any move without combinatorial restrictions. However, we impose an epistemic restriction by not granting Opponent omniscience, so that Proponent can have undisclosed secret moves. We introduce a basic C-like programming language and we define such a semantic model for it. We argue that the resulting semantics is an appealingly simple combination of operational and game semantics and we show how certain traces explain system-level attacks, i.e. plausible attacks that are realizable outside of the programming language itself. We also show how allowing Proponent to have secrets ensures that some desirable equivalences in the programming language are preserved.

💡 Research Summary

The paper proposes a novel “system‑level” game semantics that pushes the relaxation of game‑semantic rules to an extreme: the Opponent (the execution environment) is granted omnipotence, i.e., it may perform any move without combinatorial restrictions, while it is deliberately kept from being omniscient. This epistemic limitation allows the Proponent (the program) to retain secret moves that the Opponent cannot observe. The authors introduce a small C‑like imperative language featuring variables, pointers, dynamic allocation, and first‑class functions, and they define a two‑layer semantics for it.

The first layer is a conventional structural operational semantics that describes internal state transitions (stack, heap, registers). The second layer is a game‑semantic trace layer in which each interaction between Proponent and Opponent is recorded as a sequence of moves. Because the Opponent is omnipotent, it may inject arbitrary actions such as overwriting function pointers, reallocating memory blocks, or invoking code that was never mentioned in the source program. However, the Opponent lacks omniscience, so any secret information that the Proponent keeps internally—e.g., a private key, a nonce generated inside a function, or a hidden control flow branch—does not appear in the trace and cannot be guessed or manipulated by the Opponent.

The authors illustrate the expressive power of this model with concrete attack traces. In one example, the Opponent redefines a function pointer to point to malicious code, causing the Proponent’s intended call to execute the attacker’s routine. In another, the Opponent performs a heap‑spraying maneuver that reuses a freed block to read a secret value left by the Proponent. These traces capture system‑level attacks (code injection, pointer hijacking, privilege escalation) that are outside the reach of ordinary operational semantics, yet they are represented naturally as legal plays in the game.

A central technical contribution is the proof that, despite granting the Opponent such power, many desirable program equivalences are preserved because the Proponent’s secrets remain invisible. For instance, two functions that differ only by an inlineable call or by a dead‑code elimination are still observationally equivalent: the Opponent cannot distinguish them without access to the hidden moves. This shows that the model avoids the over‑discrimination problem typical of “omnipotent + omniscient” game semantics, where any extra internal detail becomes observable.

The paper also discusses the relationship between this system‑level semantics and traditional approaches. Compared with purely operational models, the new semantics requires only a single, simple rule granting the Opponent unrestricted moves, making the definition concise and implementation‑friendly. Compared with standard game semantics, the addition of secret moves is a minimal extension that restores language‑level reasoning while still allowing the representation of arbitrary external interference.

Potential applications are highlighted: the trace‑based view can be integrated into static analysis or model‑checking tools to simulate realistic attack scenarios, and the secret‑preserving property can be leveraged in formal verification of security protocols where secret keys must remain opaque to the environment. The authors argue that this hybrid semantics offers a clean, mathematically rigorous foundation for reasoning about both functional correctness and system‑level security.

In conclusion, by combining an omnipotent but not omniscient Opponent with a Proponent that can hide secret moves, the paper delivers a simple yet powerful semantics that captures realistic attacks, preserves key program equivalences, and bridges the gap between operational and game‑semantic techniques. This work opens a promising direction for formal methods that need to account for adversarial environments without sacrificing the elegance of denotational reasoning.