

# Formal Methods for Security Gate Patterns

Mathematical Foundations for CVE-Surface Reduction

Author: Euman Engineer

Contact: opsec.ee@pm.me

February 2025

License: CC BY-NC 4.0 — <https://github.com/opsec-ee/euman-scanner/blob/main/LICENSE>

---

## 1 Gate Predicate Logic

Let  $S$  be the set of all observable program states. Let  $\Omega = \{ 0, 1, X, Z \}$  be the 4-state gate output domain:

|                           |                                    |
|---------------------------|------------------------------------|
| $0 \equiv \text{PASS}$    | precondition satisfied             |
| $1 \equiv \text{FAIL}$    | violation detected                 |
| $X \equiv \text{UNKNOWN}$ | insufficient information to decide |
| $Z \equiv \text{INVALID}$ | gate inputs themselves are corrupt |

A gate  $G$  is a total function  $G : S \rightarrow \Omega$  satisfying the totality requirement  $\forall s \in S : G(s) \in \Omega$ . No gate may be partial. If the gate cannot evaluate, it returns  $X$  or  $Z$  — never  $\perp$ .

### GATE CLASS PREDICATES

Let  $\text{ptr} \in \text{Addr}$ ,  $\text{rc} \in \mathbb{N}$ ,  $\text{buf} \in \text{Byte}^*$ ,  $\tau \in \text{Type}$ ,  $t \in \text{Time}$ .

|                                       |                                                                                    |
|---------------------------------------|------------------------------------------------------------------------------------|
| $\phi_{\text{UAF}}(\text{ptr})$       | $\equiv \text{ptr} \in \text{Live} \wedge \text{rc}(\text{ptr}) > 0$               |
| $\phi_{\text{DF}}(\text{ptr})$        | $\equiv \text{ptr} \in \text{Live} \wedge \text{freed}(\text{ptr}) = \text{false}$ |
| $\phi_{\text{NUL}}(\text{ptr})$       | $\equiv \text{ptr} \neq 0x0 \wedge \text{page}(\text{ptr}) \in \text{Mapped}$      |
| $\phi_{\text{BOF}}(\text{buf}, i)$    | $\equiv 0 \leq i < \text{len}(\text{buf})$                                         |
| $\phi_{\text{TYP}}(\text{ptr}, \tau)$ | $\equiv \text{typeof}(\text{ptr}) \sqsubseteq \tau$                                |
| $\phi_{\text{RAC}}(r, t)$             | $\equiv \neg \exists t' \in (\text{t\_check}, \text{t\_use}) : \text{mut}(r, t')$  |
| $\phi_{\text{REF}}(\text{rc})$        | $\equiv \text{rc} < \text{RC\_MAX} \wedge \text{rc} \geq 0$                        |

Gate evaluation:

---

```


$$G(s) = \begin{cases} 0 & \text{if } \varphi(s) = \text{true} \\ 1 & \text{if } \varphi(s) = \text{false} \\ X & \text{if } \varphi(s) \text{ is undecidable at runtime} \\ Z & \text{if inputs to } \varphi \text{ are themselves corrupt} \end{cases}$$


```

### UNIVERSAL INVARIANT

For any function  $f$  protected by gate set  $\Gamma = \{G_1, \dots, G_n\}$ :

```

$$\text{pre}(f) \equiv \bigwedge_{i=1}^n (G_i(s) = 0)$$

```

Execution of  $f$  proceeds if and only if all gates pass.

### COMPOSITION ALGEBRA

Gate conjunction, where  $\triangleright$  denotes sequential check:

$$(G_1 \triangleright G_2)(s) = \begin{cases} G_1(s) & \text{if } G_1(s) \neq 0 \\ G_2(s) & \text{if } G_1(s) = 0 \end{cases}$$

Short-circuit:

$$\begin{aligned} G_1(s) = 1 \quad \square \quad (G_1 \triangleright G_2)(s) = 1 && \text{fail-fast} \\ G_1(s) = Z \quad \square \quad (G_1 \triangleright G_2)(s) = Z && \text{corruption propagates} \end{aligned}$$

Ordering on  $\Omega$  (failure lattice):  $Z > 1 > X > 0$ . For a gate vector  $\Gamma = \{G_1, \dots, G_n\}$ :

$$\Gamma(s) = \max(G_1(s), G_2(s), \dots, G_n(s))$$

The worst violation dominates.

---

## 2 Object Lifetime State Machine

Use-after-free and double-free are illegal transitions in the object lifecycle. Gates enforce transition guards.

### DEFINITION

---

```

M = (Q, Σ, δ, q₀, F)

Q = { A, R, D, F, ⊥ }
A = Allocated      memory obtained, not yet referenced
R = Referenced     at least one live reference exists
D = Dereferenced   all references released, rc = 0
F = Freed          memory returned to allocator
⊥ = Error          illegal state – vulnerability triggered

q₀ = A    initial state
F = { F } accepting states
⊥ absorbing: no transitions out

Σ = { alloc, ref, deref, free, access }

```

#### TRANSITION FUNCTION $\delta : Q \times \Sigma \rightarrow Q$

```

δ(A, ref)    = R
δ(A, free)   = F
δ(A, deref)  = ⊥
δ(A, access) = ⊥

δ(R, ref)    = R           rc ← rc + 1
δ(R, deref)  = R           if rc - 1 > 0
δ(R, deref)  = D           if rc - 1 = 0
δ(R, access) = R
δ(R, free)   = ⊥           UAF-001 / CWE-416

δ(D, free)   = F
δ(D, ref)    = ⊥
δ(D, deref)  = ⊥
δ(D, access) = ⊥           UAF-001 / CWE-416

δ(F, alloc)  = A'         reallocation
δ(F, ref)    = ⊥           UAF-001 / CWE-416
δ(F, access) = ⊥           UAF-001 / CWE-416
δ(F, free)   = ⊥           DF-001 / CWE-415

δ(⊥, σ)      = ⊥           ∀σ ∈ Σ

```

#### GATE AS TRANSITION GUARD

---

For any transition  $\delta(q, \sigma)$  where  $\delta(q, \sigma)$  could reach  $\perp$ :

```
δ_guarded(q, σ) = δ(q, σ)      if G_σ(s) = 0  
                      = q          if G_σ(s) ≠ 0      block and log
```

#### SAFETY THEOREM

If every transition into  $\perp$  is guarded by a gate  $G$  where  $G(s)$  is evaluated before  $\delta$ , then:  $\forall$  reachable states  $q : q \neq \perp$

*Proof.* By induction on transition sequences. Base case:  $q_0 = A \neq \perp$ . Inductive step: assume  $q_n \neq \perp$ . If  $\delta(q_n, \sigma) = \perp$ , then  $G_\sigma$  fires and the transition is blocked, so  $q_{n+1} = q_n \neq \perp$ .  $\square$

#### REFCOUNT INVARIANT

For any object  $\mathbf{o}$  with reference count  $rc(\mathbf{o})$ :

```
INV_REF(o) ≡ 0 ≤ rc(o) ≤ RC_MAX
```

where  $RC\_MAX = 2^{31} - 1$

REF-001 gate enforces:

```
pre(ref) : rc(o) < RC_MAX           overflow prevention  
pre(deref) : rc(o) > 0                underflow prevention  
pre(free) : rc(o) = 0 ∧ state(o) = D
```

#### BIJECTIVE CONTRACT

For a function  $f : X \rightarrow Y$  protected by gate  $\mathbf{G}$ :

```
{ G(s) = 0 } f(x) { G(s') = 0 }
```

If the gate passes before  $f$  and  $f$  preserves the invariant, then the gate passes after  $f$ . This is the gate stability property — correct code cannot cause a gate to spontaneously transition from PASS to FAIL.

---

## 3 TOCTOU / RACE-001 Temporal Logic

Race conditions require reasoning over time. We formalize using linear temporal logic over discrete execution steps.

#### TEMPORAL MODEL

---

Let  $T = \{t_0, t_1, t_2, \dots\}$  be a discrete timeline of execution steps across all threads. For resource  $r$ :

```
val(r, t) = value of r at time t  
mut(r, t) = true iff r is mutated at time t
```

### TOCTOU WINDOW

A check-use pair  $(c, u)$  on resource  $r$  defines:

```
W(c, u) = { t ∈ T : t_c < t < t_u }  
  
TOCTOU safety predicate:  
SAFE(r, c, u) ≡ ∀t ∈ W(c, u) : ¬mut(r, t)  
  
RACE-001 gate:  
φ_RAC(r, c, u) = SAFE(r, c, u)
```

### LTL SPECIFICATION

Let  $p$  = resource checked,  $q$  = resource used,  $m$  = resource mutated.

Safety property:

```
□(p → (¬m ∨ q))  
  
Globally, if r is checked, then r is not mutated until r is used.
```

Violation witness:

```
◊(p ∧ ◊(m ∧ ¬q ∧ ◊q))  
  
Eventually r is checked, then eventually mutated before use,  
and then used with stale data.
```

### WINDOW CONTRACTION THEOREM

$$P(\text{race}) \propto |W(c, u)| \times f_{\text{mut}}(r)$$

$|W(c, u)| = t_u - t_c$  window width in cycles  
 $f_{\text{mut}}(r) = \text{mutations/cycle}$  mutation frequency

To minimize  $P(\text{race})$ :

- Strategy 1: Minimize  $|W|$  check immediately before use
- Strategy 2: Lock  $r$  during  $W$  mutex eliminates  $f_{\text{mut}}$
- Strategy 3: REAR verification detect post-hoc

The REAR sidecar implements Strategy 3: REAR asserts  $\text{val}(r, t_c) = \text{val}(r, t_u)$ . If violated, RACE-001 fires retroactively.

### INTERLEAVING SEMANTICS

Let  $\theta = \{\theta_1, \theta_2, \dots, \theta_n\}$  be the set of active threads. RACE-001 is violated iff:

$$\begin{aligned} \exists \sigma \in \text{Interleavings}(\theta) : \\ \exists (c, u) \in \sigma | \theta_i, \exists m \in \sigma | \theta_j \quad (i \neq j) : \\ t_c < t_m < t_u \wedge \text{target}(m) = \text{target}(c) \end{aligned}$$

Gate coverage: a gate set  $\Gamma$  is RACE-COMPLETE for resource set  $R$  iff:

$$\forall r \in R, \forall (c, u) \text{ on } r : \exists G \in \Gamma : G \text{ validates } \text{SAFE}(r, c, u)$$

## 4 Overhead Cost Model

Security levels form a lattice. Gate activation is monotonic over this lattice. The compile-out property guarantees zero cost at the bottom.

### SECURITY LEVEL LATTICE

$$L = \{ \text{NONE}, \text{BASIC}, \text{STANDARD}, \text{PARANOID} \}$$

$$\text{NONE} \sqsubseteq \text{BASIC} \sqsubseteq \text{STANDARD} \sqsubseteq \text{PARANOID}$$

$L$  forms a total order (lattice with  $\sqcap = \min$ ,  $\sqcup = \max$ ).

### GATE ACTIVATION FUNCTION

Let  $\mathbb{G} = \{\text{UAF, DF, NULL, BOF, TYPE, RACE, REF}\}$  be all gate classes. Define activation  $\alpha : L \rightarrow \mathbb{G}(\mathbb{G})$ :

|                           |                                        |
|---------------------------|----------------------------------------|
| $\alpha(\text{NONE})$     | $= \emptyset$                          |
| $\alpha(\text{BASIC})$    | $= \{\text{REF, TYPE}\}$               |
| $\alpha(\text{STANDARD})$ | $= \{\text{REF, TYPE, BOF, NULL}\}$    |
| $\alpha(\text{PARANOID})$ | $= \mathbb{G}$ all gates plus canaries |

Monotonicity:  $l_1 \sqsubseteq l_2 \Rightarrow \alpha(l_1) \subseteq \alpha(l_2)$

## COST FUNCTION

$$\text{Cost}(f, l) = f_i \times \sum \{ c_j : G_j \in \Gamma_f \cap \alpha(l) \}$$

$$\text{Overhead}(l) = \sum_f \text{Cost}(f, l) / \text{Baseline}$$

Measured bounds:

|                    |                |                             |
|--------------------|----------------|-----------------------------|
| Overhead(NONE)     | = 0%           | proven below                |
| Overhead(BASIC)    | $\approx 5\%$  | REF + TYPE only             |
| Overhead(STANDARD) | $\approx 10\%$ | plus bounds checks          |
| Overhead(PARANOID) | $\approx 20\%$ | all gates + memory canaries |

## COMPILE-OUT THEOREM

Claim: Overhead(NONE) = 0 exactly.

*Proof.*  $\alpha(\text{NONE}) = \emptyset$  by definition.  $\Rightarrow \forall f : \Gamma_f \cap \alpha(\text{NONE}) = \emptyset$  (intersection with  $\emptyset$ ).  $\Rightarrow \forall f : \text{Cost}(f, \text{NONE}) = 0$  (empty sum).  $\Rightarrow \text{Overhead}(\text{NONE}) = 0/B = 0$ .  $\square$

Implementation: GATE\_CHECK(id, ...) expands to ((void)0) when SECURITY\_LEVEL = NONE. Any C++ optimizer with dead code elimination removes this entirely.

## COST ORDERING

$$l_1 \sqsubseteq l_2 \Rightarrow \text{Overhead}(l_1) \leq \text{Overhead}(l_2)$$

Cost is monotonically non-decreasing with security level. You pay strictly for what you enable.

## 5 Sidecar Composition

The three-thread sidecar model as a formal pipeline with verification completeness.

## PIPELINE MODEL

```
FRONT : S → S × Hint  
LEAD  : S × Hint → S'  
REAR  : S × S' → { ✓, ✗ }
```

Pipeline composition:

```
(h, s1) = FRONT(s0)      predict and prefetch  
s2       = LEAD(s1, h)      authoritative execution  
result    = REAR(s1, s2)    postcondition verification
```

FRONT is advisory:  $\forall h : \text{LEAD}(s, h) = \text{LEAD}(s, \perp)$

Hints improve performance, not correctness.

## REAR VERIFICATION SEMANTICS

REAR checks a set of postconditions  $\Pi = \{\pi_1, \dots, \pi_k\}$ :

```
REAR(s, s') =  $\Box \pi_i(s, s')$  for i = 1 to k  
  
 $\pi_{\text{UAF}}(s, s') \equiv \forall \text{ptr freed in } s \rightarrow s' : \text{rc(ptr, s)} = 0$   
 $\pi_{\text{BOF}}(s, s') \equiv \forall \text{write(buf, i) in } s \rightarrow s' : i < \text{len(buf, s)}$   
 $\pi_{\text{RAC}}(s, s') \equiv \forall (c, u) \text{ in } s \rightarrow s' : \text{val}(r, t_c) = \text{val}(r, t_u)$   
 $\pi_{\text{TYPE}}(s, s') \equiv \forall \text{cast(ptr, t) in } s \rightarrow s' : \text{typeof(ptr, s)} \sqsubseteq t$ 
```

## VERIFICATION COMPLETENESS

REAR is complete for gate set  $\square\square$  iff:

```
 $\forall G \in \square\square, \forall (s, s') :$   
  G would have returned 1 on some sub-state of  $s \rightarrow s'$   
   $\Box \text{REAR}(s, s') = x$ 
```

## DEFENSE IN DEPTH THEOREM

Let  $\Gamma_{\text{pre}}$  be gates checked before LEAD. Let  $\Pi_{\text{post}}$  be REAR postconditions. If  $\Pi_{\text{post}}$  is complete for  $\square\square$ , then:  $\forall$  vulnerability  $v \in \square\square : v$  is caught by  $\Gamma_{\text{pre}}$  (before damage)  $\vee v$  is caught by  $\Pi_{\text{post}}$  (after execution, before propagation). No vulnerability in the gate taxonomy escapes both layers.

## VIEWER-SPECIFIC MAPPING

|       |               |                         |                                        |
|-------|---------------|-------------------------|----------------------------------------|
| FRONT | $\rightarrow$ | Interest List / LOD     | $h = \text{prefetch\_hints}(s)$        |
| LEAD  | $\rightarrow$ | Main Loop (render, sim) | $s' = \text{execute}(s, h)$            |
| REAR  | $\rightarrow$ | (does not exist yet)    | $\text{result} = \text{verify}(s, s')$ |

Composition guarantee:

$$\text{REAR}(\text{LEAD}(s, \text{FRONT}(s))) \quad \square \quad \pi \in \Pi$$

When REAR returns  $\square$ : gate fires retroactively, state is rolled back or quarantined, and the violation is logged with full  $(s, s', \pi)$  context.

## Notation Reference

|                  |                 |                       |                      |
|------------------|-----------------|-----------------------|----------------------|
| $\forall$        | for all         | $\exists$             | there exists         |
| $\wedge$         | logical AND     | $\vee$                | logical OR           |
| $\neg$           | logical NOT     | $\square$             | implies              |
| $\square$        | if and only if  | $\in$                 | element of           |
| $\subseteq$      | subset of       | $\sqsubseteq$         | subtype of           |
| $\emptyset$      | empty set       | $\square\!\square(X)$ | power set of X       |
| $\sqcap$         | conjunction     | $\models$             | satisfies / models   |
| $\Box$           | always (LTL)    | $\diamond$            | eventually (LTL)     |
| $\mathbf{U}$     | until (LTL)     | $\perp$               | bottom / undefined   |
| $\circ$          | fn composition  | $\sqcup$              | parallel composition |
| $\triangleright$ | sequential gate | $\blacksquare$        | end of proof         |
| $\sqcap$         | lattice meet    | $\sqcup$              | lattice join         |
| $\mathbb{N}$     | natural numbers | $\Omega$              | gate output domain   |
| $\alpha$         | gate activation | $\delta$              | transition function  |
| $\sigma$         | execution trace | $\Theta$              | thread set           |
| $\Gamma$         | gate set        | $\Pi$                 | postcondition set    |
| $\varphi$        | gate predicate  | $\pi$                 | postcondition pred   |