Comparing controlled system synthesis and suppression enforcement

Runtime enforcement and control system synthesis are two verification techniques that automate the process of transforming an erroneous system into a valid one. As both techniques can modify the behaviour of a system to prevent erroneous executions, they are both ideal for ensuring safety. In this paper, we investigate the interplay between these two techniques and identify control system synthesis as being the static counterpart to suppression-based runtime enforcement, in the context of safety properties.

using techniques such as model checking (MC) [3,13], or post-deployment (dynamically), as per runtime verification (RV) [12,21,27]. In both cases, any error discovered during the verification serves as guidance for identifying the invalid parts of the system that require adjustment.
Other post-deployment techniques, such as runtime enforcement (RE), additionally attempt to automatically transform the invalid system into a valid one. Runtime enforcement [6,16,26,28] adopts an intrusive monitoring approach by which every observable action executed by the SuS is scrutinised and modified as necessary by a monitor at runtime. Monitors in RE may be described in various ways, such as: transducers [6,9,32], shields [26] and security automata [18,28,34]. They may opt to replace the invalid actions by valid ones, or completely suppress them, thus rendering them immaterial to the environment interacting with the SuS; in certain cases, monitors can even insert actions that may directly affect the environment. Different enforcement strategies are applied depending on the property that needs to be enforced.
A great deal of effort [7,14,[23][24][25] has been devoted to studying the interplay between static and dynamic techniques, particularly to understand how the two can be used in unison to minimise their respective weaknesses. It is well established that runtime verification is the dynamic counterpart of model checking, which means that a subset of the properties verifiable using MC can also be verified dynamically via RV. In fact, multi-pronged verification approaches often use RV in conjunction with MC. For instance, system verification based on MC is often carried out with respect to a model of the environment in which the studied system operates. This makes the sole use of model-checking techniques problematic in settings, such as mobile robotics, where the precise conditions in which systems operate are often known only at runtime and may change over time. Here, RV can be used to check post-deployment the environmental conditions used to validate systems at design time [14]. Sometimes, MC is used to statically verify the parts of the SuS which cannot be verified dynamically (e.g. due to inaccessible code or high impact on the performance of the SuS), while RV is then used to verify other parts dynamically in order to minimise the state explosion problem inherent to MC.
A natural question to ask is which technique can be considered as the static counterpart to runtime enforcement, i.e. a technique that can statically achieve the same (or equivalent) results as per runtime enforcement. Identifying such a technique is quite desirable as it would allow for properties to be enforced statically when dynamic verification is not ideal, e.g. when the monitor's runtime overheads are infeasible, and vice versa, e.g. to mitigate state explosions during static analysis. Such a technique therefore enables the possibility of adopting a multi-pronged enforcement approach that is similar to the one used for verification with RV and MC, but from an enforcement perspective. One promising static technique that has several aspects in common with runtime enforcement is controlled system synthesis (CSS) [10,15,30,35]. This approach analyses the state space of the SuS and reformulates it pre-deployment to remove the system's ability of executing erroneous behaviour. As a result, a restricted (yet valid) version of the SuS is produced; this is known as a controlled system.
The primary aim of both RE and CSS is to force the resulting monitored/controlled system to adhere to the respective property-this is known as soundness in RE and validity in CSS. Further guarantees are also generally required to ensure minimal disruption to valid systems-this is ensured via transparency in RE and maximal permissiveness in CSS. As both techniques may adjust systems by omitting their invalid behaviours, they are ideal for ensuring safety. These observations, along with other commonalities, hint at the existence of a relationship between runtime enforcement and controlled system synthesis, in the context of safety properties.
In this paper, we conduct a preliminary investigation on the interplay between the above-mentioned two techniques with the aim of establishing a static counterpart for runtime enforcement. We intend to identify a set of properties that can be enforced either dynamically, via runtime enforcement, or statically via controlled system synthesis. In this first attempt, we, however, limit ourselves to study this relationship in the context of safety properties. As a vehicle for this comparison, we choose the recent work on CSS by van Hulst et al. [35] and compare it to our previous work, presented in [6], on enforc-ing safety properties via action suppressions. We chose these two bodies of work as they are accurate representations of the two techniques. Moreover, they share a number of commonalities including their choice of specification language, modelling of systems, etc. To further simplify our comparison, we formulate both techniques in a core common setting and show that there are subtle differences between them even in that scenario. Specifically, we identify a common core within the work presented in [6,35] by: -working with respect to the Safe Hennessy Milner Logic with invariance (sHML inv ), that is, the intersection of the logics used by both works, namely, the Safe Hennessy Milner Logic with recursion (sHML) in [6] and the Hennessy Milner Logic with invariance and reachability (HML reach inv ) in [35], -removing constructs and aspects that are supported by one technique and not by the other, and by -taking into account the assumptions considered in both bodies of work.
To our knowledge, no one has yet attempted to identify a static counterpart to RE, and an insightful comparison of RE and CSS has not yet been conducted. As part of our investigation, we offer the following contributions: (i) We prove that the monitored system obtained from instrumenting a suppression monitor derived from a formula, and the controlled version of the same system (by the same formula) are trace (language) equivalent, that is, they can execute the same set of traces, Theorem 2. (ii) When restricted to safety properties, controlled system synthesis is the static counterpart (Definition 3) to runtime enforcement, Theorem 3. (iii) In spite of (i) and (ii), both of the obtained systems need not be observationally equivalent, Theorem 4.
Although (i) suffices to deduce (ii) since it is well known that trace equivalent systems satisfy the exact same set of safety properties, Theorem 1, (iii) entails that a very powerful external observer can, at least in principle, tell the difference between these two resultant systems [1].
Structure of the paper. This article is an extended version of [8]; it includes improved and more expanded explanations and examples, along with the complete proofs for our theorems. The rest of the paper is structured as follows. Section 2 provides the necessary preliminary material describing how we model systems as labelled transition systems and properties via the chosen logic. In Sect. 3 we give an overview of the simplified versions of the enforcement model presented in [6] and the controlled system synthesis rules of [35]. In Sect. 4, we then present our first set of contributions consisting of a mapping function that derives enforcement monitors from logic formulas, and the proof that the obtained monitored and controlled versions of a given system are trace equivalent. Section 5 then presents a deeper comparison of the differences and similarities between the two models, followed by our second contribution which disproves the observational equivalence of the two techniques. This allows us to establish that controlled system synthesis is the static counterpart to enforcement when it comes to safety properties. Section 6 overviews related work, and Sect. 7 concludes.

Preliminaries
The model We assume systems described as labelled transition systems (LTSs), which are triples Sys, (Act∪{τ }), → defining a set of system states, s, r , q ∈ Sys, a finite set of observable actions, α, β ∈ Act, and a distinguished silent action τ / ∈ Act, along with a transition relation, −→ ⊆ (Sys × Act ∪ {τ } × Sys). We let μ ∈ Act ∪ {τ } and write s μ − →r in lieu of (s, μ, r ) ∈ →. We use s α ⇒ r to denote weak transitions representing s( τ − →) * · α − → r and refer to r as an α-derivative of s. Traces t, u ∈ Act * range over (finite) sequences of observable actions, and we write s t ⇒ r for a sequence of weak transitions s . . , α n for some n ≥ 0; when n = 0, t is the empty trace ε and s ε ⇒r means s τ − →*r . For each μ ∈ Act ∪ {τ }, the notationμ stands for ε if μ = τ and for μ otherwise. We write traces(s) for the set of traces executable from system state s, that is, t ∈ traces(s) iff s t ⇒r for some r . We use the syntax of the regular fragment of CCS [29] to concisely describe LTSs in our examples. We also assume the classic notions for trace (language) equivalence and observational equivalence, that is, weak bisimilarity [29,33].
Definition 1 (Trace Equivalence) Two LTS system states s and r are trace equivalent iff they produce the same set of traces, i.e. traces(s) = traces(r ).

Definition 2 (Observational Equivalence)
A relation R over a set of system states is a weak bisimulation iff whenever (s, r ) ∈ R the following transfer properties are satisfied, for every action μ: s μ − →s' implies there exists a transition rμ ⇒r ' such that (s , r ) ∈ R; and r μ − →r ' implies there exists a transition sμ ⇒s' such that (s , r ) ∈ R.
Two system states s and r are observationally equivalent, denoted by s ≈ r , iff there exists a weak bisimulation that relates them. The Logic The safety logic sHML [2,3] is defined as the set of formulas generated by the grammar of Fig. 1. It assumes a countably infinite set of logical variables X , Y ∈ LVar and provides the standard constructs of truth, tt, falsehood, ff, and conjunctions, ϕ∧ψ. As a shorthand, we occasionally denote conjunctions as i∈I ϕ i , where I is a finite set of indices, and when I = ∅, i∈∅ ϕ i stands for tt. The logic is also equipped with the necessity (universal) modality, [α]ϕ, and allows for defining recursive properties using greatest fixpoints, max X .ϕ, which bind free occurrences of X in ϕ. We additionally encode the invariance operator, ϕ , requiring ϕ to be satisfied by every reachable system state, as the recursive property, max X .ϕ ∧ β∈Act [β]X , where X is not free in ϕ.
Formulas in sHML are interpreted over the system powerset domain where S∈P(Sys). The semantic definition of Fig. 1, ϕ, ρ , is given for both open and closed formulas. It employs a valuation from logical variables to sets of states, ρ ∈ (LVar → P(Sys)), which permits an inductive definition on the structure of the formulas. In that definition, ρ = ρ[X → S] denotes the valuation where ρ (X ) = S and ρ (Y ) = ρ(Y ) for all other Y = X . We assume closed formulas, i.e. without free logical variables, and write ϕ in lieu of ϕ, ρ since the interpretation of a closed formula ϕ is independent of the valuation ρ. A system (state) s satisfies formula ϕ whenever s ∈ ϕ .
Example 1 Consider two systems (a good system, s g , and a bad one, s b ) implementing a server that repeatedly accepts requests, answers them in response, and logs the serviced request.
It also terminates upon accepting a close request. Whereas s g outputs a single answer (ans) for every request (req), s b occasionally produces multiple answers for a given request (see the underlined branch in the description of s b below). Both systems terminate with cls .  We can specify that a request followed by two consecutive answers indicates invalid behaviour via the sHML formula ϕ 0 .
where Act def = {ans, req, cls}. The above formula defines an invariant property requiring that, at every reachable state, whenever the system produces an answer, it cannot produce a subsequent answer, i.e. [ans]ff. Using the semantics in Fig. 1, one can check that s g ∈ ϕ 0 , whereas s b / ∈ ϕ 0 since it exhibits . ., amongst others.

Controlled system synthesis and suppression enforcement
We present the simplified models for suppression enforcement and controlled system synthesis adapted from [6] and [35], respectively. Both models describe the composite behaviour attained by the respective techniques. In suppression enforcement, the composite behaviour describes the observable behaviour obtained when the monitor and the SuS interact at runtime, while in controlled system synthesis, it describes the structure of the resulting controlled system obtained statically prior to deployment.
To enable our comparison between both approaches, we standardise the logics used in both works and restrict ourselves to sHML inv , defined in Fig. 2. sHML inv is a strict subset of sHML which results from the intersection of sHML, used for suppression enforcement in [6], and HML reach inv , used for controlled system synthesis in [35]. Although the work on CSS in [35] assumes that systems do not perform internal τ actions and that output labels may be associated to system states, the work on RE assumes the converse. We therefore equalise the system models by working with respect to LTSs that do not associate labels to states, and do not perform τ actions. We, however, assume that the resulting monitored and controlled systems may still perform τ actions.
Since we do not focus on state-based properties, the removal of state labels is not a major limitation as we are only forgoing additional state information from the SuS. Although the removal of τ actions requires the SuS to be fully observable, this does not impose significant drawbacks as the work on CSS can easily be extended to allow such actions.
Despite the fact that controlled system synthesis differentiates between system actions that can be removed (controllable) and those which cannot (uncontrollable), the work on enforcement does not. This is also not a major limitation since enforcement models can easily be adapted to make such a distinction. However, in our first attempt at a comparison, we opt to simplify the models as much as possible, and so to enable our comparison we assume that every system action is controllable and can be removed and suppressed by the respective techniques.
Finally, since we do not liberally introduce constructs that are not present in the original models of [6,35], the simplified models are just restricted versions of the original ones. Hence, the results proven with respect to these simplified models should either apply to the original ones or can be extended easily to the more general setting.

A model for suppression enforcement
We use a simplified version of the operational model of enforcement presented in [6], which uses the transducers m, n ∈ TR N defined in Fig. 3. Transducers define transformation pairs, ⁅β, μ⁆, which intuitively state that β actions performed by the system should be transformed into μ actions. A transformation pair thus acts as a function that takes as input a system action α and transforms it into μ whenever α = β. As a shorthand, we sometimes write ⁅β⁆ in lieu of ⁅β, β⁆ to signify that actions equal to β will remain unmodified.
The transition rules in Fig. 3 yield an LTS with labels of the form α μ . Intuitively, a transition m α μ −−→ n denotes the fact that the transducer in state mtransforms the visible action α (produced by the system) into action μ and transitions into state n. In this sense, the transducer action α α denotes the identity transformation, while α τ encodes the suppression transformation of action α. The key transition rule is eTrn. It states that the transformation-prefix transducer ⁅α, μ⁆.m can transform action α into μ, as long as the specifying action α is the same as the action performed by the system. In this case, the transformed action is μ, and the transducer state that is reached is m.
The remaining rules eSel and eRec, respectively, define the standard selection and recursion operations. A sum of transducers i∈I m i (where I is a finite set) can reduce via eSel to some n j over some action α μ, whenever there exists a transducer m j in the summation that reduces to n j over the same action. Rule eRec enables a recursion transducer rec x.m to reduce to some n when its unfolded instance m{rec x.m/x} reduces to n as well. We encode the identity monitor, id, and the suppression monitor, sup, as rec x. β∈Act ⁅β⁆.x and rec x. β∈Act ⁅β, τ ⁆.x, respectively, i.e. as recursive monitors, respectively, defining an identity and suppression transformation for every possible action β ∈ Act that can be performed by the system. Figure 3 also describes an instrumentation relation, which composes the behaviour of the SuS s with the transformations of a transducer monitor mthat agrees with the (observable) actions Act of s . The term m[s] thus denotes the resulting monitored system whose transitions are labelled with actions in Act ∪ {τ } from the system's LTS. Concretely, rule iTrn states that when a system s transitions with an observable action α to s' and the transducer m can transform this action into μ and transition to n, the instrumented system m[s] transitions with action μ to n[s ] . Rule iDef is analogous to standard monitor instrumentation rules for premature termination of the transducer [5,19,20,22], and accounts for underspecification of transformations. Thus, if a system s transitions with an observable action α to s', and the transducer mdoes not specify how to transform that action (m α − →), the system is still allowed to transition, while the transducer defaults to acting like the identity monitor, id, from that point onwards.

Example 2
Consider the suppression transducer m s below: where sup recursively suppresses every action β ∈ Act that can be performed by the system from that point onwards. When instrumented with system s b from Example 1, the monitor prevents the monitored system m s [s b ] from answering twice in a row by suppressing the second answer and every When equipped with this dynamic action suppression mechanism, the resulting monitored system m s [s b ] never violates formula ϕ 0 at runtime-this is illustrated by the runtime execution graph in Fig. 4. Figure 5 presents a synthesis function that takes a system Sys, Act, → and a formula ϕ ∈ sHML and constructs a controlled version of the system that satisfies the formula.

Synthesising controlled systems
The new system is synthesised in two stages. In the first stage, a new transition relation − →⊆ (Sys×sHML)×Act×(Sys× sHML) is constructed over the state-formula product space, (Sys × sHML). Intuitively, a state (s, ϕ) represents a version of state s that is controlled according to the constraints required by ϕ. A μ-transition (s,ϕ) μ − →(s',ϕ') represents a reduction from one controlled state to another. The transition relation associates a sHML formula to the initial system state and defines how this changes when the system transitions to other subsequent states. The composite behaviour of the formula and the system is statically computed using the first five rules in Fig. 5.
cBool adds a transition from (s, b) when the formula is b ∈ tt, ff if that transition is possible in s . Rules cNec1 and cNec2 add a transition from [α]ϕ to ϕ when s has a transition over α , and to tt if it reduces over β = α. cAnd adds a transition for conjunct formulas, ϕ∧ψ, when both formulas can reduce independently to some ϕ and ψ , with the formula of the end state of the new transition being min(ϕ ∧ψ ). Finally, cMax adds a fixpoint max X .ϕ transition to min(ψ), when its unfolding can reduce to ψ. In both cAnd and cMax, min(ϕ) stands for a minimal logically equivalent formula of ϕ. This is an oversimplification of the syntactic manipulation techniques used in [35] to avoid synthesising an infinite LTS due to invariant formulas and conjunctions, see [35] for more details. Instead of defining a rule for fixpoints, the authors of [35] define a synthesis rule directly for invariance stating that when (s, ϕ) α − → (s , ϕ ), then (s, ϕ) α − →(s',min( ϕ∧ϕ )). We, however, opted to generalise this rule to fixpoints to simplify our comparison, while still limiting ourselves to sHML inv formulas. This is possible since by encoding ϕ as max X .ϕ ∧ β∈Act [β]X , we get that X )∧ϕ and min(ψ) is the encoded version of min( ϕ∧ϕ ).
The second stage of the synthesis involves using rule cTr to remove invalid transitions that lead to violating states; this yields the required transition function for the controlled system. This rule relies on the synthesizability test rules to tell whether a controlled state, (s,ϕ), is valid or not. Intuitively, the test rules fail whenever the current formula ϕ is semantically equivalent to ff, e.g. formulas max X .([α]X ∧ff) and ϕ∧ff both fail the synthesizability test rules as they are equiv-alent to ff. Concretely, the test is vacuously satisfied by truth, tt, logical variables, X , and guarded formulas, [α]ϕ, as none of them are logically equivalent to ff. Conjunct formulas, ψ 1 ∧ψ 2 , pass the test when both ψ 1 and ψ 2 pass independently. A fixpoint, max X .ϕ , is synthesisable if ϕ passes the test.
Transitions that lead to a state that fails the test are therefore removed, and transitions outgoing from failing states become redundant as they are unreachable. The resulting transition function is then used to construct the controlled LTS (Sys × sHML inv ), Act, → .

Example 4
From ϕ 0 and s b of Example 1, we can synthesise a controlled system in two stages. In the first stage, we compose them together using the composition rules of

Establishing a static counterpart to enforcement
To be able to establish whether CSS is a static counterpart to suppression enforcement, we must first formalise the meaning of a "static counterpart". We thus define it as Definition 3.

Definition 3 (Static Counterpart)
A static verification technique S is the static counterpart of suppression enforcement (in the context of safety properties) when, for every LTS Sys, Act, → , formula ϕ ∈ sHML inv and s ∈ Sys, there exists a transducer mso that m[s] ∈ ϕ iff S(s) ∈ ϕ (where S(s) is a statically reformulated version of s obtained from applying S).
Determining that CSS is the static counterpart of suppression enforcement (as stated by Definition 3) is inherently difficult as it requires showing that every sHML inv formula (of which there is an infinite amount) can be enforced using both techniques. Despite this, Examples 2 and 4 already provide the intuition that there exists some level of correspondence between these two techniques. In fact, from the monitored execution graph of Fig. 4 and the controlled LTS in Fig. 6 one can notice that they both execute the same set of traces, and are therefore trace equivalent. Since trace equivalent systems satisfy the same set of safety properties (Theorem 1), establishing trace equivalence suffices to conclude that the controlled LTS is statically achieving the same Fig. 6 The LTS obtained from controlling s b via ϕ 5 result obtained dynamically by the monitored one, and that it is therefore its static counterpart.
We thus begin by showing that trace equivalent systems satisfy the same set of safety properties. As the (recursionfree) subset of sHML characterises regular safety properties [22], this means that systems sharing the same traces also satisfy the same sHML formulas.

Theorem 1 Let s and r be system states in an LTS. Then, traces(s) = traces(r ) iff s and r satisfy exactly the same sHML formulas.
The proof for this theorem we present relies on the work on detection (runtime verification) monitors by Francalanza et al. in [22]. Detection monitors d in [22] can reject a trace t at runtime by issuing the verdict no whenever they detect that an sHML formula has been violated by t, i.e. Detection soundness states that if a system state s executes a trace t that gets rejected by a detection monitor d, then s violates ϕ. Completeness states the converse. Using this framework we can now easily prove Theorem 1 as follows.

Proof for Theorem 1 Assume that
traces(s) ⊆ traces(r ) and that (1) Knowing (2) and Detection Completeness from [22], we can infer that there exists a trace t, and detection monitor d, such that when s executes t, d rejects it for being invalid, i.e.d t ⇒no. Hence, since from (1) we know that the invalid trace t can also be executed by r , by Detection Soundness from [22] we can also conclude that r / ∈ ϕ as required, and we are done.
Hence, since trace equivalent systems satisfy the same set of safety properties (Theorem 1), it suffices to conclude that the controlled LTS can produce the same set of traces as that generated by a monitored one at runtime.  ((s, ϕ)).
The existential quantification on the monitor min Theorem 2 entails the need of using some sort of mapping that maps sHML inv formulas to suppression monitors. To be able to prove this result, we thus define a function that maps sHML inv formulas to enforcement transducers. We reduce the complexity of this mapping by defining it over the normalised sHML formulas instead.

Definition 4 (sHML normal form)
The set of normalised sHML formulas is defined as: In addition, a normalised sHML formula ϕ must satisfy the following conditions: 1. In each subformula of ϕ of the form i∈I [α i ]ϕ i , the α i 's are pairwise different, denoted as # i∈I α i , i.e. ∀i, j ∈ I · if i = j then α i = α j . 2. For every max X .ϕ we have X ∈ fv(ϕ).

Every logical variable is guarded by a modal necessity.
In previous work [4,6], we proved that, despite being a syntactic subset of sHML, sHML nf is semantically equivalent to sHML. Hence, since sHML inv is a (strict) subset of sHML, for every sHML inv formula we can always find an equivalent sHML nf formula. This means that by defining our mapping function in terms of sHML nf , we can still map every formula in sHML inv to the respective monitor.
We proceed to define our mapping function over normalised sHML formulas.

Definition 5
We inductively define the mapping function − : sHML nf → TR N as follows: The function is compositional. It assumes a bijective mapping between fixpoint variables and monitor recursion variables and converts logical variables X accordingly, whereas maximal fixpoints, max X .ϕ, are converted into the corresponding recursive monitor. The function also converts truth and falsehood formulas, tt and ff, into the identity monitor id and the suppression monitor sup, respectively. Normalised conjunctions, i ∈ I [α i ]ϕ i , are mapped into a summation of monitors, i∈I m i , where every branch m i can be either prefixed by an identity transformation when ϕ i = ff, or by a suppression transformation otherwise.
Notice that the requirement that ϕ i = ff in Definition 5 is in some sense analogous to the pruning of transitions applied by the CSS rule cTr of Fig. 5 to retain the valid transitions only. In this mapping function, this requirement is essential to ensure that only the actions that do not lead to violations of the input formula remain unsuppressed by the resulting monitor.

Example 5
Recall formula ϕ 0 from Example 1 which can be normalised as: Using the mapping function defined in Definition 5, we generate monitor which is identical to m s from Example 2.
With this mapping function in hand, we are able to prove Theorem 2 as a corollary of Proposition 1. ((s, ϕ)) where ϕ = m.

Proposition 1 For every LTS Sys, Act, → , sHML nf formula ϕ, s ∈ Sys and trace t, it holds that t ∈ traces(m[s]) iff t ∈ traces
In our proof, we rely on Lemma 1.

Lemma 1 For every system s and r , sHML nf formula ϕ and
The proof for this lemma is provided after that of Proposition 1. We now proceed to prove the if and only-if cases separately as follows.

Proof for the only-if case
We proceed by induction on the length of t. Case 1 (t =ε) This case holds vacuously since the empty trace can be executed by every system, that is, ε ∈ traces((s, ϕ)) as required.

Case 2 (t =α t')
Assume that αt ∈ traces( ϕ [s]) and so by the definition of traces we know that there exists a system r such that t ∈ traces(r ) (3) and that ϕ [s] α ⇒ r . Hence, by Lemma 1 we get that We now proceed by case analysis on ϕ.
ϕ ∈ {X , ff}: These cases do not apply since they contradict assumption (4), namely since m · X = m, and since ∀t ∈ Act · ff [s] t ⇒ where ff = sup. -ϕ = tt: Since tt = id, by rule iTrn, from (4) we get that and that r = id[s ] = tt [s ] which in conjunction with (3) and the inductive hypothesis we can deduce that t ∈ traces((s , tt)).
, we must explore the instrumentation rules that permit for the αreduction in (4).
-iTrn: By applying rule iTrn to (4), we have that and that so that by rules eSel and eTrn we know that Knowing (7), (9) and that ϕ j = ff we can synthesise the controlled transition Moreover, since the conjunct modal necessities are pairwise disjoint, from (9) we infer that for every i ∈ I \ { j}, α i = α and so we can synthesise the controlled transition (s, [α i ]ϕ i ) α − → (s , tt) which in conjunction with (11) can be synthesised as the transition since min(ϕ j ∧ i∈I \{ j} tt) = ϕ j . Finally, since by (3), (8), (10) and the inductive hypothesis we have that t ∈ traces((s , ϕ j )), from (12) we conclude that αt ∈ traces((s, i∈I [α i ]ϕ i )) as required. -iDef: By rule iDef we get that and that which we can infer that for every i ∈ I , α i = α. With this result, from (13) we can thus synthesise the controlled transition (s, i∈I [α i ]ϕ i ) α − → (s , tt) and so since tt = id and by (3), (14) and the inductive hypothesis we have that t ∈ traces ((s , tt)). Hence, we can conclude that αt ∈ traces((s, i∈I [α i ]ϕ i )) as required.
ϕ = max X .ϕ : Since X ∈ fv(ϕ ) we can deduce that ϕ / ∈ {tt, ff}, and also that ϕ = X since logical variables are required to be guarded in sHML nf . We can thus infer that ϕ adheres to a specific structure, that is, is an arbitrary number of fixpoint declarations, possibly none). Hence, since from (4) we can also infer that α − → r , and since fixpoint unfolding preserves semantics, we get that After reaching the point where we know (15), the proof proceeds as per the previous case (i.e. when ϕ = i∈I [α i ]ϕ i ). We thus skip this part of the proof and simply deduce that αt ∈ traces((s, i∈I [α i ]ϕ i {..})).
Hence, since unfolded recursive formulas are equivalent to their folded versions, and since ϕ is defined as max Y 0 ...Y n . i∈I [α i ]ϕ i , we can thus deduce that αt ∈ traces((s, max X .ϕ )) as required, and so we are done.

Proof for the if case
We again proceed by induction on the structure of t.
Case 3 (t =ε) This case holds vacuously since ε ∈ traces( ϕ [s]) as required. ∈ traces((s, ϕ)) and so by the definition of traces we know that there exists a system r such that

Case 4 (t =α t') Assume that αt
We proceed by case analysis on ϕ.
ϕ ∈ {ff, X }: These cases do not apply because state (s,ϕ) is invalid. , tt), this case holds trivially since r = (s , tt) and so by (17)  ϕ = i∈I [α i ]ϕ i and # i∈I α i : In this case we have that ∃ψ · r = (s , min(ψ)) (19) and so since the branches of the conjunction are disjoint, we only need to further investigate the following cases: -∀i ∈ I · α i = α: Hence, from (18) and by rule cNec2 we can infer that for every i ∈ I we have that 20) min(ψ) = tt (since ψ = i∈I tt).
Therefore, as we know (20) and that for every i ∈ I then α i = α, by rules eTrn and eSel we can infer that i∈I ⁅α i , α i ⁆. ϕ i if ϕ i = ff ⁅α i , τ ⁆. ff otherwise α − → and so by the definition of − and rule iDef we conclude that Finally, from (17), (19), (21) and by the inductive hypothesis we have that t ∈ traces( tt [s ]) and so from (22), we infer that αt ∈ traces( i∈I [α i ]ϕ i [s]). -∃ j ∈ I · η j = α but ∀i ∈ I \ { j} · α i = α: In this case, from the controlled synthesis rules and from (18) where ϕ j = ff, as otherwise, if ϕ j = ff the resulting state (s , min(ff)) would be invalid and thus removed by the synthesis along with any transitions leading to it (including (18)). Knowing that there exists j ∈ I so that α j = α and by rule eTrn we can also deduce that ⁅α j , α j ⁆. ϕ j α α − −− → ϕ j and so by rule eSel we have that This means that by (23), rule iTrn and the definition of − we conclude that Finally, since from (17), (19), (24) and the inductive hypothesis we know that t ∈ traces( ϕ j [s ]), from (25) we can infer that αt ∈ traces( i∈I [α i ]ϕ i [s]) as required.
ϕ = max X .ϕ and X ∈ fv(ϕ ): We now have that and so since ϕ can neither be X (since sHML nf requires fixpoint variables to be guarded) nor ff or tt (since X ∈ fv(ϕ )) we can deduce that ϕ must have the form max Y 0 ...Y n . i∈I [α i ]ϕ i and so since fixpoint unfolding preserves formula semantics, from (26) we can subsequently deduce that From this point onwards the proof proceeds as per the previous case (ϕ = i∈I [α i ]ϕ i ), we thus skip this part of the proof and safely conclude that Since fixpoint folding preserves semantics and ϕ = max Y 0 ...Y n . i∈I [α i ]ϕ i , from (27) we thus conclude that αt ∈ traces( max X .ϕ [s]) as required, and so we are done.
We now prove the auxiliary Lemma 1 as follows. The reader may safely skip the following proofs upon first reading and proceed from Page 11.
Proof for Lemma 1 We must prove that for every system state s and r , sHML nf formula ϕ and action α, Since we assume that the SuS s does not perform τ actions, by the rules in our enforcement model we know that the only case when a τ reduction is part of a monitored execution occurs when the monitor suppresses a (visible) action of s. We proceed by case analysis on ϕ.
Case 6 (ϕ =tt) Since tt = id cannot suppress any action, we deduce that the weak transition in ( tt , s) α ⇒ r is in fact a strong one and so that ( tt , s) α − → r as required.
From the weak reduction in (28), we infer that the system must perform some action β which is then suppressed by one of the monitor's branches, and so there must exist an index j ∈ I so that α j = β and ⁅α j , τ ⁆. ff β τ ⇒ ff . However, since ff = sup, we know that if any invalid action β were to be executed by s and, as a consequence, suppressed by the monitor, any subsequent action (including α) would also be suppressed by sup, in which case the instrumented system in (28) would be unable to eventually execute α and thus yield a contradiction. Therefore, the only way that transition (28) can happen is when the monitor does not suppress any action prior to executing α, which thus means that the weak reduction in (28) is in fact a strong one, i.e.
Case 8 (ϕ =max X .ϕ where X ∈fv(ϕ )) Assume that max X .ϕ [s] α ⇒ r and so since max X .ϕ is logically equivalent to ϕ {max X .ϕ /X } we can deduce that Since ϕ {max X .ϕ /X } ∈ sHML nf , by the restrictions imposed by sHML nf we know that ϕ cannot be X because (bound) logical variables are required to be guarded, and it also cannot be tt or ff since X is required to be defined in ϕ, i.e. X ∈ fv(ϕ ). Hence, we know that ϕ can only have the form of where max Y 0 . . . Y n . . . ., represents, an arbitrary number of fixpoint declarations, possibly none. Hence, since ϕ is logically equivalent to (29) and (30) we have that Having reached the point where we know (31), the proof becomes identical as per the previous case (ϕ = i∈I [α i ]ϕ i ), we thus skip this part of the proof and safely conclude that Hence, knowing (30) and that ϕ = i∈I [α i ]ϕ i {..} , from (29) and (30) we conclude that max X .ϕ [s] α − → r as required, and so we are done.
Having concluded the proof of Theorem 2 and knowing Theorem 1, we can finally obtain our main result with respect to Definition 3.

Theorem 3
Controlled system synthesis is the static counterpart of suppression enforcement in the context of safety properties.

Distinguishing between suppression enforcement and CSS
Despite concluding that CSS is the static counterpart to suppression enforcement, there are still a number of subtle differences between these two techniques. For one, since suppression enforcement is a dynamic technique, the monitor and the system still remain two separate entities, and the instrumentation between them is merely a way for the monitor to interact with the SuS. In general, the monitor does not affect the execution of the SuS itself, but rather modifies its observable trace of actions, such as its inputs and outputs. By contrast, when a controlled system is synthesised, an existing system is paired up with a formula and statically reconstructed into a new (correct) system that is incapable of executing the erroneous behaviour. By removing invalid transitions entirely, controlled system synthesis is more ideal to guarantee the property compliance of the internal (less observable) behaviour of a system. For example, this can be useful to ensure that the system does not use a shared resource before locking it. By contrast, the invalid actions are still executed by the system in suppression enforcement, but their effect is rendered invisible to any external observer. This makes suppression enforcement more suitable to ensure that the external (observable) behaviour of the system complies with a desired property. For instance, one can ensure that the system does not perform an output that is innocuous to the system itself, but may be providing harmful information to the external environment.
Moreover, it turns out that although both techniques produce composite systems that are trace equivalent to each other, an external observer may still be able to tell them apart by merely observing them. One way of formally assessing this is to use observational equivalence (characterised by weak bisimilarity) as a yardstick, thus: ∀ϕ ∈ sHML, s ∈ Sys, ∃m ∈ TR N · m[s] ≈ (s, ϕ).
We show by means of a counter example that (32) is in fact false and as a result prove Theorem 4.

Theorem 4 (Observational Difference)
There exist an sHML inv formula ϕ, an LTS Sys, Act, → and a system state s ∈ Sys such that for all monitors m ∈ TR N , m[s] ≈(s, ϕ).
Proof sketch Recall the controlled LTS with initial state (s b , ϕ 0 ) obtained in Example 4. To prove Theorem 4 we must show that for every action suppression monitor m(that can only apply suppression and identity transformations), one cannot find a weak bisimulation relation R so that (m[s b ], (s b , ϕ 0 )) ∈ R. An elegant way of showing this claim is by playing the weak bisimulation games [3] starting from the pair (m[s b ], (s b , ϕ 0 )), for every possible m. The game is played between two players, namely the attacker and the defender. The attacker wins the game by finding a sequence of moves from the monitored state m[s b ] (or the controlled state (s b , ϕ 0 )), which the defender cannot counter, i.e. the move sequence cannot be performed by the controlled state (s b , ϕ 0 ) (resp. monitored state m[s b ]). Note that the attacker is allowed to play a transition from either the current monitored state or the controlled state at each round of the game. A winning strategy for the attacker entails that the composite systems are not observationally equivalent.
We start playing the game from the initial pair (m[s b ], (s b , ϕ 0 )) for every monitor m. Pick any monitor that suppresses any action other than a second consecutive ans, same set of traces at runtime, Theorem 2. As trace equivalent systems satisfy the same safety properties, Theorem 1, this result was enough to reach our conclusion, Theorem 3. Using a counter-example we, however, deduced that these two techniques are different modulo observational equivalence, Theorem 4. An Abramsky-type external observer [1] can therefore tell the difference between a monitored and controlled system resulting from the same formula and SuS. To our knowledge this is the first formal comparison to be made between these two techniques. Future Work Having established a connection between suppression enforcement and control system synthesis with respect to safety properties, it is worth expanding this work at least along two directions and explore how: (i) runtime enforcement and controlled system synthesis are related with respect to properties other than those representing safety, and how (ii) suppression enforcement relates to other verification techniques such as supervisory control theory, reactive synthesis, etc.
Exploring (i) may entail looking into other work on enforcement and controlled system synthesis that explores a wider set of properties. It might be worth investigating how other enforcement transformations, such as action replacements and insertions, can be used to widen the set of enforceable properties, and how this relates to controlled system synthesis. The connection established by van Hulst et al. in [35] between control system synthesis and supervisory control, along with the other relationships reviewed in Sect. 6, may be a starting point for conducting our future investigations on (ii).