Symbolic Equivalences for Open Systems - PowerPoint PPT Presentation


1
Symbolic Equivalences for Open Systems
FM seminar UIUC, 6 Dec. 2002
  • Roberto Bruni (Pisa & Illinois)
  • Paolo Baldan (Pisa & Venezia)
  • Andrea Bracciali (Pisa)
  • Research supported by
  • IST Programme on FET-GC Projects AGILE, MYTHS,
    SOCS
  • Italian MIUR Project COMETA
  • CNR Fellowship on Information Sciences and
    Technologies

2
Outline
Ongoing Work!
  1. Introduction & Motivation
  2. Example: toy PC with ambients
  3. Symbolic Bisimulation
  4. Symbolic Transition Systems
  5. Strict Symbolic Bisimilarity
  6. Large Irredundant Bisimilarity
  7. Bisimulation by Unification
  8. Conclusions
  9. ( Traces )
  10. ( Duality, Related Work & Future Work )

3
Open Systems
  • Evolve autonomously, interact via interfaces,
    programmable, ...
  • Ex. Web Services, WAN Computing, Mobile Code

Figure: components p, q, r and a coordinator C[X1,X2,X3] into whose holes they are plugged.
4
Interaction
  • Components can be dynamically connected
  • Ex. Access to Network Services

Figure: C[p,q,r]; (typed) holes ⇒ constrained dynamic binding; boundaries ⇒ access policies.
5
The Problem
  • Partially specified / partially known systems
  • Behaviour defined via the possible instances
  • Problem: how to reuse ordinary specification /
    analysis / verification techniques developed for
    closed systems?

6
General Goal
  • Methodology for the formal analysis of open
    systems
  • Focus on Process Calculi
  • Mathematical models of computation widely used
    for isolating and studying phenomena arising in
    concurrent languages (like the λ-calculus for
    sequential computations)
  • Algebraic representations of processes (terms)
  • Components ⇔ Closed Terms
  • Coordinators ⇔ Contexts (holed processes)
  • Structural and Behavioural Equivalences
  • Proposal
  • Compact (Symbolic) LTS for open systems

7
Process Calculi Ingredients
  • Structure (Σ,E)
  • Signature + Structural Axioms
  • Operational Semantics: LTS/RS
  • (SOS) inference rules for transitions/rewrites
  • Logic for expressing and proving properties
  • Specification & Verification

Mostly devised for components!
9
Abstraction
  • Equivalence on Components: p ≃ q
  • Bisimulation, Traces, May/Must Testing
  • Universal Equivalence on Coordinators
  • C[X] ≃univ D[X] iff ∀p. C[p] ≃ D[p]
  • (for simplicity, we consider one-holed contexts
    in most slides)
  • needs universal quantification!

10
Bisimulation
  • Focus on Bisimilarity (largest bisimulation)
  • p ≃ q
  • if p –a→ p' then ∃ q'. q –a→ q' with p' ≃ q'
  • (and vice versa)

11
Graphically

Figure: the bisimulation game drawn for two components p and q.
12
Example: Ambients + Asynchronous CCS com.
p ::= 0 | ā | a.p | n[p] | open n.p | in n.p
      | out n.p | p | p
Assume AC1 parallel composition, a unique label τ
(omitted)
13
In Maude Notation I
    mod CCSAmb is protecting MACHINE-INT .   *** system module: it declares rewrite rules
      sorts Act Amb Proc .
      op n : MachineInt -> Amb .
      op a : MachineInt -> Act .
      op 0 : -> Proc .
      op _ : Act -> Proc [frozen] .            *** asynchronous output (operator symbol lost in extraction)
      op _._ : Act Proc -> Proc [frozen] .     *** input prefix a.p
      op _[_] : Amb Proc -> Proc .             *** ambient n[p]
      op open(_)._ : Amb Proc -> Proc [frozen] .
      op in(_)._ : Amb Proc -> Proc [frozen] .
      op out(_)._ : Amb Proc -> Proc [frozen] .
      op _|_ : Proc Proc -> Proc [assoc comm id: 0] .   *** AC1 parallel composition
14
In Maude Notation II
      vars N M : Amb .
      vars P Q R : Proc .
      var A : Act .
      rl (N[P]) | (open(N) . Q) => P | Q .                   *** open
      rl (N[P]) | (M[(in(N) . Q) | R]) => N[P | (M[Q | R])] . *** in
      rl N[P | (M[(out(N) . Q) | R])] => (N[P]) | (M[Q | R]) . *** out
      rl N[(A . P) | (A) | Q] => N[P | Q] .                  *** communication inside N
    endm
15
A Problem on Components
n[a.0 | ā] –τ→ n[0] -/→
m[b.0 | b̄] –τ→ m[0] -/→
n[a.0 | ā] ≃ m[b.0 | b̄] ?
22
A Problem on Coordinators
n[X] ≃ m[X] ?
23
Symbolic Approach
  • Bisimulation Without Instantiation
  • Facilitate analysis & verification of
    coordinators' properties
  • Distinguishing Features
  • Symbolic LTS
  • states are coordinators
  • labels are spatial/modal formulae
  • Avoids universal closure
  • Allows for coalgebraic techniques
  • Constructive definition for Algebraic SOS and
    GSOS specs
  • (In general yields equivalences finer than ≃univ)

24
Notation
  • We start from a PC specified by
  • Syntax + Structural Equivalence (Σ,E)
  • T_{Σ,E} is the set of Components p, q, r, ...
  • T_{Σ,E}(X) is the set of Coordinators C, D, ...
  • C[X1,...,Xn] means var(C) ⊆ {X1,...,Xn}
  • Labels Λ ranged by a, b, ...
  • LTS L (defined on T_{Σ,E} and Λ)
  • possibly defined via SOS inference rules

25
Symbolic Transition Systems
  • Ordinary SOS approach
  • Behavior of a coordinator can depend on
  • The spatial structure of the components that are
    inserted/connected/substituted
  • The behavior of those components
  • Idea: to borrow formulae from a suitable logic
    to express the most general class of components
    that can take part in the coordinator's evolution

26
What Logic Do We Need?
  • Formulae must express the minimal amount of
    information on components for enabling the step
  • Most general active components needed for the
    step
  • Assumptions not only on the structure of
    components, but also on their behavior
  • Components not playing active role in the step

27
Spatial / Modal Formulae
  • Logic L must include, as atomic formulae
  • Place-holders (process variables) X:  q ⊨ X
  • Components p:  q ⊨ p iff q ≡_E p
  • We will also consider
  • Spatial formulae (for operators f ∈ Σ)
  • q ⊨ f(φ1,...,φn) iff ∃q1 ⊨ φ1 ... ∃qn ⊨ φn. q ≡_E
    f(q1,...,qn)
  • Modality ⟨a⟩ (for labels a ∈ Λ)
  • q ⊨ ⟨a⟩.φ iff ∃p ⊨ φ. q –a→ p

28
Symbolic Transitions
  • C[X] –φ(Y), a→ D[Y]
  • intuitively whenever p ⊨ φ(q),
  • then C[p] –a→ D[q]
  • (q is to some extent the residual of p after
    satisfying φ)

(In the symbolic transition C[X] and D[Y] are coordinators, φ(Y) is the formula and a the ordinary label.)
29
Symbolic Transitions Examples
  • n[X | ā] –a.Y, τ→ n[Y]
  • for any p ≡_E a.q,
  • n[p | ā] –τ→ n[q]
  • X1 | X2 –⟨τ⟩.Y1, Y2, τ→ Y1 | Y2
  • for any p1 –τ→ q1 and p2,
  • p1 | p2 –τ→ q1 | p2

30
Correctness
If C[X] –φ(Y), a→ D[Y] is a transition of the STS,
then ∀pi, qi. pi ⊨ φ(qi) implies C[pi] –a→ D[qi] in the LTS L
(i.e. C[p1] –a→ D[q1], C[p2] –a→ D[q2], ..., C[pn] –a→ D[qn]):
the formula describes the components that, plugged in C, can perform a.
31
Completeness
If r ≡_E C[p] –a→ q in the LTS L,
then ∃ φ, s, D. C[X] –φ(Y), a→ D[Y] in the STS
with p ⊨ φ(s) and q ≡_E D[s]
32
Strict Bisimilarity
  • Strict Bisimilarity: largest (strict)
    bisimulation s.t.
  • if C[X] ≃strict D[X] and C[X] –φ(Y), a→ C'[Y]
  • then D[X] –φ(Y), a→ D'[Y] (same formula, same label)
  • with C'[Y] ≃strict D'[Y]
  • THEOREM
  • If the STS is correct & complete, then
  • ≃strict ⊆ ≃univ

37
Back to the Open Problem
n[X] –Y | k[out n.Z | W], τ→ n[Y] | k[Z | W]
m[X] –Y | k[out n.Z | W], τ-/→
n[X] ≄strict m[X]
40
Back to the Open Problem
n[X] ≄univ m[X]
(take X = k[out n.0])
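The calculus of slides 12-14 and the two problems above, replayed in code. This is an added example, not code from the slides or from the authors: a small Python rewriter for the ambient fragment, in which the process constructors, the `steps` successor function and the `bisimilar` check are all constructed here, and parallel composition is kept as a sorted tuple so that AC1 equality is plain tuple equality.

```python
ZERO = ('0',)                                     # the inactive process 0

def parts(p):
    """Parallel components of p: none for 0, p itself if not a parallel term."""
    return list(p[1]) if p[0] == 'par' else ([] if p == ZERO else [p])

def par(*ps):
    """p1 | ... | pk, flattened and sorted so that AC1 equality is tuple equality."""
    items = [x for q in ps for x in parts(q)]
    if not items:
        return ZERO
    return items[0] if len(items) == 1 else ('par', tuple(sorted(items, key=repr)))

def amb(n, p): return ('amb', n, p)              # ambient n[p]
def snd(a):    return ('snd', a)                 # asynchronous output on a
def rcv(a, p): return ('rcv', a, p)              # input prefix a.p; capabilities are
                                                 # ('in'|'out'|'open', name, continuation)

def steps(p):
    """Tau-successors of p: the four rules of slide 14, under | and inside ambients."""
    res, items = set(), parts(p)
    for i, x in enumerate(items):
        rest = items[:i] + items[i + 1:]
        if x[0] != 'amb':
            continue                                 # prefixes and capabilities are frozen
        n, body = x[1], parts(x[2])
        for y in steps(x[2]):                        # a step inside n[...]
            res.add(par(amb(n, y), *rest))
        for j, y in enumerate(body):
            brest = body[:j] + body[j + 1:]
            if y[0] == 'rcv' and snd(y[1]) in brest:   # n[a.P | a | Q] -> n[P | Q]
                brest.remove(snd(y[1]))
                res.add(par(amb(n, par(y[2], *brest)), *rest))
            if y[0] == 'amb':                        # n[P | m[out n.Q | R]] -> n[P] | m[Q | R]
                inner = parts(y[2])
                for k, z in enumerate(inner):
                    if z[0] == 'out' and z[1] == n:
                        res.add(par(amb(n, par(*brest)), amb(y[1], par(z[2], *inner[:k] + inner[k + 1:])), *rest))
        for j, y in enumerate(rest):
            rest2 = rest[:j] + rest[j + 1:]
            if y[0] == 'open' and y[1] == n:         # n[P] | open n.Q -> P | Q
                res.add(par(x[2], y[2], *rest2))
            if y[0] == 'amb':                        # n[P] | m[in n.Q | R] -> n[P | m[Q | R]]
                inner = parts(y[2])
                for k, z in enumerate(inner):
                    if z[0] == 'in' and z[1] == n:
                        res.add(par(amb(n, par(x[2], amb(y[1], par(z[2], *inner[:k] + inner[k + 1:])))), *rest2))
    return res

def bisimilar(p, q):
    """Strong bisimilarity over the single label tau (slide 10); terms are finite and acyclic."""
    sp, sq = steps(p), steps(q)
    return (all(any(bisimilar(a, b) for b in sq) for a in sp) and
            all(any(bisimilar(a, b) for a in sp) for b in sq))

def components_bisimilar():
    """Slide 15: n[a.0 | a] and m[b.0 | b] each do one tau step and then stop."""
    return bisimilar(amb('n', par(rcv('a', ZERO), snd('a'))),
                     amb('m', par(rcv('b', ZERO), snd('b'))))

def coordinators_distinguished():
    """Slide 40: the instance X = k[out n.0] separates n[X] from m[X]."""
    x = amb('k', ('out', 'n', ZERO))
    return steps(amb('n', x)), bisimilar(amb('n', x), amb('m', x))
```

`coordinators_distinguished` returns the single successor of n[k[out n.0]] together with the verdict that no instance-free argument can give: the same plug makes m[X] stuck, so the two coordinators are not universally equivalent.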
41
A Last Problem
n[m[out n.X]] –Y, τ→ n[0] | m[0]
n[0] | m[ā | a.X] –Y, τ→ n[0] | m[0]
n[m[out n.X]] ≃strict n[0] | m[ā | a.X] ?
42
A Last Problem
n[m[out n.X]] –Y, τ→ n[0] | m[Y]
n[0] | m[ā | a.X] –Y, τ→ n[0] | m[Y]
n[m[out n.X]] ≃strict n[0] | m[ā | a.X]
43
A Last Problem
n[m[out n.X]] ≃strict n[0] | m[ā | a.X]
n[m[out n.X]] ≃univ n[0] | m[ā | a.X]
44
Is strict Too Fine? I
  • Pathological example

p ::= 0 | r.p | lock(p) | key1(p) | key2(p) | key3(p)
46
Is strict Too Fine? II
  • Pathological example

p ::= 0 | r.p | lock(p) | key1(p) | key2(p) | key3(p)
52
Large Bisimilarity
  • Large Bisimilarity: largest (large) bisimulation
    s.t.
  • if C[X] ≃large D[X] and C[X] –φ(Y), a→ C'[Y]
  • then D[X] –ψ(Z), a→ D'[Z] for some ψ(Z) and some
    spatial σ(Y) with φ(Y) ≡ ψ(σ(Y))
  • and C'[Y] ≃large D'[σ(Y)]
  • THEOREM: ≃strict ⊆ ≃large
  • If the STS is correct & complete, then
  • ≃large ⊆ ≃univ

54
Is large Better Than strict? I
  • Pathological example

p ::= 0 | r.p | lock(p) | key1(p) | key2(p) | key3(p)

Symbolic transitions:
  key1(lock(X)) –⟨r⟩.Y, τ→ key1(Y)
  key2(lock(X)) –⟨r⟩.Y, τ→ key2(Y)
  key2(lock(X)) –r.Y, τ→ key2(Y)
  key3(lock(X)) –⟨r⟩.Y, τ→ key3(Y)
Table (columns ≃strict, ≃large, ≃univ): key1(lock(X)) vs key2(lock(X)); key2(lock(X)) vs key3(lock(X)); key3(lock(X)) vs key1(lock(X)).
56
Is large Better Than strict? II
  • Pathological example

p ::= 0 | r.p | lock(p) | key1(p) | key2(p) | key3(p)

Symbolic transitions:
  key1(X) –lock(r.Y), τ→ key1(Y)
  key2(X) –lock(r.Y), τ→ key2(Y)
  key3(X) –lock(r.Y), τ→ key3(Y)
  key3(X) –lock(r.lock(Y)), τ→ key3(lock(Y))
Table (columns ≃strict, ≃large, ≃univ): key1(X) vs key2(X); key2(X) vs key3(X); key3(X) vs key1(X).
58
Why Use ≃strict / ≃large? I
  • In general ≃large is coarser than ≃strict
  • But ≃large can lack transitivity
  • It makes sense to see them as convenient
    approximation methods for ≃univ
  • ≃univ is not defined coinductively
  • ≃univ requires the verification of infinitely many
    equivalences

59
Why Use ≃strict / ≃large? II
  • Congruence properties
  • in general ≃strict and ≃large are not left
    congruences, i.e.
  • C[X] ≃strict D[X] ⇏ C[E[Y]] ≃strict D[E[Y]]
  • C[X] ≃large D[X] ⇏ C[E[Y]] ≃large D[E[Y]]
  • (ex. C = key1, D = key2, E = lock)
  • but they are such for ≃univ
  • C[X] ≃strict D[X] ⇒ C[E[Y]] ≃univ D[E[Y]]
  • C[X] ≃large D[X] ⇒ C[E[Y]] ≃univ D[E[Y]]

60
Why Use ≃strict / ≃large? III
  • On Transitivity of ≃large
  • if ≃large is a left congruence, then ≃large is
    transitive (and thus it is an equivalence
    relation)
  • But note that we have anyway
  • (≃large)+ ⊆ ≃univ (the transitive closure of ≃large is included in ≃univ)

61
Irredundant Bisimilarity
  • Assume no structural axioms are present
  • C[X] –φ(Y), a→ C'[Y] is redundant if
  • ∃ another transition C[X] –ψ(Z), a→ C''[Z] and
    ∃ σ(Y) spatial formula s.t.
  • C''[σ(Y)] ≡ C'[Y]
  • ψ(σ(Y)) ≡ φ(Y)
  • it is irredundant otherwise
  • In the irredundant bisimilarity ≃irred, only
    irredundant transitions must be simulated

62
Is irred Meaningful?
  • Pathological example

p ::= 0 | r.p | lock(p) | key1(p) | key2(p) | key3(p)

Symbolic transitions:
  key1(X) –lock(r.Y), τ→ key1(Y)
  key2(X) –lock(r.Y), τ→ key2(Y)
  key3(X) –lock(r.Y), τ→ key3(Y)
  key3(X) –lock(r.lock(Y)), τ→ key3(lock(Y))
Table (columns ≃strict, ≃large, ≃irred, ≃univ): key1(X) vs key2(X); key2(X) vs key3(X); key3(X) vs key1(X).
64
Properties of ≃irred
  • In general
  • ≃irred can lack transitivity
  • ≃irred is coarser than ≃strict
  • ≃irred and ≃large are not comparable
  • ≃irred is strictly finer than ≃univ

65
Bisimulation by Unification
  • PC specified in Algebraic SOS Format:
        Xi –ai→ Zi   (i ∈ I)
        ----------------------------------
        C[X1,...,Xn] –a→ D[Y1,...,Yn]
  • (Yi is either Xi (if i ∉ I) or Zi (if i ∈ I))
  • ASOS, unlike De Simone, allows a generic context
    C in the source of the conclusion (instead of
    f ∈ Σ)
66
The Prolog Algorithm
    trs( box(A,X) , A , X ) :- !.
    trs( C[X1,...,Xn] , a , D[Y1,...,Yn] ) :-
        trs( Xi1 , ai1 , Zi1 ),
        ...,
        trs( Xin , ain , Zin ).
  • The program can be seen as the specification of
    the STS
  • Goals have the form ?- trs(C[X1,...,Xn], a, Z).
  • Computed answer substitutions give the
    transitions
  • Backtracking mechanism + meta-logic ops (bagof)
    can be used to collect all symbolic transitions
    for C[X1,...,Xn]
  • THEOREM
  • The resulting STS is correct & complete
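The unification-based construction of the STS, as an added example that is not the authors' Prolog program: a Python encoding of the trs/3 clauses, in which the unifier, the clause renaming, the hole clause with its cut and the bagof-style collector are all constructed here, for a CCS-like fragment with prefix and parallel composition whose three ASOS rules are assumed for the example.

```python
import itertools
_counter = itertools.count()        # fresh-name supply for holes and renamed clauses

def is_var(t): return isinstance(t, str) and t.startswith('?')
def walk(t, s):                     # follow bindings from a variable to its value
    while is_var(t) and t in s: t = s[t]
    return t
def occurs(v, t, s):
    t = walk(t, s)
    return t == v or (isinstance(t, tuple) and any(occurs(v, x, s) for x in t))

def unify(a, b, s):                 # Robinson unification with occurs check; None on failure
    a, b = walk(a, s), walk(b, s)
    if a == b: return s
    if is_var(a) or is_var(b):
        v, t = (a, b) if is_var(a) else (b, a)
        return None if occurs(v, t, s) else {**s, v: t}
    if isinstance(a, tuple) and isinstance(b, tuple) and len(a) == len(b):
        for x, y in zip(a, b):
            s = s if s is None else unify(x, y, s)
        return s
    return None

def resolve(t, s):                  # apply the substitution everywhere in t
    t = walk(t, s)
    return tuple(resolve(x, s) for x in t) if isinstance(t, tuple) else t

def rename(t, tag):                 # fresh copy of a clause: '?V' becomes '?V' + tag
    if is_var(t): return t + tag
    return tuple(rename(x, tag) for x in t) if isinstance(t, tuple) else t

# Constructed ASOS rules (conclusion, premises): a.P -a-> P; P|Q steps if P or Q does
RULES = [
    ((('pre', '?A', '?P'), '?A', '?P'), ()),
    ((('par', '?P', '?Q'), '?A', ('par', '?P1', '?Q')), (('?P', '?A', '?P1'),)),
    ((('par', '?P', '?Q'), '?A', ('par', '?P', '?Q1')), (('?Q', '?A', '?Q1'),)),
]

def trs(c, a, d, s):
    """Yield each substitution solving trs(c, a, d), one per symbolic transition.
    First clause trs(box(A,X), A, X) :- !  : an unbound source is a hole, bound to
    box(A, X) ('must do A and become X'); the cut excludes the other clauses."""
    c = walk(c, s)
    if is_var(c) or (isinstance(c, tuple) and c[0] == 'box'):
        s = unify(c, ('box', a, '?h%d' % next(_counter)), s)
        if s is not None:
            s = unify(d, walk(c, s)[2], s)
        if s is not None:
            yield s
        return
    for head, premises in RULES:    # remaining clauses: one per ASOS rule
        tag = '_%d' % next(_counter)
        s2 = unify(rename(head, tag), (c, a, d), s)
        if s2 is not None:
            yield from solve(rename(premises, tag), s2)

def solve(goals, s):                # left-to-right conjunction with backtracking
    if not goals:
        yield s
        return
    for s2 in trs(*goals[0], s):
        yield from solve(goals[1:], s2)

def symbolic_transitions(coordinator, action):
    """bagof over ?- trs(C, a, Z): (instantiated source, target) for each answer."""
    return [(resolve(coordinator, s), resolve('?Z', s)) for s in trs(coordinator, action, '?Z', {})]
```

For the coordinator X1 | X2 and action a the two answers are X1 = box(a, Y1), Z = Y1 | X2 and X2 = box(a, Y2), Z = X1 | Y2, i.e. the two symbolic transitions of slide 29 with the modal formula written as box(a, Y).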


70
Linear Positive GSOS Format
        Xi –ai,j→ Zi,j   (1 ≤ j ≤ mi, i ∈ I)
        ----------------------------------
        f(X1,...,Xn) –a→ D[Y1,...,Ym]
  • (D linear, Yk is either Xi (if i ∉ I) or Zi,j (if
    i ∈ I))

The first clause this time becomes
    trs( box(X) , A , ref(X,A,Y) ) :- !.
(because the same variable can appear as the source of many goals,
with different actions and conclusions). Conjunction is needed in the
logic. The De Simone format can be dealt with equivalently with any of
the two encodings.
71
Conclusions (almost)
  • General formal framework for open systems
  • Meta-theoretic foundations
  • Under suitable hypotheses
  • ≃strict implies ≃large / ≃irred implies ≃univ
  • For suitable SOS formats, a minimal STS can be
    defined constructively in Prolog
  • cut + unification
  • AC1 parallel operator (see AMAST paper)

72
Traces
  • Branching structure can be irrelevant in many
    situations
  • Finite step sequences (traces) can suffice!
  • p –a1→ p1 –a2→ p2 –a3→ ... –an→ pn
  • also written p –a1a2a3...an→ pn
  • or just p –a1a2a3...an→
  • Trace language
  • L(p) = { ω ∈ Λ* | p –ω→ }
  • Trace equivalence ≈
  • p ≈ q if L(p) = L(q)
  • Universal trace equivalence ≈univ
  • C[X] ≈univ D[X] if ∀p. C[p] ≈ D[p]

74
Symbolic Traces
  • Traces of pairs (formula, action)
  • C[X] –φ1, a1→ C1[X1] –φ2, a2→ ... –φn, an→ Cn[Xn]
  • written C[X] –(φ1,a1)(φ2,a2)...(φn,an)→ Cn[Xn]
  • or just C[X] –(φ1,a1)(φ2,a2)...(φn,an)→
  • Strict Trace language
  • L(C[X]) = { ω ∈ (L × Λ)* | C[X] –ω→ }
  • Strict Trace equivalence ≈strict
  • C[X] ≈strict D[X] if L(C[X]) = L(D[X])

76
Tight Traces
  • Formulae can be composed!
  • C[X] –φ1, a1→ C1[X1] –φ2, a2→ ... –φn, an→ Cn[Xn]
  • φ = φ1[φ2[...[φn/Xn-1]...]/X2]/X1]
  • we get C[X] –(φ, a1a2...an)→
  • Strict Tight Trace language
  • C(C[X]) = { ω ∈ L × Λ* | C[X] –ω→ }
  • Strict Tight Trace equivalence ≈stight
  • C[X] ≈stight D[X] if C(C[X]) = C(D[X])

78
Saturated Traces
  • Collecting also the instances
  • ω = (φ1,a1)(φ2,a2)...(φn,an) is a saturated trace
    for C0[X0] if
  • ∃ C1[X1]...Cn[Xn], D1[Y1]...Dn[Yn] and ψ1...ψn and
    σ1...σn spatial with
  • Ci[Xi] –ψi+1, ai+1→ Di+1[Yi+1]
  • Ci+1[Xi+1] ≡ Di+1[σi+1]
  • φi+1 ≡ ψi+1[σi+1/Yi+1]
  • Saturated Trace language
  • S(C[X]) = saturated traces ω of C[X]

79
Large Trace Equivalences
  • C[X] and D[X] are large trace pre-equivalent,
    written C[X] ≈large D[X], if
  • L(C[X]) ⊆ S(D[X]) ∧ L(D[X]) ⊆ S(C[X])
  • (≈large might fail to be transitive)
  • The tight version ?ltight can be defined by
    resorting to the corresponding tight trace
    languages

80
Irredundant Trace Equivalences
  • Let I(C[X]) be the subset of L(C[X]) containing
    traces composed of irredundant transitions only
  • Then C[X] and D[X] are irredundant trace
    pre-equivalent, written C[X] ≈irred D[X], if
  • I(C[X]) ⊆ L(D[X]) ∧ I(D[X]) ⊆ L(C[X])
  • (≈irred might fail to be transitive)
  • The tight version ?itight can be defined by
    resorting to the corresponding tight trace
    languages

81
The Tower of Semantics
  • Orange symbols if transitivity can lack
  • Dotted inclusions hold if the Logic is tight

Figure: inclusion diagram of the trace equivalences ≈strict, ≈large, ≈irred, ≈stight, ≈ltight, ≈itight, ≈univ and of the bisimilarities ≃strict, ≃large, ≃irred, ≃univ.
82
Dual View
  • Instantiation vs. Contextualization
  • When ≃ is not a congruence
  • p ≃ctx q iff ∀C[X]. C[p] ≃ C[q]
  • ≃ctx is not a bisimulation (unless ≃ is a
    congruence)
  • (the largest congruence which is also a
    bisimulation is called dynamic bisimulation)
  • Sewell, Leifer & Milner
  • contexts (as small as possible) as labels
  • Transitions p –C[_, X1,...,Xn]→ D[X1,...,Xn]
  • ∀p1...pn. C[p, p1,...,pn] –τ→ D[p1,...,pn]
  • C minimal (not necessarily minimum)
  • Universal quantification moved from contexts to
    components!

84
Related Work / Source of Inspiration
  • Caires, Cardelli & Gordon
  • Fiadeiro, Maibaum, Martí-Oliet, Meseguer & Pita
  • elegant mathematical tool for expressing
    structural & temporal aspects
  • Sewell
  • Leifer & Milner
  • dual categorical characterization of the most
    general interaction (relative pushout)
  • Bruni, Montanari & Rossi
  • interactive view of Logic Programming

85
Future Work
  • Deal with names
  • Name restriction ⇔ logical notion of freshness
  • Develop tools and applications
  • Verification of cryptographic protocols
  • Analogies with other approaches
  • Narrowing in RL and hidden logic techniques
  • Extension to meta and abductive LP
  • Programmable definition of proofs
  • To answer questions like "under which assumptions
    can p[X] evolve so as to satisfy a certain property?"
    that are relevant in dynamic system engineering
  • Duality
  • Categorical formulation (relative pullback?)

86
  • Symbolic Equivalences
  • for Open Systems
  • a research by Andrea Bracciali
  • Paolo Baldan
  • Roberto Bruni
  • presented by Roberto Bruni