A Finite Prefix for Analysing Information Flow Among Transitions of a Free-Choice Net

In distributed systems, the occurrence of an action can give information about the occurrence of other actions. This can be an unwanted situation when “high” actions of the system need to be kept secret, while allowing users to observe “low” actions. If it is possible to deduce information about occurrence of high actions by observing only low actions, then the system suffers from an unwanted information flow. “Reveals” and “excludes” relations were introduced for modelling and analysing such an information flow among actions of a distributed system that is modelled via Petri nets. In this paper, we provide a formal basis for computing reveals and excludes relations of 1-safe free-choice Petri nets. We introduce the “maximal-step computation tree” to represent the behaviour of a distributed system under maximal-step semantics. We define a finite prefix of the tree called “full prefix” and we show that it is adequate for analysing information flow by means of reveals and excludes relations.


I. INTRODUCTION AND RELATED WORK
In this paper, we work on a formal basis for modelling and analysing information flow in distributed systems. We consider systems that are modelled with 1-safe free-choice Petri nets.
Petri nets are a formalism for modelling concurrent and distributed systems. The concept of Petri nets originates from the PhD thesis of Carl Adam Petri [1] written in the early sixties. Since then, Petri nets have been extensively studied, developed and applied in many different areas. A comprehensive overview on the Petri net theory and its applications is given in [2], [3] and [4]. A more recent overview on Petri nets is presented in [5] from a systems theory and automatic control perspective. Decidability results addressing important properties and equivalence notions of Petri nets are collected in [6].
A Petri net is given by a set of places, and by a set of transitions. Places may contain tokens. The state of a Petri net is given by the distribution of tokens among the whole set of places. When a transition occurs, or fires, it may alter the distribution of tokens among some places. In this way, Petri nets can explicitly encode relations of conflict, causal dependence and concurrency between transitions.
In the literature, a variety of Petri net classes are introduced. These classes differ in the nature of their places. In the basic classes (elementary net systems, 1-safe Petri nets), places represent logical conditions, which can be true or false. The state of the net (or the marking) is then subset of places which hold the value true. In Place/Transition nets, places are counters, which can take nonnegative integer values. In high-level nets, a place is a container for tokens whose values range over more general types. Further exten-sions of the basic model introduce probabilistic or temporal parameters.
Formally, the structure of a basic Petri net is given by the flow relation, which links places and transitions. Restricted classes of Petri nets are defined by imposing restrictions on that structure. Here, we are interested in so-called free-choice nets.
The class of free-choice Petri nets, initially studied in [7], is relevant in Petri net theory since a large amount of results relates the structure of the net to its behaviour, yielding efficient analysis algorithms. See [8] and [9] for a collection of the main results on this class.
Free-choice Petri nets allow for modelling systems whose behaviour include both conflicts and synchronisations as well as concurrency, but they rule out situations in which conflicts and synchronisations interfere with each other, the so called situations of confusion. A typical example of confusion (asymmetric confusion) is given in the net of Fig. 1: transitions a and c are concurrently enabled, whereas b is not enabled. Due to the synchronisation at b, the occurrence of a influences which one between b and c can occur. If a occurs before c there will be a choice between b and c; if a occurs after c, then b will still not be enabled.
Since confusion is excluded, this class of nets cannot model situation of mutual exclusion or resource sharing as discussed in [10]; in spite of that, free-choice nets are suitable to model the flow of control in networks of processors and they are widely used in many application domains as for example in process mining [11], [12]. In [13] and [14], Van der Aalst provides new results in the theory of free-choice nets, including reduction methods to systematically prove properties, thus improving the efficiency of analysis.
The behaviour of a Petri net can be described in different ways. The most used models are the marking graph and the unfolding [15]. The marking graph is a labelled transitions system, formed by the reachable markings, connected by arcs corresponding to transition firings. The unfolding of a Petri net is an acyclic Petri net, made of occurrences of the elements of the original net, both transitions and places, partially ordered by a "causality" relation. In the early stages of this research project, we explored the use of unfolding and unfolding prefixes, namely the complete prefix [16] and the canonical prefix [17]. However, we saw that in the case of free-choice nets under the maximal-step semantics, representation of the behaviour as a tree structure allows us to give simpler axiomatic definitions and provide algorithms.
In the standard semantics, transitions fire asynchronously; an alternative is given by step semantics, where actions that are concurrently enabled occur simultaneously. Maximalstep semantics, in particular, requires that as many actions as possible occur at a time. An overview of different semantics can be found in [4]. The relation between step semantics and maximal-step semantics has been studied for example in [18], where it is shown that they are equivalent in the case of systems without asymmetric confusion, and therefore also in the case of free-choice Petri nets. In our setting, it is assumed that the system progresses unless it goes into a deadlock. Also, the order of occurrence of concurrently enabled actions, or the states reached during occurrence of these concurrent actions have no significance to our purpose. In fact, we can assume the concurrent actions that are enabled at the same state can occur simultaneously.
In distributed systems, security considerations may require that a user is not able to infer if a given action has been performed by another component, while still being able to interact with that component. This kind of unwanted information flow has been studied in formal models of concurrent systems through the concept of noninterference. An informative brief overview on information flow and noninterference is provided in [19].
The concept of noninterference was introduced by Goguen and Meseguer for deterministic state machines in [20]. Sutherland and McCullough moved the concept to the nondeterministic and concurrent systems in [21] and [22]. Since then, various noninterference properties have been proposed in the literature based on different system models. Focardi and Gorrieri attempt to provide a classification of possibilistic security properties for process algebras. They do not, however, provide a general scheme for the definition of security [23]. By the use of selective interleaving functions, McLean provides a uniform framework in [24] which allows one to compare a subset of different information-flow security properties and reason about composition. Mantel provides a more expressive framework in which different noninterference notions can be defined in a modular way by assembling basic security predicates [25], [26]. As shown by Mantel in [27], each property that can be represented in McLean's framework of selective interleaving functions can also be represented in the assembly kit.
In the concept of noninterference, a system is viewed as consisting of components at two distinct levels of confidentiality: high (hidden) and low (observable). A system is then said to be secure with respect to noninterference if a user, which knows the structure of the system, cannot deduce information about high actions by interacting only via low actions. Busi and Gorrieri moved the concept to 1-safe Petri nets in [28] by studying observational equivalences and structural properties. In [29], the authors define structural noninterference properties for elementary nets based on absence of particular places in the net. Frau et al., in [30], investigate the algorithmic properties of these structural properties and introduce a tool for detecting places that violate security in elementary net models. Best et al.,in [31], study the decidability of noninterference in Petri nets and prove that it is undecidable for unbounded nets. Baldan and Carraro give a characterisation of noninterference based on unfoldings of 1safe Petri nets in terms of causalities and conflicts in [32]. In [33], multilevel noninterference properties are studied based on causal characterisations in the unfolding semantics of safe net systems. In [34], the authors provide an algorithm to compute all the minimal solutions for enforcing noninterference on bounded Petri nets by using linear integer programming techniques. In this work, we follow the line of results from the references [35] and [36] which introduce two families of relations, namely reveals and excludes, to model information flow among transitions of a Petri net and use these relations to define various noninterference properties for 1-safe Petri nets. The original reveals relation was defined for events of an occurrence net by Haar in [37]. In [38] it was applied in the field of fault diagnosis. Later, in [36], the relation was redefined for transitions of a Petri net and applied in the field of information-flow security by means of noninterference. Noninterference deals with two kinds of information flow: positive and negative. The first one arises when the occurrence of a transition allows an observer to infer that another transition has already occurred or will inevitably occur in the future. The second one refers to the deduction of information about nonoccurrence of a transition. More specifically, this kind of information flow arises when the occurrence of a transition implies that another transition did not occur or cannot occur in the future. Reveals relation models positive information flow, whereas excludes relation models negative information flow among transitions of a 1-safe Petri net.
The contributions of this paper can be summarised as follows. We introduce the so called maximal-step computation tree which represents behaviour of a 1-safe free-choice net under the maximal-step semantics. We show the correspondence between this tree and the net unfolding. We show that there exists a finite prefix of such tree, named full prefix, on which reveals and excludes relations between the transitions of the corresponding Petri net can be computed efficiently. Thus, the full prefix can be used to determine information flow and to verify noninterference on the basis of reveals and excludes relations as defined in [35], [36]. We prove that the full prefix is sufficient to directly determine reveals relations, and we provide an algorithm to compute excludes relations on it. We consider the notion of footprint, which is the set of transitions observed along a system run. We provide an algorithm to compute footprints of all the maximal runs of a system. The footprints can then be used for further analysis for information flow among sets of transitions. The full prefix contains a summary of the corresponding net's behaviour, and all possible maximal-step computations are deducible from it. Thus, in addition to information-flow analysis, the prefix can be used for the analysis and verification of various behavioural properties of a distributed system modelled by a 1-safe free-choice net.
The paper is organised as follows. Section II provides the necessary background on Petri nets to be reasonably self contained. Section III recalls the definitions of reveals and excludes relations in the context of Petri net information flow. Section IV formalises the maximal-step computation tree and its full prefix. In Section V, the prefix is used for information flow analysis by computing reveals and excludes relations. Section V-C is dedicated to the computation of footprints of all the maximal paths of the maximal-step computation tree from its full prefix. We discuss the use of our notions and methods on some examples in Section VI. Section VII concludes the paper and discusses some possible future work.

II. BACKGROUND IN PETRI NET THEORY
In this section, we give a short introduction to Petri net theory.
A net is a triple N = (P, T, F ), where P and T are disjoint sets, the elements of P are called places, the elements of T are called transitions, and F ⊆ (P × T ) ∪ (T × P ) is called the flow relation. The pre-set of an element x ∈ P ∪ T is the set • x = {y ∈ P ∪ T : (y, x) ∈ F }. The post-set of x is the set x • = {y ∈ P ∪ T : (x, y) ∈ F }. Analogously, let X ⊆ P ∪ T be a subset of elements. Its pre-set is defined as • X = {y ∈ P ∪ T : ∃x ∈ X : (y, x) ∈ F }, and its post-set is defined as X • = {y ∈ P ∪ T : ∃x ∈ X : (x, y) ∈ F }.
An (ordinary) Petri net Σ = (P, T, F, m 0 ) is defined by a net (P, T, F ), and an initial marking m 0 : P → N. A net is finite if the sets of places and of transitions are finite.
A marking is a map m : P → N. Markings represent global states of a net. A transition t is enabled at a marking m, denoted m[t⟩, if, for each p ∈ • t, m(p) > 0. Let t be enabled at m; then, t can occur (or fire) in m producing the new marking m ′ , denoted m[t⟩m ′ and defined as follows: in all other cases.
Example 1. A graphical representation of a Petri net is illustrated in Fig. 1. Conventionally, places are illustrated as circles and transitions are illustrated as squares. The marking is represented through the tokens inside the places, which are illustrated as small black circles. The initial marking m i of the Petri net in Fig. 1 is m i (1) = 1, m i (2) = 1, m i (j) = 0 ∀j ̸ ∈ {1, 2}. At the initial marking transitions a, f and c are enabled, i.e., all the preconditions of these transitions are VOLUME 4, 2016 marked. When transition c fires it consumes the token from its precondition, namely place 2, and puts a token to its postcondition, namely place 4. Hence, the marking obtained after the occurrence of c is m 1 (1) = 1, m 1 (4) = 1, m 1 (j) = 0, ∀j ̸ ∈ {1, 4}.
A marking q is reachable from a marking m if there exist transitions t 1 . . . t k+1 and intermediate markings m The set of markings reachable from m will be denoted by [m⟩. A marking m is safe if m(p) ∈ {0, 1} for all p ∈ P . If all the markings in [m 0 ⟩ are safe, then Σ = (P, T, F, m 0 ) is said to be 1-safe (or, shortly, safe). Σ is called 1-live if for all t ∈ T there exists m ∈ [m 0 ⟩ such that m[t⟩. In the rest of the paper, we will consider systems modelled by 1-safe, 1-live Petri nets such that each transition has a nonempty preset, in which the underlying nets are finite. Since we restrict to 1-safe nets, from now on we will represent markings as subsets of places, where p ∈ m iff m(p) = 1. With this interpretation, a transition t is enabled in a marking m iff • t ⊆ m. Fig. 1 is 1-safe, and its initial marking can be equivalently expressed as {1, 2}. After the occurrence of transition c, the Petri net reaches the marking {1, 4}.

Example 2. The net in
Petri nets allow for representing different kinds of relations between transitions. Given a marking m, two transitions t 1 and t 2 are sequential if the occurrence of t 1 is necessary to enable t 2 . In Fig. 1, c and e are sequential, because e is enabled by the occurrence of c. Also, a and b are sequential: even if the occurrence of a may not be sufficient to enable b (since c may fire), the occurrence of a is necessary to enable b. In a marking m, two transitions t 1 and t 2 are in conflict if they are both enabled and • t 1 ∩ • t 2 ̸ = ∅. In this case, only one of them can fire, because the occurrence of one disables the other. For example, in Fig. 1, a and f are in conflict, because they both need the token from place 1, but only one can consume it. Finally, given a marking m, two transitions t 1 and t 2 are concurrent if they are both enabled in m and they can both fire, no matter in what order. In Fig. 1, c is concurrent with both a and f (although, as we specified before, a and f are not concurrent with each other).
Given a marking m, a step is a conflict free subset of transitions that are all enabled at m. A step is maximal if it is maximal with respect to set inclusion. In the net in Fig. 1, the maximal steps enabled in the initial markings are {a, c} and {c, f }.
A marking is a deadlock if no transition is enabled. Examples of deadlocks are the markings {6, 8} or {3, 8} in the net of Fig. 1.
Let N i = (P i , T i , F i ) be a net for i = 1, 2. A map λ : Historically, nets with this property were called extended-free-choice, the term freechoice referring to nets where conflicting transitions share exactly one precondition, and have no other preconditions. In extended-free-choice, transitions can have an arbitrary number of preconditions, as long as the above property holds. However, it was shown in [8] that these two classes are equivalent, and we will henceforth consider free-choice nets to be those where two transitions sharing at least one precondition are required to share all of their preconditions.
From Section IV on, we will consider free-choice nets as defined above.
We now introduce two technical relation that will be useful to define the idea of unfolding of a Petri net. The ≺ relation on a net N is the transitive closure of F and ⪯ is the reflexive closure of ≺. Given two elements x, y ∈ P ∪T , x#y, iff there exist t 1 , t 2 ∈ T : t 1 ̸ = t 2 , t 1 ⪯ x, t 2 ⪯ y and there exists p ∈ • t 1 ∩ • t 2 .
A net N = (B, E, F ), possibly infinite, is an occurrence net if the following restrictions hold: In an occurrence net, the elements of B are called conditions and the elements of E are called events; the transitive and reflexive closure of F forms a partial order. The set of minimal elements of an occurrence net N with respect to ⪯ will be denoted by min(N ). Since we only consider the nets in which every transition has a nonempty preset, the elements of min(N ) are conditions. An occurrence net represents the alternative histories of a system; therefore its underlying graph is acyclic (cond. 1), and paths branching from a condition, corresponding to a choice between alternative behaviours, never converge (cond. 2). A configuration of an occurrence net N = (B, E, F ) is a set C of events which is causally closed and free of conflicts. C is maximal if it is maximal with respect to set inclusion.
A B-cut of N is a maximal set of pairwise concurrent elements of B, and can be intuitively seen as a global state of the net in a certain moment. An E-cut of N is a maximal set of pairwise concurrent elements of E, that corresponds with a maximal step on N . By analogy with net systems, we will sometimes say that an event e of an occurrence net is enabled at a B-cut β, denoted β[e⟩, if • e ⊆ β. A B-cut is a deadlock if no event is enabled at it. We will denote by C(γ) the set of all events in the causal closure of a B-cut γ, i.e., A branching process of a Petri net Σ = (P, T, F, m 0 ) is a pair (O, λ), where O = (B, E, F ) is an occurrence net, and λ is a morphism from O to Σ such that: We extend the definition of λ to the set of configurations on the branching process: for each configuration C, for each e i ∈ C, λ(C) = i λ(e i ). The set λ(C) is the footprint of C.
A branching process which is a bijection when restricted to min(O 1 ), and such that λ 1 = λ 2 f . Any finite Petri net Σ = (P, T, F, m 0 ) has a unique branching process which is maximal with respect to the prefix relation. This maximal process, called the unfolding of Σ, will be denoted by unf(Σ) = ((B, E, F ), λ), where λ is the morphism from (B, E, F ) to (P, T, F ) [15].
A run is the subnet of an unfolding that is induced by a configuration. A run is maximal if the corresponding configuration is maximal.
Example 4. In Fig. 1, unf(Σ) is the unfolding of Σ. A maximal run of unf(Σ) is the subnet such that: the set of events is the configuration and F is the flow relation on unf(Σ) restricted to the elements in B 1 ∪ C 1 . The footprint of C 1 is λ(C 1 ) = {f, c, e, h}.

III. INFORMATION FLOW BETWEEN TRANSITIONS OF A PETRI NET
Consider a concurrent system which has two distinct kinds of actions: high (hidden) and low (observable). The high actions are confidential, whereas the low ones are not. It is important that an attacker or an observer with no authorisation cannot deduce information about the high actions. Noninterference formally guarantees that this kind of information flow does not happen, so that the system is secure. Petri nets can model concurrency, conflict and causal dependency. However, these are not the only meaningful logical relations between transitions of a Petri net when informationflow security is considered. Two transitions which are not related to each other in terms of above mentioned relations can still be related in the sense that the occurrence of one gives information about the occurrence of the other. For example, the occurrence of an observable transition might imply the occurrence or nonoccurrence of a hidden transition, endangering information-flow security.
In [36] reveals, extended-reveals and excludes relations were introduced for the transitions of a Petri net with the aim of modelling information flow in concurrent systems. A number of noninterference notions were defined by means of reveals and excludes relations providing different levels of security guarantees. Below we recall these relations. For all, we assume progress of the system, i.e., an enabled transition either fires or gets disabled by another transition that is in conflict.

A. REVEALS RELATION
The reveals relation was originally introduced for events of an occurrence net in [37]. In [38] the authors applied it in the field of fault diagnosis. In [36] reveals relation is redefined for the transitions of a 1-live Petri net in order to express positive information flow. In this paper we only consider 1safe nets but reveals relation between transitions is actually defined without any restriction on safeness.
We say transition t 1 reveals transition t 2 if each maximal configuration which contains an occurrence of t 1 also contains at least one occurrence of t 2 . This means that, from the occurrence of t 1 , we can deduce that t 2 has already occurred or will occur inevitably. In other words, the occurrence of t 1 implies the occurrence of t 2 either in the past or in the future. It can violate security if a low transition reveals a high transition.
Definition 1. Let Σ = (P, T, F, m 0 ) be a 1-safe Petri net, C max the set of all its maximal configurations and t 1 , t 2 ∈ T be two transitions. Then Reveals is a reflexive and transitive relation. However, it is neither symmetric nor anti-symmetric. In some cases, one transition alone does not give much information about the occurrence of another transition, however, the occurrence of a set of transitions might give information about the occurrence of others. For example, the occurrence of all the transitions in set W can imply the occurrence of some transitions in set Z. This relation was originally defined in [39] for the events of an occurrence net and used in the field of fault diagnosis. Later the relation was expressed in terms of the transitions of a Petri net [36], and used to analyse noninterference for information-flow security. Depending on the chosen noninterference notion, it can violate security if a group of low transitions extended-reveals a group of high transitions.
Definition 2. Let W, Z ⊆ T and C max be the set of all maximal configurations. Then W extended-reveals Z, denoted Extended-reveals relation is reflexive and nontransitive. It is neither symmetric nor anti-symmetric. The reveals relation VOLUME 4, 2016 Similarly, both f and g reveal d but d reveals neither f nor g. However, the occurrence of d implies that either f or g will occur inevitably. This can be expressed by the extended-reveals relation, i.e., {d} {f, g}.

C. EXCLUDES RELATION
Excludes relation was also introduced in [36] for transitions of a 1-live Petri net in order to express negative information flow. In this paper, we focus on the case of 1-safe Petri nets. Two transitions exclude each other if they never occur in the same run. This means that the occurrence of one implies nonoccurrence of the other. Depending on the chosen noninterference notion, it can violate security if a low transition excludes a high transition.
Definition 3. Let Σ = (P, T, F, m 0 ) be a 1-safe Petri net, C max the set of all its maximal configurations and let t 1 , By definition, excludes is a symmetric relation. It is neither transitive nor reflexive. Moreover, it does not coincide with the conflict relation. Transitions which are in conflict at a reachable marking can still appear in the same maximal run, so they may not exclude each other.
Example 7. In the net in Fig. 1, b is in conflict with c, however, the two transitions are not in exclude relation, since there is a maximal configuration with footprint {a, b, c, e, d, g}. In the same net, f ex b, since a maximal configuration displaying f has either {f, c, e} or {f, c, e, h} as footprint.

IV. MAXIMAL-STEP SEMANTICS ON PETRI NETS
In Section II we have given the definition of maximal step: a set of conflict-free transitions, all enabled at a marking m.
Transitions belonging to a step can fire concurrently without interfering with one another.
The behaviour of a Petri net is commonly expressed by means of its marking graph, which displays the firings of single transitions. In some applications, however, the so-called maximal-step semantics is used. Here, the set of reachable markings is computed by firing only maximal steps.
For general 1-safe Petri nets, the two semantics produce different sets of reachable markings; more precisely, any reachable marking under the maximal-step semantics is also a reachable marking for the ordinary semantics, but not vice versa. For example, in Fig. 1 the marking {2, 3} is not reachable for maximal-step semantics, but it is reachable under the ordinary semantics. This difference has a counterpart on the set of runs of the unfolding of a net: some maximal runs of the unfolding of a net system are not maximal when considering maximal-step semantics.
For free-choice nets, it is still true that the sets of reachable markings differ, but the sets of maximal runs in the unfolding coincide, as shown below.

A. THE TREE OF MAXIMAL-STEP COMPUTATIONS
In this section we define a tree structure that represents all computations of a free-choice net Σ according to maximalstep semantics. We show that this model is semantically equivalent to the unfolding for free-choice nets (this does not hold for more general classes of Petri nets).
The equivalence of semantics is a corollary of the following lemma. Proof. Suppose that t is not enabled at m. Then the pre-set of t can be split in two disjoint subsets, A and B, with A ⊆ m and B ⊆ V • . In words, an input place of t either belongs to m or is marked by a transition in V . All places in B belong to m 1 . Suppose that there is a place p in A which is not in m 1 . Then, there must be a transition t 2 in U \ V which takes the token from p. Then t and t 2 have a common input place; since the net is free-choice, this implies that t is enabled at m, contradicting the hypothesis. The proof is illustrated in Fig. 3 The tree of maximal-step computations of Σ (msct(Σ)) is a labelled tree, defined inductively. Each node is associated to a B-cut of unf(Σ) and each arc is labelled by an E-cut of unf(Σ) which corresponds to a maximal step of Σ.  V occurs is a node of the tree, and a child of γ; The edge between γ and γ ′ is labelled with V . • Nothing else is a node of the tree.
A path in the msc −tree from a node γ 0 is a sequence of nodes, γ 0 γ 1 · · · such that, for each i > 0, γ i is a child of γ i−1 . A path is maximal in S if it starts from the root and cannot be extended. Given two finite paths π 1 = γ 0 γ 1 ...γ n and π 2 = γ n γ n+1 ...γ m such that the last node of π 1 is equal to the first node of π 2 , we define their concatenation as the path π 1 · π 2 = γ 0 γ 1 ...γ m . The tree induces a partial order between its nodes and arcs. Let γ 1 and γ 2 be two nodes of the msc −tree. γ 1 < γ 2 iff there is a path π = γ 1 ...γ 2 starting in γ 1 and ending in γ 2 .
In msct(Σ) each path π starting from the root is associated to a configuration of unf(Σ); the configuration is obtained by taking the union of the labels of the arcs along the path. Clearly this is a configuration as defined in Section II, and will be denoted by conf(π). λ(conf(π)) denotes the footprint of the path π.
The correspondence between paths and configurations is not bijective, since a configuration can include only some of the events forming a maximal step at a given B-cut. However, the correspondence is bijective for maximal paths and maximal configurations, as stated in the following.
Proof. Let C be a maximal configuration of unf(Σ). The set of events in C inherits from unf(Σ) a partial order. Let C 1 be the set of minimal elements of this partial order; then C 1 is an E-cut, a maximal step enabled at the initial B-cut of unf(Σ), corresponding to a maximal step enabled at the initial marking of Σ; let γ 1 be the B-cut reached by firing the events in C 1 . In msct(Σ) there is an arc, labelled by C 1 , from the root to the node corresponding to γ 1 . Now take the minimal elements in C \ C 1 ; these events form a maximal step enabled at γ 1 , leading to a B-cut γ 2 , and there is a corresponding arc in msct(Σ), from γ 1 to γ 2 . By iterating this procedure, we construct a path of msct(Σ). The maximal configuration C can be decomposed into a (possibly infinite) sequence of steps C 1 C 2 · · · , giving a maximal, corresponding path in msct(Σ).
Let now π be a maximal path in msct(Σ). By construction of π, the union of the arc labels along π is a configuration of unf(Σ). Let conf(π) be this configuration, and suppose conf(π) is not maximal; then, there is an event e which is not in conf(π), and such that conf(π) ∪ {e} is a configuration. Then e cannot be in conflict with any event in conf(π). There must be a cut γ, associated to a node of msct(Σ), such that e is enabled by γ, and γ is the first cut enabling e along π. Let H be the step labelling the arc going out of γ along π. Since no event in H is in conflict with e, H ∪ {e} is a step at γ, contradicting maximality of H.
The initial marking of the net is {1}. In the unfolding, it corresponds to min(unf(Σ 1 )), which is the B-cut consisting of a condition labelled by 1 1 . In the tree, it corresponds to the node labelled by 1 1 which is also the root of the tree. At the initial marking, transitions a and b are enabled. Firing of b leads the system to a deadlock. We can see a maximal configuration in the unfolding and a maximal path in the tree representing the occurrence of b. The firing of a from the initial marking leads the system to marking {3, 4}. This marking is represented in the unfolding as a B-cut and it is represented in the tree as a node labelled by 3 1 , 4 1 . In the unfolding, c 1 and d 1 are two concurrent events which can occur in any order. In case c 1 occurs first, {5 1 , 4 1 } is reached. In case d 1 occurs first, {3 1 , 6 1 } is reached. Occurrence of both of these events leads to {5 1 , 6 1 }. In the tree, only the maximal steps are considered, so c 1 , d 1 occur together and the node {5 1 , 6 1 } is reached. There are no correspondences of the Bcuts {5 1 , 4 1 } and {3 1 , 6 1 } in the tree.
Although some reachable markings are not represented in the tree, each maximal configuration of the unfolding correspond to a maximal path in the tree and vice versa.
Lemma 2 does not hold in general for the nets that are not free-choice.
Example 9. The net in Fig. 1 is not free choice, because In the initial marking, the maximal steps are {a, c} and {f, c}, therefore, by considering only maximal steps we would assume that c must belong to all the maximal configurations of the unfolding. This is not true, since there is a maximal configuration with footprint {a, b, d, g}, in other words, there exist a maximal configuration in which c is not in the set of labels.

B. SOME NOTATION FOR MAXIMAL-STEP COMPUTATION TREE
In the following we will introduce some msc-tree related notations which then will be used throughout the rest of the paper. In all the following items, A will denote a msc-tree, or any sub-tree of it.
• Π A is the set of all the maximal paths of A.

C. A FINITE PREFIX OF MAXIMAL-STEP COMPUTATION TREE
We now define a finite prefix of msct(Σ), which contains the information needed to determine the whole reveals relation in Σ. The prefix is built starting from the root, and adding nodes along a path until we meet a B-cut γ such that λ(γ) = λ(γ ′ ), for some γ ′ on the path between the root and γ.
Definition 5. Let Σ be a 1-safe free-choice net. The full prefix of msct (Σ), denoted fp(Σ), is a labelled rooted tree defined by the following clauses.
Given a leaf l of the full prefix, let rep(l) denote the ancestor of l corresponding to the same marking. If l corresponds to a deadlock, then rep(l) is undefined.
Example 10. In Fig. 4, the border of the full prefix is shown via a dashed line. The corresponding part of the unfolding is drawn in black whereas the rest is drawn in pale grey.
The nodes of the tree which correspond to deadlocks are in bold black. If the leaf does not correspond to a deadlock, then it corresponds to a marking which is already reached in the same path before. The two corresponding nodes are drawn in the same colour. For example, the path in which a 1 , c 1 , d 1 , f 1 , h 1 occur reaches the marking {3, 4} twice. This path is maximal in the full prefix. In total, there are four maximal paths in the full prefix of msct(Σ 1 ). In the following sections we will show that all the reveals and excludes relations of the net Σ 1 can be computed on the full prefix.
The full prefix of a msc-tree of a Petri net can be constructed on the basis of Definition 4 and Definition 5. Note that this construction can be done directly from the Petri net without resorting to the unfolding. Proof. Since the number of transitions is finite, for each node the number of children is finite. Let n be the total number of reachable markings in the net, no path of the tree can have more than n + 1 nodes without reaching a marking that was already visited.
Lemma 5. For each maximal path π of a msc-tree, there is a maximal path π ′ of its full prefix, such that π ′ is a prefix of π.
Proof. Let π be a maximal path of an msc-tree and γ be the last node of the intersection between π and the full prefix. γ cannot have any child in the prefix, otherwise one of them should also be in the intersection, since by definition, if γ is not a leaf, all the children in the msc-tree are also in its full prefix. Hence γ must be a leaf, and the path from the root to γ is maximal in the prefix.
Next, we describe an operation involving both msc-tree and full prefix, that is at the core of the main results of this paper. In particular, it will allow us to show that the full prefix gathers enough information to directly determine some of the information flow in the system. It is fundamentally adapted from [38] to the structures here at stake. Informally, the idea is that whenever a path contains two nodes representing the same marking, then we may obtain a new path by collapsing the whole segment between these two nodes to a single node representing that marking.
Definition 6 (Peeling). Let A be a msc −tree. We define a function peel : Π A → Π A . Given a maximal path π of A, peel(π) is called the peeling of π.
In terms of Petri nets, such a path π is nothing but a run which may cycle back to some previously visited marking.
Then peel(π) and π corresponds to the same run but for skipping the cycle altogether. Lemma 6. Let Σ be a free-choice Petri net and fp(Σ) the full prefix of msct(Σ). For each node γ in msct(Σ), there is at least a node γ ′ in fp(Σ) such that λ(γ) = λ(γ ′ ).
(2) γ ′ follows two cuts γ 1 and γ ′ 1 with λ(γ 1 ) = λ(γ ′ 1 ). In this case, we can repeat the peeling procedure until a node associated with γ is in fp(Σ). This will happen in a finite number of steps, since each time the number of nodes between the node associated with γ and the root decreases.

Remark 1.
If γ is not a deadlock, at least an occurrence of γ ′ as described in Lemma 6 is an internal node. In order to see it, we can observe that if γ ′ is a leaf and it is not a deadlock, then there is another node in fp(Σ) preceding γ ′ and associated to the same marking by construction.
A consequence of Lemma 6 is that at least an occurrence of all the transitions in Σ appears in fp(Σ): let t be a transition in Σ, an occurrence of t must appear also in msct(Σ). Let γ be a node in msct(Σ) and V the label of an outgoing arc from γ such that t ∈ λ(V ); by Lemma 6, there is a node γ ′ in fp(Σ) corresponding to the same marking, and an outgoing arc from γ labelled with V ′ , such that λ(V ) = λ(V ′ ).
We now define an extension operation on finite paths.
Definition 7. Let π = γ 0 γ 1 ...γ n be a finite path in the msctree A, and L be the full prefix of A. For each internal node γ ∈ L such that λ(γ) = λ(γ n ) and for each π ′ ∈ Π Lγ , we define the extension of π through π ′ as the function ext(π, π ′ ) = π · π ex , where π ex is the path with first node γ n and such that π ex ≃ π ′ .
The existence of π ex in Definition 7 is a direct consequence of Lemma 3. The extension operation allows us to state another property of the full prefix, that establish a relation between its paths and the paths of the msc −tree. This is expressed by the following lemma.
Lemma 7. For each π finite path in the msc −tree, if π is not contained in fp(Σ), then we can find a path including it, by starting from a maximal path of the full prefix and applying recursively the extension operation.

VOLUME 4, 2016
The result of the previous Lemma applies also to infinite paths when considering the limit of applying recursively the extension operation. This means that we can extract all possible system behaviour under maximal-step semantics from the full prefix.

V. INFORMATION-FLOW ANALYSIS ON THE FULL PREFIX
In this section we study the relations that are recalled in Section III on the full prefix. We show that the full prefix is an adequate basis for computing these relations and so it can be used to verify information-flow security with the noninterference notions introduced in [36].

A. COMPUTING REVEALS ON THE FULL PREFIX
Let a and b be two transitions of Σ, we say that a reveals b if and only if each maximal configuration which includes an occurrence of a also includes an occurrence of b (see Definition 1). This is directly translated to the following due to the equivalence of maximal configurations of an unfolding and maximal paths of the corresponding msc-tree. a reveals b if and only if each maximal path of msct (Σ) which includes an occurrence of a also includes an occurrence of b. In other words, let A be msct (Σ), a ▷ b iff Π a A ⊆ Π b A . In the following example, we study the reveals relation among transitions of a Petri net on the full prefix of its msctree.
Example 11. In Fig. 4, in the net Σ 1 , a reveals both c and d. Similarly, h reveals a, c, d and f . In fact, each maximal path of the full prefix of msct(Σ 1 ) that contains a also contains c and d. And each maximal path of the full prefix which contains h also contains a, c, d and f . Looking at the other direction, we see that each maximal path of the full prefix which contains e also contains d and in fact e reveals d in the net system. However, the converse is not true. There is a maximal path of the full prefix which contains d but does not contain e (namely the maximal path which ends with node {3 2 , 4 3 }) and in fact d does not reveal e in the net system.
Next, we prove that, for 1-safe free-choice nets, the full prefix is enough to compute the reveals relation. In other words, if a ▷ b in Σ, then each maximal path of fp(Σ) which has an occurrence of a also has an occurrence of b and vice versa.
Theorem 1. Let Σ = (P, T, F, m 0 ) be a 1-safe free-choice Petri net, a, b ∈ T , A be the msct(Σ), and L be its full prefix, Let ρ be a maximal path in L such that ρ ∈ Π a L and ρ ̸ ∈ Π b L . If λ(leaf(ρ)) is a deadlock the conclusion is trivial because ρ is a maximal path in A. Otherwise, rep(leaf(ρ)) exists in ρ, and we can extend infinitely many times ρ with an isomorphic copy of the segment between rep(leaf(ρ)) and leaf(ρ). This procedure produces a maximal path in A with the same labels of ρ, therefore without occurrences of b.
We now suppose that Π a A ⊈ Π b A and we show that Π a L ⊈ Π b L . The proof proceeds with an iterative procedure meant to find a maximal path of the prefix with an occurrence of a and no occurrence of b, thus showing that a does not reveal b in L. Informally, this procedure constructs, at each step, a maximal path of A with an occurrence of a and no occurrence of b, in such a way that the number of elements in the past of its first occurrence of a is reduced at each step. Since there can only be finitely many such elements, the procedure will reach a maximal path of L containing an occurrence of a but not of b, in a finite number of steps.
By hypothesis, there is a maximal path ρ ′ ∈ Π A : ρ ′ ∈ Π a A ∧ ρ ′ ̸ ∈ Π b A . By Lemma 5, there is ρ ∈ Π L that is a prefix of ρ ′ . Note that ρ has no occurrence of b -otherwise, so would ρ ′ -, and so if it has an occurrence of a, then ρ ∈ Π a L and ρ ̸ ∈ Π b L . Now, suppose that a does not occur in ρ, and γ f = leaf(ρ). If γ f were a deadlock, we would necessarily have that ρ = ρ ′ , but this is a contradiction, since a occurs in ρ ′ and not in ρ. Then rep(γ f ) is defined, there is only a finite number of elements in ρ ′ which are in the past of a, and at least one of these must be found between rep(γ f ) and γ f , not to contradict maximal-step semantics. The path ρ ′′ = peel(ρ ′ ) is maximal in A, and by Lemma 5, there is a maximal path ρ 1 ∈ Π L which is a prefix of it. Clearly, b does not occur in ρ ′′ or ρ 1 , and so if a occurs in ρ 1 we reach the desired conclusion. Otherwise, consider leaf(ρ 1 ). Clearly, it is not a deadlock, and by construction, rep(leaf(ρ 1 )) is defined. Since the number of elements between the root and the first occurrence of a in ρ ′′ is strictly less than that between the root and the first occurrence of a in ρ ′ , we may iterate the procedure by finding prefixes ρ 2 , . . . , ρ n with no occurrences of b, until eventually ρ n will have an occurrence of a, for a finite n.
With the above proof, we conclude that all the reveals relations among the transitions of Σ can be found by computing the footprints of the maximal paths of fp(Σ) and checking for the corresponding labels among them. Note that maximal paths of fp(Σ) are finite, whereas maximal configurations of the unfolding are in general infinite.

B. COMPUTING EXCLUDES ON THE FULL PREFIX
Let a and b be two transitions of Σ, we say that a excludes b (or b excludes a by symmetry of the relation) if, and only if, no maximal configuration of unf(Σ) has both an occurrence of a and of b (see Definition 3). Due to the equivalence of maximal configurations of an unfolding and maximal paths of the corresponding msc-tree, this is directly translated to the following: a excludes b if, and only if, no maximal path of msct (Σ) displays both a and b. In other words, let A be msct (Σ), a ex b iff Π a A ∩ Π b A = ∅. In the following example, we will study the excludes relation among transitions of a Petri net on the full prefix of its msc-tree.
Example 12. In the net in Fig. 4, b excludes all the other transitions of the net. By symmetry of the excludes relation, each transition (except b itself) excludes b. These are the only excludes relations in the net. Now let us examine the full prefix, fp(Σ 1 ), and consider the transitions a and b. The initial node corresponds to the marking (1). From the initial node we can either continue with an occurrence of a or an occurrence of b (and these are the only occurrences of a and b in fp(Σ 1 )). None of the maximal paths of fp(Σ 1 ) has occurrences of a and b together. However, we cannot conclude a excludes b by looking at the maximal paths of the full prefix. We need to make sure the maximal paths of the msct (Σ 1 ) don't have the two transitions together. To do this, we do not need to construct the whole tree. We can use the full prefix as a basis to decide excludes in a finite number of steps. This procedure is formally defined later in this section.
The maximal path of fp(Σ 1 ) with the occurrence of b ends in a deadlock so it is maximal in the msct (Σ 1 ) as well. It is clear that after the occurrence of b, a cannot occur. Now we need to check if b can occur after a does. We can extend the paths by gluing the nodes corresponding to the same marking. In this way, we can build maximal paths of msct Σ 1 . For example, in the maximal path in which a, {c, d}, f, and h occur (let's call it π 1 ), the blue nodes correspond to a repeated marking, namely {3, 4}. So, π 1 can be extended in many different ways by gluing the blue nodes and repeating the gluing operation on different repeated marking pairs. It can be extended to a maximal path in which only a, c, d, f, h, occur. It can be extended so as to also have occurrences of either e or g or both. But none of the continuations can have an occurrence of b because the marking which enables b can never be reached during this operation. So, we can conclude a excludes b. Now let's consider the transitions f and h. We can easily see that there is a maximal path of fp(Σ 1 ) in which both occur, namely π 1 . So we can decide f does not exclude h on the full prefix, without any further computation.
If we look at the transitions e and g, we can see that the maximal path of fp(Σ 1 ), in which e occurs, ends in a node corresponding to the marking {5, 6}, which is repeated in the path. So the path can be extended so that after e occurs, g does as well. This path witnesses that e does not exclude g.
In the following we present a finite algorithmic procedure to check whether a excludes b on the full prefix of the msc-tree; the pseudocode of this procedure is presented in Algorithm 1. Theorem 2 then proves the correctness of the algorithm.
Algorithm 1 takes the full prefix L and two transitions a, b ∈ T as input. During its execution, it checks whether there can be an occurrence of b following or being in the step label as an occurrence of a, in any path of the msc-tree. If this is the case, the algorithm returns false, and the procedure terminates. Otherwise, it returns true. In this second case, in order to determine whether a ex b, Algorithm 1 must be repeated by exchanging the roles of a and b, so as to check the case in which an occurrence of a follows an occurrence of b. If the algorithm also returns true in this case, we conclude that a ex b.
Next, we discuss the pseudocode as presented in Algorithm 1. The reasoning is analogous when the roles of a and b are exchanged.
First, the algorithm checks whether there is any maximal path in the full prefix L with both a and b. If a does not exclude b on the prefix, then it will certainly not exclude it on the whole tree. Otherwise, we compute the set sup of nodes following an occurrence of a and such that for each γ i ∈ sup, there is no γ j < γ i following an occurrence of a. Until sup is empty, the function extract removes an arbitrary element from sup and assigns it to x. For each x, we consider the set leaves(x) of the leaves in L x , and we compute the minimum element of the set ({rep(l) : l ∈leaves(x)\ checked} ∪ {x}). This element, denoted by m is unique, as proved in Lemma 8. If the returned node m is different from x, then we check whether b occurs in L m . If it does, a does not exclude b. Otherwise, we remove from sup all the nodes i such that m < i, and we mark all the leaves over x as checked. In the next steps we will not need to visit these leaves again. When sup is empty we can conclude that there cannot be any occurrence of b following an occurrence of a.
Lemma 9. The procedure described in Algorithm 1 is finite.
Proof. If Π a L ∩ Π b L ̸ = ∅ then the algorithm immediately terminates. Else, the procedure terminates when the set sup is empty. Let n be the number of leaves in L, then initially n 0 = |sup| ≤ n. At every iteration, at least one element x of sup is removed, and possibly an element i < x is added. Hence, after a general iteration |sup| ≤ n 0 . For each x ∈ sup, the number of elements i : i < x is finite, therefore after a finite number of steps there is no element left that can be added to sup, and k = |sup| ≤ n 0 . When this point is reached, after at most k iteration the procedure terminates. Proof. The procedure ex(L, a, b) checks whether some path of L containing an occurrence of a can be extended to a path of A containing an occurrence of b, and returns false in that case. It is then required to check ex(L, b, a) symmetrically, to ensure that no path of A contains both a and b.
We first assume that either ex(L, a, b) or ex(L, b, a) return false. If Π a L ∩ Π b L ̸ = ∅, then Π a A ∩ Π b A ̸ = ∅ as an immediate consequence of Lemma 5.
We assume that Π a L ∩Π b L = ∅, and we can suppose, without loss of generality, that ex(L, a, b) = false, the other case being symmetric with respect to a and b. Since Π a L ∩Π b L = ∅, there must be an m such that b ∈ L m .
At every iteration of the while loop, the initial segment of a path of A is considered, with at least an occurrence of a and such that its final node is isomorphic to m. It then considers all its possible extensions with segments isomorphic to those in L m . Only if some of these extensions include b the algorithm returns false, therefore some path of A has an initial segment containing occurrences of both a and b, so Π a A ∩ Π b A ̸ = ∅. We now assume that π ∈ Π a A ∩ Π b A ̸ = ∅, and that the algorithm returns true, to derive a contradiction.
If a and b occur in π |L , the algorithm returns false in the first conditional statement. We consider the case in which a or b do not occur in π |L . As a consequence, and by Lemma 6, there cannot be any arc in π with occurrences of both a and b. Without loss of generality, we can assume that the first occurrence of a precedes the first occurrence of b in π. We may also suppose that a occurs in π |L . Otherwise, we can successively peel π until a occurs in the prefix. We also assume that there are n nodes between γ 0 = leaf(π |L ) and the first occurrence of b. Let π 0 = π |L , and suppose that for 0 ≤ j, π j is an initial segment of π with an occurrence of a, but none of b. Suppose that leaf(π j ) is isomorphic to some leaf γ j of L, and note that if it were a deadlock, we would have π j = π, so b would occur in π j . Then rep(γ j ) must be well-defined. Furthermore, by Lemma 3, L rep(γj ) is isomorphic to some prefix of A leaf(πj ) , so we may define π j+1 to be the initial segment of π, obtained by extending π j with a maximal path of L rep(γj ) . Then π j+1 still contains an occurrence of a, and its final node is isomorphic to some leaf γ j+1 of L. Next, we show that b cannot occur in π j+1 .
Let m be as in Algorithm 1, it follows from its definition, and Lemma 8, that L rep(γj ) ⊆ L m . Since by assumption, the algorithm does not return false, there is no occurrence of b in L m , and so no occurrence of b can appear in L rep(γj ) . Hence b cannot occur π j+1 . Let k ≥ n, we just showed by induction that b does not occur in π k , but it must have at least n nodes after γ 0 , and since it is a prefix of π, it must have an occurrence of b. This is a contradiction, so either Π a A ∩ Π b A = ∅ or the algorithm returns false.
In the next section, we will present a more general algorithm, that also allows for checking the excludes relation. In order to justify that Algorithm 1 is in general a better option, we here provide a means of comparing the two solutions.
During the first if, Algorithm 1 analyses all the arcs of the tree exactly once. In the while loop, the algorithm crosses each arc at most once. Indeed, an appropriate implementation of the condition b ∈ L m would not require to check the arcs of a sub-tree that has already been analysed. As discussed above, in order to determine whether a ex b, the while loop must be run twice, therefore the algorithm will check at most 3 * |L| arcs. In order to determine excludes for all the pairs of transitions, this analysis must be repeated for all the |T | * |T −1| pairs of distinct transitions, for an overall upper bound of 3 * |L| * |T | * |T − 1| arcs to be checked.
It will be shown, in the next section that Algorithm 2 would require, in the same conditions, to perform at least |L| + w * 2 |T | * |L| visits to the nodes of L, where w is the number of leaves of L which are not deadlocks. Therefore, it is in general more convenient to use Algorithm 1 when only the excludes relation needs to be checked.

C. COMPUTING FOOTPRINTS OF MAXIMAL RUNS
So far, we have considered information flow among two chosen transitions of a Petri net. The reveals and excludes relations determine if it may be inferred from the observation of one transition whether the other occurs, or does not occur in the same maximal run. In this section, we consider extensions of these concepts to subsets of transitions.
A natural way of extending information-flow analysis among the transitions of a Petri net, when it comes to information-flow security, is to determine whether observing a set of transitions causes an unwanted information flow about another set of transitions. Extended-reveals relation models such information flow (see Definition 2).
A general approach to check extended-reveals requires to determine the footprints of all runs of the system. Given a Petri net Σ, the footprint of a maximal configuration C of unf(Σ) is the set of transitions that can be observed through the corresponding run, i.e., λ(C). Thanks to the bijection between maximal configurations of the unfolding and maximal paths of the msc-tree, let S be the set of labels found on the edges of a maximal path of the msc-tree, λ(S) is the footprint of the corresponding maximal run of the system, and each such footprint can be retrieved in this way.
Furthermore, the set of footprints of all maximal paths of a msc-tree can be computed from its full prefix. This is made possible by two key features. First, any path of the msc-tree can be reconstructed solely with the information provided by its full prefix. This is enabled by the following properties: (a) all reachable markings of a msc-tree are represented in the full prefix; (b) each maximal path of a full prefix which does not end in a deadlock ends in a node corresponding to a marking which is repeated in that path; and (c) the sub-trees of msct(Σ) whose roots correspond to the same marking are isomorphic. Second, since the set of labels of the system is finite, there are only finitely many possible footprints of runs. Then only a finite collection of maximal paths needs to be explored, making sure that each possible footprint is represented in the collection. Furthermore, only a finite prefix of each such path needs to be explored, if we make sure that it displays all labels that will eventually occur along the path. These notions are formalised in the following lemma.
This lemma provides a stop condition for an exploration of the msc-tree A, with the aim of finding footprints. Implication b) provides a bound to the number of maximal paths that need to be effectively visited, whereas a) lets us know when to stop exploring a path.
Algorithm 2 simulates such an exploration of A, in recursive depth first, by successively exploiting Lemma 3 to explore sub-trees of the full prefix L.
We suppose that the full prefix L is implemented thanks VOLUME 4, 2016 to the structure msct_node. Aside from the field children, standard in a tree structure, each node γ gathers the following information. γ.m is the marking λ(γ) corresponding to the interpretation of γ as a B-cut. Recall that each arc (γ p , γ) of the tree is labelled with the set of events V corresponding to the step it represents. We suppose to have stored the labelling of this step λ(V ), which is a set of transitions of the net system, in the variable γ.Λ. When γ is a leaf of the prefix which is not a deadlock, then rep(γ) is a well-defined node of the prefix, and γ.ancestor stores a pointer to that node. Finally, we need an additional field γ.seen that is required for Algorithm 2 to terminate. It shall be initialised to ∅ and will accumulate a collection of partial footprints.
Proof. f is a recursive function that simulates a depth first exploration of A on its full prefix L. In order to formalise this, we will say that a pair (γ ′ , c) ∈ L × 2 T simulates a node γ of A whenever λ(γ) = λ(γ ′ ), and c = λ(C(γ)). Note that since L ⊆ A, out of Lemma 3 it holds that A γ ′ ≃ A γ whenever (γ ′ , c) simulates γ, independently of c.
First, we show that for each call f (γ ′ , c), there is a node γ simulated by (γ ′ , c). Indeed, the initial call f (γ r , ∅) satisfies that λ(C(γ r )) = ∅. Now suppose that we enter the body of the function from a call f (γ ′ , c) where (γ ′ , c) simulates some γ of A. Further recursive calls are performed either if γ ′ is not a leaf of L, or when γ ′ is a leaf which is not a deadlock.
Next, we show that each call f (γ ′ , c) returns a set containing only footprints of maximal paths of A. In fact, it returns the footprints of all maximal paths of A which contain a node γ simulated by (γ ′ , c), unless these footprints are already returned at a previous call f (γ ′ , c). Note in the function body, that the only return statement concerns the variable value, which is set to ∅ at the beginning of the call. We may suppose that all recursive calls inside the body are effectively returning a set containing only valid footprints.
We distinguish two cases, either γ ′ is a leaf of L or not. If it is not, then the algorithm will enter a for loop, at each iteration of which the content of the variable value will be extended with whatever is returned by a recursive call to function f . Thus, by hypothesis, only valid footprints are added to the contents of value.
If γ ′ is a leaf of L, which is not a deadlock, and such that c / ∈ γ ′ .seen, then the same argument applies. If c ∈ γ ′ .seen, variable value gets the singleton {c}. In this case, c must have been added to γ ′ .seen in a previous call f (γ ′ , c), and so there are two nodes γ 0 , and γ 1 of A, both simulated by (γ ′ , c).
Suppose there is a maximal path of A which contains both γ 0 and γ 1 , then we are in the conditions of Lemma 10. By 10.a), c must be the footprint of some maximal path of A. Note that in this case, the simulated visit to γ 1 must return before that to γ 0 does, and so the values to be returned by the latter depend on those returned by the former. However, from 10.b) we may deduce that if the footprint of a maximal path containing γ 1 is different from c, then it is returned by the first call f (γ ′ , c), independently from the second. Indeed, for each such path, there is a path with the same footprint containing γ 0 , but not γ 1 , so its footprint is computed without relying on the second call. Hence, c is the only footprint to be returned by the second call, which is not redundant with those returned by the first.
If on the contrary, there is no maximal path of A containing both γ 0 and γ 1 , then by the second call, the first call f (γ ′ , c) must have already returned and so there must have been an intermediary call f (γ ′ , c) simulating a visit to a node γ 2 , such that there is a maximal path of A containing both γ 0 and γ 2 . Then conditions of Lemma 10 apply to γ 0 and γ 2 , and by the previous argument, the first call has returned the footprints of all maximal paths of A containing γ 0 . Since by Lemma 3, A γ0 ≃ A γ1 , then a maximal path of A containing γ 1 has a given footprint if and only if A has a maximal path containing γ 0 with the same footprint. Furthermore, by concatenating infinitely many isomorphic copies of the segment with initial node rep(γ ′ ) and final node γ ′ to the path leading to γ 1 , we obtain a maximal path of A whose footprint is precisely c.
The case in which γ ′ is a leaf of L which is a deadlock remains. But we have seen that (γ ′ , c) simulates some γ of A, and since A γ ≃ A γ ′ , then γ must be a deadlock as well. Hence c = λ(C(γ)) is the footprint of the finite maximal path ending at γ.
Finally, since L and T are finite, there are only finitely many pairs (γ, c) ∈ L × 2 T . Only the first time a call f (l, c) is performed, the size of the sub-tree of A whose exploration is simulated increases, and always by at most the size of the full prefix. Then if w is the number of leaves of L which are not deadlocks, the size of the explored sub-tree is at most |L| + w * 2 |T | * |L|. This value is an upper bound to the total number of calls to f , which ensures termination.
This proof concludes that the footprints of maximal runs of a system can be computed on its full prefix in a finite number of steps. This enables us to identify all the extendedreveals relations among transitions by looking for labels in the computed footprints.

VI. EXAMPLES
In this section we discuss some simple application scenarios in which our approach is meaningful. Our objective is twofold. On the one hand, we indicate some directions for the development of effective applications. On the other hand each scenario is chosen so as to underline a feature of the methods we have proposed. Although reveals and excludes relations are defined and studied mainly for information-flow security, we do not limit our discussions with that and we include some further discussions on the use of our methods for verification of other properties like system reliability and conformance.

A. THE DINING CRYPTOGRAPHERS
The notions of information flow we have studied in this paper allow for expressing security requirements in a very natural way. Indeed, either in systems or communication protocols, reveals and excludes relations allow one to determine whether a system is free from information flow, i.e., no information can be achieved about occurrence of the hidden actions by observing the public actions. The following example displays such a situation, in which security specifications can be checked as proposed in this work. We rely on an example developed in [40] and [41], in which the authors study a variant of the dining cryptographers protocol. Here we provide a 1-safe free-choice net modelling the protocol, and apply our methods to verify its conformance to the security specifications.
The two cryptographers Anne and Bob enjoy a meal at the restaurant. When they ask for the bill, they are informed that it has already been paid. They want to know whether one of them or the NSA paid, but in case one of them paid, they do not want their neighbour Eve to discover who. To this aim, they perform a protocol to exchange information in a secure way. They toss two coins, visible to both of them, and they state their parity ('agree' if the coins show the same side, 'disagree' otherwise). Eve can hear whatever they say, but she cannot see the coins. If Anne paid, she will lie about the parity of the two coins, otherwise she will tell the truth. Bob will do the same. After this procedure Anne and Bob will know who paid the bill, whereas Eve will only be able to say whether one of them or the NSA paid. But if NSA did not pay, Eve will not be able to know who paid among Anne and Bob.
This protocol is modelled with the 1-safe free choice net in Fig. 6, where the msc-tree of the net and the legend of the labels of each transition are also presented. Below we examine the net with our techniques.
Example 13. The protocol must make sure (1) Eve is not able to determine who paid among Anne and Bob, (2) Anne and Bob are able to determine who paid.
The first requirement is a noninterference property. In the protocol, Eve can observe AdBa, AaBd, ABA and ABD. Everything else is hidden. We can verify the first requirement by checking whether the transitions that are observable to Eve reveal if Anne or Bob paid (AP and BP ). As discussed in Section V-A, by looking at the footprints of the maximal paths of the full prefix (which is actually the whole msc-tree in this case), we see that none of the mentioned transitions reveals AP or BP , e.g., AdBa ̸ ▷ AP , AdBa ̸ ▷ BP , etc. We see that no combination of the observable transitions appears in the same path, so it is not relevant to check whether any combination extended-reveals AP or BP . We can conclude that the first requirement is satisfied.
The second requirement is actually not a noninterference property but it is a property that the protocol must satisfy to ensure the required information is exchanged between Anne and Bob. This property can be expressed in terms of extended-reveals relation and can be verified by computing the footprints of the msc-tree as discussed in Section V-C. However, in this example there are no cycles and so the full prefix is actually the whole msc-tree. This means further computation is not required. The set of footprints of maximal paths of the full prefix and the msc-tree are the same. The protocol is finalised by one of the following transitions: AdBa, AaBd, ABA, ABD. All are observable. Nothing else is observable to Eve, but AP is observable to Anne while BP is observable to Bob. Looking at the footprints we deduce that ABA ▷ N P and ABD ▷ N P . We also see that {AdBa} {AP, BP } and {AaBd} {AP, BP }. This means that by observing AdBa or AaBd, the observer can deduce either Anne or Bob paid. So, while Eve is not able to understand who paid, when Bob pays, Anne understands and vice versa.
In this example, reveals and extended-reveals relations are used to verify that the protocol is free from positive infor-Legend of transitions AP/ BP/ NP Anne/ Bob/ NSA paid HH/CC the coins show two heads or two crosses HC one coin shows head, the other cross ALA/ BLA Anne/ Bob lies stating that the two coins agree ALD/ BLD Anne/ Bob lies stating that the two coins disagree ABA Anne and Bob state that the coins agree ABD Anne and Bob state that the coins disagree AdBa Anne states that the two coins disagree, whereas Bob states they agree AaBd Anne states that the two coins agree, whereas Bob states they disagree mation flow and that it ensures the information exchange. Negative information flow is not relevant in this example but it is a nice exercise to look for it. The only negative information flow is the following. Occurrences of ABA and ABD imply nonoccurrence of AP and BP , i.e., ABA ex AP , ABA ex BP , ABD ex AP and ABD ex BP . Since nonoccurrence of AP doesn't imply Bob paid (and similarly nonoccurrence of BP doesn't imply Anne paid), the secrets are still safe and this flow doesn't violate the security of the protocol.

B. A BUSINESS PROCESS MODEL
Free-choice nets are proven to allow efficient analysis of various properties [14], [42]. This is achieved by eliminating a certain kind of behaviour, namely interference of choice and synchronisation. This separation comes natural for majority of process models used in practice and hence makes this particular class of Petri nets suitable for modelling business processes [12]. Here we reason about the use of our methods in the fields of process mining and business process management. We foresee that our methods can be useful in the field for tackling two major aspects: (1) informationflow security analysis by computing reveals and excludes relations, (2) conformance check by the use of footprints for characterising possible runs of the system. We discuss our techniques on a simple example. The Petri net in Fig. 7 is adapted from a model in Chapter 2.3 of "Process Mining" book by Aalst [43]. The net models handling of compensation requests within an airline. A customer may place a request for various reasons. After a request, the ticket is checked and an inspection is performed in parallel. However, inspection can be in two different ways which is modelled via conflicting activities. Transition b and e model a critical inspection activity which is performed for suspicious or complex requests. Transition c and f model a casual inspection activity which is performed for regular requests. Decision is made only after ticket is checked and the inspection is performed. There are three possible outcomes of the decision: the requested compensation is paid, the request is declined or further processing is needed. In the first two cases the process is finalised. In the latter case the process returns to the marking {2, 3}.
Below we apply our techniques on the net in Fig. 7.
Example 14. The full prefix of the msc-tree of the net is included in Fig. 7. Thick black nodes indicate deadlocks whereas coloured nodes correspond to a marking which is repeated in a path. Looking at the footprints of the maximal paths of the full prefix, we can extract the reveals relations among the transitions. To start with, all the transitions reveal transition a. However, this is not a security concern. In fact, reveals relation raises an information-flow security concern only when an observable (low) transition reveals a secret (high) transition. In the example, no transition is classified as high or low but we can intuitively assume that what kind of inspection activity is performed is meant to be a secret, so transitions b, c, e and f are high transitions and assume everything else is low. We can easily deduce from the footprints these transitions are not revealed by any low transition. This means no deductions about the inspection can be done by observing the low actions. By checking reveals relations, we proved that the net is secure with respect to positive information flow. We can further analyse the net for negative information flow by checking the excludes relations with the help of Algorithm 1. In this net, no low transition excludes a high transition so we can confirm that there is no negative information flow. The Algorithm 2 computes footprints of all maximal paths of the msc-tree, so the footprints of all possible maximal runs of the system, on the full prefix. From informationflow security perspective, this algorithm helps to investigate extended-reveals relation which models a more intricate flow involving more than two transitions. In this net, no low transition extended-reveals any high transition. The algorithm can also help us to characterise the possible maximal runs of the system. For example, {a, b, c, d, e, f, g, h, j} is a footprint of the msc-tree of the net in Fig. 7. This means that there exists at least one maximal run of the system in which all these labels occur. On the other hand, {a, b, g}, {a, c, d, f, g, j, k} or {a, b, e, h} are not footprints of the maximal paths of msctree of the net. This means that there are no maximal runs of the system with only these labels.
Business process management and process mining are widely studied and there is a collection of software that are effectively used in the industry (e.g., Celonis, Disco/Fluxicon) as well as scientific tools (e.g., ProM). Our theoretical results might practically contribute in the field by extending one of these software with our techniques with the aim of information-flow security analysis and/or conformance check.

C. CLIENT AND PROVIDERS
The central role of concurrency in Petri nets make them suitable models for the design of distributed workflows. They have become a standard tool for this purpose [44], and the latest industrial requirements keep motivating the use of these models.
We discuss a simple modular example, which could grow in size to express arbitrarily complex behaviours. We discuss system reliability and information-flow security in terms of reveals and excludes relations on a simple instance of this model. We model a client as a controller interacting with providers through some actions. Each action may send one or several service requests in parallel, each to a different service provider, and remains idle until all the services are performed. When all services are performed the action is concluded and control returns to the client. The client controller may implement an arbitrary program by sequentially determining which action to take. Suppose that the client needs to perform an operation for which she requires data, and some remote computational power. She then needs to check the outcome against a data set from a different database. Fig. 8 displays a controller for such task. It accesses the database of Provider 1 by performing request cr1. If the query produces an error, the controller launches an emergency interrupt procedure. If the data is obtained, the firing of cr23 launches two requests in parallel to concurrently process the data on the remote cluster of Provider 2, and query the database of Provider 3 for the second data set. If this second query does not produce an error, then cr23 ′ may fire, allowing the system to check the processed data against this data set, possibly by invoking yet other services, and continue with the execution of its arbitrary program, and service requests.
When a data provider receives the request, it simply processes it through pr1 or pr3, which sends a positive or negative reply and enables it to reset. Provider 2 is optimised so that depending on the request, it may choose to perform the operation with algorithms algo1, or algo2.
Below, we examine the model illustrated in Fig. 8 for system reliability and information-flow security by means of reveals and excludes relations. Note that, in this setting, client can observe the transitions that are within the client component (illustrated via dashed rectangle labelled "Client"). The transitions belonging to the providers are hidden from the client. And conversely, the providers can only observe their own transitions. In the below example, the observability of the transitions is relevant for the analysis of security (noninterference) properties.
Example 15. In this model, transition cr23 ′ reveals transitions s1, s2, and s3, but does not reveal transitions algo1, algo2. In fact, no observable transition reveals algo1 or algo2. This can be interpreted as the fact that once the client has received all the data, she is sure that the three services have been provided, but she cannot decide which algorithm was chosen by Provider 2 to perform its task. Conversely, transition s1 reveals cr1, and s2 and s3 both reveal transition cr23; i.e., the providers send a reply only when the client sends them a request. In general, reveals transition doesn't imply any order, i.e., the revealed transition may occur before or after the revealing transition or even simultaneously with it. However, knowing the structure of the net, we can safely say that the mentioned reveals relations guarantee that the services are provided only when a request is made.
Note that cr1 does not reveal s1, since the request might lead to error1. Neither does cr23 reveal s3, but it does instead reveal s2 since Provider 2 always processes the data it receives. Also, error1 and error3 exclude each other, because the system stalls after interrupt.
These properties can easily be verified on the full prefix of msc-tree. Note that for all practical purpose, the undefined process in Fig. 8 may be abstracted as a single transition t. This transition represents the set of transitions T which represents all the transitions in the abstracted module. In this context, for a transition t ′ / ∈ T , t ▷ t ′ has to be interpreted as ∃t 0 ∈ T : t 0 ▷ t ′ , and conversely, t ′ ▷ t as ∀t 0 ∈ T : t ′ ▷ t 0 .
We may conclude that it is impossible, by observing the client, or the database providers, to determine whether Provider 2 used algorithm 1 or 2. On the other hand, the client may determine that Provider 1 did provide the requested service s1, by observing cr1 ′ , cr23, cr23 ′ , or resetC. With analogous computations all the reveals relation can be derived, as for instance cr23 ▷ s1, but cr23 ̸ ▷ algo1.
Another property that we may want to check is the possibility of error. It is easy to see that error1 ex error3, i.e., only one error can occur in the system that performs an emergency stop. However, by applying Algorithm 1 we can see that cr23 ′ does not exclude error1 (or error3), i.e., even when the three services were successfully provided once to the client, an error could still occur after the first resetC.
This model can be straightforwardly extended by adding an arbitrary number of actions and providers with possibly different features. The class of properties discussed in this example can be verified on these larger models with the same techniques. In order to do so, however, some care has to be taken in modelling the system as a free-choice net.

VII. CONCLUSION
In this paper, we have introduced maximal-step computation tree which is a tree structure to represent the behaviour of a 1-safe free-choice Petri net under maximal-step semantics. Nodes of the tree correspond to B-cuts of the net's unfolding and arcs are labelled by the E-cuts corresponding the maximal steps of the net. We have defined a finite prefix of the tree, called full prefix. This prefix is a compact representation of a Petri net's behaviour from which all the possible maximal configurations of the corresponding unfolding can be computed.
We have shown that the full prefix forms an adequate basis for information-flow analysis of concurrent systems that can be modelled by 1-safe free-choice Petri nets. On the full prefix, we have studied reveals and excludes relations which are defined to model information flow among the transitions of a Petri net. We have proved that reveals relation can be computed on the full prefix without further computation. This can be done by traversing the tree and checking for labels. We have shown that the excludes relation can be computed on the full prefix in a finite number of steps with Algorithm 1. As a consequence, reveals and excludes based noninterference properties can be verified on the full prefix of a Petri net model.
We have presented the notion of footprint. The footprint of a path of a msc-tree is the finite set of labels of the transitions that are fired throughout the corresponding system run. A footprint can be seen as a summary of a system run independent from how many times a certain transition fired. Footprints relate to reveals and excludes relations in the following way. Transition a reveals transition b if, and only if, each maximal path of the full prefix whose footprint displays a also displays b. Transition a excludes transition b (and so b excludes a) if, and only if, no maximal path of the msctree has both a and b in its footprint. The extended-reveals relation can be extracted from the footprints of maximal runs of a Petri net. Algorithm 2 computes these sets when given the full prefix of the Petri net.
Although the notions of reveals, excludes and footprints are introduced and studied from the information-flow secu-rity perspective, they can be used for verification of different properties of systems that can be modelled via 1-safe freechoice nets. Our methods show potential to be used in various application areas including fault diagnosis, protocol verification, workflow verification, business process analysis.
In the near future, we plan to continue to explore the notions of msc-tree, full prefix and footprints in more details and improve our methods. We will work on extending our results to more general classes of Petri nets which will broaden the application domain. We will explore the practical use of our analysis methods on complex systems such as critical infrastructures, IoT, cloud systems and blockchains.