Escape Edges Verification Overview
- Escape Edges Verification is a family of edge-centered verification problems that address safety, liveness, and containment across various domains.
- It employs localized reasoning, combinatorial geometry, and symbolic Z3-based analysis to certify escape paths and prevent system vulnerabilities.
- Applications range from robust BGP network routing and autonomous driving safety under occlusion to ensuring arithmetic safeguards in sandbox infrastructures.
Escape edges verification is not a standardized term across the literature. In the available sources, closely related problems arise whenever an edge, boundary segment, or channel is the locus at which escape, leakage, propagation, or containment must be certified. The common pattern is local reasoning about whether a route can traverse an edge, whether an occluded region behind a sensing-field border can contain a hidden obstacle, whether a vertex-blind viewpoint must still expose a minimum set of edges, whether edge deletions disconnect all exits, whether invariant manifolds delineate escape channels, or whether arithmetic boundary conditions in sandbox code create a machine-usable escape path. This suggests a family of edge-centered verification problems rather than a single formalism. The phrase also appears in unrelated escape-dynamics settings such as direct proton leakage from shell edges in gamma-ray bursts, escape and formation of edge channels in a two-dimensional electron gas, and the escape rate of favorite edges of simple random walk; these usages indicate that “edge escape” is broader than explicit verification alone (Bustamante et al., 2013).
1. Edge-local verification in routing control planes
In BGP verification, the most explicit edge-centered formalism is the modular approach of "LIGHTYEAR: Using Modularity to Scale BGP Control Plane Verification" (Tang et al., 2022). That work does not explicitly use the term “escape edges,” but it reduces end-to-end network properties to purely local checks on individual nodes and edges. A BGP network is modeled by a topology together with policy functions
A safety property is a pair , and Lightyear requires one invariant per location. For every edge , it generates an Import check, an Export check, and an Originate check. In the notation of the paper, these are:
If all generated checks pass and 0, then the network property holds for all valid traces.
The significance of this formulation is that safety becomes an inductive edge-by-edge propagation argument. For external neighbors, the framework assumes 1, so arbitrary external route announcements are allowed. The correctness theorem is therefore robust to arbitrary external route announcements and arbitrary node/link failures. For liveness, the framework adds a path witness and no-interference checks. Along a chosen path 2, propagation checks ensure that “good” routes are not dropped, while no-interference checks prove that alternative routes with the same prefix cannot block the desired route by being preferred. The liveness theorem depends on the absence of link failures along the specified path, but it explicitly allows failures elsewhere. A common misconception is that Lightyear verifies only static router-local predicates; in fact, its edge-local checks are used to prove global safety and path-based liveness, and the paper reports verification of three properties in the wide area network of a major cloud provider containing hundreds of routers and tens of thousands of edges.
2. Critical sensing field edges under occlusion
In occlusion-aware autonomous driving, the relevant edge objects are not graph edges but field-of-view borders. "Tackling Occlusions & Limited Sensor Range with Set-based Safety Verification" identifies critical sensing field edges by combining the ego vehicle’s field of view with a lanelet map (Orzechowski et al., 2018). The borders of the sensing field are intersected with all lanelets, and each intersection generates at least one border segment. A segment is non-relevant if it does not intersect any lanelet that can lead to or cross the ego’s current or future lanelets, lies on a lanelet without right of way, is in the ego lane behind the ego vehicle, leads outside the sensing field with respect to driving direction, or is dominated by a more foremost segment on the same side of the same lane. The paper is explicit that falsely considering non relevant sections as relevant comes at an additional performance cost, but does not affect the safety verification result.
Each critical edge is treated as a possible hiding place for an unknown obstacle. Rather than spawning random virtual obstacles, the method creates one virtual obstacle per critical edge and models its initial state conservatively by intervals:
3
Set-based reachable occupancies are then propagated by extending the acceleration-based approximation 4 and the lane-following approximation 5 to interval-valued initial states. For position intervals, the paper computes occupancies from the lower and upper endpoints and takes the convex hull,
6
as an over-approximation for the entire segment. Safety verification is then reduced to a non-intersection test between the intended-plus-fail-safe trajectory and the union of occupancies of visible obstacles and all critical edges:
7
The result is binary: a trajectory is safe if it does not intersect any predicted occupancy and unsafe otherwise. The paper emphasizes that the guarantee is not merely collision avoidance in the currently visible scene, but preservation of a collision-free fail-safe maneuver option under occlusions and limited sensor range.
3. Visibility lower bounds in polyhedra and polygonal scenes
In computational geometry, escape-edge verification takes the form of proving that edges cannot all be hidden simultaneously. "Minimizing Visible Edges in Polyhedra" studies a polyhedron 8 or, more generally, a finite arrangement of internally disjoint polygons (Tóth et al., 2022). A point 9 sees an edge if it sees at least one point of that edge, and it sees a positive portion if it sees a subsegment of positive length. The paper proves four sharp lower bounds. Every point in 0 sees at least six edges of 1. Every point in the interior of 2 sees positive portions of at least six distinct edges, while every exterior point sees positive portions of at least three distinct edges. Most directly relevant to the present topic, if 3 sees no vertex of 4, then 5 sees positive portions of at least eight distinct edges. The same eight-edge lower bound holds for polygonal scenes. All of these bounds are tight.
The proof strategy is geometric and combinatorial. For the six-edge theorem, visible edge portions are projected onto the unit sphere centered at 6, producing noncrossing arcs of great circles. These arcs define a planar directed contact graph in which every vertex has out-degree exactly 7; planarity then forces at least six visible edge portions. For the eight-edge theorem, the paper introduces Spherical Occlusion Diagrams, finite nonempty sets of arcs of great circles satisfying three conditions: each arc is shorter than a great semicircle and arcs are internally disjoint; each arc feeds into another arc at each endpoint; and all arcs that feed into the same arc reach it from the same side. The paper proves that every SOD has at least four swirls, and from the swirl graph deduces that every SOD has at least eight arcs. A further semicircle-cover lemma shows that these arcs must come from at least eight distinct edges. The article’s relevance to verification is therefore theorem-proving rather than algorithm design: it establishes an irreducible combinatorial obstruction to complete edge concealment.
4. Escape under adversarial edge deletion in graphs
In graph games, escape-edge verification is literal. "Nemesis, an Escape Game in Graphs" defines a game on a graph or multigraph 8 with exits 9 and a starting vertex 0 (Bergé et al., 20 Jan 2026). At each round, the fugitive moves first to an adjacent vertex, and then the Nemesis deletes one edge anywhere in the graph. The fugitive wins by reaching an exit; the Nemesis wins by trapping the fugitive in a connected component that contains no exit. The paper observes that if the fugitive has a winning strategy, then he has one that never revisits a vertex, so a winning play has length at most 1. From a verification viewpoint, the central predicate is whether the connected component containing the fugitive still contains an exit after each deletion.
For trees and graphs of maximum degree at most 2, the paper gives a linear-time solution based on binary escape trees, defined as rooted full binary trees in 3 whose leaves are exits. If 4, or one of its neighbors, is the root of such a tree, then the fugitive has a winning strategy; after simplification, this condition is also necessary for trees and degree-5 graphs. The Blizzard variant, in which only edges adjacent to the position of the fugitive can be deleted, admits a different linear-time characterization. One defines
6
and 7 for the first fixed point. The trapper has a winning strategy iff his starting position is adjacent to a vertex of 8. These positive results are sharply delimited by hardness results: deciding whether a root is the root of a binary escape tree is NP-complete even for graphs of maximum degree 9; Nemesis is NP-hard on planar multigraphs and PSPACE-complete for arbitrary graphs; and the related Cat Herding problem is PSPACE-complete. A plausible implication is that escape verification by local edge structure is tractable only in restricted graph classes or under restricted deletion rules.
5. Escape basins, channels, and manifold-defined edges in dynamical systems
In dynamical astronomy, escape edges are phase-space boundaries rather than combinatorial edges. "Orbital and escape dynamics in barred galaxies - III. The 3D system: Correlations between the basins of escape and the NHIMs" studies a three-degree-of-freedom barred-galaxy Hamiltonian with nucleus, rotating bar, disk, and halo components (Zotos et al., 2018). In the rotating frame, the effective potential is
0
and the conserved Jacobi integral is 1. For the standard model, 2 and 3 are index-1 saddles at 4 with 5, and the escape energy is
6
For 7, the zero-velocity surface opens and two symmetrical escape channels emerge around 8 and 9. The paper studies 0 grids of initial conditions, classifies orbits into five types, and uses SALI thresholds 1 for regular, 2 for chaotic, and 3 for sticky motion.
The paper’s central verification claim is that the stable manifolds of the NHIMs over the index-1 saddles define the fractal basin boundaries. To demonstrate this, it chooses 4 points very close to the NHIM, integrates them backward in time, and marks points that return near the 5 plane with
6
after a threshold time 7. The marked set lies in the neighborhood of the yellow and magenta fractal boundary regions in the escape diagrams, while the interiors of the blue, red, and green regions are essentially free of those points. The comparison therefore supports the interpretation that stable manifolds are the phase-space separatrices between escape through 8, escape through 9, and long-lived trapped dynamics. The escape-time maps reinforce the same structure: escape is rapid inside basins and very slow near the manifold-defined boundaries.
6. Arithmetic escape paths in sandbox infrastructure
A distinct but increasingly important use of escape-edge verification appears in AI containment. "Mythos and the Unverified Cage: Z3-Based Pre-Deployment Verification for Frontier-Model Sandbox Infrastructure" treats escape edges as formally characterizable arithmetic vulnerabilities in sandbox C/C++ code that could become an escape path (Blain, 22 Apr 2026). The paper does not claim to have identified Anthropic’s actual Mythos escape vector; it explicitly treats secondary accounts as unverified and analyzes the vulnerability class rather than the specific incident. Its threat model defines four failure categories: T1, Infrastructure Vulnerability, as a reachable arithmetic vulnerability in the CWE-190/191 family; T2, Pre-Execution Bypass; T3, Output Exfiltration; and T4, Runtime Opacity. The validated component is COBALT, a libclang-based static analyzer that parses C/C++ into a typed AST, extracts arithmetic operations, indexing, pointer arithmetic, and casts, models them as fixed-width Z3 bitvectors, and solves with Z3 4.12.x under the default bitvector theory and a 60-second timeout. SAT denotes that a vulnerability pattern is reachable and yields a witness; UNSAT denotes that the modeled flaw cannot be triggered within the encoded bounds.
The paper’s verification logic is exemplified by arithmetic guards that turn SAT queries into UNSAT certificates. For allocation overflow, it models
0
with 1 and 2 to capture wraparound. With 3, Z3 returns 4 and 5, showing overflow. Adding the bound
6
makes the query UNSAT. The paper reports four production case studies with witnesses and acknowledged outcomes: NASA cFE truncation of a 64-bit identifier to 32 bits, wolfSSL signed left-shift overflow in ML-DSA coefficient encoding, Eclipse Mosquitto length underflow leading to a secondary CWE-125 out-of-bounds read, and NASA F Prime overflow bypassing a guard and causing a downstream out-of-bounds read. It further proposes a four-layer containment framework—COBALT, VERDICT, DIRECTIVE-4, and SENTINEL—mapping pre-deployment verification, pre-execution constraints, output control, and runtime monitoring to the failure modes exposed by the Mythos incident. A central misconception is directly addressed by the paper itself: the claim is not that the actual Mythos exploit has been reconstructed, but that under explicit assumptions a pre-deployment Z3 analysis of the relevant arithmetic class would have been capable of surfacing that class of escape path before deployment.