infoflow: style cleanup (for GrantReply patch): FinalCaps and Noninterference

This commit is contained in:
Japheth Lim 2018-11-02 16:49:40 +11:00
parent 6e2fbbe7f1
commit f49aefd4a4
2 changed files with 68 additions and 71 deletions


@ -83,9 +83,9 @@ where
pasObjectAbs aag ptr \<in> subjectAffects (pasPolicy aag) (pasSubject aag)"
abbreviation subject_can_affect_directly_label :: "'a PAS \<Rightarrow> 'a \<Rightarrow> bool"
abbreviation subject_can_affect_label_directly :: "'a PAS \<Rightarrow> 'a \<Rightarrow> bool"
where
"subject_can_affect_directly_label aag l \<equiv>
"subject_can_affect_label_directly aag l \<equiv>
l \<in> subjectAffects (pasPolicy aag) (pasSubject aag)"
@ -141,6 +141,9 @@ where
(pasObjectAbs aag (fst lslot) = SilcLabel))) \<and>
all_children (\<lambda>x. pasObjectAbs aag (fst x) = SilcLabel) (cdt s) \<and>
silc_dom_equiv aag st s \<and>
\<comment> \<open>We want the following condition to hold on s as well,
but stating that here makes proofs more difficult.
It is shown below in silc_inv_no_transferable'.\<close>
(\<forall> slot. pasObjectAbs aag (fst slot) = SilcLabel \<and>
cte_wp_at (\<lambda>cap. cap \<noteq> NullCap \<and> is_transferable_cap cap) slot st
\<longrightarrow> False)"
@ -1318,7 +1321,7 @@ lemma reply_cancel_ipc_silc_inv:
apply wps
apply (wp static_imp_wp hoare_vcg_all_lift hoare_vcg_ball_lift)
apply clarsimp
apply (frule(1) descendants_of_owned, force, force, elim disjE)
apply (frule(1) descendants_of_owned_or_transferable, force, force, elim disjE)
apply (clarsimp simp add:silc_inv_def)
apply (case_tac "cdt s (aa,ba)")
apply (fastforce dest: descendants_of_NoneD)
@ -1850,8 +1853,6 @@ lemma finalise_cap_ret':
apply(auto simp: valid_def dest!: finalise_cap_ret split: cap.splits simp: is_zombie_def)
done
lemma silc_inv_irq_state_independent_A[simp, intro!]:
"irq_state_independent_A (silc_inv aag st)"
apply(simp add: silc_inv_def irq_state_independent_A_def silc_dom_equiv_def equiv_for_def)
@ -1932,7 +1933,6 @@ lemma rec_del_silc_inv':
apply (clarsimp simp: is_cap_simps gen_obj_refs_eq replaceable_zombie_not_transferable cap_auth_conferred_def clas_no_asid aag_cap_auth_def
pas_refined_all_auth_is_owns cli_no_irqs simp del:split_paired_Ex split_paired_All dest!:appropriate_Zombie[symmetric, THEN trans, symmetric])
(* FIXME use simp_sym*)
apply (fastforce dest: sym[where s="{_}"])
done
apply(wp finalise_cap_pas_refined finalise_cap_silc_inv finalise_cap_auth' finalise_cap_ret'
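Review bot: The new comment inside the silc_inv definition (hunk at line 141) points the reader to `silc_inv_no_transferable'`, but the proof rewritten in Noninterference in this same commit discharges that obligation with `silc_inv_no_transferableD'`; if those are meant to be the same lemma the comment should name it exactly, e.g. `It is shown below in silc_inv_no_transferableD'.` — if both lemmas exist, ignore this. The definition that hosts the comment starts outside the hunk, so its header was not checked. Separately, the hunk at line 1318 swaps `descendants_of_owned` for `descendants_of_owned_or_transferable`, which changes the proof's dependencies rather than its layout; a short sentence in the commit description noting that this is part of the GrantReply preparation would keep the "style cleanup" title honest for later bisects.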


@ -533,6 +533,7 @@ lemma silc_dom_equiv_from_silc_inv_valid':
apply (rule hoare_strengthen_post)
apply (rule assms)
apply (fastforce simp: silc_inv_def)
(* we can't use clarsimp below because it splits pairs unconditionally *)
apply (simp add: silc_inv_def silc_dom_equiv_def del: split_paired_All)
apply (elim conjE)
apply (intro allI impI notI)
@ -867,13 +868,15 @@ lemma owns_mapping_owns_asidpool:
apply simp
done
(* FIXME: MOVE *)
lemma fun_noteqD:
"f \<noteq> g \<Longrightarrow> \<exists> a. f a \<noteq> g a"
by blast
text {*
This a very important theorem that ensure that @{term subjectAffects} is
coherent with @{term integrity_obj}*}
This a very important theorem that ensures that @{const subjectAffects} is
coherent with @{const integrity_obj}
*}
lemma partitionIntegrity_subjectAffects_obj:
assumes par_inte: "partitionIntegrity aag s s'"
assumes pas_ref: "pas_refined aag s"
@ -886,7 +889,6 @@ lemma partitionIntegrity_subjectAffects_obj:
shows
"pasObjectAbs aag x \<in> subjectAffects (pasPolicy aag) (pasSubject aag)"
using inte_obj
thm converse_rtranclp_induct
proof (induct "kheap s x" rule: converse_rtranclp_induct)
case base
thus ?case using kh_diff by force
@ -1121,8 +1123,6 @@ lemma blocked_onD:
apply(simp_all)
done
thm cdt_change_allowed_delete_derived
(* FIXME: cleanup *)
lemma partitionIntegrity_subjectAffects_cdt:
"\<lbrakk>partitionIntegrity aag s s'; pas_refined aag s; valid_mdb s; valid_objs s;
@ -1137,8 +1137,6 @@ lemma partitionIntegrity_subjectAffects_cdt:
apply (frule(3) cdt_change_allowed_delete_derived)
by simp
lemma partitionIntegrity_subjectAffects_cdt_list:
"\<lbrakk>partitionIntegrity aag s s'; pas_refined aag s; pas_refined aag s';
valid_list s; valid_list s'; silc_inv aag st s; silc_inv aag st' s';
@ -1161,17 +1159,18 @@ lemma partitionIntegrity_subjectAffects_cdt_list:
apply (rule affects_delete_derived)
apply (frule(3) cdt_change_allowed_delete_derived[OF invs_valid_objs invs_mdb])
apply force
subgoal by (fastforce simp add: silc_inv_def valid_list_2_def all_children_def simp del: split_paired_All)
subgoal by (fastforce simp add: silc_inv_def valid_list_2_def all_children_def
simp del: split_paired_All)
apply (rule affects_delete_derived2)
apply (frule(3) cdt_change_allowed_delete_derived[OF invs_valid_objs invs_mdb])
apply assumption
subgoal by (fastforce dest!:aag_cdt_link_DeleteDerived simp add: valid_list_2_def simp del: split_paired_All)
subgoal by (fastforce dest!: aag_cdt_link_DeleteDerived
simp add: valid_list_2_def
simp del: split_paired_All)
apply (rule affects_delete_derived)
apply (frule(3) cdt_change_allowed_delete_derived[OF invs_valid_objs invs_mdb])
by simp
lemma partitionIntegrity_subjectAffects_is_original_cap:
"\<lbrakk>partitionIntegrity aag s s'; pas_refined aag s; valid_mdb s; valid_objs s;
is_original_cap s (x,y) \<noteq> is_original_cap s' (x,y)\<rbrakk> \<Longrightarrow>
@ -1185,7 +1184,6 @@ lemma partitionIntegrity_subjectAffects_is_original_cap:
apply (frule(3) cdt_change_allowed_delete_derived)
by simp
lemma partitionIntegrity_subjectAffects_interrupt_states:
"\<lbrakk>partitionIntegrity aag s s'; pas_refined aag s; valid_objs s;
interrupt_states s x \<noteq> interrupt_states s' x\<rbrakk> \<Longrightarrow>
@ -1377,8 +1375,9 @@ lemma partitionIntegrity_subjectAffects_asid:
apply (drule_tac x="ucast asid" in spec)+
apply clarsimp
apply (drule owns_mapping_owns_asidpool)
apply (simp | blast intro: pas_refined_Control[THEN sym]
| fastforce intro: pas_wellformed_pasSubject_update[simplified])+
apply ((simp
| blast intro: pas_refined_Control[THEN sym]
| fastforce intro: pas_wellformed_pasSubject_update[simplified])+)[4]
apply (drule_tac t="pasSubject aag" in sym)+
apply simp
apply (rule sata_asidpool)
@ -1857,11 +1856,8 @@ lemma user_small_Step_partitionIntegrity:
lemma silc_inv_refl:
"silc_inv aag st s \<Longrightarrow> silc_inv aag s s"
apply (frule silc_inv_def[THEN meta_eq_to_obj_eq, THEN iffD1])
apply (rule silc_inv_def[THEN meta_eq_to_obj_eq, THEN iffD2])
apply (clarsimp simp: silc_dom_equiv_def equiv_for_refl)
apply (erule(2) silc_inv_no_transferableD')
done
by (fastforce simp: silc_inv_def silc_dom_equiv_def equiv_for_refl
intro!: silc_inv_no_transferableD')
lemma ct_active_cur_thread_not_idle_thread:
"valid_idle s \<Longrightarrow> ct_active s \<Longrightarrow> cur_thread s \<noteq> idle_thread s"
@ -2229,9 +2225,10 @@ lemma get_thread_state_reads_respects_g:
apply(fastforce simp: pred_tcb_at_def obj_at_def reads_equiv_g_def globals_equiv_idle_thread_ptr)
apply (simp add: pred_tcb_at_def obj_at_def)
apply(clarsimp simp: spec_equiv_valid_def equiv_valid_2_def)
apply(frule get_thread_state_reads_respects_g[simplified equiv_valid_def2 equiv_valid_2_def,
rule_format, OF conjI, OF _ conjI, simplified,
OF aag_can_read_self];
apply(frule aag_can_read_self)
apply(frule get_thread_state_reads_respects_g
[simplified equiv_valid_def2 equiv_valid_2_def,
rule_format, OF conjI, simplified];
fastforce)
done
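Review bot: The reworded `text` block in the hunk at line 867 still drops the verb: it reads "This a very important theorem that ensures that ...", so the fix should also read `This is a very important theorem that ensures that @{const subjectAffects} is`. As a style point, the same commit already uses cartouche comments (`\<comment> \<open>...\<close>`) in FinalCaps, while this block keeps the legacy `text {* ... *}` delimiters; `text \<open> ... \<close>` would be consistent with that and with current Isabelle conventions. The `[4]` appended in the hunk at line 1377 hard-codes the number of goals left by `owns_mapping_owns_asidpool`, which is fine but worth a one-line comment such as `(* four side conditions of owns_mapping_owns_asidpool *)` so the next refactor knows why the count is there.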