adbrucker
/
lh-l4v
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
lh-l4v/proof/infoflow/Noninterference_Base_Altern...

670 lines
32 KiB
Plaintext
Raw Blame History

(*
* Copyright 2020, Data61, CSIRO (ABN 41 687 119 230)
*
* SPDX-License-Identifier: GPL-2.0-only
*)
theory Noninterference_Base_Alternatives
imports
Noninterference_Base
Eisbach_Tools.Eisbach_Methods
begin
text \<open>
This theory explores a bunch of alternative definitions for the @{term sources}
and @{term ipurge} functions that are the basis of our noninterference formulation
and shows that they all turn out to yield equivalent noninterference properties.
\<close>
context noninterference_system begin
(* the following definition turns out to yield an information flow property equivalent
to the above one -- see below *)
primrec xources :: "'e list \<Rightarrow> 's \<Rightarrow> 'd \<Rightarrow> 'd set" where
xources_Nil: "xources [] s u = {u}"
| xources_Cons: "xources (a # as) s u =
(\<Inter>{xources as s' u | s'. (s,s') \<in> Step a}) \<union>
{w. w = dom a s \<and> (\<forall>s'. (s,s') \<in> Step a \<longrightarrow> (\<exists>v. dom a s \<leadsto> v \<and> v \<in> xources as s' u))}"
lemma in_xources_ConsD:
"x \<in> (xources (a # as) s u)
\<Longrightarrow> (\<forall>s'. (s,s') \<in> Step a \<longrightarrow> x \<in> xources as s' u) \<or>
(x = dom a s \<and> (\<forall>s'. (s,s') \<in> Step a \<longrightarrow> (\<exists>v. dom a s \<leadsto> v \<and> v \<in> xources as s' u)))"
by auto
lemma in_xources_ConsI1:
"(\<forall>s'. (s,s') \<in> Step a \<longrightarrow> x \<in> xources as s' u)
\<Longrightarrow> x \<in> xources (a # as) s u"
by auto
lemma in_xources_ConsI2:
"\<lbrakk> x = dom a s; \<forall>s'. (s,s') \<in> Step a \<longrightarrow> (\<exists>v. dom a s \<leadsto> v \<and> v \<in> xources as s' u) \<rbrakk>
\<Longrightarrow> x \<in> xources (a # as) s u"
by auto
declare xources_Nil [simp del]
declare xources_Cons [simp del]
lemma xources_subset_xources_Cons:
"\<Inter>{xources as s' u | s'. (s,s') \<in> Step a} \<subseteq> xources (a # as) s u"
by (fastforce simp: xources_Cons)
primrec gen_purgx :: "('e list \<Rightarrow> 's \<Rightarrow> 'd \<Rightarrow> 'd set) \<Rightarrow> 'd \<Rightarrow> 'e list \<Rightarrow> 's set \<Rightarrow> 'e list" where
Nil: "gen_purgx sf u [] ss = []"
| Cons: "gen_purgx sf u (a#as) ss = (if \<forall>s \<in> ss. dom a s \<in> sf (a#as) s u
then a # gen_purgx sf u as (\<Union>s \<in> ss. {s'. (s,s') \<in> Step a})
else gen_purgx sf u as ss)"
definition xpurge :: "'d \<Rightarrow> 'e list \<Rightarrow> 's set \<Rightarrow> 'e list" where
"xpurge \<equiv> gen_purge xources"
definition ipurgx :: "'d \<Rightarrow> 'e list \<Rightarrow> 's set \<Rightarrow> 'e list" where
"ipurgx \<equiv> gen_purgx sources"
definition xpurgx :: "'d \<Rightarrow> 'e list \<Rightarrow> 's set \<Rightarrow> 'e list" where
"xpurgx \<equiv> gen_purgx xources"
lemma xpurge_Nil:
"xpurge u [] ss = []"
by (auto simp: xpurge_def)
lemma ipurgx_Nil:
"ipurgx u [] ss = []"
by (auto simp: ipurgx_def)
lemma xpurgx_Nil:
"xpurgx u [] ss = []"
by (auto simp: xpurgx_def)
lemma xpurge_Cons:
"xpurge u (a # as) ss = (if \<exists>s \<in> ss. dom a s \<in> xources (a # as) s u
then a # xpurge u as (\<Union>s\<in>ss. {s'. (s,s') \<in> Step a})
else xpurge u as ss)"
by (auto simp: xpurge_def)
lemma ipurgx_Cons:
"ipurgx u (a # as) ss = (if (\<forall>s\<in>ss. dom a s \<in> sources (a # as) s u)
then a # ipurgx u as (\<Union>s \<in> ss. {s'. (s,s') \<in> Step a})
else ipurgx u as ss)"
by (auto simp: ipurgx_def)
lemma xpurgx_Cons:
"xpurgx u (a # as) ss = (if (\<forall>s\<in>ss. dom a s \<in> xources (a # as) s u)
then a # xpurgx u as (\<Union>s\<in>ss. {s'. (s,s') \<in> Step a})
else xpurgx u as ss)"
by (auto simp: xpurgx_def)
definition xNonleakage_gen :: bool where
"xNonleakage_gen \<equiv> \<forall>as s u t. reachable s \<and> reachable t
\<longrightarrow> s \<sim>schedDomain\<sim> t
\<longrightarrow> s \<approx>(xources as s u)\<approx> t
\<longrightarrow> uwr_equiv s as t as u"
end
context unwinding_system begin
lemma xources_sources:
"confidentiality_u \<Longrightarrow> reachable s \<longrightarrow> (xources as s u = sources as s u)"
apply (induct as arbitrary: s)
apply (simp add: xources_Nil sources_Nil)
apply (simp add: sources_Cons xources_Cons)
apply (rule impI)
apply (rule un_eq)
apply (rule sym)
apply (simp only: Union_eq, simp only: UNION_eq[symmetric])
apply (simp only: Inter_eq, simp only: INTER_eq[symmetric])
apply (rule Un_eq_Int)
apply (clarsimp simp: Step_def)
apply (erule reachable_enabled)
apply (clarsimp simp: Step_def)
apply (erule reachable_enabled)
apply clarsimp
apply (drule_tac x=s'a in meta_spec, clarsimp simp: reachable_Step)
apply (rule sources_eq)
apply assumption
apply (fastforce intro: sched_equiv_preserved uwr_refl)
apply (fastforce intro: reachable_Step)
apply (fastforce intro: reachable_Step)
apply (rule Collect_cong)
apply (rule conj_cong, rule refl)
apply safe
apply (cut_tac s=s and a=a in enabled_Step)
apply assumption
apply clarsimp
apply (drule_tac x=s' in spec)
apply clarsimp
apply (rule_tac x=v in exI)
apply clarsimp
apply (rule_tac x=s' in exI)
apply (drule_tac x=s' in meta_spec)
apply (fastforce intro: reachable_Step)
apply (rule_tac x=v in exI, clarsimp)
apply (drule_tac x=s' in meta_spec)
apply (clarsimp simp: reachable_Step)
apply (rule subst[OF sources_eq])
apply assumption
prefer 4
apply assumption
apply (fastforce intro: sched_equiv_preserved uwr_refl)
by (auto intro: reachable_Step)
lemma xpurge_ipurge':
"confidentiality_u
\<Longrightarrow> (\<forall>s\<in>ss. reachable s) \<longrightarrow> xpurge u as ss = ipurge u as ss"
apply (induct as arbitrary: ss)
apply (simp add: xpurge_Nil ipurge_Nil)
apply (clarsimp simp: ipurge_Cons xpurge_Cons xources_sources[rule_format] intro: reachable_Step
| safe)+
apply (drule_tac x="\<Union>s\<in>ss. {s'. (s,s') \<in> Step a}" in meta_spec)
apply (fastforce intro: reachable_Step)
done
lemma ipurgx_xpurge':
"confidentiality_u
\<Longrightarrow> (\<forall>s\<in>ss. reachable s) \<and> (\<exists>s. s \<in> ss) \<and> (\<forall>s s'. s\<in>ss \<and> s'\<in>ss \<longrightarrow> s\<sim>schedDomain\<sim>s')
\<longrightarrow> ipurgx u as ss = xpurge u as ss"
apply (induct as arbitrary: ss)
apply (simp add: ipurgx_Nil xpurge_Nil)
apply (clarsimp simp: xpurge_Cons ipurgx_Cons | safe)+
apply (drule_tac x="\<Union>s\<in>ss. {s'. (s,s') \<in> Step a}" in meta_spec)
apply (erule impE)
apply (rule conjI)
apply (fastforce intro: reachable_Step)
apply (rule conjI)
apply (drule bspec, assumption, frule_tac a=a in enabled_Step)
apply blast
apply clarsimp
apply (match conclusion in \<open>s' \<sim>schedDomain\<sim> t'\<close> for s' t' \<Rightarrow>
\<open>match premises in \<open>(s,s') \<in> Step a\<close> and \<open>(t,t') \<in> Step a\<close> for a s t \<Rightarrow>
\<open>rule sched_equiv_preserved[of s t]\<close>\<close>)
apply assumption
apply blast
apply blast
apply blast
apply assumption
apply assumption
apply assumption
apply (simp add: xources_sources)
apply (simp add: xources_sources)
apply (erule notE)
apply (frule_tac s=s and t=sa in sources_eq, simp+)
apply (erule ssubst)
apply (subst schedIncludesCurrentDom)
prefer 2
apply assumption
apply blast
done
lemma ipurgx_xpurgx':
"confidentiality_u \<Longrightarrow> (\<forall>s\<in>ss. reachable s) \<longrightarrow> ipurgx u as ss = xpurgx u as ss"
apply (induct as arbitrary: ss)
apply (simp add: ipurgx_Nil xpurgx_Nil)
apply (clarsimp simp: xpurgx_Cons ipurgx_Cons | safe)+
apply (drule_tac x="\<Union>s\<in>ss. {s'. (s,s') \<in> Step a}" in meta_spec)
apply (fastforce intro: reachable_Step)
apply (simp add: xources_sources)
apply (simp add: xources_sources)
done
lemma xpurge_ipurge:
"\<lbrakk> confidentiality_u; reachable s \<rbrakk>
\<Longrightarrow> xpurge u as {s} = ipurge u as {s}"
by (subst xpurge_ipurge', auto)
lemma ipurgx_ipurge:
"\<lbrakk> confidentiality_u; reachable s \<rbrakk>
\<Longrightarrow> ipurgx u as {s} = ipurge u as {s}"
apply (subst ipurgx_xpurge', (simp add: uwr_refl)+)
apply (subst xpurge_ipurge', auto)
done
lemma xpurgx_ipurge:
"\<lbrakk> confidentiality_u; reachable s \<rbrakk>
\<Longrightarrow> xpurgx u as {s} = ipurge u as {s}"
apply (subst ipurgx_xpurgx'[rule_format, THEN sym], simp+)
apply (subst ipurgx_xpurge', (simp add: uwr_refl)+)
apply (subst xpurge_ipurge', auto)
done
(* we have four different purge functions, and two different sources functions.
So we should be able to make 8 different definitions of security. All of which
are equivalent. One of those definitions is of course the one above. *)
definition xNoninfluence_strong_uwr_xources_ipurge :: bool where
"xNoninfluence_strong_uwr_xources_ipurge \<equiv> \<forall>u as bs s t. reachable s \<and> reachable t
\<longrightarrow> s \<approx>(xources as s u)\<approx> t
\<longrightarrow> s \<sim>schedDomain\<sim> t
\<longrightarrow> ipurge u as {s} = ipurge u bs {s}
\<longrightarrow> uwr_equiv s as t bs u"
definition xNoninfluence_strong_uwr_sources_xpurge :: bool where
"xNoninfluence_strong_uwr_sources_xpurge \<equiv> \<forall>u as bs s t. reachable s \<and> reachable t
\<longrightarrow> s \<approx>(sources as s u)\<approx> t
\<longrightarrow> s \<sim>schedDomain\<sim> t
\<longrightarrow> xpurge u as {s} = xpurge u bs {s}
\<longrightarrow> uwr_equiv s as t bs u"
definition xNoninfluence_strong_uwr_xources_xpurge :: bool where
"xNoninfluence_strong_uwr_xources_xpurge \<equiv> \<forall>u as bs s t. reachable s \<and> reachable t
\<longrightarrow> s \<approx>(xources as s u)\<approx> t
\<longrightarrow> s \<sim>schedDomain\<sim> t
\<longrightarrow> xpurge u as {s} = xpurge u bs {s}
\<longrightarrow> uwr_equiv s as t bs u"
definition xNoninfluence_strong_uwr_sources_ipurgx :: bool where
"xNoninfluence_strong_uwr_sources_ipurgx \<equiv> \<forall>u as bs s t. reachable s \<and> reachable t
\<longrightarrow> s \<approx>(sources as s u)\<approx> t
\<longrightarrow> s \<sim>schedDomain\<sim> t
\<longrightarrow> ipurgx u as {s} = ipurgx u bs {s}
\<longrightarrow> uwr_equiv s as t bs u"
definition
xNoninfluence_strong_uwr_xources_ipurgx :: bool where
"xNoninfluence_strong_uwr_xources_ipurgx \<equiv> \<forall>u as bs s t. reachable s \<and> reachable t
\<longrightarrow> s \<approx>(xources as s u)\<approx> t
\<longrightarrow> s \<sim>schedDomain\<sim> t
\<longrightarrow> ipurgx u as {s} = ipurgx u bs {s}
\<longrightarrow> uwr_equiv s as t bs u"
definition xNoninfluence_strong_uwr_sources_xpurgx :: bool where
"xNoninfluence_strong_uwr_sources_xpurgx \<equiv> \<forall>u as bs s t. reachable s \<and> reachable t
\<longrightarrow> s \<approx>(sources as s u)\<approx> t
\<longrightarrow> s \<sim>schedDomain\<sim> t
\<longrightarrow> xpurgx u as {s} = xpurgx u bs {s}
\<longrightarrow> uwr_equiv s as t bs u"
definition xNoninfluence_strong_uwr_xources_xpurgx :: bool where
"xNoninfluence_strong_uwr_xources_xpurgx \<equiv> \<forall>u as bs s t. reachable s \<and> reachable t
\<longrightarrow> s \<approx>(xources as s u)\<approx> t
\<longrightarrow> s \<sim>schedDomain\<sim> t
\<longrightarrow> xpurgx u as {s} = xpurgx u bs {s}
\<longrightarrow> uwr_equiv s as t bs u"
(* The following perhaps feels more natural, but we show is equivalent.
'pg' here is for Pete Gammie who pushed me to prove this. *)
definition Noninfluence_strong_uwr_pg :: bool where
"Noninfluence_strong_uwr_pg \<equiv> \<forall>u as bs s t. reachable s \<and> reachable t
\<longrightarrow> s \<approx>(sources as s u)\<approx> t
\<longrightarrow> s \<sim>schedDomain\<sim> t
\<longrightarrow> ipurge u as {s} = ipurge u bs {t}
\<longrightarrow> uwr_equiv s as t bs u"
lemma xNoninfluence_strong_uwr_xources_ipurge_Noninfluence_strong_uwr:
"\<lbrakk> confidentiality_u_weak; integrity_u \<rbrakk>
\<Longrightarrow> xNoninfluence_strong_uwr_xources_ipurge = Noninfluence_strong_uwr"
apply (clarsimp simp: xNoninfluence_strong_uwr_xources_ipurge_def Noninfluence_strong_uwr_def)
apply (frule (1) confidentiality_u_weak)
apply (simp add: xources_sources)
done
lemma xNoninfluence_strong_uwr_sources_xpurge_Noninfluence_strong_uwr:
"\<lbrakk> confidentiality_u_weak; integrity_u \<rbrakk>
\<Longrightarrow> xNoninfluence_strong_uwr_sources_xpurge = Noninfluence_strong_uwr"
apply (clarsimp simp: xNoninfluence_strong_uwr_sources_xpurge_def Noninfluence_strong_uwr_def)
apply (frule (1) confidentiality_u_weak)
apply (simp add: xpurge_ipurge)
done
lemma xNoninfluence_strong_uwr_xources_xpurge_Noninfluence_strong_uwr:
"\<lbrakk> confidentiality_u_weak; integrity_u \<rbrakk>
\<Longrightarrow> xNoninfluence_strong_uwr_xources_xpurge = Noninfluence_strong_uwr"
apply (clarsimp simp: xNoninfluence_strong_uwr_xources_xpurge_def Noninfluence_strong_uwr_def)
apply (frule (1) confidentiality_u_weak)
apply (simp add: xources_sources xpurge_ipurge)
done
lemma xNoninfluence_strong_uwr_sources_ipurgx_Noninfluence_strong_uwr:
"\<lbrakk> confidentiality_u_weak; integrity_u \<rbrakk>
\<Longrightarrow> xNoninfluence_strong_uwr_sources_ipurgx = Noninfluence_strong_uwr"
apply (clarsimp simp: xNoninfluence_strong_uwr_sources_ipurgx_def Noninfluence_strong_uwr_def)
apply (frule (1) confidentiality_u_weak)
apply (simp add: ipurgx_ipurge)
done
lemma xNoninfluence_strong_uwr_xources_ipurgx_Noninfluence_strong_uwr:
"\<lbrakk> confidentiality_u_weak; integrity_u \<rbrakk>
\<Longrightarrow> xNoninfluence_strong_uwr_xources_ipurgx = Noninfluence_strong_uwr"
apply (clarsimp simp: xNoninfluence_strong_uwr_xources_ipurgx_def Noninfluence_strong_uwr_def)
apply (frule (1) confidentiality_u_weak)
apply (simp add: xources_sources ipurgx_ipurge)
done
lemma xNoninfluence_strong_uwr_sources_xpurgx_Noninfluence_strong_uwr:
"\<lbrakk> confidentiality_u_weak; integrity_u \<rbrakk>
\<Longrightarrow> xNoninfluence_strong_uwr_sources_xpurgx = Noninfluence_strong_uwr"
apply (clarsimp simp: xNoninfluence_strong_uwr_sources_xpurgx_def Noninfluence_strong_uwr_def)
apply (frule (1) confidentiality_u_weak)
apply (simp add: xpurgx_ipurge)
done
lemma xNoninfluence_strong_uwr_xources_xpurgx_Noninfluence_strong_uwr:
"\<lbrakk> confidentiality_u_weak; integrity_u \<rbrakk>
\<Longrightarrow> xNoninfluence_strong_uwr_xources_xpurgx = Noninfluence_strong_uwr"
apply (clarsimp simp: xNoninfluence_strong_uwr_xources_xpurgx_def Noninfluence_strong_uwr_def)
apply (frule (1) confidentiality_u_weak)
apply (simp add: xpurgx_ipurge xources_sources)
done
lemma Noninfluence_strong_uwr_pg_Noninfluence_strong_uwr:
"\<lbrakk> confidentiality_u_weak; integrity_u \<rbrakk>
\<Longrightarrow> Noninfluence_strong_uwr_pg = Noninfluence_strong_uwr"
apply (clarsimp simp: Noninfluence_strong_uwr_pg_def Noninfluence_strong_uwr_def)
apply (frule (1) confidentiality_u_weak)
apply (simp add: ipurge_eq)
done
lemma xources_Step:
"\<lbrakk> reachable s; (dom a s, u) \<notin> policy \<rbrakk> \<Longrightarrow> xources [a] s u = {u}"
by (auto simp: xources_Cons xources_Nil enabled_Step dest: enabled_Step)
lemma xources_Step_2:
"\<lbrakk> reachable s; (dom a s, u) \<in> policy \<rbrakk> \<Longrightarrow> xources [a] s u = {dom a s,u}"
by (auto simp: xources_Cons xources_Nil enabled_Step dest: enabled_Step)
lemma xNoninfluence_strong_uwr_xources_ipurge_confidentiality_u_weak:
"xNoninfluence_strong_uwr_xources_ipurge \<Longrightarrow> confidentiality_u_weak"
apply (clarsimp simp: xNoninfluence_strong_uwr_xources_ipurge_def confidentiality_u_weak_def)
apply (drule_tac x=u in spec, drule_tac x="[a]" in spec, drule_tac x="[a]" in spec)
apply (drule_tac x=s in spec, drule_tac x=t in spec)
apply (simp add: xources_Step_2 sameFor_dom_def uwr_equiv_def Step_def)
done
lemma xNoninfluence_strong_uwr_sources_xpurge_confidentiality_u_weak:
"xNoninfluence_strong_uwr_sources_xpurge \<Longrightarrow> confidentiality_u_weak"
apply (clarsimp simp: xNoninfluence_strong_uwr_sources_xpurge_def confidentiality_u_weak_def)
apply (drule_tac x=u in spec, drule_tac x="[a]" in spec, drule_tac x="[a]" in spec)
apply (drule_tac x=s in spec, drule_tac x=t in spec)
apply (simp add: sources_Step_2 sameFor_dom_def uwr_equiv_def Step_def)
done
lemma xNoninfluence_strong_uwr_xources_xpurge_confidentiality_u_weak:
"xNoninfluence_strong_uwr_xources_xpurge \<Longrightarrow> confidentiality_u_weak"
apply (clarsimp simp: xNoninfluence_strong_uwr_xources_xpurge_def confidentiality_u_weak_def)
apply (drule_tac x=u in spec, drule_tac x="[a]" in spec, drule_tac x="[a]" in spec)
apply (drule_tac x=s in spec, drule_tac x=t in spec)
apply (simp add: xources_Step_2 sameFor_dom_def uwr_equiv_def Step_def)
done
lemma xNoninfluence_strong_uwr_sources_ipurgx_confidentiality_u_weak:
"xNoninfluence_strong_uwr_sources_ipurgx \<Longrightarrow> confidentiality_u_weak"
apply (clarsimp simp: xNoninfluence_strong_uwr_sources_ipurgx_def confidentiality_u_weak_def)
apply (drule_tac x=u in spec, drule_tac x="[a]" in spec, drule_tac x="[a]" in spec)
apply (drule_tac x=s in spec, drule_tac x=t in spec)
apply (simp add: sources_Step_2 sameFor_dom_def uwr_equiv_def Step_def)
done
lemma xNoninfluence_strong_uwr_xources_ipurgx_confidentiality_u_weak:
"xNoninfluence_strong_uwr_xources_ipurgx \<Longrightarrow> confidentiality_u_weak"
apply (clarsimp simp: xNoninfluence_strong_uwr_xources_ipurgx_def confidentiality_u_weak_def)
apply (drule_tac x=u in spec, drule_tac x="[a]" in spec, drule_tac x="[a]" in spec)
apply (drule_tac x=s in spec, drule_tac x=t in spec)
apply (simp add: xources_Step_2 sameFor_dom_def uwr_equiv_def Step_def)
done
lemma xNoninfluence_strong_uwr_sources_xpurgx_confidentiality_u_weak:
"xNoninfluence_strong_uwr_sources_xpurgx \<Longrightarrow> confidentiality_u_weak"
apply (clarsimp simp: xNoninfluence_strong_uwr_sources_xpurgx_def confidentiality_u_weak_def)
apply (drule_tac x=u in spec, drule_tac x="[a]" in spec, drule_tac x="[a]" in spec)
apply (drule_tac x=s in spec, drule_tac x=t in spec)
apply (simp add: sources_Step_2 sameFor_dom_def uwr_equiv_def Step_def)
done
lemma xNoninfluence_strong_uwr_xources_xpurgx_confidentiality_u_weak:
"xNoninfluence_strong_uwr_xources_xpurgx \<Longrightarrow> confidentiality_u_weak"
apply (clarsimp simp: xNoninfluence_strong_uwr_xources_xpurgx_def confidentiality_u_weak_def)
apply (drule_tac x=u in spec, drule_tac x="[a]" in spec, drule_tac x="[a]" in spec)
apply (drule_tac x=s in spec, drule_tac x=t in spec)
apply (simp add: xources_Step_2 sameFor_dom_def uwr_equiv_def Step_def)
done
lemma ipurge_single_eq:
"\<lbrakk> reachable s; reachable t; s \<sim>schedDomain\<sim> t \<rbrakk>
\<Longrightarrow> ipurge u [a] {s} = ipurge u [a] {t}"
apply (frule_tac e=a in schedIncludesCurrentDom)
apply (simp add: ipurge_Cons ipurge_Nil sources_Cons sources_Nil)
apply (auto dest: enabled_Step)
done
lemma Noninfluence_strong_uwr_pg_confidentiality_u_weak:
"Noninfluence_strong_uwr_pg \<Longrightarrow> confidentiality_u_weak"
apply (clarsimp simp: Noninfluence_strong_uwr_pg_def confidentiality_u_weak_def)
apply (drule_tac x=u in spec, drule_tac x="[a]" in spec, drule_tac x="[a]" in spec)
apply (drule_tac x=s in spec, drule_tac x=t in spec)
apply (simp add: sources_Step_2 sameFor_dom_def uwr_equiv_def Step_def ipurge_single_eq)
done
end
context complete_unwinding_system begin
lemma Nonleakage_gen_xNonleakage_gen:
"confidentiality_u \<Longrightarrow> Nonleakage_gen = xNonleakage_gen"
apply (simp add: Nonleakage_gen_def xNonleakage_gen_def)
apply (fastforce simp: xources_sources)
done
lemma xNonleakage_gen:
"confidentiality_u \<Longrightarrow> xNonleakage_gen"
apply (simp add: Nonleakage_gen_xNonleakage_gen[symmetric])
apply (erule Nonleakage_gen)
done
lemma xNonleakage_gen_confidentiality_u:
"xNonleakage_gen \<Longrightarrow> confidentiality_u"
apply (clarsimp simp: xNonleakage_gen_def confidentiality_u_def)
apply (drule_tac x="[a]" in spec, drule_tac x=s in spec)
apply (drule_tac x=u in spec, drule_tac x=t in spec)
apply (case_tac "dom a s \<leadsto> u")
apply (simp add: xources_Step_2 uwr_equiv_def sameFor_dom_def Step_def)
apply (simp add: xources_Step uwr_equiv_def sameFor_dom_def Step_def)
done
lemma xNoninfluence_strong_uwr_xources_ipurge_integrity_u:
"xNoninfluence_strong_uwr_xources_ipurge \<Longrightarrow> integrity_u"
apply (clarsimp simp: xNoninfluence_strong_uwr_xources_ipurge_def integrity_u_def)
apply (drule_tac x=u in spec, drule_tac x="[a]" in spec, drule_tac x="[]" in spec)
apply (drule_tac x=s in spec, drule_tac x=s in spec)
apply (simp add: sources_Step sameFor_dom_def uwr_refl
uwr_equiv_def Step_def ipurge_Cons ipurge_Nil
split: if_splits)
apply (simp add: policy_refl)
apply (simp add: execution_Nil)
apply (blast intro: uwr_sym)
done
lemma xNoninfluence_strong_uwr_sources_xpurge_integrity_u:
"xNoninfluence_strong_uwr_sources_xpurge \<Longrightarrow> integrity_u"
apply (clarsimp simp: xNoninfluence_strong_uwr_sources_xpurge_def integrity_u_def)
apply (drule_tac x=u in spec, drule_tac x="[a]" in spec, drule_tac x="[]" in spec)
apply (drule_tac x=s in spec, drule_tac x=s in spec)
apply (simp add: xources_Step sameFor_dom_def uwr_refl
uwr_equiv_def Step_def xpurge_Cons xpurge_Nil
split: if_splits)
apply (simp add: policy_refl)
apply (simp add: execution_Nil)
apply (blast intro: uwr_sym)
done
lemma xNoninfluence_strong_uwr_xources_xpurge_integrity_u:
"xNoninfluence_strong_uwr_xources_xpurge \<Longrightarrow> integrity_u"
apply (clarsimp simp: xNoninfluence_strong_uwr_xources_xpurge_def integrity_u_def)
apply (drule_tac x=u in spec, drule_tac x="[a]" in spec, drule_tac x="[]" in spec)
apply (drule_tac x=s in spec, drule_tac x=s in spec)
apply (simp add: xources_Step sameFor_dom_def uwr_refl
uwr_equiv_def Step_def xpurge_Cons xpurge_Nil
split: if_splits)
apply (simp add: policy_refl)
apply (simp add: execution_Nil)
apply (blast intro: uwr_sym)
done
lemma xNoninfluence_strong_uwr_sources_ipurgx_integrity_u:
"xNoninfluence_strong_uwr_sources_ipurgx \<Longrightarrow> integrity_u"
apply (clarsimp simp: xNoninfluence_strong_uwr_sources_ipurgx_def integrity_u_def)
apply (drule_tac x=u in spec, drule_tac x="[a]" in spec, drule_tac x="[]" in spec)
apply (drule_tac x=s in spec, drule_tac x=s in spec)
apply (simp add: sources_Step sameFor_dom_def uwr_refl
uwr_equiv_def Step_def ipurgx_Cons ipurgx_Nil
split: if_splits)
apply (simp add: policy_refl)
apply (simp add: execution_Nil)
apply (blast intro: uwr_sym)
done
lemma xNoninfluence_strong_uwr_xources_ipurgx_integrity_u:
"xNoninfluence_strong_uwr_xources_ipurgx \<Longrightarrow> integrity_u"
apply (clarsimp simp: xNoninfluence_strong_uwr_xources_ipurgx_def integrity_u_def)
apply (drule_tac x=u in spec, drule_tac x="[a]" in spec, drule_tac x="[]" in spec)
apply (drule_tac x=s in spec, drule_tac x=s in spec)
apply (simp add: sources_Step sameFor_dom_def uwr_refl
uwr_equiv_def Step_def ipurgx_Cons ipurgx_Nil
split: if_splits)
apply (simp add: policy_refl)
apply (simp add: execution_Nil)
apply (blast intro: uwr_sym)
done
lemma xNoninfluence_strong_uwr_sources_xpurgx_integrity_u:
"xNoninfluence_strong_uwr_sources_xpurgx \<Longrightarrow> integrity_u"
apply (clarsimp simp: xNoninfluence_strong_uwr_sources_xpurgx_def integrity_u_def)
apply (drule_tac x=u in spec, drule_tac x="[a]" in spec, drule_tac x="[]" in spec)
apply (drule_tac x=s in spec, drule_tac x=s in spec)
apply (simp add: xources_Step sameFor_dom_def uwr_refl
uwr_equiv_def Step_def xpurgx_Cons xpurgx_Nil
split: if_splits)
apply (simp add: policy_refl)
apply (simp add: execution_Nil)
apply (blast intro: uwr_sym)
done
lemma xNoninfluence_strong_uwr_xources_xpurgx_integrity_u:
"xNoninfluence_strong_uwr_xources_xpurgx \<Longrightarrow> integrity_u"
apply (clarsimp simp: xNoninfluence_strong_uwr_xources_xpurgx_def integrity_u_def)
apply (drule_tac x=u in spec, drule_tac x="[a]" in spec, drule_tac x="[]" in spec)
apply (drule_tac x=s in spec, drule_tac x=s in spec)
apply (simp add: xources_Step sameFor_dom_def uwr_refl
uwr_equiv_def Step_def xpurgx_Cons xpurgx_Nil
split: if_splits)
apply (simp add: policy_refl)
apply (simp add: execution_Nil)
apply (blast intro: uwr_sym)
done
lemma Noninfluence_strong_uwr_pg_integrity_u:
"Noninfluence_strong_uwr_pg \<Longrightarrow> integrity_u"
apply (clarsimp simp: Noninfluence_strong_uwr_pg_def integrity_u_def)
apply (drule_tac x=u in spec, drule_tac x="[a]" in spec, drule_tac x="[]" in spec)
apply (drule_tac x=s in spec, drule_tac x=s in spec)
apply (simp add: sources_Step sameFor_dom_def uwr_refl
uwr_equiv_def Step_def ipurge_Cons ipurge_Nil
split: if_splits)
apply (simp add: policy_refl)
apply (simp add: execution_Nil)
apply (blast intro: uwr_sym)
done
(* The choice as to which sources/ipurge definition to adopt doesn't matter.
For this reason we adopt the one that is simpler to prove the sufficiency of the
unwinding conditions for, while having both the sources and ipurge being of the
same "kind". *)
lemma Noninfluence_strong_uwr_equiv_xNoninfluence_strong_uwr_xources_ipurge:
"Noninfluence_strong_uwr = xNoninfluence_strong_uwr_xources_ipurge"
apply (rule iffI)
apply (subst xNoninfluence_strong_uwr_xources_ipurge_Noninfluence_strong_uwr)
apply (erule Noninfluence_strong_uwr_confidentiality_u_weak)
apply (erule Noninfluence_strong_uwr_integrity_u)
apply assumption
apply (rule Noninfluence_strong_uwr)
apply (erule xNoninfluence_strong_uwr_xources_ipurge_confidentiality_u_weak)
apply (erule xNoninfluence_strong_uwr_xources_ipurge_integrity_u)
done
lemma Noninfluence_strong_uwr_equiv_xNoninfluence_strong_uwr_sources_xpurge:
"Noninfluence_strong_uwr = xNoninfluence_strong_uwr_sources_xpurge"
apply (rule iffI)
apply (subst xNoninfluence_strong_uwr_sources_xpurge_Noninfluence_strong_uwr)
apply (erule Noninfluence_strong_uwr_confidentiality_u_weak)
apply (erule Noninfluence_strong_uwr_integrity_u)
apply assumption
apply (rule Noninfluence_strong_uwr)
apply (erule xNoninfluence_strong_uwr_sources_xpurge_confidentiality_u_weak)
apply (erule xNoninfluence_strong_uwr_sources_xpurge_integrity_u)
done
lemma Noninfluence_strong_uwr_equiv_xNoninfluence_strong_uwr_xources_xpurge:
"Noninfluence_strong_uwr = xNoninfluence_strong_uwr_xources_xpurge"
apply (rule iffI)
apply (subst xNoninfluence_strong_uwr_xources_xpurge_Noninfluence_strong_uwr)
apply (erule Noninfluence_strong_uwr_confidentiality_u_weak)
apply (erule Noninfluence_strong_uwr_integrity_u)
apply assumption
apply (rule Noninfluence_strong_uwr)
apply (erule xNoninfluence_strong_uwr_xources_xpurge_confidentiality_u_weak)
apply (erule xNoninfluence_strong_uwr_xources_xpurge_integrity_u)
done
lemma Noninfluence_strong_uwr_equiv_xNoninfluence_strong_uwr_sources_ipurgx:
"Noninfluence_strong_uwr = xNoninfluence_strong_uwr_sources_ipurgx"
apply (rule iffI)
apply (subst xNoninfluence_strong_uwr_sources_ipurgx_Noninfluence_strong_uwr)
apply (erule Noninfluence_strong_uwr_confidentiality_u_weak)
apply (erule Noninfluence_strong_uwr_integrity_u)
apply assumption
apply (rule Noninfluence_strong_uwr)
apply (erule xNoninfluence_strong_uwr_sources_ipurgx_confidentiality_u_weak)
apply (erule xNoninfluence_strong_uwr_sources_ipurgx_integrity_u)
done
lemma Noninfluence_strong_uwr_equiv_xNoninfluence_strong_uwr_xources_ipurgx:
"Noninfluence_strong_uwr = xNoninfluence_strong_uwr_xources_ipurgx"
apply (rule iffI)
apply (subst xNoninfluence_strong_uwr_xources_ipurgx_Noninfluence_strong_uwr)
apply (erule Noninfluence_strong_uwr_confidentiality_u_weak)
apply (erule Noninfluence_strong_uwr_integrity_u)
apply assumption
apply (rule Noninfluence_strong_uwr)
apply (erule xNoninfluence_strong_uwr_xources_ipurgx_confidentiality_u_weak)
apply (erule xNoninfluence_strong_uwr_xources_ipurgx_integrity_u)
done
lemma Noninfluence_strong_uwr_equiv_xNoninfluence_strong_uwr_sources_xpurgx:
"Noninfluence_strong_uwr = xNoninfluence_strong_uwr_sources_xpurgx"
apply (rule iffI)
apply (subst xNoninfluence_strong_uwr_sources_xpurgx_Noninfluence_strong_uwr)
apply (erule Noninfluence_strong_uwr_confidentiality_u_weak)
apply (erule Noninfluence_strong_uwr_integrity_u)
apply assumption
apply (rule Noninfluence_strong_uwr)
apply (erule xNoninfluence_strong_uwr_sources_xpurgx_confidentiality_u_weak)
apply (erule xNoninfluence_strong_uwr_sources_xpurgx_integrity_u)
done
lemma Noninfluence_strong_uwr_equiv_xNoninfluence_strong_uwr_xources_xpurgx:
"Noninfluence_strong_uwr = xNoninfluence_strong_uwr_xources_xpurgx"
apply (rule iffI)
apply (subst xNoninfluence_strong_uwr_xources_xpurgx_Noninfluence_strong_uwr)
apply (erule Noninfluence_strong_uwr_confidentiality_u_weak)
apply (erule Noninfluence_strong_uwr_integrity_u)
apply assumption
apply (rule Noninfluence_strong_uwr)
apply (erule xNoninfluence_strong_uwr_xources_xpurgx_confidentiality_u_weak)
apply (erule xNoninfluence_strong_uwr_xources_xpurgx_integrity_u)
done
lemma Noninfluence_strong_uwr_equiv_Noninfluence_strong_uwr_pg:
"Noninfluence_strong_uwr = Noninfluence_strong_uwr_pg"
apply (rule iffI)
apply (subst Noninfluence_strong_uwr_pg_Noninfluence_strong_uwr)
apply (erule Noninfluence_strong_uwr_confidentiality_u_weak)
apply (erule Noninfluence_strong_uwr_integrity_u)
apply assumption
apply (rule Noninfluence_strong_uwr)
apply (erule Noninfluence_strong_uwr_pg_confidentiality_u_weak)
apply (erule Noninfluence_strong_uwr_pg_integrity_u)
done
end
end
Reference in New Issue View Git Blame Copy Permalink