afp-mirror
/
UPF_Firewall
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity
Browse Source

Initial commit.

master
Achim D. Brucker 5 years ago
commit
671debf879
49 changed files with 12267 additions and 0 deletions
Whitespace
Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL
Split View
Diff Options
Show Stats Download Patch File Download Diff File
  1. 75
      Examples/DMZ/DMZ.thy
  2. 120
      Examples/DMZ/DMZDatatype.thy
  3. 133
      Examples/DMZ/DMZInteger.thy
  4. 50
      Examples/Examples.thy
  5. 292
      Examples/NAT-FW/NAT-FW.thy
  6. 45
      Examples/PersonalFirewall/PersonalFirewall.thy
  7. 108
      Examples/PersonalFirewall/PersonalFirewallDatatype.thy
  8. 113
      Examples/PersonalFirewall/PersonalFirewallInt.thy
  9. 103
      Examples/PersonalFirewall/PersonalFirewallIpv4.thy
  10. 44
      Examples/Transformation/Transformation.thy
  11. 268
      Examples/Transformation/Transformation01.thy
  12. 219
      Examples/Transformation/Transformation02.thy
  13. 136
      Examples/VoIP/VoIP.thy
  14. 76
      FWNormalisation/ElementaryRules.thy
  15. 42
      FWNormalisation/FWNormalisation.thy
  16. 654
      FWNormalisation/FWNormalisationCore.thy
  17. 2397
      FWNormalisation/NormalisationGenericProofs.thy
  18. 1959
      FWNormalisation/NormalisationIPPProofs.thy
  19. 1971
      FWNormalisation/NormalisationIntegerPortProof.thy
  20. 34
      LICENSE
  21. 170
      NAT/NAT.thy
  22. 62
      PacketFilter/DatatypeAddress.thy
  23. 93
      PacketFilter/DatatypePort.thy
  24. 88
      PacketFilter/IPv4.thy
  25. 83
      PacketFilter/IPv4_TCPUDP.thy
  26. 48
      PacketFilter/IntegerAddress.thy
  27. 85
      PacketFilter/IntegerPort.thy
  28. 111
      PacketFilter/IntegerPort_TCPUDP.thy
  29. 182
      PacketFilter/NetworkCore.thy
  30. 79
      PacketFilter/NetworkModels.thy
  31. 45
      PacketFilter/PacketFilter.thy
  32. 86
      PacketFilter/PolicyCombinators.thy
  33. 70
      PacketFilter/PolicyCore.thy
  34. 183
      PacketFilter/PortCombinators.thy
  35. 78
      PacketFilter/Ports.thy
  36. 180
      PacketFilter/ProtocolPortCombinators.thy
  37. 31
      README.md
  38. 11
      ROOT
  39. 248
      StatefulFW/FTP.thy
  40. 314
      StatefulFW/FTPVOIP.thy
  41. 77
      StatefulFW/FTP_WithPolicy.thy
  42. 160
      StatefulFW/LTL_alike.thy
  43. 106
      StatefulFW/Stateful.thy
  44. 44
      StatefulFW/StatefulFW.thy
  45. 321
      StatefulFW/VOIP.thy
  46. 48
      UPF-Firewall.thy
  47. 12
      document/introduction.tex
  48. 254
      document/root.bib
  49. 159
      document/root.tex

75
Examples/DMZ/DMZ.thy
View File

@ -0,0 +1,75 @@
(*****************************************************************************
* Copyright (c) 2005-2010 ETH Zurich, Switzerland
* 2008-2015 Achim D. Brucker, Germany
* 2009-2016 Université Paris-Sud, France
* 2015-2016 The University of Sheffield, UK
*
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions are
* met:
*
* * Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
*
* * Redistributions in binary form must reproduce the above
* copyright notice, this list of conditions and the following
* disclaimer in the documentation and/or other materials provided
* with the distribution.
*
* * Neither the name of the copyright holders nor the names of its
* contributors may be used to endorse or promote products derived
* from this software without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
* A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
* OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
* LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*****************************************************************************)
section {* A Simple DMZ Setup *}
theory
DMZ
imports
DMZDatatype
DMZInteger
begin
text{* This scenario is slightly more complicated than the SimpleDMZ
one, as we now also model specific servers within one
network. Therefore, we cannot use anymore the modelling using
datatype synonym, but only use the one where an address is modelled as an
integer (with ports).
The scenario is the following:
\begin{labeling}{Networks:}
\item[Networks:]
\begin{itemize}
\item Intranet (Company intern network)
\item DMZ (demilitarised zone, servers, etc), containing
at least two distinct servers ``mail'' and ``web''
\item Internet (``all others'')
\end{itemize}
\item[Policy:]
\begin{itemize}
\item allow http(s) from Intranet to Internet
\item deny all trafic from Internet to Intranet
\item allo imaps and smtp from intranet to mailserver
\item allow smtp from Internet to mailserver
\item allow http(s) from Internet to webserver
\item deny everything else
\end{itemize}
\end{labeling}
*}
end

120
Examples/DMZ/DMZDatatype.thy
View File

@ -0,0 +1,120 @@
(*****************************************************************************
* Copyright (c) 2005-2010 ETH Zurich, Switzerland
* 2008-2015 Achim D. Brucker, Germany
* 2009-2016 Université Paris-Sud, France
* 2015-2016 The University of Sheffield, UK
*
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions are
* met:
*
* * Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
*
* * Redistributions in binary form must reproduce the above
* copyright notice, this list of conditions and the following
* disclaimer in the documentation and/or other materials provided
* with the distribution.
*
* * Neither the name of the copyright holders nor the names of its
* contributors may be used to endorse or promote products derived
* from this software without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
* A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
* OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
* LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*****************************************************************************)
subsection {* DMZ Datatype *}
theory
DMZDatatype
imports
"../../UPF-Firewall"
begin
text{* This is the fourth scenario, slightly more complicated than the
previous one, as we now also model specific servers within one
network. Therefore, we could not use anymore the modelling using
datatype synonym, but only use the one where an address is modelled as an
integer (with ports).
Just for comparison, this theory is the same scenario with datatype synonym
anyway, but with four distinct networks instead of one contained in
another. As there is no corresponding network model included, we need
to define a custom one. *}
datatype Adr = Intranet | Internet | Mail | Web | DMZ
instance Adr::adr ..
type_synonym port = int
type_synonym Networks = "Adr \<times> port"
definition
intranet::"Networks net" where
"intranet = {{(a,b). a= Intranet}}"
definition
dmz :: "Networks net" where
"dmz = {{(a,b). a= DMZ}}"
definition
mail :: "Networks net" where
"mail = {{(a,b). a=Mail}}"
definition
web :: "Networks net" where
"web = {{(a,b). a=Web}}"
definition
internet :: "Networks net" where
"internet = {{(a,b). a= Internet}}"
definition
Intranet_mail_port :: "(Networks ,DummyContent) FWPolicy" where
"Intranet_mail_port = (allow_from_ports_to {21::port,14} intranet mail)"
definition
Intranet_Internet_port :: "(Networks,DummyContent) FWPolicy" where
"Intranet_Internet_port = allow_from_ports_to {80::port,90} intranet internet"
definition
Internet_web_port :: "(Networks,DummyContent) FWPolicy" where
"Internet_web_port = (allow_from_ports_to {80::port,90} internet web)"
definition
Internet_mail_port :: "(Networks,DummyContent) FWPolicy" where
"Internet_mail_port = (allow_all_from_port_to internet (21::port) dmz)"
definition
policyPort :: "(Networks, DummyContent) FWPolicy" where
"policyPort = deny_all ++
Intranet_Internet_port ++
Intranet_mail_port ++
Internet_mail_port ++
Internet_web_port"
text {* We only want to create test cases which are sent between the
three main networks --- e.g. not between the mailserver and the
dmz. Therefore, the constraint looks as follows. *}
definition
not_in_same_net :: "(Networks,DummyContent) packet \<Rightarrow> bool" where
"not_in_same_net x = ((src x \<sqsubset> internet \<longrightarrow> \<not> dest x \<sqsubset> internet) \<and>
(src x \<sqsubset> intranet \<longrightarrow> \<not> dest x \<sqsubset> intranet) \<and>
(src x \<sqsubset> dmz \<longrightarrow> \<not> dest x \<sqsubset> dmz))"
lemmas PolicyLemmas = dmz_def internet_def intranet_def mail_def web_def
Internet_web_port_def Internet_mail_port_def
Intranet_Internet_port_def Intranet_mail_port_def
src_def dest_def src_port dest_port in_subnet_def
end

133
Examples/DMZ/DMZInteger.thy
View File

@ -0,0 +1,133 @@
(*****************************************************************************
* Copyright (c) 2005-2010 ETH Zurich, Switzerland
* 2008-2015 Achim D. Brucker, Germany
* 2009-2016 Université Paris-Sud, France
* 2015-2016 The University of Sheffield, UK
*
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions are
* met:
*
* * Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
*
* * Redistributions in binary form must reproduce the above
* copyright notice, this list of conditions and the following
* disclaimer in the documentation and/or other materials provided
* with the distribution.
*
* * Neither the name of the copyright holders nor the names of its
* contributors may be used to endorse or promote products derived
* from this software without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
* A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
* OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
* LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*****************************************************************************)
subsection {* DMZ: Integer *}
theory
DMZInteger
imports
"../../UPF-Firewall"
begin
text{* This scenario is slightly more complicated than the SimpleDMZ
one, as we now also model specific servers within one
network. Therefore, we cannot use anymore the modelling using
datatype synonym, but only use the one where an address is modelled as an
integer (with ports).
The scenario is the following:
\begin{labeling}{Networks:}
\item[Networks:]
\begin{itemize}
\item Intranet (Company intern network)
\item DMZ (demilitarised zone, servers, etc), containing
at least two distinct servers ``mail'' and ``web''
\item Internet (``all others'')
\end{itemize}
\item[Policy:]
\begin{itemize}
\item allow http(s) from Intranet to Internet
\item deny all trafic from Internet to Intranet
\item allo imaps and smtp from intranet to mailserver
\item allow smtp from Internet to mailserver
\item allow http(s) from Internet to webserver
\item deny everything else
\end{itemize}
\end{labeling}
*}
definition
intranet::"adr\<^sub>i\<^sub>p net" where
"intranet = {{(a,b) . (a > 1 \<and> a < 4) }}"
definition
dmz :: "adr\<^sub>i\<^sub>p net" where
"dmz = {{(a,b). (a > 6) \<and> (a < 11)}}"
definition
mail :: "adr\<^sub>i\<^sub>p net" where
"mail = {{(a,b). a = 7}}"
definition
web :: "adr\<^sub>i\<^sub>p net" where
"web = {{(a,b). a = 8 }}"
definition
internet :: "adr\<^sub>i\<^sub>p net" where
"internet = {{(a,b). \<not> ( (a > 1 \<and> a < 4) \<or> (a > 6) \<and> (a < 11)) }}"
definition
Intranet_mail_port :: "(adr\<^sub>i\<^sub>p,'b) FWPolicy" where
"Intranet_mail_port = (allow_from_to_ports {21::port,14} intranet mail)"
definition
Intranet_Internet_port :: "(adr\<^sub>i\<^sub>p,'b) FWPolicy" where
"Intranet_Internet_port = allow_from_to_ports {80::port,90} intranet internet"
definition
Internet_web_port :: "(adr\<^sub>i\<^sub>p,'b) FWPolicy" where
"Internet_web_port = (allow_from_to_ports {80::port,90} internet web)"
definition
Internet_mail_port :: "(adr\<^sub>i\<^sub>p,'b) FWPolicy" where
"Internet_mail_port = (allow_all_from_port_to internet (21::port) dmz )"
definition
policyPort :: "(adr\<^sub>i\<^sub>p, DummyContent) FWPolicy" where
"policyPort = deny_all ++
Intranet_Internet_port ++
Intranet_mail_port ++
Internet_mail_port ++
Internet_web_port"
text {* We only want to create test cases which are sent between the three main networks ---
e.g. not between the mailserver and the dmz. Therefore, the constraint looks as follows. *}
definition
not_in_same_net :: "(adr\<^sub>i\<^sub>p,DummyContent) packet \<Rightarrow> bool" where
"not_in_same_net x = ((src x \<sqsubset> internet \<longrightarrow> \<not> dest x \<sqsubset> internet) \<and>
(src x \<sqsubset> intranet \<longrightarrow> \<not> dest x \<sqsubset> intranet) \<and>
(src x \<sqsubset> dmz \<longrightarrow> \<not> dest x \<sqsubset> dmz))"
lemmas PolicyLemmas = policyPort_def dmz_def internet_def intranet_def mail_def web_def
Intranet_Internet_port_def Intranet_mail_port_def Internet_web_port_def
Internet_mail_port_def src_def dest_def IntegerPort.src_port
in_subnet_def IntegerPort.dest_port
end

50
Examples/Examples.thy
View File

@ -0,0 +1,50 @@
(*****************************************************************************
* Copyright (c) 2005-2010 ETH Zurich, Switzerland
* 2008-2015 Achim D. Brucker, Germany
* 2009-2016 Université Paris-Sud, France
* 2015-2016 The University of Sheffield, UK
*
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions are
* met:
*
* * Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
*
* * Redistributions in binary form must reproduce the above
* copyright notice, this list of conditions and the following
* disclaimer in the documentation and/or other materials provided
* with the distribution.
*
* * Neither the name of the copyright holders nor the names of its
* contributors may be used to endorse or promote products derived
* from this software without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
* A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
* OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
* LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*****************************************************************************)
chapter {* Examples *}
theory
Examples
imports
"DMZ/DMZ"
"VoIP/VoIP"
"Transformation/Transformation"
"NAT-FW/NAT-FW"
"PersonalFirewall/PersonalFirewall"
begin
end

292
Examples/NAT-FW/NAT-FW.thy
View File

@ -0,0 +1,292 @@
(*****************************************************************************
* Copyright (c) 2005-2010 ETH Zurich, Switzerland
* 2008-2015 Achim D. Brucker, Germany
* 2009-2016 Université Paris-Sud, France
* 2015-2016 The University of Sheffield, UK
*
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions are
* met:
*
* * Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
*
* * Redistributions in binary form must reproduce the above
* copyright notice, this list of conditions and the following
* disclaimer in the documentation and/or other materials provided
* with the distribution.
*
* * Neither the name of the copyright holders nor the names of its
* contributors may be used to endorse or promote products derived
* from this software without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
* A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
* OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
* LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*****************************************************************************)
section {* Example: NAT *}
theory
"NAT-FW"
imports
"../../UPF-Firewall"
begin
definition subnet1 :: "adr\<^sub>i\<^sub>p net" where
"subnet1 = {{(d,e). d > 1 \<and> d < 256}}"
definition subnet2 :: "adr\<^sub>i\<^sub>p net" where
"subnet2 = {{(d,e). d > 500 \<and> d < 1256}}"
definition
"accross_subnets x \<equiv>
((src x \<sqsubset> subnet1 \<and> (dest x \<sqsubset> subnet2)) \<or>
(src x \<sqsubset> subnet2 \<and> (dest x \<sqsubset> subnet1)))"
definition
filter :: "(adr\<^sub>i\<^sub>p, DummyContent) FWPolicy" where
"filter = allow_from_port_to (1::port) subnet1 subnet2 ++
allow_from_port_to (2::port) subnet1 subnet2 ++
allow_from_port_to (3::port) subnet1 subnet2 ++ deny_all"
definition
nat_0 where
"nat_0 = (A\<^sub>f(\<lambda>x. {x}))"
lemmas UnfoldPolicy0 =filter_def nat_0_def
NATLemmas
ProtocolPortCombinators.ProtocolCombinators
adr\<^sub>i\<^sub>pLemmas
packet_defs accross_subnets_def
subnet1_def subnet2_def
lemmas subnets = subnet1_def subnet2_def
definition Adr11 :: "int set"
where "Adr11 = {d. d > 2 \<and> d < 3}"
definition Adr21 :: "int set" where
"Adr21 = {d. d > 502 \<and> d < 503}"
definition nat_1 where
"nat_1 = nat_0 ++ (srcPat2pool_IntPort Adr11 Adr21)"
definition policy_1 where
"policy_1 = ((\<lambda> (x,y). x) o_f
((nat_1 \<Otimes>\<^sub>2 filter) o (\<lambda> x. (x,x))))"
lemmas UnfoldPolicy1 = UnfoldPolicy0 nat_1_def Adr11_def Adr21_def policy_1_def
definition Adr12 :: "int set"
where "Adr12 = {d. d > 4 \<and> d < 6}"
definition Adr22 :: "int set" where
"Adr22 = {d. d > 504 \<and> d < 506}"
definition nat_2 where
"nat_2 = nat_1 ++ (srcPat2pool_IntPort Adr12 Adr22)"
definition policy_2 where
"policy_2 = ((\<lambda> (x,y). x) o_f
((nat_2 \<Otimes>\<^sub>2 filter) o (\<lambda> x. (x,x))))"
lemmas UnfoldPolicy2 = UnfoldPolicy1 nat_2_def Adr12_def Adr22_def policy_2_def
definition Adr13 :: "int set"
where "Adr13 = {d. d > 6 \<and> d < 9}"
definition Adr23 :: "int set" where
"Adr23 = {d. d > 506 \<and> d < 509}"
definition nat_3 where
"nat_3 = nat_2 ++ (srcPat2pool_IntPort Adr13 Adr23)"
definition policy_3 where
"policy_3 = ((\<lambda> (x,y). x) o_f
((nat_3 \<Otimes>\<^sub>2 filter) o (\<lambda> x. (x,x))))"
lemmas UnfoldPolicy3 = UnfoldPolicy2 nat_3_def Adr13_def Adr23_def policy_3_def
definition Adr14 :: "int set"
where "Adr14 = {d. d > 8 \<and> d < 12}"
definition Adr24 :: "int set" where
"Adr24 = {d. d > 508 \<and> d < 512}"
definition nat_4 where
"nat_4 = nat_3 ++ (srcPat2pool_IntPort Adr14 Adr24)"
definition policy_4 where
"policy_4 = ((\<lambda> (x,y). x) o_f
((nat_4 \<Otimes>\<^sub>2 filter) o (\<lambda> x. (x,x))))"
lemmas UnfoldPolicy4 = UnfoldPolicy3 nat_4_def Adr14_def Adr24_def policy_4_def
definition Adr15 :: "int set"
where "Adr15 = {d. d > 10 \<and> d < 15}"
definition Adr25 :: "int set" where
"Adr25 = {d. d > 510 \<and> d < 515}"
definition nat_5 where
"nat_5 = nat_4 ++ (srcPat2pool_IntPort Adr15 Adr25)"
definition policy_5 where
"policy_5 = ((\<lambda> (x,y). x) o_f
((nat_5 \<Otimes>\<^sub>2 filter) o (\<lambda> x. (x,x))))"
lemmas UnfoldPolicy5 = UnfoldPolicy4 nat_5_def Adr15_def Adr25_def policy_5_def
definition Adr16 :: "int set"
where "Adr16 = {d. d > 12 \<and> d < 18}"
definition Adr26 :: "int set" where
"Adr26 = {d. d > 512 \<and> d < 518}"
definition nat_6 where
"nat_6 = nat_5 ++ (srcPat2pool_IntPort Adr16 Adr26)"
definition policy_6 where
"policy_6 = ((\<lambda> (x,y). x) o_f
((nat_6 \<Otimes>\<^sub>2 filter) o (\<lambda> x. (x,x))))"
lemmas UnfoldPolicy6 = UnfoldPolicy5 nat_6_def Adr16_def Adr26_def policy_6_def
definition Adr17 :: "int set"
where "Adr17 = {d. d > 14 \<and> d < 21}"
definition Adr27 :: "int set" where
"Adr27 = {d. d > 514 \<and> d < 521}"
definition nat_7 where
"nat_7 = nat_6 ++ (srcPat2pool_IntPort Adr17 Adr27)"
definition policy_7 where
"policy_7 = ((\<lambda> (x,y). x) o_f
((nat_7 \<Otimes>\<^sub>2 filter) o (\<lambda> x. (x,x))))"
lemmas UnfoldPolicy7 = UnfoldPolicy6 nat_7_def Adr17_def Adr27_def policy_7_def
definition Adr18 :: "int set"
where "Adr18 = {d. d > 16 \<and> d < 24}"
definition Adr28 :: "int set" where
"Adr28 = {d. d > 516 \<and> d < 524}"
definition nat_8 where
"nat_8 = nat_7 ++ (srcPat2pool_IntPort Adr18 Adr28)"
definition policy_8 where
"policy_8 = ((\<lambda> (x,y). x) o_f
((nat_8 \<Otimes>\<^sub>2 filter) o (\<lambda> x. (x,x))))"
lemmas UnfoldPolicy8 = UnfoldPolicy7 nat_8_def Adr18_def Adr28_def policy_8_def
definition Adr19 :: "int set"
where "Adr19 = {d. d > 18 \<and> d < 27}"
definition Adr29 :: "int set" where
"Adr29 = {d. d > 518 \<and> d < 527}"
definition nat_9 where
"nat_9 = nat_8 ++ (srcPat2pool_IntPort Adr19 Adr29)"
definition policy_9 where
"policy_9 = ((\<lambda> (x,y). x) o_f
((nat_9 \<Otimes>\<^sub>2 filter) o (\<lambda> x. (x,x))))"
lemmas UnfoldPolicy9 = UnfoldPolicy8 nat_9_def Adr19_def Adr29_def policy_9_def
definition Adr110 :: "int set"
where "Adr110 = {d. d > 20 \<and> d < 30}"
definition Adr210 :: "int set" where
"Adr210 = {d. d > 520 \<and> d < 530}"
definition nat_10 where
"nat_10 = nat_9 ++ (srcPat2pool_IntPort Adr110 Adr210)"
definition policy_10 where
"policy_10 = ((\<lambda> (x,y). x) o_f
((nat_10 \<Otimes>\<^sub>2 filter) o (\<lambda> x. (x,x))))"
lemmas UnfoldPolicy10 = UnfoldPolicy9 nat_10_def Adr110_def Adr210_def policy_10_def
end

45
Examples/PersonalFirewall/PersonalFirewall.thy
View File

@ -0,0 +1,45 @@
(*****************************************************************************
* Copyright (c) 2005-2010 ETH Zurich, Switzerland
* 2008-2015 Achim D. Brucker, Germany
* 2009-2016 Université Paris-Sud, France
* 2015-2016 The University of Sheffield, UK
*
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions are
* met:
*
* * Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
*
* * Redistributions in binary form must reproduce the above
* copyright notice, this list of conditions and the following
* disclaimer in the documentation and/or other materials provided
* with the distribution.
*
* * Neither the name of the copyright holders nor the names of its
* contributors may be used to endorse or promote products derived
* from this software without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
* A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
* OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
* LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*****************************************************************************)
section {* Personal Firewall *}
theory
PersonalFirewall
imports
PersonalFirewallInt
PersonalFirewallIpv4
begin
end

108
Examples/PersonalFirewall/PersonalFirewallDatatype.thy
View File

@ -0,0 +1,108 @@
(*****************************************************************************
* Copyright (c) 2005-2010 ETH Zurich, Switzerland
* 2008-2015 Achim D. Brucker, Germany
* 2009-2016 Université Paris-Sud, France
* 2015-2016 The University of Sheffield, UK
*
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions are
* met:
*
* * Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
*
* * Redistributions in binary form must reproduce the above
* copyright notice, this list of conditions and the following
* disclaimer in the documentation and/or other materials provided
* with the distribution.
*
* * Neither the name of the copyright holders nor the names of its
* contributors may be used to endorse or promote products derived
* from this software without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
* A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
* OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
* LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*****************************************************************************)
subsection {* Personal Firewall: Datatype *}
theory
PersonalFirewallDatatype
imports
FWTesting
begin
text{* The most basic firewall scenario; there is a personal PC on one
side and the Internet on the other. There are two policies: the first
one allows all traffic from the PC to the Internet and denies all
coming into the PC. The second policy only allows specific ports from
the PC. This scenario comes in three variants: the first one specifies
the allowed protocols directly, the second together with their
respective port numbers, the third one only with the port numbers. *}
datatype Adr = pc | internet
type_synonym DatatypeTwoNets = "Adr \<times> int"
instance Adr::adr ..
defs (overloaded)
src_port_def: "src_port (x::(DatatypeTwoNets,'b) packet) \<equiv> snd (src x)"
dest_port_def: "dest_port (x::(DatatypeTwoNets,'b) packet) \<equiv> snd (dest x)"
definition
PC :: "DatatypeTwoNets net" where
"PC = {{(a,b). a = pc}}"
definition
Internet :: "DatatypeTwoNets net" where
"Internet = {{(a,b). a = internet}}"
text{*
Definition of the testing constraint
*}
definition
not_in_same_net :: "(DatatypeTwoNets,DummyContent) packet \<Rightarrow> bool" where
"not_in_same_net x = ((src x \<sqsubset> PC \<longrightarrow> dest x \<sqsubset> Internet) \<and> (src x \<sqsubset> Internet \<longrightarrow> dest x \<sqsubset> PC))"
text {*
Definitions of the policies
In fact, the short definitions wouldn't have to be written down - they
are the automatically simplified versions of their big counterparts.
*}
definition
strictPolicy :: "(DatatypeTwoNets,DummyContent) FWPolicy" where
"strictPolicy = deny_all ++ allow_all_from_to PC Internet"
definition
PortPolicy :: "(DatatypeTwoNets,'b) FWPolicy" where
"PortPolicy = deny_all ++ allow_from_ports_to {80::port,24,21} PC Internet"
definition
PortPolicyBig :: "(DatatypeTwoNets,'b) FWPolicy" where
"PortPolicyBig =
allow_from_port_to (80::port) PC Internet \<Oplus>
allow_from_port_to (24::port) PC Internet \<Oplus>
allow_from_port_to (21::port) PC Internet \<Oplus>
deny_all"
lemmas policyLemmas = strictPolicy_def PortPolicy_def PC_def Internet_def PortPolicyBig_def src_def dest_def src_port_def dest_port_def
PolicyCombinators PortCombinators in_subnet_def
end

113
Examples/PersonalFirewall/PersonalFirewallInt.thy
View File

@ -0,0 +1,113 @@
(*****************************************************************************
* Copyright (c) 2005-2010 ETH Zurich, Switzerland
* 2008-2015 Achim D. Brucker, Germany
* 2009-2016 Université Paris-Sud, France
* 2015-2016 The University of Sheffield, UK
*
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions are
* met:
*
* * Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
*
* * Redistributions in binary form must reproduce the above
* copyright notice, this list of conditions and the following
* disclaimer in the documentation and/or other materials provided
* with the distribution.
*
* * Neither the name of the copyright holders nor the names of its
* contributors may be used to endorse or promote products derived
* from this software without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
* A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
* OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
* LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*****************************************************************************)
subsection{* Personal Firewall: Integer *}
theory
PersonalFirewallInt
imports
"../../UPF-Firewall"
begin
text{*
The most basic firewall scenario; there is a personal PC on one side and the Internet on the other.
There are two policies: the first one allows all traffic from the PC to the Internet and denies
all coming into the PC. The second policy only allows specific ports from the PC. This scenario
comes in three variants: the first one specifies the allowed protocols directly, the second together
with their respective port numbers, the third one only with the port numbers.
*}
text{*
Definitions of the subnets
*}
definition
PC :: "(adr\<^sub>i\<^sub>p net)" where
"PC = {{(a,b). a = 3}}"
definition
Internet :: "adr\<^sub>i\<^sub>p net" where
"Internet = {{(a,b). \<not> (a = 3)}}"
text{*
Definition of the testing constraint
*}
definition
not_in_same_net :: "(adr\<^sub>i\<^sub>p,DummyContent) packet \<Rightarrow> bool" where
"not_in_same_net x = ((src x \<sqsubset> PC \<longrightarrow> dest x \<sqsubset> Internet) \<and> (src x \<sqsubset> Internet \<longrightarrow> dest x \<sqsubset> PC))"
text {*
Definitions of the policies
*}
definition
strictPolicy :: "(adr\<^sub>i\<^sub>p,DummyContent) FWPolicy" where
"strictPolicy = deny_all ++ allow_all_from_to PC Internet"
definition
PortPolicy :: "(adr\<^sub>i\<^sub>p,DummyContent) FWPolicy" where
"PortPolicy = deny_all ++ allow_from_ports_to {http,smtp,ftp} PC Internet"
definition
PortPolicyBig :: "(adr\<^sub>i\<^sub>p,DummyContent) FWPolicy" where
"PortPolicyBig = deny_all ++
allow_from_port_to http PC Internet ++
allow_from_port_to smtp PC Internet ++
allow_from_port_to ftp PC Internet"
lemmas policyLemmas = strictPolicy_def PortPolicy_def PC_def
Internet_def PortPolicyBig_def src_def dest_def
adr\<^sub>i\<^sub>pLemmas content_def
PortCombinators in_subnet_def PortPolicyBig_def id_def
declare Ports [simp add]
definition wellformed_packet::"(adr\<^sub>i\<^sub>p,DummyContent) packet \<Rightarrow> bool" where
"wellformed_packet p = (content p = data)"
end

103
Examples/PersonalFirewall/PersonalFirewallIpv4.thy
View File

@ -0,0 +1,103 @@
(*****************************************************************************
* Copyright (c) 2005-2010 ETH Zurich, Switzerland
* 2008-2015 Achim D. Brucker, Germany
* 2009-2016 Université Paris-Sud, France
* 2015-2016 The University of Sheffield, UK
*
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions are
* met:
*
* * Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
*
* * Redistributions in binary form must reproduce the above
* copyright notice, this list of conditions and the following
* disclaimer in the documentation and/or other materials provided
* with the distribution.
*
* * Neither the name of the copyright holders nor the names of its
* contributors may be used to endorse or promote products derived
* from this software without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
* A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
* OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
* LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*****************************************************************************)
subsection {* Personal Firewall IPv4 *}
theory
PersonalFirewallIpv4
imports
"../../UPF-Firewall"
begin
text{*
The most basic firewall scenario; there is a personal PC on one side and the Internet on the other.
There are two policies: the first one allows all traffic from the PC to the Internet and denies
all coming into the PC. The second policy only allows specific ports from the PC. This scenario
comes in three variants: the first one specifies the allowed protocols directly, the second together
with their respective port numbers, the third one only with the port numbers.
*}
text{*
Definitions of the subnets
*}
definition
PC :: "(ipv4 net)" where
"PC = {{((a,b,c,d),e). a = 1 \<and> b = 3 \<and> c = 5 \<and> d = 2}}"
definition
Internet :: "ipv4 net" where
"Internet = {{((a,b,c,d),e). \<not> (a = 1 \<and> b = 3 \<and> c = 5 \<and> d = 2)}}"
text{*
Definition of the testing constraint
*}
definition
not_in_same_net :: "(ipv4,DummyContent) packet \<Rightarrow> bool" where
"not_in_same_net x = ((src x \<sqsubset> PC \<longrightarrow> dest x \<sqsubset> Internet) \<and> (src x \<sqsubset> Internet \<longrightarrow> dest x \<sqsubset> PC))"
text {*
Definitions of the policies
*}
definition
strictPolicy :: "(ipv4,DummyContent) FWPolicy" where
"strictPolicy = deny_all ++ allow_all_from_to PC Internet"
definition
PortPolicy :: "(ipv4,DummyContent) FWPolicy" where
"PortPolicy = deny_all ++ allow_from_ports_to {80::port,24,21} PC Internet"
definition
PortPolicyBig :: "(ipv4,DummyContent) FWPolicy" where
"PortPolicyBig = deny_all ++ allow_from_port_to (80::port) PC Internet++ allow_from_port_to (24::port) PC Internet++ allow_from_port_to (21::port) PC Internet"
lemmas policyLemmas = strictPolicy_def PortPolicy_def PC_def
Internet_def PortPolicyBig_def src_def dest_def
IPv4.src_port
IPv4.dest_port PolicyCombinators
PortCombinators in_subnet_def PortPolicyBig_def
end

44
Examples/Transformation/Transformation.thy
View File

@ -0,0 +1,44 @@
(*****************************************************************************
* Copyright (c) 2005-2010 ETH Zurich, Switzerland
* 2008-2015 Achim D. Brucker, Germany
* 2009-2016 Université Paris-Sud, France
* 2015-2016 The University of Sheffield, UK
*
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions are
* met:
*
* * Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
*
* * Redistributions in binary form must reproduce the above
* copyright notice, this list of conditions and the following
* disclaimer in the documentation and/or other materials provided
* with the distribution.
*
* * Neither the name of the copyright holders nor the names of its
* contributors may be used to endorse or promote products derived
* from this software without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
* A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
* OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
* LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*****************************************************************************)
section {* Demonstrating Policy Transformations *}
theory Transformation
imports
Transformation01
Transformation02
begin
end

268
Examples/Transformation/Transformation01.thy
View File

@ -0,0 +1,268 @@
(*****************************************************************************
* Copyright (c) 2005-2010 ETH Zurich, Switzerland
* 2008-2015 Achim D. Brucker, Germany
* 2009-2016 Université Paris-Sud, France
* 2015-2016 The University of Sheffield, UK
*
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions are
* met:
*
* * Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
*
* * Redistributions in binary form must reproduce the above
* copyright notice, this list of conditions and the following
* disclaimer in the documentation and/or other materials provided
* with the distribution.
*
* * Neither the name of the copyright holders nor the names of its
* contributors may be used to endorse or promote products derived
* from this software without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
* A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
* OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
* LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*****************************************************************************)
subsection {* Transformation Example 1 *}
theory
Transformation01
imports
"../../UPF-Firewall"
begin
definition
FWLink :: "adr\<^sub>i\<^sub>p net" where
"FWLink = {{(a,b). a = 1}}"
definition
any :: "adr\<^sub>i\<^sub>p net" where
"any = {{(a,b). a > 5}}"
definition
i4:: "adr\<^sub>i\<^sub>p net" where
"i4 = {{(a,b). a = 2 }}"
definition
i27:: "adr\<^sub>i\<^sub>p net" where
"i27 = {{(a,b). a = 3 }}"
definition
eth_intern:: "adr\<^sub>i\<^sub>p net" where
"eth_intern = {{(a,b). a = 4 }}"
definition
eth_private:: "adr\<^sub>i\<^sub>p net" where
"eth_private = {{(a,b). a = 5 }}"
definition
(* Mandatory: Global *)
MG2 :: "(adr\<^sub>i\<^sub>p net,port) Combinators" where
"MG2 = AllowPortFromTo i27 any 1 \<oplus>
AllowPortFromTo i27 any 2 \<oplus>
AllowPortFromTo i27 any 3"
definition
MG3 :: "(adr\<^sub>i\<^sub>p net,port) Combinators" where
"MG3 = AllowPortFromTo any FWLink 1"
definition
MG4 :: "(adr\<^sub>i\<^sub>p net,port) Combinators" where
"MG4 = AllowPortFromTo FWLink FWLink 4"
definition
MG7 :: "(adr\<^sub>i\<^sub>p net,port) Combinators" where
"MG7 = AllowPortFromTo FWLink i4 6 \<oplus>
AllowPortFromTo FWLink i4 7"
definition
MG8 :: "(adr\<^sub>i\<^sub>p net,port) Combinators" where
"MG8 = AllowPortFromTo FWLink i4 6 \<oplus>
AllowPortFromTo FWLink i4 7"
(* Default Global *)
definition
DG3:: "(adr\<^sub>i\<^sub>p net,port) Combinators" where
"DG3 = AllowPortFromTo any any 7"
definition
"Policy = DenyAll \<oplus> MG8 \<oplus> MG7 \<oplus> MG4 \<oplus> MG3 \<oplus> MG2 \<oplus> DG3"
lemmas PolicyLemmas = Policy_def
FWLink_def
any_def
i27_def
i4_def
eth_intern_def
eth_private_def
MG2_def MG3_def MG4_def MG7_def MG8_def
DG3_def
lemmas PolicyL = MG2_def MG3_def MG4_def MG7_def MG8_def
DG3_def Policy_def
definition
not_in_same_net :: "(adr\<^sub>i\<^sub>p,DummyContent) packet \<Rightarrow> bool" where
"not_in_same_net x = (((src x \<sqsubset> i27) \<longrightarrow> ( \<not> (dest x \<sqsubset> i27))) \<and>
((src x \<sqsubset> i4) \<longrightarrow> ( \<not> (dest x \<sqsubset> i4))) \<and>
((src x \<sqsubset> eth_intern) \<longrightarrow> ( \<not> (dest x \<sqsubset> eth_intern))) \<and>
((src x \<sqsubset> eth_private) \<longrightarrow> ( \<not> (dest x \<sqsubset> eth_private))))"
consts fixID :: id
consts fixContent :: DummyContent
definition "fixElements p = (id p = fixID \<and> content p = fixContent)"
lemmas fixDefs = fixElements_def NetworkCore.id_def NetworkCore.content_def
lemma sets_distinct1: "(n::int) \<noteq> m \<Longrightarrow> {(a,b). a = n} \<noteq> {(a,b). a = m}"
apply auto
done
lemma sets_distinct2: "(m::int) \<noteq> n \<Longrightarrow> {(a,b). a = n} \<noteq> {(a,b). a = m}"
apply auto
done
lemma sets_distinct3: "{((a::int),(b::int)). a = n} \<noteq> {(a,b). a > n}"
apply auto
done
lemma sets_distinct4: "{((a::int),(b::int)). a > n} \<noteq> {(a,b). a = n}"
apply auto
done
lemma aux: "\<lbrakk>a \<in> c; a \<notin> d; c = d\<rbrakk> \<Longrightarrow> False"
apply auto
done
lemma sets_distinct5: "(s::int) < g \<Longrightarrow> {(a::int, b::int). a = s} \<noteq> {(a::int, b::int). g < a}"
apply (auto simp: sets_distinct3)
apply (subgoal_tac "(s,4) \<in> {(a::int,b::int). a = (s)}")
apply (subgoal_tac "(s,4) \<notin> {(a::int,b::int). g < a}")
apply (erule aux)
apply assumption+
apply simp
by blast
lemma sets_distinct6: "(s::int) < g \<Longrightarrow> {(a::int, b::int). g < a} \<noteq> {(a::int, b::int). a = s}"
apply (rule not_sym)
apply (rule sets_distinct5)
by simp
lemma distinctNets: "FWLink \<noteq> any \<and> FWLink \<noteq> i4 \<and> FWLink \<noteq> i27 \<and> FWLink \<noteq> eth_intern \<and> FWLink \<noteq> eth_private \<and>
any \<noteq> FWLink \<and> any \<noteq> i4 \<and> any \<noteq> i27 \<and> any \<noteq> eth_intern \<and> any \<noteq> eth_private \<and> i4 \<noteq> FWLink \<and>
i4 \<noteq> any \<and> i4 \<noteq> i27 \<and> i4 \<noteq> eth_intern \<and> i4 \<noteq> eth_private \<and> i27 \<noteq> FWLink \<and> i27 \<noteq> any \<and>
i27 \<noteq> i4 \<and> i27 \<noteq> eth_intern \<and> i27 \<noteq> eth_private \<and> eth_intern \<noteq> FWLink \<and> eth_intern \<noteq> any \<and>
eth_intern \<noteq> i4 \<and> eth_intern \<noteq> i27 \<and> eth_intern \<noteq> eth_private \<and> eth_private \<noteq> FWLink \<and>
eth_private \<noteq> any \<and> eth_private \<noteq> i4 \<and> eth_private \<noteq> i27 \<and> eth_private \<noteq> eth_intern"
apply (simp add: PolicyLemmas sets_distinct1 sets_distinct2 sets_distinct3 sets_distinct4 sets_distinct5 sets_distinct6)
done
lemma aux5: "\<lbrakk>x \<noteq> a; y\<noteq>b; (x \<noteq> y \<and> x \<noteq> b) \<or> (a \<noteq> b \<and> a \<noteq> y)\<rbrakk> \<Longrightarrow> {x,a} \<noteq> {y,b}"
apply auto
done
lemma aux2: "{a,b} = {b,a}"
apply auto
done
(*
lemma noMT: "\<forall> x \<in> set (policy2list Policy). dom (C x) \<noteq> {}"
apply (simp add: PolicyLemmas)
apply (simp add: PLemmas PolicyLemmas)
by arith
*)
lemma ANDex: "allNetsDistinct (policy2list Policy)"
apply (simp add: PolicyL allNetsDistinct_def distinctNets)
apply (auto simp: PLemmas PolicyLemmas netsDistinct_def sets_distinct5 sets_distinct6)
done
(*
lemma count_the_rules: "(int (length(policy2list (list2FWpolicy(normalize Policy)))) = post) \<and>
(int(length (policy2list Policy)) = pre) \<and>
(int (length((normalize Policy))) = Partitions)"
apply (insert distinctNets noMT)
apply (simp add: normalize_def PolicyL bothNets_def aux5 aux2 Nets_List_def, thin_tac "?X",thin_tac "?S")
oops
lemma normedPolicy: "normalize Policy = X"
apply (insert distinctNets noMT)
apply (simp add: normalize_def PolicyL bothNets_def aux5 aux2 Nets_List_def, thin_tac "?X",thin_tac "?S")
oops
*)
fun (sequential) numberOfRules where
"numberOfRules (a\<oplus>b) = numberOfRules a + numberOfRules b"
|"numberOfRules a = (1::int)"
fun numberOfRulesList where
"numberOfRulesList (x#xs) = ((numberOfRules x)#(numberOfRulesList xs)) "
|"numberOfRulesList [] = []"
(*
lemma "numberOfRulesList (normalize Policy) = X"
apply (insert distinctNets noMT)
apply (simp add: normalize_def PolicyL bothNets_def aux5 aux2 Nets_List_def, thin_tac "?X",thin_tac "?S")
oops
*)
lemma all_in_list: "all_in_list (policy2list Policy) (Nets_List Policy)"
apply (simp add: PolicyL)
apply (unfold Nets_List_def)
apply (unfold bothNets_def)
apply (insert distinctNets)
apply simp
done
lemmas normalizeUnfold = normalize_def Policy_def Nets_List_def bothNets_def aux aux2 bothNets_def
(*
lemma noMT2: "\<forall> x \<in> set (policy2list Policy). dom (C x) \<noteq> {}"
apply (simp add: PLemmas normalize_def bothNets_def
PolicyLemmas aux5 aux2 Nets_List_def )
by (metis zless_add1_eq)
*)
end

219
Examples/Transformation/Transformation02.thy
View File

@ -0,0 +1,219 @@
(*****************************************************************************
* Copyright (c) 2005-2010 ETH Zurich, Switzerland
* 2008-2015 Achim D. Brucker, Germany
* 2009-2016 Université Paris-Sud, France
* 2015-2016 The University of Sheffield, UK
*
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions are
* met:
*
* * Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
*
* * Redistributions in binary form must reproduce the above
* copyright notice, this list of conditions and the following
* disclaimer in the documentation and/or other materials provided
* with the distribution.
*
* * Neither the name of the copyright holders nor the names of its
* contributors may be used to endorse or promote products derived
* from this software without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
* A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
* OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
* LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*****************************************************************************)
subsection {* Transforamtion Example 2 *}
theory
Transformation02
imports
"../../UPF-Firewall"
begin
definition
FWLink :: "adr\<^sub>i\<^sub>p net" where
"FWLink = {{(a,b). a = 1}}"
definition
any :: "adr\<^sub>i\<^sub>p net" where
"any = {{(a,b). a > 5}}"
definition
i4_32:: "adr\<^sub>i\<^sub>p net" where
"i4_32 = {{(a,b). a = 2 }}"
definition
i10_32:: "adr\<^sub>i\<^sub>p net" where
"i10_32 = {{(a,b). a = 3 }}"
definition
eth_intern:: "adr\<^sub>i\<^sub>p net" where
"eth_intern = {{(a,b). a = 4 }}"
definition
eth_private:: "adr\<^sub>i\<^sub>p net" where
"eth_private = {{(a,b). a = 5 }}"
definition
D1a :: "(adr\<^sub>i\<^sub>p net, port) Combinators" where
"D1a = AllowPortFromTo eth_intern any 1 \<oplus>
AllowPortFromTo eth_intern any 2"
definition
D1b :: "(adr\<^sub>i\<^sub>p net, port) Combinators" where
"D1b = AllowPortFromTo eth_private any 1 \<oplus>
AllowPortFromTo eth_private any 2"
definition
D2a :: "(adr\<^sub>i\<^sub>p net, port) Combinators" where
"D2a = AllowPortFromTo any i4_32 21"
definition
D2b :: "(adr\<^sub>i\<^sub>p net, port) Combinators" where
"D2b = AllowPortFromTo any i10_32 21 \<oplus>
AllowPortFromTo any i10_32 43"
definition
Policy :: "(adr\<^sub>i\<^sub>p net, port) Combinators" where
"Policy = DenyAll \<oplus> D2b \<oplus> D2a \<oplus> D1b \<oplus> D1a"
lemmas PolicyLemmas = Policy_def D1a_def D1b_def D2a_def D2b_def
lemmas PolicyL = Policy_def
FWLink_def
any_def
i10_32_def
i4_32_def
eth_intern_def
eth_private_def
D1a_def D1b_def D2a_def D2b_def
consts fixID :: id
consts fixContent :: DummyContent
definition "fixElements p = (id p = fixID \<and> content p = fixContent)"
lemmas fixDefs = fixElements_def NetworkCore.id_def NetworkCore.content_def
lemma sets_distinct1: "(n::int) \<noteq> m \<Longrightarrow> {(a,b). a = n} \<noteq> {(a,b). a = m}"
apply auto
done
lemma sets_distinct2: "(m::int) \<noteq> n \<Longrightarrow> {(a,b). a = n} \<noteq> {(a,b). a = m}"
apply auto
done
lemma sets_distinct3: "{((a::int),(b::int)). a = n} \<noteq> {(a,b). a > n}"
apply auto
done
lemma sets_distinct4: "{((a::int),(b::int)). a > n} \<noteq> {(a,b). a = n}"
apply auto
done
lemma aux: "\<lbrakk>a \<in> c; a \<notin> d; c = d\<rbrakk> \<Longrightarrow> False"
apply auto
done
lemma sets_distinct5: "(s::int) < g \<Longrightarrow> {(a::int, b::int). a = s} \<noteq> {(a::int, b::int). g < a}"
apply (auto simp: sets_distinct3)
apply (subgoal_tac "(s,4) \<in> {(a::int,b::int). a = (s)}")
apply (subgoal_tac "(s,4) \<notin> {(a::int,b::int). g < a}")
apply (erule aux)
apply assumption+
apply simp
by blast
lemma sets_distinct6: "(s::int) < g \<Longrightarrow> {(a::int, b::int). g < a} \<noteq> {(a::int, b::int). a = s}"
apply (rule not_sym)
apply (rule sets_distinct5)
by simp
lemma distinctNets: "FWLink \<noteq> any \<and> FWLink \<noteq> i4_32 \<and> FWLink \<noteq> i10_32 \<and>
FWLink \<noteq> eth_intern \<and> FWLink \<noteq> eth_private \<and> any \<noteq> FWLink \<and> any \<noteq>
i4_32 \<and> any \<noteq> i10_32 \<and> any \<noteq> eth_intern \<and> any \<noteq> eth_private \<and> i4_32 \<noteq>
FWLink \<and> i4_32 \<noteq> any \<and> i4_32 \<noteq> i10_32 \<and> i4_32 \<noteq> eth_intern \<and> i4_32 \<noteq>
eth_private \<and> i10_32 \<noteq> FWLink \<and> i10_32 \<noteq> any \<and> i10_32 \<noteq> i4_32 \<and> i10_32
\<noteq> eth_intern \<and> i10_32 \<noteq> eth_private \<and> eth_intern \<noteq> FWLink \<and> eth_intern
\<noteq> any \<and> eth_intern \<noteq> i4_32 \<and> eth_intern \<noteq> i10_32 \<and> eth_intern \<noteq>
eth_private \<and> eth_private \<noteq> FWLink \<and> eth_private \<noteq> any \<and> eth_private \<noteq>
i4_32 \<and> eth_private \<noteq> i10_32 \<and> eth_private \<noteq> eth_intern "
apply (simp add: PolicyL sets_distinct1 sets_distinct2 sets_distinct3
sets_distinct4 sets_distinct5 sets_distinct6)
done
lemma aux5: "\<lbrakk>x \<noteq> a; y\<noteq>b; (x \<noteq> y \<and> x \<noteq> b) \<or> (a \<noteq> b \<and> a \<noteq> y)\<rbrakk> \<Longrightarrow> {x,a} \<noteq> {y,b}"
apply auto
done
lemma aux2: "{a,b} = {b,a}"
apply auto
done
lemma ANDex: "allNetsDistinct (policy2list Policy)"
apply (simp add: PolicyLemmas allNetsDistinct_def distinctNets)
apply (simp add: PolicyL)
apply (auto simp: PLemmas PolicyL netsDistinct_def sets_distinct5 sets_distinct6 sets_distinct1 sets_distinct2)
done
fun (sequential) numberOfRules where
"numberOfRules (a\<oplus>b) = numberOfRules a + numberOfRules b"
|"numberOfRules a = (1::int)"
fun numberOfRulesList where
"numberOfRulesList (x#xs) = ((numberOfRules x)#(numberOfRulesList xs)) "
|"numberOfRulesList [] = []"
lemma all_in_list: "all_in_list (policy2list Policy) (Nets_List Policy)"
apply (simp add: PolicyLemmas)
apply (unfold Nets_List_def)
apply (unfold bothNets_def)
apply (insert distinctNets)
apply simp
done
lemmas normalizeUnfold = normalize_def PolicyL Nets_List_def bothNets_def aux aux2 bothNets_def sets_distinct1 sets_distinct2 sets_distinct3 sets_distinct4 sets_distinct5 sets_distinct6 aux5 aux2
end

136
Examples/VoIP/VoIP.thy
View File

@ -0,0 +1,136 @@
(*****************************************************************************
* Copyright (c) 2005-2010 ETH Zurich, Switzerland
* 2008-2015 Achim D. Brucker, Germany
* 2009-2016 Université Paris-Sud, France
* 2015-2016 The University of Sheffield, UK
*
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions are
* met:
*
* * Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
*
* * Redistributions in binary form must reproduce the above
* copyright notice, this list of conditions and the following
* disclaimer in the documentation and/or other materials provided
* with the distribution.
*
* * Neither the name of the copyright holders nor the names of its
* contributors may be used to endorse or promote products derived
* from this software without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
* A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
* OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
* LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*****************************************************************************)
section {* Voice over IP *}
theory VoIP
imports
"../../UPF-Firewall"
begin
text{* In this theory we generate the test data for correct runs of
the FTP protocol. As usual, we start with definining the networks and
the policy. We use a rather simple policy which allows only FTP
connections starting from the Intranet and going to the Internet, and
deny everything else. *}
definition
intranet :: "adr\<^sub>i\<^sub>p net" where
"intranet = {{(a,e) . a = 3}}"
definition
internet :: "adr\<^sub>i\<^sub>p net" where
"internet = {{(a,c). a > 4}}"
definition
gatekeeper :: "adr\<^sub>i\<^sub>p net" where
"gatekeeper = {{(a,c). a =4}}"
definition
voip_policy :: "(adr\<^sub>i\<^sub>p,address voip_msg) FWPolicy" where
"voip_policy = A\<^sub>U"
text{* The next two constants check if an address is in the Intranet
or in the Internet respectively.*}
definition
is_in_intranet :: "address \<Rightarrow> bool" where
"is_in_intranet a = (a = 3)"
definition
is_gatekeeper :: "address \<Rightarrow> bool" where
"is_gatekeeper a = (a = 4)"
definition
is_in_internet :: "address \<Rightarrow> bool" where
"is_in_internet a = (a > 4)"
text{*
The next definition is our starting state: an empty trace and the just defined policy.*}
definition
"\<sigma>_0_voip" :: "(adr\<^sub>i\<^sub>p, address voip_msg) history \<times>
(adr\<^sub>i\<^sub>p, address voip_msg) FWPolicy"
where
"\<sigma>_0_voip = ([],voip_policy)"
text{*Next we state the conditions we have on our trace: a normal
behaviour FTP run from the intranet to some server in the internet on
port 21.*}
definition "accept_voip" :: "(adr\<^sub>i\<^sub>p, address voip_msg) history \<Rightarrow> bool" where
"accept_voip t =
(\<exists> c s g i p1 p2. t \<in> NB_voip c s g i p1 p2 \<and> is_in_intranet c \<and> is_in_internet s
\<and> is_gatekeeper g)"
fun packet_with_id where
"packet_with_id [] i = []"
|"packet_with_id (x#xs) i =
(if id x = i then (x#(packet_with_id xs i)) else (packet_with_id xs i))"
text{*The depth of the test case generation corresponds to the maximal
length of generated traces. 4 is the minimum to get a full FTP
protocol run. *}
fun ids1 where
"ids1 i (x#xs) = (id x = i \<and> ids1 i xs)"
|"ids1 i [] = True"
lemmas ST_simps = Let_def valid_SE_def unit_SE_def bind_SE_def
subnet_of_int_def p_accept_def content_def
is_in_intranet_def is_in_internet_def intranet_def internet_def exI
subnetOf_lemma subnetOf_lemma2 subnetOf_lemma3 subnetOf_lemma4 voip_policy_def
NetworkCore.id_def is_arq_def is_fin_def
is_connect_def is_setup_def ports_open_def subnet_of_adr_def
VOIP.NB_voip_def \<sigma>_0_voip_def PLemmas VOIP_TRPolicy_def
policy2MON_def applyPolicy_def
end

76
FWNormalisation/ElementaryRules.thy
View File

@ -0,0 +1,76 @@
(*****************************************************************************
* Copyright (c) 2005-2010 ETH Zurich, Switzerland
* 2008-2015 Achim D. Brucker, Germany
* 2009-2016 Université Paris-Sud, France
* 2015-2016 The University of Sheffield, UK
*
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions are
* met:
*
* * Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
*
* * Redistributions in binary form must reproduce the above
* copyright notice, this list of conditions and the following
* disclaimer in the documentation and/or other materials provided
* with the distribution.
*
* * Neither the name of the copyright holders nor the names of its
* contributors may be used to endorse or promote products derived
* from this software without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
* A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
* OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
* LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*****************************************************************************)
subsection {* Elementary Firewall Policy Transformation Rules *}
theory ElementaryRules
imports FWNormalisationCore
begin
text{*
This theory contains those elementary transformation rules which are presented in the ICST
2010 paper~\cite{brucker.ea:firewall:2010}. They are not used elsewhere.
*}
lemma elem1:
"C (AllowPortFromTo x y p \<oplus> DenyAllFromTo x y) = C (DenyAllFromTo x y)"
by (rule ext, auto simp: PLemmas)
lemma elem2:
"C ((a \<oplus> b) \<oplus> c) = C (a \<oplus> (b \<oplus> c))"
by (simp add: C.simps)
lemma elem3:
"C (AllowPortFromTo x y a \<oplus> AllowPortFromTo x y b) =
C (AllowPortFromTo x y b \<oplus> AllowPortFromTo x y a)"
by (rule ext, auto simp: PLemmas)
lemma elem4:
"C (a \<oplus> DenyAll) = C DenyAll"
by (rule ext, auto simp: PLemmas)
lemma elem5:
"C (DenyAllFromTo x y \<oplus> DenyAllFromTo u v) = C (DenyAllFromTo u v \<oplus> DenyAllFromTo x y)"
by (rule ext, auto simp: PLemmas)
lemma elem6:
"dom (C a) \<inter> dom (C b) = {} \<Longrightarrow> C (a \<oplus> b) = C (b \<oplus> a)"
by (rule ext, metis C.simps(4) map_add_comm)
end

42
FWNormalisation/FWNormalisation.thy
View File

@ -0,0 +1,42 @@
(*****************************************************************************
* Copyright (c) 2005-2010 ETH Zurich, Switzerland
* 2008-2015 Achim D. Brucker, Germany
* 2009-2016 Université Paris-Sud, France
* 2015-2016 The University of Sheffield, UK
*
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions are
* met:
*
* * Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
*
* * Redistributions in binary form must reproduce the above
* copyright notice, this list of conditions and the following
* disclaimer in the documentation and/or other materials provided
* with the distribution.
* * Neither the name of the copyright holders nor the names of its
* contributors may be used to endorse or promote products derived
* from this software without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
* A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
* OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
* LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*****************************************************************************)
chapter {* Firewall Policy Normalisation *}
theory FWNormalisation
imports NormalisationIPPProofs
begin
end

654
FWNormalisation/FWNormalisationCore.thy
View File

@ -0,0 +1,654 @@
(*****************************************************************************
* Copyright (c) 2005-2010 ETH Zurich, Switzerland
* 2008-2015 Achim D. Brucker, Germany
* 2009-2016 Université Paris-Sud, France
* 2015-2016 The University of Sheffield, UK
*
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions are
* met:
*
* * Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
*
* * Redistributions in binary form must reproduce the above
* copyright notice, this list of conditions and the following
* disclaimer in the documentation and/or other materials provided
* with the distribution.
*
* * Neither the name of the copyright holders nor the names of its
* contributors may be used to endorse or promote products derived
* from this software without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
* A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
* OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
* LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*****************************************************************************)
subsection {* Policy Normalisation: Core Definitions *}
theory
FWNormalisationCore
imports
"../PacketFilter/PacketFilter"
begin
text{*
This theory contains all the definitions used for policy normalisation as described
in~\cite{brucker.ea:icst:2010,brucker.ea:formal-fw-testing:2014}.
The normalisation procedure transforms policies into semantically equivalent ones which are
``easier'' to test. It is organized into nine phases. We impose the following two restrictions
on the input policies:
\begin{itemize}