Initial commit.

4 years ago · 671debf879
--- a/Examples/DMZ/DMZ.thy
+++ b/Examples/DMZ/DMZ.thy
@@ -0,0 +1,75 @@
 (*****************************************************************************
 * Copyright (c) 2005-2010 ETH Zurich, Switzerland
 *               2008-2015 Achim D. Brucker, Germany
 *               2009-2016 Université Paris-Sud, France
 *               2015-2016 The University of Sheffield, UK
 *
 * All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions are
 * met:
 *
 *     * Redistributions of source code must retain the above copyright
 *       notice, this list of conditions and the following disclaimer.
 *
 *     * Redistributions in binary form must reproduce the above
 *       copyright notice, this list of conditions and the following
 *       disclaimer in the documentation and/or other materials provided
 *       with the distribution.
 *
 *     * Neither the name of the copyright holders nor the names of its
 *       contributors may be used to endorse or promote products derived
 *       from this software without specific prior written permission.
 *
 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
 * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
 * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
 * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
 * OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
 * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
 * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 *****************************************************************************)

 section {* A Simple DMZ Setup *}
 theory 
  DMZ
 imports 
  DMZDatatype
  DMZInteger
 begin

 text{* This scenario is slightly more complicated than the SimpleDMZ
 one, as we now also model specific servers within one
 network. Therefore, we cannot use anymore the modelling using
 datatype synonym, but only use the one where an address is modelled as an
 integer (with ports).

 The scenario is the following:

 \begin{labeling}{Networks:}
 \item[Networks:]
  \begin{itemize}
  \item Intranet (Company intern network)
  \item DMZ (demilitarised zone, servers, etc), containing
     at least two distinct servers ``mail'' and ``web''
  \item Internet (``all others'') 
  \end{itemize}
 \item[Policy:]
  \begin{itemize}
  \item allow http(s) from Intranet to Internet
  \item deny all trafic from Internet to Intranet
  \item allo imaps and smtp from intranet to mailserver
  \item allow smtp from Internet to mailserver
  \item allow http(s) from Internet to webserver 
  \item deny everything else
  \end{itemize}
  
 \end{labeling}
 *}

 end
--- a/Examples/DMZ/DMZDatatype.thy
+++ b/Examples/DMZ/DMZDatatype.thy
@@ -0,0 +1,120 @@
 (*****************************************************************************
 * Copyright (c) 2005-2010 ETH Zurich, Switzerland
 *               2008-2015 Achim D. Brucker, Germany
 *               2009-2016 Université Paris-Sud, France
 *               2015-2016 The University of Sheffield, UK
 *
 * All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions are
 * met:
 *
 *     * Redistributions of source code must retain the above copyright
 *       notice, this list of conditions and the following disclaimer.
 *
 *     * Redistributions in binary form must reproduce the above
 *       copyright notice, this list of conditions and the following
 *       disclaimer in the documentation and/or other materials provided
 *       with the distribution.
 *
 *     * Neither the name of the copyright holders nor the names of its
 *       contributors may be used to endorse or promote products derived
 *       from this software without specific prior written permission.
 *
 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
 * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
 * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
 * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
 * OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
 * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
 * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 *****************************************************************************)

 subsection {* DMZ Datatype *}
 theory 
  DMZDatatype
 imports 
    "../../UPF-Firewall"
 begin

 text{* This is the fourth scenario, slightly more complicated than the
 previous one, as we now also model specific servers within one
 network. Therefore, we could not use anymore the modelling using
 datatype synonym, but only use the one where an address is modelled as an
 integer (with ports). 

 Just for comparison, this theory is the same scenario with datatype synonym
 anyway, but with four distinct networks instead of one contained in
 another. As there is no corresponding network model included, we need
 to define a custom one.  *}


 datatype Adr = Intranet | Internet | Mail | Web | DMZ
 instance Adr::adr ..
 type_synonym port = int
 type_synonym Networks = "Adr \<times> port"


 definition
  intranet::"Networks net" where
 "intranet = {{(a,b). a= Intranet}}"
 definition
  dmz :: "Networks net" where
 "dmz = {{(a,b). a= DMZ}}"
 definition
  mail :: "Networks net" where
 "mail = {{(a,b). a=Mail}}" 
 definition
  web :: "Networks net" where
 "web = {{(a,b). a=Web}}" 
 definition
  internet :: "Networks net" where 
 "internet = {{(a,b). a= Internet}}"

 definition 
  Intranet_mail_port :: "(Networks ,DummyContent) FWPolicy" where
  "Intranet_mail_port = (allow_from_ports_to {21::port,14} intranet mail)" 

 definition
  Intranet_Internet_port :: "(Networks,DummyContent) FWPolicy" where
  "Intranet_Internet_port = allow_from_ports_to {80::port,90} intranet internet"
     
 definition
  Internet_web_port :: "(Networks,DummyContent) FWPolicy" where
  "Internet_web_port = (allow_from_ports_to {80::port,90} internet web)"
          
 definition
  Internet_mail_port :: "(Networks,DummyContent) FWPolicy" where
  "Internet_mail_port =  (allow_all_from_port_to internet (21::port) dmz)"

 definition 
  policyPort :: "(Networks, DummyContent) FWPolicy" where
 "policyPort = deny_all ++ 
                  Intranet_Internet_port ++ 
                  Intranet_mail_port ++  
                  Internet_mail_port ++ 
                  Internet_web_port"


 text {* We only want to create test cases which are sent between the
 three main networks --- e.g. not between the mailserver and the
 dmz. Therefore, the constraint looks as follows. *}

 definition
 not_in_same_net :: "(Networks,DummyContent) packet \<Rightarrow> bool" where
 "not_in_same_net x  =  ((src x \<sqsubset> internet \<longrightarrow> \<not> dest x \<sqsubset> internet) \<and> 
                        (src x \<sqsubset> intranet \<longrightarrow> \<not> dest x \<sqsubset> intranet) \<and> 
                        (src x \<sqsubset> dmz \<longrightarrow> \<not> dest x \<sqsubset> dmz))"

 lemmas PolicyLemmas =   dmz_def internet_def intranet_def mail_def web_def 
                       Internet_web_port_def Internet_mail_port_def
                       Intranet_Internet_port_def Intranet_mail_port_def 
                       src_def dest_def src_port dest_port in_subnet_def


 end
--- a/Examples/DMZ/DMZInteger.thy
+++ b/Examples/DMZ/DMZInteger.thy
@@ -0,0 +1,133 @@
 (*****************************************************************************
 * Copyright (c) 2005-2010 ETH Zurich, Switzerland
 *               2008-2015 Achim D. Brucker, Germany
 *               2009-2016 Université Paris-Sud, France
 *               2015-2016 The University of Sheffield, UK
 *
 * All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions are
 * met:
 *
 *     * Redistributions of source code must retain the above copyright
 *       notice, this list of conditions and the following disclaimer.
 *
 *     * Redistributions in binary form must reproduce the above
 *       copyright notice, this list of conditions and the following
 *       disclaimer in the documentation and/or other materials provided
 *       with the distribution.
 *
 *     * Neither the name of the copyright holders nor the names of its
 *       contributors may be used to endorse or promote products derived
 *       from this software without specific prior written permission.
 *
 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
 * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
 * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
 * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
 * OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
 * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
 * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 *****************************************************************************)

 subsection {* DMZ: Integer *}
 theory 
  DMZInteger
 imports 
  "../../UPF-Firewall"
 begin

 text{* This scenario is slightly more complicated than the SimpleDMZ
 one, as we now also model specific servers within one
 network. Therefore, we cannot use anymore the modelling using
 datatype synonym, but only use the one where an address is modelled as an
 integer (with ports).

 The scenario is the following:

 \begin{labeling}{Networks:}
 \item[Networks:]
  \begin{itemize}
  \item Intranet (Company intern network)
  \item DMZ (demilitarised zone, servers, etc), containing
     at least two distinct servers ``mail'' and ``web''
  \item Internet (``all others'') 
  \end{itemize}
 \item[Policy:]
  \begin{itemize}
  \item allow http(s) from Intranet to Internet
  \item deny all trafic from Internet to Intranet
  \item allo imaps and smtp from intranet to mailserver
  \item allow smtp from Internet to mailserver
  \item allow http(s) from Internet to webserver 
  \item deny everything else
  \end{itemize}
  
 \end{labeling}
 *}


 definition
   intranet::"adr\<^sub>i\<^sub>p net" where
   "intranet = {{(a,b) . (a > 1 \<and> a < 4) }}"
 definition
  dmz :: "adr\<^sub>i\<^sub>p net" where
  "dmz = {{(a,b). (a > 6) \<and> (a < 11)}}" 
 definition
  mail :: "adr\<^sub>i\<^sub>p net" where
  "mail = {{(a,b). a = 7}}"
 definition
  web :: "adr\<^sub>i\<^sub>p net" where
  "web = {{(a,b). a = 8 }}"
 definition
  internet :: "adr\<^sub>i\<^sub>p net" where
  "internet = {{(a,b).  \<not> ( (a > 1 \<and> a < 4) \<or> (a > 6) \<and> (a < 11))   }}"


 definition 
  Intranet_mail_port :: "(adr\<^sub>i\<^sub>p,'b) FWPolicy" where
  "Intranet_mail_port = (allow_from_to_ports {21::port,14} intranet mail)" 

 definition
  Intranet_Internet_port :: "(adr\<^sub>i\<^sub>p,'b) FWPolicy" where
  "Intranet_Internet_port = allow_from_to_ports {80::port,90} intranet internet"
     
 definition
  Internet_web_port :: "(adr\<^sub>i\<^sub>p,'b) FWPolicy" where
  "Internet_web_port = (allow_from_to_ports {80::port,90} internet web)"
          
 definition
  Internet_mail_port :: "(adr\<^sub>i\<^sub>p,'b) FWPolicy" where
  "Internet_mail_port =  (allow_all_from_port_to internet (21::port) dmz )"



 definition 
  policyPort :: "(adr\<^sub>i\<^sub>p, DummyContent) FWPolicy" where
 "policyPort = deny_all ++ 
                  Intranet_Internet_port ++ 
                  Intranet_mail_port ++  
                  Internet_mail_port ++ 
                  Internet_web_port"


 text {* We only want to create test cases which are sent between the three main networks ---
 e.g. not between the mailserver and the dmz. Therefore, the constraint looks as follows. *}

 definition
 not_in_same_net :: "(adr\<^sub>i\<^sub>p,DummyContent) packet \<Rightarrow> bool" where
 "not_in_same_net x  =  ((src x \<sqsubset> internet \<longrightarrow> \<not> dest x \<sqsubset> internet) \<and> 
                        (src x \<sqsubset> intranet \<longrightarrow> \<not> dest x \<sqsubset> intranet) \<and> 
                        (src x \<sqsubset> dmz \<longrightarrow> \<not> dest x \<sqsubset> dmz))"

 lemmas PolicyLemmas =  policyPort_def  dmz_def internet_def intranet_def mail_def web_def 
                       Intranet_Internet_port_def Intranet_mail_port_def Internet_web_port_def 
                       Internet_mail_port_def src_def dest_def IntegerPort.src_port
                       in_subnet_def IntegerPort.dest_port

 end
--- a/Examples/Examples.thy
+++ b/Examples/Examples.thy
@@ -0,0 +1,50 @@
 (*****************************************************************************
 * Copyright (c) 2005-2010 ETH Zurich, Switzerland
 *               2008-2015 Achim D. Brucker, Germany
 *               2009-2016 Université Paris-Sud, France
 *               2015-2016 The University of Sheffield, UK
 *
 * All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions are
 * met:
 *
 *     * Redistributions of source code must retain the above copyright
 *       notice, this list of conditions and the following disclaimer.
 *
 *     * Redistributions in binary form must reproduce the above
 *       copyright notice, this list of conditions and the following
 *       disclaimer in the documentation and/or other materials provided
 *       with the distribution.
 *
 *     * Neither the name of the copyright holders nor the names of its
 *       contributors may be used to endorse or promote products derived
 *       from this software without specific prior written permission.
 *
 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
 * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
 * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
 * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
 * OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
 * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
 * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 *****************************************************************************)

 chapter {* Examples *}
 theory  
  Examples
 imports 
  "DMZ/DMZ"
  "VoIP/VoIP"
  "Transformation/Transformation"
  "NAT-FW/NAT-FW"
  "PersonalFirewall/PersonalFirewall"
 begin

 end

--- a/Examples/NAT-FW/NAT-FW.thy
+++ b/Examples/NAT-FW/NAT-FW.thy
@@ -0,0 +1,292 @@
 (*****************************************************************************
 * Copyright (c) 2005-2010 ETH Zurich, Switzerland
 *               2008-2015 Achim D. Brucker, Germany
 *               2009-2016 Université Paris-Sud, France
 *               2015-2016 The University of Sheffield, UK
 *
 * All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions are
 * met:
 *
 *     * Redistributions of source code must retain the above copyright
 *       notice, this list of conditions and the following disclaimer.
 *
 *     * Redistributions in binary form must reproduce the above
 *       copyright notice, this list of conditions and the following
 *       disclaimer in the documentation and/or other materials provided
 *       with the distribution.
 *
 *     * Neither the name of the copyright holders nor the names of its
 *       contributors may be used to endorse or promote products derived
 *       from this software without specific prior written permission.
 *
 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
 * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
 * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
 * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
 * OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
 * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
 * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 *****************************************************************************)

 section {* Example: NAT *} 
 theory 
  "NAT-FW"
 imports
  "../../UPF-Firewall"
 begin


 definition subnet1 :: "adr\<^sub>i\<^sub>p net" where
 "subnet1 = {{(d,e). d > 1 \<and> d < 256}}"

 definition subnet2 :: "adr\<^sub>i\<^sub>p net" where
 "subnet2 = {{(d,e). d > 500 \<and> d < 1256}}"


 definition
  "accross_subnets x  \<equiv> 
 ((src x \<sqsubset> subnet1 \<and> (dest x \<sqsubset> subnet2)) \<or>
  (src x \<sqsubset> subnet2 \<and> (dest x \<sqsubset> subnet1)))"

 definition
   filter :: "(adr\<^sub>i\<^sub>p, DummyContent) FWPolicy" where
  "filter = allow_from_port_to (1::port) subnet1 subnet2 ++
             allow_from_port_to (2::port) subnet1 subnet2 ++
             allow_from_port_to (3::port) subnet1 subnet2 ++ deny_all"

 definition 
 nat_0  where 
 "nat_0 = (A\<^sub>f(\<lambda>x. {x}))"


 lemmas UnfoldPolicy0 =filter_def nat_0_def 
                      NATLemmas 
                      ProtocolPortCombinators.ProtocolCombinators 
                      adr\<^sub>i\<^sub>pLemmas
                      packet_defs accross_subnets_def
                      subnet1_def subnet2_def


 lemmas subnets = subnet1_def subnet2_def 





 definition Adr11 :: "int set"
 where "Adr11 = {d. d > 2 \<and> d < 3}"

 definition Adr21 :: "int set" where
 "Adr21 = {d. d > 502 \<and> d < 503}"


 definition nat_1 where
 "nat_1 = nat_0 ++ (srcPat2pool_IntPort Adr11 Adr21)"


 definition policy_1 where
 "policy_1 = ((\<lambda> (x,y). x) o_f 
 ((nat_1 \<Otimes>\<^sub>2 filter) o (\<lambda> x. (x,x))))"


 lemmas UnfoldPolicy1 = UnfoldPolicy0 nat_1_def Adr11_def Adr21_def policy_1_def




 definition Adr12 :: "int set"
 where "Adr12 = {d. d > 4 \<and> d < 6}"

 definition Adr22 :: "int set" where
 "Adr22 = {d. d > 504 \<and> d < 506}"


 definition nat_2 where
 "nat_2 = nat_1 ++ (srcPat2pool_IntPort Adr12 Adr22)"


 definition policy_2 where
 "policy_2 = ((\<lambda> (x,y). x) o_f 
 ((nat_2 \<Otimes>\<^sub>2 filter) o (\<lambda> x. (x,x))))"


 lemmas UnfoldPolicy2 = UnfoldPolicy1 nat_2_def Adr12_def Adr22_def policy_2_def




 definition Adr13 :: "int set"
 where "Adr13 = {d. d > 6 \<and> d < 9}"

 definition Adr23 :: "int set" where
 "Adr23 = {d. d > 506 \<and> d < 509}"


 definition nat_3 where
 "nat_3 = nat_2 ++ (srcPat2pool_IntPort Adr13 Adr23)"


 definition policy_3 where
 "policy_3 = ((\<lambda> (x,y). x) o_f 
 ((nat_3 \<Otimes>\<^sub>2 filter) o (\<lambda> x. (x,x))))"


 lemmas UnfoldPolicy3 = UnfoldPolicy2 nat_3_def Adr13_def Adr23_def policy_3_def




 definition Adr14 :: "int set"
 where "Adr14 = {d. d > 8 \<and> d < 12}"

 definition Adr24 :: "int set" where
 "Adr24 = {d. d > 508 \<and> d < 512}"


 definition nat_4 where
 "nat_4 = nat_3 ++ (srcPat2pool_IntPort Adr14 Adr24)"


 definition policy_4 where
 "policy_4 = ((\<lambda> (x,y). x) o_f 
 ((nat_4 \<Otimes>\<^sub>2 filter) o (\<lambda> x. (x,x))))"


 lemmas UnfoldPolicy4 = UnfoldPolicy3 nat_4_def Adr14_def Adr24_def policy_4_def




 definition Adr15 :: "int set"
 where "Adr15 = {d. d > 10 \<and> d < 15}"

 definition Adr25 :: "int set" where
 "Adr25 = {d. d > 510 \<and> d < 515}"


 definition nat_5 where
 "nat_5 = nat_4 ++ (srcPat2pool_IntPort Adr15 Adr25)"


 definition policy_5 where
 "policy_5 = ((\<lambda> (x,y). x) o_f 
 ((nat_5 \<Otimes>\<^sub>2 filter) o (\<lambda> x. (x,x))))"


 lemmas UnfoldPolicy5 = UnfoldPolicy4 nat_5_def Adr15_def Adr25_def policy_5_def




 definition Adr16 :: "int set"
 where "Adr16 = {d. d > 12 \<and> d < 18}"

 definition Adr26 :: "int set" where
 "Adr26 = {d. d > 512 \<and> d < 518}"


 definition nat_6 where
 "nat_6 = nat_5 ++ (srcPat2pool_IntPort Adr16 Adr26)"


 definition policy_6 where
 "policy_6 = ((\<lambda> (x,y). x) o_f 
 ((nat_6 \<Otimes>\<^sub>2 filter) o (\<lambda> x. (x,x))))"


 lemmas UnfoldPolicy6 = UnfoldPolicy5 nat_6_def Adr16_def Adr26_def policy_6_def




 definition Adr17 :: "int set"
 where "Adr17 = {d. d > 14 \<and> d < 21}"

 definition Adr27 :: "int set" where
 "Adr27 = {d. d > 514 \<and> d < 521}"


 definition nat_7 where
 "nat_7 = nat_6 ++ (srcPat2pool_IntPort Adr17 Adr27)"


 definition policy_7 where
 "policy_7 = ((\<lambda> (x,y). x) o_f 
 ((nat_7 \<Otimes>\<^sub>2 filter) o (\<lambda> x. (x,x))))"


 lemmas UnfoldPolicy7 = UnfoldPolicy6 nat_7_def Adr17_def Adr27_def policy_7_def




 definition Adr18 :: "int set"
 where "Adr18 = {d. d > 16 \<and> d < 24}"

 definition Adr28 :: "int set" where
 "Adr28 = {d. d > 516 \<and> d < 524}"


 definition nat_8 where
 "nat_8 = nat_7 ++ (srcPat2pool_IntPort Adr18 Adr28)"


 definition policy_8 where
 "policy_8 = ((\<lambda> (x,y). x) o_f 
 ((nat_8 \<Otimes>\<^sub>2 filter) o (\<lambda> x. (x,x))))"


 lemmas UnfoldPolicy8 = UnfoldPolicy7 nat_8_def Adr18_def Adr28_def policy_8_def




 definition Adr19 :: "int set"
 where "Adr19 = {d. d > 18 \<and> d < 27}"

 definition Adr29 :: "int set" where
 "Adr29 = {d. d > 518 \<and> d < 527}"


 definition nat_9 where
 "nat_9 = nat_8 ++ (srcPat2pool_IntPort Adr19 Adr29)"


 definition policy_9 where
 "policy_9 = ((\<lambda> (x,y). x) o_f 
 ((nat_9 \<Otimes>\<^sub>2 filter) o (\<lambda> x. (x,x))))"


 lemmas UnfoldPolicy9 = UnfoldPolicy8 nat_9_def Adr19_def Adr29_def policy_9_def




 definition Adr110 :: "int set"
 where "Adr110 = {d. d > 20 \<and> d < 30}"

 definition Adr210 :: "int set" where
 "Adr210 = {d. d > 520 \<and> d < 530}"


 definition nat_10 where
 "nat_10 = nat_9 ++ (srcPat2pool_IntPort Adr110 Adr210)"


 definition policy_10 where
 "policy_10 = ((\<lambda> (x,y). x) o_f 
 ((nat_10 \<Otimes>\<^sub>2 filter) o (\<lambda> x. (x,x))))"


 lemmas UnfoldPolicy10 = UnfoldPolicy9 nat_10_def Adr110_def Adr210_def policy_10_def



 end
--- a/Examples/PersonalFirewall/PersonalFirewall.thy
+++ b/Examples/PersonalFirewall/PersonalFirewall.thy
@@ -0,0 +1,45 @@
 (*****************************************************************************
 * Copyright (c) 2005-2010 ETH Zurich, Switzerland
 *               2008-2015 Achim D. Brucker, Germany
 *               2009-2016 Université Paris-Sud, France
 *               2015-2016 The University of Sheffield, UK
 *
 * All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions are
 * met:
 *
 *     * Redistributions of source code must retain the above copyright
 *       notice, this list of conditions and the following disclaimer.
 *
 *     * Redistributions in binary form must reproduce the above
 *       copyright notice, this list of conditions and the following
 *       disclaimer in the documentation and/or other materials provided
 *       with the distribution.
 *
 *     * Neither the name of the copyright holders nor the names of its
 *       contributors may be used to endorse or promote products derived
 *       from this software without specific prior written permission.
 *
 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
 * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
 * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
 * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
 * OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
 * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
 * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 *****************************************************************************)

 section {* Personal Firewall *}
 theory 
  PersonalFirewall
 imports 
  PersonalFirewallInt
  PersonalFirewallIpv4
 begin 
 end
--- a/Examples/PersonalFirewall/PersonalFirewallDatatype.thy
+++ b/Examples/PersonalFirewall/PersonalFirewallDatatype.thy
@@ -0,0 +1,108 @@
 (*****************************************************************************
 * Copyright (c) 2005-2010 ETH Zurich, Switzerland
 *               2008-2015 Achim D. Brucker, Germany
 *               2009-2016 Université Paris-Sud, France
 *               2015-2016 The University of Sheffield, UK
 *
 * All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions are
 * met:
 *
 *     * Redistributions of source code must retain the above copyright
 *       notice, this list of conditions and the following disclaimer.
 *
 *     * Redistributions in binary form must reproduce the above
 *       copyright notice, this list of conditions and the following
 *       disclaimer in the documentation and/or other materials provided
 *       with the distribution.
 *
 *     * Neither the name of the copyright holders nor the names of its
 *       contributors may be used to endorse or promote products derived
 *       from this software without specific prior written permission.
 *
 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
 * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
 * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
 * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
 * OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
 * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
 * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 *****************************************************************************)

 subsection {* Personal Firewall: Datatype *}
 theory 
  PersonalFirewallDatatype
 imports 
  FWTesting
 begin

 text{* The most basic firewall scenario; there is a personal PC on one
 side and the Internet on the other.  There are two policies: the first
 one allows all traffic from the PC to the Internet and denies all
 coming into the PC. The second policy only allows specific ports from
 the PC. This scenario comes in three variants: the first one specifies
 the allowed protocols directly, the second together with their
 respective port numbers, the third one only with the port numbers.  *}

 datatype Adr = pc | internet

 type_synonym DatatypeTwoNets = "Adr \<times> int"

 instance Adr::adr ..

 defs (overloaded)
 src_port_def: "src_port (x::(DatatypeTwoNets,'b) packet) \<equiv> snd (src x)"
 dest_port_def: "dest_port (x::(DatatypeTwoNets,'b) packet) \<equiv> snd (dest x)"

 definition
 PC :: "DatatypeTwoNets net" where
 "PC = {{(a,b). a = pc}}"

 definition
 Internet :: "DatatypeTwoNets net" where
 "Internet = {{(a,b). a = internet}}"


 text{*
 Definition of the testing constraint
 *}

 definition
 not_in_same_net :: "(DatatypeTwoNets,DummyContent) packet \<Rightarrow> bool" where
 "not_in_same_net x = ((src x \<sqsubset> PC \<longrightarrow> dest x \<sqsubset> Internet) \<and> (src x \<sqsubset> Internet \<longrightarrow> dest x \<sqsubset> PC))" 

 text {*
 Definitions of the policies 

 In fact, the short definitions wouldn't have to be written down - they
 are the automatically simplified versions of their big counterparts.

 *}

 definition
 strictPolicy :: "(DatatypeTwoNets,DummyContent) FWPolicy" where
 "strictPolicy = deny_all ++ allow_all_from_to PC Internet"

 definition
 PortPolicy :: "(DatatypeTwoNets,'b) FWPolicy" where
 "PortPolicy = deny_all ++ allow_from_ports_to {80::port,24,21} PC Internet"

 definition
 PortPolicyBig :: "(DatatypeTwoNets,'b) FWPolicy" where
 "PortPolicyBig =  
                 allow_from_port_to (80::port) PC Internet \<Oplus> 
                 allow_from_port_to (24::port) PC Internet \<Oplus> 
                 allow_from_port_to (21::port) PC Internet \<Oplus> 
                 deny_all"


 lemmas policyLemmas = strictPolicy_def PortPolicy_def PC_def Internet_def PortPolicyBig_def src_def dest_def src_port_def dest_port_def  
                      PolicyCombinators PortCombinators in_subnet_def

 end
--- a/Examples/PersonalFirewall/PersonalFirewallInt.thy
+++ b/Examples/PersonalFirewall/PersonalFirewallInt.thy
@@ -0,0 +1,113 @@
 (*****************************************************************************
 * Copyright (c) 2005-2010 ETH Zurich, Switzerland
 *               2008-2015 Achim D. Brucker, Germany
 *               2009-2016 Université Paris-Sud, France
 *               2015-2016 The University of Sheffield, UK
 *
 * All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions are
 * met:
 *
 *     * Redistributions of source code must retain the above copyright
 *       notice, this list of conditions and the following disclaimer.
 *
 *     * Redistributions in binary form must reproduce the above
 *       copyright notice, this list of conditions and the following
 *       disclaimer in the documentation and/or other materials provided
 *       with the distribution.
 *
 *     * Neither the name of the copyright holders nor the names of its
 *       contributors may be used to endorse or promote products derived
 *       from this software without specific prior written permission.
 *
 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
 * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
 * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
 * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
 * OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
 * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
 * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 *****************************************************************************)

 subsection{* Personal Firewall: Integer *}
 theory 
  PersonalFirewallInt
 imports 
  "../../UPF-Firewall"
 begin

 text{*
 The most basic firewall scenario; there is a personal PC on one side and the Internet on the other. 
 There are two policies: the first one allows all traffic from the PC to the Internet and denies
 all coming into the PC. The second policy only allows specific ports from the PC. This scenario
 comes in three variants: the first one specifies the allowed protocols directly, the second together 
 with their respective port numbers, the third one only with the port numbers.
 *}



 text{*
 Definitions of the subnets 
 *}

 definition
 PC :: "(adr\<^sub>i\<^sub>p net)" where
 "PC = {{(a,b). a = 3}}"

 definition
 Internet :: "adr\<^sub>i\<^sub>p net" where
 "Internet = {{(a,b). \<not> (a = 3)}}"



 text{*
 Definition of the testing constraint
 *}



 definition
 not_in_same_net :: "(adr\<^sub>i\<^sub>p,DummyContent) packet \<Rightarrow> bool" where
 "not_in_same_net x = ((src x \<sqsubset> PC \<longrightarrow> dest x \<sqsubset> Internet) \<and> (src x \<sqsubset> Internet \<longrightarrow> dest x \<sqsubset> PC))" 

 text {*
 Definitions of the policies 
 *}



 definition
 strictPolicy :: "(adr\<^sub>i\<^sub>p,DummyContent) FWPolicy" where
 "strictPolicy = deny_all ++ allow_all_from_to PC Internet"

 definition 
 PortPolicy :: "(adr\<^sub>i\<^sub>p,DummyContent) FWPolicy" where
 "PortPolicy = deny_all ++ allow_from_ports_to {http,smtp,ftp} PC Internet"

 definition
 PortPolicyBig :: "(adr\<^sub>i\<^sub>p,DummyContent) FWPolicy" where
 "PortPolicyBig = deny_all ++ 
                 allow_from_port_to http PC Internet ++ 
                 allow_from_port_to smtp PC Internet ++ 
                 allow_from_port_to ftp PC Internet"


 lemmas policyLemmas = strictPolicy_def PortPolicy_def PC_def
                      Internet_def PortPolicyBig_def src_def dest_def
                      adr\<^sub>i\<^sub>pLemmas content_def
                      PortCombinators in_subnet_def PortPolicyBig_def id_def


 declare Ports [simp add]

 definition wellformed_packet::"(adr\<^sub>i\<^sub>p,DummyContent) packet \<Rightarrow> bool" where
 "wellformed_packet p = (content p = data)"


 end
--- a/Examples/PersonalFirewall/PersonalFirewallIpv4.thy
+++ b/Examples/PersonalFirewall/PersonalFirewallIpv4.thy
@@ -0,0 +1,103 @@
 (*****************************************************************************
 * Copyright (c) 2005-2010 ETH Zurich, Switzerland
 *               2008-2015 Achim D. Brucker, Germany
 *               2009-2016 Université Paris-Sud, France
 *               2015-2016 The University of Sheffield, UK
 *
 * All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions are
 * met:
 *
 *     * Redistributions of source code must retain the above copyright
 *       notice, this list of conditions and the following disclaimer.
 *
 *     * Redistributions in binary form must reproduce the above
 *       copyright notice, this list of conditions and the following
 *       disclaimer in the documentation and/or other materials provided
 *       with the distribution.
 *
 *     * Neither the name of the copyright holders nor the names of its
 *       contributors may be used to endorse or promote products derived
 *       from this software without specific prior written permission.
 *
 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
 * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
 * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
 * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
 * OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
 * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
 * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 *****************************************************************************)

 subsection {* Personal Firewall IPv4 *}
 theory 
  PersonalFirewallIpv4
 imports 
  "../../UPF-Firewall"
 begin


 text{*

 The most basic firewall scenario; there is a personal PC on one side and the Internet on the other. 
 There are two policies: the first one allows all traffic from the PC to the Internet and denies
 all coming into the PC. The second policy only allows specific ports from the PC. This scenario
 comes in three variants: the first one specifies the allowed protocols directly, the second together 
 with their respective port numbers, the third one only with the port numbers.

 *}


 text{*
 Definitions of the subnets 
 *}

 definition 
 PC :: "(ipv4 net)" where
 "PC = {{((a,b,c,d),e). a = 1 \<and> b = 3 \<and> c = 5 \<and> d = 2}}"

 definition
 Internet :: "ipv4 net" where
 "Internet = {{((a,b,c,d),e). \<not> (a = 1 \<and> b = 3 \<and> c = 5 \<and> d = 2)}}"


 text{*
 Definition of the testing constraint
 *}

 definition
 not_in_same_net :: "(ipv4,DummyContent) packet \<Rightarrow> bool" where
 "not_in_same_net x = ((src x \<sqsubset> PC \<longrightarrow> dest x \<sqsubset> Internet) \<and> (src x \<sqsubset> Internet \<longrightarrow> dest x \<sqsubset> PC))" 

 text {*
 Definitions of the policies 
 *}

 definition
 strictPolicy :: "(ipv4,DummyContent) FWPolicy" where
 "strictPolicy = deny_all ++ allow_all_from_to PC Internet"

 definition
 PortPolicy :: "(ipv4,DummyContent) FWPolicy" where
 "PortPolicy = deny_all ++ allow_from_ports_to {80::port,24,21} PC Internet"

 definition
 PortPolicyBig :: "(ipv4,DummyContent) FWPolicy" where
 "PortPolicyBig = deny_all ++ allow_from_port_to (80::port) PC Internet++ allow_from_port_to (24::port) PC Internet++ allow_from_port_to (21::port) PC Internet"


 lemmas policyLemmas = strictPolicy_def PortPolicy_def PC_def
                      Internet_def PortPolicyBig_def src_def dest_def
                      IPv4.src_port
                      IPv4.dest_port PolicyCombinators
                      PortCombinators in_subnet_def PortPolicyBig_def



 end
--- a/Examples/Transformation/Transformation.thy
+++ b/Examples/Transformation/Transformation.thy
@@ -0,0 +1,44 @@
 (*****************************************************************************
 * Copyright (c) 2005-2010 ETH Zurich, Switzerland
 *               2008-2015 Achim D. Brucker, Germany
 *               2009-2016 Université Paris-Sud, France
 *               2015-2016 The University of Sheffield, UK
 *
 * All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions are
 * met:
 *
 *     * Redistributions of source code must retain the above copyright
 *       notice, this list of conditions and the following disclaimer.
 *
 *     * Redistributions in binary form must reproduce the above
 *       copyright notice, this list of conditions and the following
 *       disclaimer in the documentation and/or other materials provided
 *       with the distribution.
 *
 *     * Neither the name of the copyright holders nor the names of its
 *       contributors may be used to endorse or promote products derived
 *       from this software without specific prior written permission.
 *
 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
 * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
 * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
 * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
 * OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
 * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
 * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 *****************************************************************************)

 section {* Demonstrating Policy Transformations *}
 theory Transformation
 imports 
  Transformation01
  Transformation02
 begin
 end
--- a/Examples/Transformation/Transformation01.thy
+++ b/Examples/Transformation/Transformation01.thy
@@ -0,0 +1,268 @@
 (*****************************************************************************
 * Copyright (c) 2005-2010 ETH Zurich, Switzerland
 *               2008-2015 Achim D. Brucker, Germany
 *               2009-2016 Université Paris-Sud, France
 *               2015-2016 The University of Sheffield, UK
 *
 * All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions are
 * met:
 *
 *     * Redistributions of source code must retain the above copyright
 *       notice, this list of conditions and the following disclaimer.
 *
 *     * Redistributions in binary form must reproduce the above
 *       copyright notice, this list of conditions and the following
 *       disclaimer in the documentation and/or other materials provided
 *       with the distribution.
 *
 *     * Neither the name of the copyright holders nor the names of its
 *       contributors may be used to endorse or promote products derived
 *       from this software without specific prior written permission.
 *
 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
 * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
 * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
 * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
 * OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
 * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
 * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 *****************************************************************************)

 subsection {* Transformation Example 1 *}
 theory 
  Transformation01
 imports 
  "../../UPF-Firewall"
 begin

 definition
 FWLink :: "adr\<^sub>i\<^sub>p net" where
 "FWLink = {{(a,b). a = 1}}"

 definition
 any :: "adr\<^sub>i\<^sub>p net" where
 "any = {{(a,b). a > 5}}"

 definition
 i4:: "adr\<^sub>i\<^sub>p net" where
 "i4 = {{(a,b). a = 2 }}" 

 definition
 i27:: "adr\<^sub>i\<^sub>p net" where
 "i27 = {{(a,b). a = 3 }}" 
 
 definition
 eth_intern:: "adr\<^sub>i\<^sub>p net" where
 "eth_intern = {{(a,b). a = 4 }}"
 
 definition
 eth_private:: "adr\<^sub>i\<^sub>p net" where
 "eth_private = {{(a,b). a = 5 }}"


 definition
 (* Mandatory: Global *)

 MG2 :: "(adr\<^sub>i\<^sub>p net,port) Combinators" where
 "MG2 = AllowPortFromTo i27 any 1 \<oplus> 
       AllowPortFromTo i27 any 2 \<oplus>
       AllowPortFromTo i27 any 3"

 definition
 MG3 :: "(adr\<^sub>i\<^sub>p net,port) Combinators" where
 "MG3 = AllowPortFromTo any FWLink 1"

 definition
 MG4 :: "(adr\<^sub>i\<^sub>p net,port) Combinators" where
 "MG4 = AllowPortFromTo FWLink FWLink 4"
 
 definition
 MG7 :: "(adr\<^sub>i\<^sub>p net,port) Combinators" where
 "MG7 = AllowPortFromTo FWLink i4 6 \<oplus>
       AllowPortFromTo FWLink i4 7"

 definition
 MG8 :: "(adr\<^sub>i\<^sub>p net,port) Combinators" where
 "MG8 = AllowPortFromTo FWLink i4 6 \<oplus>
       AllowPortFromTo FWLink i4 7"

 (* Default Global *)

 definition
 DG3:: "(adr\<^sub>i\<^sub>p net,port) Combinators" where
 "DG3 = AllowPortFromTo any any 7"

 

 definition
 "Policy = DenyAll \<oplus> MG8 \<oplus>  MG7 \<oplus> MG4 \<oplus> MG3 \<oplus> MG2 \<oplus> DG3"   
 
 

 lemmas PolicyLemmas =  Policy_def
 FWLink_def
 any_def
 
 i27_def
 i4_def
 
 eth_intern_def
 eth_private_def
 
 MG2_def MG3_def MG4_def MG7_def MG8_def  
 DG3_def
 

 lemmas PolicyL =  MG2_def MG3_def MG4_def MG7_def MG8_def  
 DG3_def Policy_def

 definition 
 not_in_same_net :: "(adr\<^sub>i\<^sub>p,DummyContent) packet \<Rightarrow> bool" where
 "not_in_same_net x =  (((src x \<sqsubset> i27) \<longrightarrow> ( \<not> (dest x \<sqsubset> i27))) \<and>
                      ((src x \<sqsubset>  i4) \<longrightarrow> ( \<not> (dest x \<sqsubset> i4))) \<and>
                      ((src x \<sqsubset>  eth_intern) \<longrightarrow> ( \<not> (dest x \<sqsubset> eth_intern))) \<and>
                      ((src x \<sqsubset>  eth_private) \<longrightarrow> ( \<not> (dest x \<sqsubset> eth_private))))"
                   
 consts fixID :: id
 consts fixContent :: DummyContent

 definition "fixElements p = (id p = fixID \<and> content p = fixContent)"

 lemmas fixDefs = fixElements_def NetworkCore.id_def NetworkCore.content_def



 lemma sets_distinct1: "(n::int) \<noteq> m \<Longrightarrow> {(a,b). a = n} \<noteq> {(a,b). a = m}"
 apply auto
 done

 lemma sets_distinct2: "(m::int) \<noteq> n \<Longrightarrow> {(a,b). a = n} \<noteq> {(a,b). a = m}"
 apply auto
 done



 lemma sets_distinct3: "{((a::int),(b::int)). a = n} \<noteq> {(a,b). a > n}"
 apply auto
 done


 lemma sets_distinct4: "{((a::int),(b::int)). a > n} \<noteq> {(a,b). a = n}"
 apply auto
 done


 lemma aux: "\<lbrakk>a \<in> c; a \<notin> d; c = d\<rbrakk> \<Longrightarrow> False"
 apply auto
 done


 lemma sets_distinct5: "(s::int) < g \<Longrightarrow> {(a::int, b::int). a = s} \<noteq> {(a::int, b::int).  g < a}"
 apply (auto simp: sets_distinct3)
 apply (subgoal_tac "(s,4) \<in> {(a::int,b::int). a = (s)}")
 apply (subgoal_tac "(s,4) \<notin> {(a::int,b::int). g < a}")
 apply (erule aux)
 apply assumption+
 apply simp
 by blast


 lemma sets_distinct6: "(s::int) < g \<Longrightarrow> {(a::int, b::int).  g < a} \<noteq> {(a::int, b::int).  a = s}"
 apply (rule not_sym)
 apply (rule sets_distinct5)
 by simp


 lemma distinctNets: "FWLink \<noteq>  any \<and> FWLink \<noteq>  i4 \<and> FWLink \<noteq>  i27 \<and> FWLink \<noteq>  eth_intern \<and> FWLink \<noteq>   eth_private \<and> 
 any \<noteq>  FWLink \<and> any \<noteq>  i4 \<and> any \<noteq>  i27 \<and> any \<noteq>  eth_intern \<and> any \<noteq>  eth_private \<and> i4 \<noteq>  FWLink \<and> 
 i4 \<noteq>  any \<and> i4 \<noteq>  i27 \<and> i4 \<noteq>  eth_intern \<and> i4 \<noteq>  eth_private \<and> i27 \<noteq>  FWLink \<and> i27 \<noteq>  any \<and> 
 i27 \<noteq>  i4 \<and> i27 \<noteq>  eth_intern \<and> i27 \<noteq>  eth_private \<and> eth_intern \<noteq>  FWLink \<and> eth_intern \<noteq>  any \<and> 
 eth_intern \<noteq>  i4 \<and> eth_intern \<noteq>  i27 \<and> eth_intern \<noteq>  eth_private \<and> eth_private \<noteq>  FWLink \<and> 
 eth_private \<noteq>  any \<and> eth_private \<noteq>  i4 \<and> eth_private \<noteq>  i27 \<and> eth_private \<noteq>  eth_intern"
 apply (simp add: PolicyLemmas sets_distinct1 sets_distinct2 sets_distinct3 sets_distinct4 sets_distinct5 sets_distinct6)
 done



 lemma aux5: "\<lbrakk>x \<noteq> a; y\<noteq>b; (x \<noteq> y \<and> x \<noteq> b) \<or>  (a \<noteq> b \<and> a \<noteq> y)\<rbrakk> \<Longrightarrow> {x,a} \<noteq> {y,b}"
  apply auto
 done


 lemma aux2: "{a,b} = {b,a}"
  apply auto
 done

 (*
 lemma noMT: "\<forall> x \<in> set (policy2list Policy). dom (C x) \<noteq> {}"
 apply (simp add: PolicyLemmas)
 apply (simp add: PLemmas PolicyLemmas)
 by arith
 *)


 lemma ANDex: "allNetsDistinct (policy2list Policy)"
 apply (simp add: PolicyL allNetsDistinct_def distinctNets)
 apply (auto simp: PLemmas PolicyLemmas netsDistinct_def sets_distinct5 sets_distinct6)
 done

 (*
 lemma count_the_rules: "(int (length(policy2list (list2FWpolicy(normalize Policy)))) = post) \<and> 
 (int(length (policy2list Policy)) = pre) \<and>
 (int (length((normalize Policy))) = Partitions)"
 apply (insert distinctNets noMT)
 apply (simp add: normalize_def PolicyL bothNets_def aux5 aux2 Nets_List_def, thin_tac "?X",thin_tac "?S")
 oops



 lemma normedPolicy: "normalize Policy = X"
 apply (insert distinctNets noMT)
 apply (simp add: normalize_def PolicyL bothNets_def aux5 aux2 Nets_List_def, thin_tac "?X",thin_tac "?S")
 oops
 *)

 fun (sequential) numberOfRules where 
 "numberOfRules (a\<oplus>b) = numberOfRules a + numberOfRules b"
 |"numberOfRules a = (1::int)" 




 fun numberOfRulesList where 
 "numberOfRulesList  (x#xs) = ((numberOfRules x)#(numberOfRulesList xs)) "
 |"numberOfRulesList [] = []" 

 (*
 lemma "numberOfRulesList (normalize Policy) = X"
 apply (insert distinctNets noMT)
 apply (simp add: normalize_def PolicyL bothNets_def aux5 aux2 Nets_List_def, thin_tac "?X",thin_tac "?S")
 oops
 *)

 lemma all_in_list: "all_in_list (policy2list Policy) (Nets_List Policy)"
 apply (simp add: PolicyL)
 apply (unfold Nets_List_def)
 apply (unfold bothNets_def)
 apply (insert distinctNets)
 apply simp
 done

 lemmas normalizeUnfold =   normalize_def Policy_def Nets_List_def bothNets_def aux aux2 bothNets_def

 (*
 lemma noMT2: "\<forall> x \<in> set (policy2list Policy). dom (C x) \<noteq> {}"
 apply (simp add: PLemmas  normalize_def bothNets_def
                 PolicyLemmas aux5 aux2 Nets_List_def ) 
 by (metis zless_add1_eq)
 *)


 end
--- a/Examples/Transformation/Transformation02.thy
+++ b/Examples/Transformation/Transformation02.thy
@@ -0,0 +1,219 @@
 (*****************************************************************************
 * Copyright (c) 2005-2010 ETH Zurich, Switzerland
 *               2008-2015 Achim D. Brucker, Germany
 *               2009-2016 Université Paris-Sud, France
 *               2015-2016 The University of Sheffield, UK
 *
 * All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions are
 * met:
 *
 *     * Redistributions of source code must retain the above copyright
 *       notice, this list of conditions and the following disclaimer.
 *
 *     * Redistributions in binary form must reproduce the above
 *       copyright notice, this list of conditions and the following
 *       disclaimer in the documentation and/or other materials provided
 *       with the distribution.
 *
 *     * Neither the name of the copyright holders nor the names of its
 *       contributors may be used to endorse or promote products derived
 *       from this software without specific prior written permission.
 *
 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
 * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
 * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
 * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
 * OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
 * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
 * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 *****************************************************************************)

 subsection {* Transforamtion Example 2 *}
 theory 
  Transformation02
 imports 
   "../../UPF-Firewall"
 begin

 definition
 FWLink :: "adr\<^sub>i\<^sub>p net" where
 "FWLink = {{(a,b). a = 1}}"

 definition
 any :: "adr\<^sub>i\<^sub>p net" where
 "any = {{(a,b). a > 5}}"

 definition
 i4_32:: "adr\<^sub>i\<^sub>p net" where
 "i4_32 = {{(a,b). a = 2 }}" 

 definition
 i10_32:: "adr\<^sub>i\<^sub>p net" where
 "i10_32 = {{(a,b). a = 3 }}" 
 
 definition
 eth_intern:: "adr\<^sub>i\<^sub>p net" where
 "eth_intern = {{(a,b). a = 4 }}"
 
 definition
 eth_private:: "adr\<^sub>i\<^sub>p net" where
 "eth_private = {{(a,b). a = 5 }}"



 definition
 D1a :: "(adr\<^sub>i\<^sub>p net, port) Combinators" where
 "D1a = AllowPortFromTo eth_intern any 1 \<oplus> 
       AllowPortFromTo eth_intern any 2"


 definition
 D1b :: "(adr\<^sub>i\<^sub>p net, port) Combinators" where
 "D1b = AllowPortFromTo eth_private any 1 \<oplus>
       AllowPortFromTo eth_private any 2"

 definition
 D2a :: "(adr\<^sub>i\<^sub>p net, port) Combinators" where
 "D2a = AllowPortFromTo  any i4_32 21"


 definition
 D2b :: "(adr\<^sub>i\<^sub>p net, port) Combinators" where
 "D2b = AllowPortFromTo any i10_32 21 \<oplus> 
       AllowPortFromTo any i10_32 43"



 definition
 Policy :: "(adr\<^sub>i\<^sub>p net, port) Combinators" where
 "Policy = DenyAll \<oplus> D2b \<oplus> D2a \<oplus> D1b \<oplus> D1a"

 lemmas PolicyLemmas = Policy_def D1a_def D1b_def D2a_def D2b_def 
 

 lemmas PolicyL =  Policy_def
 FWLink_def
 any_def
 i10_32_def
 i4_32_def
 eth_intern_def
 eth_private_def
 D1a_def D1b_def D2a_def D2b_def 
                    
 consts fixID :: id
 consts fixContent :: DummyContent

 definition "fixElements p = (id p = fixID \<and> content p = fixContent)"

 lemmas fixDefs = fixElements_def NetworkCore.id_def NetworkCore.content_def



 lemma sets_distinct1: "(n::int) \<noteq> m \<Longrightarrow> {(a,b). a = n} \<noteq> {(a,b). a = m}"
 apply auto
 done

 lemma sets_distinct2: "(m::int) \<noteq> n \<Longrightarrow> {(a,b). a = n} \<noteq> {(a,b). a = m}"
 apply auto
 done



 lemma sets_distinct3: "{((a::int),(b::int)). a = n} \<noteq> {(a,b). a > n}"
 apply auto
 done


 lemma sets_distinct4: "{((a::int),(b::int)). a > n} \<noteq> {(a,b). a = n}"
 apply auto
 done


 lemma aux: "\<lbrakk>a \<in> c; a \<notin> d; c = d\<rbrakk> \<Longrightarrow> False"
 apply auto
 done


 lemma sets_distinct5: "(s::int) < g \<Longrightarrow> {(a::int, b::int). a = s} \<noteq> {(a::int, b::int).  g < a}"
 apply (auto simp: sets_distinct3)
 apply (subgoal_tac "(s,4) \<in> {(a::int,b::int). a = (s)}")
 apply (subgoal_tac "(s,4) \<notin> {(a::int,b::int). g < a}")
 apply (erule aux)
 apply assumption+
 apply simp
 by blast

 lemma sets_distinct6: "(s::int) < g \<Longrightarrow> {(a::int, b::int).  g < a} \<noteq> {(a::int, b::int).  a = s}"
 apply (rule not_sym)
 apply (rule sets_distinct5)
 by simp


 lemma distinctNets: "FWLink \<noteq> any \<and> FWLink \<noteq> i4_32 \<and> FWLink \<noteq> i10_32 \<and>
 FWLink \<noteq> eth_intern \<and> FWLink \<noteq> eth_private \<and> any \<noteq> FWLink \<and> any \<noteq>
 i4_32 \<and> any \<noteq> i10_32 \<and> any \<noteq> eth_intern \<and> any \<noteq> eth_private \<and> i4_32 \<noteq>
 FWLink \<and> i4_32 \<noteq> any \<and> i4_32 \<noteq> i10_32 \<and> i4_32 \<noteq> eth_intern \<and> i4_32 \<noteq>
 eth_private \<and> i10_32 \<noteq> FWLink \<and> i10_32 \<noteq> any \<and> i10_32 \<noteq> i4_32 \<and> i10_32
 \<noteq> eth_intern \<and> i10_32 \<noteq> eth_private \<and> eth_intern \<noteq> FWLink \<and> eth_intern
 \<noteq> any \<and> eth_intern \<noteq> i4_32 \<and> eth_intern \<noteq> i10_32 \<and> eth_intern \<noteq>
 eth_private \<and> eth_private \<noteq> FWLink \<and> eth_private \<noteq> any \<and> eth_private \<noteq>
 i4_32 \<and> eth_private \<noteq> i10_32 \<and> eth_private \<noteq> eth_intern " 
 apply (simp add: PolicyL sets_distinct1 sets_distinct2 sets_distinct3
  sets_distinct4 sets_distinct5 sets_distinct6) 
 done



 lemma aux5: "\<lbrakk>x \<noteq> a; y\<noteq>b; (x \<noteq> y \<and> x \<noteq> b) \<or>  (a \<noteq> b \<and> a \<noteq> y)\<rbrakk> \<Longrightarrow> {x,a} \<noteq> {y,b}"
  apply auto
 done


 lemma aux2: "{a,b} = {b,a}"
  apply auto
 done




 lemma ANDex: "allNetsDistinct (policy2list Policy)"
 apply (simp add: PolicyLemmas allNetsDistinct_def distinctNets)
 apply (simp add: PolicyL)
 apply (auto simp: PLemmas PolicyL netsDistinct_def sets_distinct5 sets_distinct6 sets_distinct1 sets_distinct2)
 done

 fun (sequential) numberOfRules where 
 "numberOfRules (a\<oplus>b) = numberOfRules a + numberOfRules b"
 |"numberOfRules a = (1::int)" 




 fun numberOfRulesList where 
 "numberOfRulesList  (x#xs) = ((numberOfRules x)#(numberOfRulesList xs)) "
 |"numberOfRulesList [] = []" 



 lemma all_in_list: "all_in_list (policy2list Policy) (Nets_List Policy)"
 apply (simp add: PolicyLemmas)
 apply (unfold Nets_List_def)
 apply (unfold bothNets_def)
 apply (insert distinctNets)
 apply simp
 done


 lemmas normalizeUnfold =   normalize_def PolicyL Nets_List_def bothNets_def aux aux2 bothNets_def sets_distinct1 sets_distinct2 sets_distinct3 sets_distinct4 sets_distinct5 sets_distinct6  aux5 aux2


 end


--- a/Examples/VoIP/VoIP.thy
+++ b/Examples/VoIP/VoIP.thy
@@ -0,0 +1,136 @@
 (*****************************************************************************
 * Copyright (c) 2005-2010 ETH Zurich, Switzerland
 *               2008-2015 Achim D. Brucker, Germany
 *               2009-2016 Université Paris-Sud, France
 *               2015-2016 The University of Sheffield, UK
 *
 * All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions are
 * met:
 *
 *     * Redistributions of source code must retain the above copyright
 *       notice, this list of conditions and the following disclaimer.
 *
 *     * Redistributions in binary form must reproduce the above
 *       copyright notice, this list of conditions and the following
 *       disclaimer in the documentation and/or other materials provided
 *       with the distribution.
 *
 *     * Neither the name of the copyright holders nor the names of its
 *       contributors may be used to endorse or promote products derived
 *       from this software without specific prior written permission.
 *
 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
 * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
 * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
 * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
 * OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
 * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
 * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 *****************************************************************************)

 section {* Voice over IP *}
 theory VoIP
 imports 
  "../../UPF-Firewall"
 begin


 text{* In this theory we generate the test data for correct runs of
 the FTP protocol. As usual, we start with definining the networks and
 the policy. We use a rather simple policy which allows only FTP
 connections starting from the Intranet and going to the Internet, and
 deny everything else. *}

 definition 
  intranet :: "adr\<^sub>i\<^sub>p net" where
  "intranet = {{(a,e) . a = 3}}"

 definition 
  internet :: "adr\<^sub>i\<^sub>p net" where
  "internet = {{(a,c). a > 4}}"

 definition 
  gatekeeper :: "adr\<^sub>i\<^sub>p net" where
  "gatekeeper = {{(a,c). a =4}}"


 definition 
  voip_policy :: "(adr\<^sub>i\<^sub>p,address voip_msg) FWPolicy" where
  "voip_policy = A\<^sub>U"


 text{* The next two constants check if an address is in the Intranet
 or in the Internet respectively.*}

 definition 
  is_in_intranet :: "address  \<Rightarrow> bool" where
  "is_in_intranet a = (a = 3)"

 definition 
  is_gatekeeper :: "address \<Rightarrow> bool" where
  "is_gatekeeper a =  (a = 4)"

 definition 
  is_in_internet :: "address \<Rightarrow> bool" where
  "is_in_internet a =  (a > 4)"


 text{*
 The next definition is our starting state: an empty trace and the just defined policy.*}

 definition 
  "\<sigma>_0_voip" ::  "(adr\<^sub>i\<^sub>p, address voip_msg) history \<times>
                 (adr\<^sub>i\<^sub>p, address voip_msg) FWPolicy" 
 where                                     
  "\<sigma>_0_voip = ([],voip_policy)"

 text{*Next we state the conditions we have on our trace: a normal
 behaviour FTP run from the intranet to some server in the internet on
 port 21.*}

 definition "accept_voip" ::  "(adr\<^sub>i\<^sub>p, address voip_msg) history \<Rightarrow> bool" where
          "accept_voip t = 
  (\<exists> c s g i p1 p2. t \<in> NB_voip c s g i p1 p2 \<and> is_in_intranet c \<and> is_in_internet s
                                              \<and> is_gatekeeper g)"



 fun packet_with_id where
 "packet_with_id [] i = []"
 |"packet_with_id (x#xs) i = 
  (if id x = i then (x#(packet_with_id xs i)) else (packet_with_id xs i))"


 text{*The depth of the test case generation corresponds to the maximal
 length of generated traces. 4 is the minimum to get a full FTP
 protocol run.  *}





 fun ids1 where
 "ids1 i (x#xs) = (id x = i \<and> ids1 i xs)"
 |"ids1 i [] = True"

 lemmas ST_simps = Let_def valid_SE_def unit_SE_def bind_SE_def
 subnet_of_int_def  p_accept_def content_def
 is_in_intranet_def is_in_internet_def intranet_def internet_def exI
 subnetOf_lemma subnetOf_lemma2 subnetOf_lemma3 subnetOf_lemma4 voip_policy_def
 NetworkCore.id_def  is_arq_def is_fin_def
 is_connect_def is_setup_def ports_open_def subnet_of_adr_def
 VOIP.NB_voip_def \<sigma>_0_voip_def PLemmas VOIP_TRPolicy_def
 policy2MON_def applyPolicy_def 





 end
--- a/FWNormalisation/ElementaryRules.thy
+++ b/FWNormalisation/ElementaryRules.thy
@@ -0,0 +1,76 @@
 (*****************************************************************************
 * Copyright (c) 2005-2010 ETH Zurich, Switzerland
 *               2008-2015 Achim D. Brucker, Germany
 *               2009-2016 Université Paris-Sud, France
 *               2015-2016 The University of Sheffield, UK
 *
 * All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions are
 * met:
 *
 *     * Redistributions of source code must retain the above copyright
 *       notice, this list of conditions and the following disclaimer.
 *
 *     * Redistributions in binary form must reproduce the above
 *       copyright notice, this list of conditions and the following
 *       disclaimer in the documentation and/or other materials provided
 *       with the distribution.
 *
 *     * Neither the name of the copyright holders nor the names of its
 *       contributors may be used to endorse or promote products derived
 *       from this software without specific prior written permission.
 *
 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
 * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
 * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
 * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
 * OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
 * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
 * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 *****************************************************************************)

 subsection {* Elementary Firewall Policy Transformation Rules *} 
 theory ElementaryRules
 imports FWNormalisationCore
 begin


 text{* 
  This theory contains those elementary transformation rules which are presented in the ICST 
  2010 paper~\cite{brucker.ea:firewall:2010}. They are not used elsewhere.
 *}

 lemma elem1:
 "C (AllowPortFromTo x y p \<oplus> DenyAllFromTo x y) = C (DenyAllFromTo x y)"
 by (rule ext, auto simp: PLemmas)


 lemma elem2:
 "C ((a \<oplus> b) \<oplus> c) = C (a \<oplus> (b \<oplus> c))"
 by (simp add: C.simps) 

 lemma elem3:
 "C (AllowPortFromTo x y a \<oplus> AllowPortFromTo x y b) = 
  C (AllowPortFromTo x y b \<oplus> AllowPortFromTo x y a)"
 by (rule ext, auto simp: PLemmas)

 lemma elem4:
 "C (a \<oplus> DenyAll) = C DenyAll"
 by (rule ext, auto simp: PLemmas)

 lemma elem5:
 "C (DenyAllFromTo x y \<oplus> DenyAllFromTo u v) = C (DenyAllFromTo u v \<oplus> DenyAllFromTo x y)"
 by (rule ext, auto simp: PLemmas)


 lemma elem6: 
 "dom (C a) \<inter> dom (C b) = {} \<Longrightarrow> C (a \<oplus> b) = C (b \<oplus> a)"
 by (rule ext, metis C.simps(4) map_add_comm)

 end
--- a/FWNormalisation/FWNormalisation.thy
+++ b/FWNormalisation/FWNormalisation.thy
@@ -0,0 +1,42 @@
 (*****************************************************************************
 * Copyright (c) 2005-2010 ETH Zurich, Switzerland
 *               2008-2015 Achim D. Brucker, Germany
 *               2009-2016 Université Paris-Sud, France
 *               2015-2016 The University of Sheffield, UK
 *
 * All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions are
 * met:
 *
 *     * Redistributions of source code must retain the above copyright
 *       notice, this list of conditions and the following disclaimer.
 *
 *     * Redistributions in binary form must reproduce the above
 *       copyright notice, this list of conditions and the following
 *       disclaimer in the documentation and/or other materials provided
 *       with the distribution.
 *     * Neither the name of the copyright holders nor the names of its
 *       contributors may be used to endorse or promote products derived
 *       from this software without specific prior written permission.
 *
 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
 * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
 * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
 * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
 * OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
 * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
 * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 *****************************************************************************)

 chapter {* Firewall Policy Normalisation *}
 theory  FWNormalisation
 imports NormalisationIPPProofs
 begin

 end
--- a/FWNormalisation/FWNormalisationCore.thy
+++ b/FWNormalisation/FWNormalisationCore.thy
@@ -0,0 +1,654 @@
 (*****************************************************************************
 * Copyright (c) 2005-2010 ETH Zurich, Switzerland
 *               2008-2015 Achim D. Brucker, Germany
 *               2009-2016 Université Paris-Sud, France
 *               2015-2016 The University of Sheffield, UK
 *
 * All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions are
 * met:
 *
 *     * Redistributions of source code must retain the above copyright
 *       notice, this list of conditions and the following disclaimer.
 *
 *     * Redistributions in binary form must reproduce the above
 *       copyright notice, this list of conditions and the following
 *       disclaimer in the documentation and/or other materials provided
 *       with the distribution.
 *
 *     * Neither the name of the copyright holders nor the names of its
 *       contributors may be used to endorse or promote products derived
 *       from this software without specific prior written permission.
 *
 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
 * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
 * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
 * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
 * OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
 * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
 * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 *****************************************************************************)

 subsection {* Policy Normalisation: Core Definitions *}
 theory
  FWNormalisationCore
 imports
  "../PacketFilter/PacketFilter"
 begin

 text{* 
  This theory contains all the definitions used for policy normalisation as described 
  in~\cite{brucker.ea:icst:2010,brucker.ea:formal-fw-testing:2014}.

  The normalisation procedure transforms policies into semantically equivalent  ones which are 
  ``easier'' to test. It is organized into nine phases. We impose the following two restrictions 
  on the input policies: 
  \begin{itemize}
  \item Each policy must contain a $\mathtt{DenyAll}$ rule. If this restriction were to be lifted, 
        the $\mathtt{insertDenies}$ phase would have to be adjusted accordingly.
  \item For each pair of networks $n_1$ and $n_2$, the networks are either disjoint or equal. If 
        this restriction were to be lifted, we would need some additional phases before the start 
        of the normalisation procedure presented below. This rule would split single rules into 
        several by splitting up the networks such that they are all pairwise disjoint or equal. 
        Such a transformation is clearly semantics-preserving and the condition would hold after
        these phases.
  \end{itemize}
  As a result, the procedure generates a list of policies, in which:
  \begin{itemize}
  \item each element of the list contains a policy which completely specifies the blocking behavior 
        between two networks, and
  \item there are no shadowed rules.
  \end{itemize}
  This result is desirable since the test case generation for rules between networks $A$ and $B$ 
  is independent of the rules that specify the behavior for traffic flowing between networks $C$ 
  and $D$. Thus, the different segments of the policy can be processed individually. The 
  normalization procedure does not aim to minimize the number of rules. While it does remove 
  unnecessary ones, it also adds new ones, enabling a policy to be split into several independent
  parts.
 *}

 text{* 
  Policy transformations are functions that map policies to policies.  We decided to represent
  policy transformations as \emph{syntactic rules}; this choice paves the way for expressing the 
  entire normalisation process inside HOL by functions manipulating abstract policy syntax. 
 *}


 subsubsection{* Basics *}
 text{* We define a very simple policy language: *}

 datatype ('\<alpha>,'\<beta>) Combinators = 
  DenyAll
 | DenyAllFromTo '\<alpha> '\<alpha> 
 | AllowPortFromTo '\<alpha> '\<alpha> '\<beta> 
 | Conc "(('\<alpha>,'\<beta>) Combinators)" "(('\<alpha>,'\<beta>) Combinators)" (infixr "\<oplus>" 80)

 text{* 
  And define the semantic interpretation of it. For technical reasons, we fix here the type to 
  policies over IntegerPort addresses. However, we could easily provide definitions for other
  address types as well, using a generic consts for the type definition and a primitive recursive 
  definition for each desired address model.  *}

 subsubsection{* Auxiliary definitions and functions. *}
 text{*
  This subsubsection defines several functions which are useful later for the combinators, invariants, 
  and proofs. 
 *}
 fun srcNet where 
 "srcNet (DenyAllFromTo x y) = x"
 |"srcNet (AllowPortFromTo x y p) = x"
 |"srcNet DenyAll = undefined"
 |"srcNet (v \<oplus> va) = undefined" 

 fun destNet where 
 "destNet (DenyAllFromTo x y) = y"
 |"destNet (AllowPortFromTo x y p) = y"
 |"destNet DenyAll = undefined"
 |"destNet (v \<oplus> va) = undefined" 

 fun srcnets where
 "srcnets DenyAll = [] " 
 |"srcnets (DenyAllFromTo x y) = [x] " 
 |"srcnets (AllowPortFromTo x y p) = [x] " 
 |"(srcnets (x \<oplus> y)) = (srcnets x)@(srcnets y)"

 fun destnets where
 "destnets DenyAll = [] " 
 |"destnets (DenyAllFromTo x y) = [y] " 
 |"destnets (AllowPortFromTo x y p) = [y] "
 |"(destnets (x \<oplus> y)) = (destnets x)@(destnets y)"

 fun (sequential) net_list_aux where
 "net_list_aux [] = []"
 |"net_list_aux (DenyAll#xs) = net_list_aux xs"
 |"net_list_aux ((DenyAllFromTo x y)#xs) = x#y#(net_list_aux xs)"
 |"net_list_aux ((AllowPortFromTo x y p)#xs) = x#y#(net_list_aux xs)"
 |"net_list_aux ((x\<oplus>y)#xs) = (net_list_aux [x])@(net_list_aux [y])@(net_list_aux xs)"

 fun net_list where "net_list p = remdups (net_list_aux p)"

 definition bothNets where "bothNets x = (zip (srcnets x) (destnets x))"

 fun (sequential) normBothNets where 
 "normBothNets ((a,b)#xs) = (if ((b,a) \<in> set xs) \<or> (a,b) \<in> set (xs) 
                            then (normBothNets xs)
                            else (a,b)#(normBothNets xs))"
 |"normBothNets x = x" 

 fun makeSets where 
 "makeSets ((a,b)#xs) = ({a,b}#(makeSets xs))"
 |"makeSets [] = []"

 fun bothNet where
 "bothNet DenyAll = {}"
 |"bothNet (DenyAllFromTo a b) = {a,b}"
 |"bothNet (AllowPortFromTo a b p) = {a,b}"
 |"bothNet (v \<oplus> va) = undefined "

 text{* 
  $Nets\_List$ provides from a list of rules a list where the entries are the appearing sets of 
  source and destination network of each rule. 
 *}

 definition Nets_List 
  where 
  "Nets_List x = makeSets (normBothNets (bothNets x))"

 fun (sequential) first_srcNet where 
  "first_srcNet (x\<oplus>y) = first_srcNet x"
 | "first_srcNet x = srcNet x"

 fun (sequential) first_destNet where 
  "first_destNet (x\<oplus>y) = first_destNet x"
 | "first_destNet x = destNet x"

 fun (sequential) first_bothNet where
 "first_bothNet (x\<oplus>y) = first_bothNet x"
 |"first_bothNet x = bothNet x"

 fun (sequential) in_list where 
 "in_list DenyAll l = True"
 |"in_list x l = (bothNet x \<in> set l)"

 fun all_in_list where 
 "all_in_list [] l = True"
 |"all_in_list (x#xs) l = (in_list x l \<and> all_in_list xs l)" 

 fun (sequential) member where
 "member a (x\<oplus>xs) = ((member a x) \<or> (member a xs))"
 |"member a x = (a = x)"

 fun sdnets where
  "sdnets DenyAll = {}"
 | "sdnets (DenyAllFromTo a b) = {(a,b)}"
 | "sdnets (AllowPortFromTo a b c) = {(a,b)}"
 | "sdnets (a \<oplus> b) = sdnets a \<union> sdnets b"

 definition packet_Nets  where "packet_Nets x a b = ((src x \<sqsubset> a \<and> dest x \<sqsubset> b) \<or>
                                                    (src x \<sqsubset> b \<and> dest x \<sqsubset> a))"

 definition subnetsOfAdr where "subnetsOfAdr a = {x. a \<sqsubset> x}"

 definition fst_set where "fst_set s = {a. \<exists> b. (a,b) \<in> s}"

 definition snd_set where "snd_set s = {a. \<exists> b. (b,a) \<in> s}"

 fun memberP where
 "memberP r (x#xs) = (member r x \<or> memberP r xs)"
 |"memberP r [] = False"

 fun firstList where 
 "firstList (x#xs) = (first_bothNet x)"
 |"firstList [] = {}"

 subsubsection{* Invariants *}

 text{* If there is a DenyAll, it is at the first position *}
 fun wellformed_policy1:: "(('\<alpha>, '\<beta>) Combinators) list \<Rightarrow> bool" where 
  "wellformed_policy1 [] = True"
 | "wellformed_policy1 (x#xs) = (DenyAll \<notin> (set xs))" 

 text{* There is a DenyAll at the first position *}
 fun wellformed_policy1_strong:: "(('\<alpha>, '\<beta>) Combinators) list \<Rightarrow> bool"
 where 
  "wellformed_policy1_strong [] = False"
 | "wellformed_policy1_strong (x#xs) = (x=DenyAll \<and> (DenyAll \<notin> (set xs)))" 


 text{* All two networks are either disjoint or equal. *}
 definition netsDistinct where "netsDistinct a b = (\<not> (\<exists> x. x \<sqsubset> a \<and> x \<sqsubset> b))"

 definition twoNetsDistinct where
  "twoNetsDistinct a b c d = (netsDistinct a c \<or> netsDistinct b d)"

 definition allNetsDistinct where 
  "allNetsDistinct p = (\<forall> a b. (a \<noteq> b \<and> a \<in> set (net_list p) \<and>
                        b \<in> set (net_list p)) \<longrightarrow> netsDistinct a b)"

 definition disjSD_2 where 
 "disjSD_2 x y = (\<forall> a b c d. ((a,b)\<in>sdnets x \<and>  (c,d) \<in>sdnets y \<longrightarrow>
      (twoNetsDistinct a b c d \<and> twoNetsDistinct a b d c)))"

 text{* The policy is given as a list of single rules. *}
 fun singleCombinators where 
 "singleCombinators [] = True"
 |"singleCombinators ((x\<oplus>y)#xs) = False"
 |"singleCombinators (x#xs) = singleCombinators xs"

 definition onlyTwoNets where
 "onlyTwoNets x = ((\<exists> a b. (sdnets x = {(a,b)})) \<or> (\<exists> a b. sdnet