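--- a/Examples/DMZ/DMZ.thy
+++ b/Examples/DMZ/DMZ.thy
@@ -0,0 +1,75 @@
+(*****************************************************************************
+* Copyright (c) 2005-2010 ETH Zurich, Switzerland
+* 2008-2015 Achim D. Brucker, Germany
+* 2009-2016 Université Paris-Sud, France
+* 2015-2016 The University of Sheffield, UK
+*
+* All rights reserved.
+*
+* Redistribution and use in source and binary forms, with or without
+* modification, are permitted provided that the following conditions are
+* met:
+*
+* * Redistributions of source code must retain the above copyright
+* notice, this list of conditions and the following disclaimer.
+*
+* * Redistributions in binary form must reproduce the above
+* copyright notice, this list of conditions and the following
+* disclaimer in the documentation and/or other materials provided
+* with the distribution.
+*
+* * Neither the name of the copyright holders nor the names of its
+* contributors may be used to endorse or promote products derived
+* from this software without specific prior written permission.
+*
+* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+* A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+* OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+* LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+*****************************************************************************)
+section {* A Simple DMZ Setup *}
+theory
+DMZ
+imports
+DMZDatatype
+DMZInteger
+begin
+text{* This scenario is slightly more complicated than the SimpleDMZ
+one, as we now also model specific servers within one
+network. Therefore, we cannot use anymore the modelling using
+datatype synonym, but only use the one where an address is modelled as an
+integer (with ports).
+The scenario is the following:
+\begin{labeling}{Networks:}
+\item[Networks:]
+\begin{itemize}
+\item Intranet (Company intern network)
+\item DMZ (demilitarised zone, servers, etc), containing
+at least two distinct servers ``mail'' and ``web''
+\item Internet (``all others'')
+\end{itemize}
+\item[Policy:]
+\begin{itemize}
+\item allow http(s) from Intranet to Internet
+\item deny all trafic from Internet to Intranet
+\item allo imaps and smtp from intranet to mailserver
+\item allow smtp from Internet to mailserver
+\item allow http(s) from Internet to webserver
+\item deny everything else
+\end{itemize}
+\end{labeling}
+*}
+end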
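Review bot: The scenario description in the `text` block of this wrapper theory is a verbatim copy of the one in DMZInteger, including the same two typos (`trafic` for `traffic`, `allo imaps` for `allow imaps`), so the narrative now lives in two places that can drift apart. Since DMZ only aggregates DMZDatatype and DMZInteger, I would keep the full description in one theory and reduce this one to a pointer such as `text{* Aggregates the datatype and integer variants of the DMZ scenario; see DMZInteger for the network and policy description. *}`. If both copies are kept, at least fix the typos in both so the documented policy reads cleanly.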
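--- a/Examples/DMZ/DMZDatatype.thy
+++ b/Examples/DMZ/DMZDatatype.thy
@@ -0,0 +1,120 @@
+(*****************************************************************************
+* Copyright (c) 2005-2010 ETH Zurich, Switzerland
+* 2008-2015 Achim D. Brucker, Germany
+* 2009-2016 Université Paris-Sud, France
+* 2015-2016 The University of Sheffield, UK
+*
+* All rights reserved.
+*
+* Redistribution and use in source and binary forms, with or without
+* modification, are permitted provided that the following conditions are
+* met:
+*
+* * Redistributions of source code must retain the above copyright
+* notice, this list of conditions and the following disclaimer.
+*
+* * Redistributions in binary form must reproduce the above
+* copyright notice, this list of conditions and the following
+* disclaimer in the documentation and/or other materials provided
+* with the distribution.
+*
+* * Neither the name of the copyright holders nor the names of its
+* contributors may be used to endorse or promote products derived
+* from this software without specific prior written permission.
+*
+* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+* A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+* OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+* LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+*****************************************************************************)
+subsection {* DMZ Datatype *}
+theory
+DMZDatatype
+imports
+"../../UPF-Firewall"
+begin
+text{* This is the fourth scenario, slightly more complicated than the
+previous one, as we now also model specific servers within one
+network. Therefore, we could not use anymore the modelling using
+datatype synonym, but only use the one where an address is modelled as an
+integer (with ports).
+Just for comparison, this theory is the same scenario with datatype synonym
+anyway, but with four distinct networks instead of one contained in
+another. As there is no corresponding network model included, we need
+to define a custom one. *}
+datatype Adr = Intranet | Internet | Mail | Web | DMZ
+instance Adr::adr ..
+type_synonym port = int
+type_synonym Networks = "Adr \<times> port"
+definition
+intranet::"Networks net" where
+"intranet = {{(a,b). a= Intranet}}"
+definition
+dmz :: "Networks net" where
+"dmz = {{(a,b). a= DMZ}}"
+definition
+mail :: "Networks net" where
+"mail = {{(a,b). a=Mail}}"
+definition
+web :: "Networks net" where
+"web = {{(a,b). a=Web}}"
+definition
+internet :: "Networks net" where
+"internet = {{(a,b). a= Internet}}"
+definition
+Intranet_mail_port :: "(Networks ,DummyContent) FWPolicy" where
+"Intranet_mail_port = (allow_from_ports_to {21::port,14} intranet mail)"
+definition
+Intranet_Internet_port :: "(Networks,DummyContent) FWPolicy" where
+"Intranet_Internet_port = allow_from_ports_to {80::port,90} intranet internet"
+definition
+Internet_web_port :: "(Networks,DummyContent) FWPolicy" where
+"Internet_web_port = (allow_from_ports_to {80::port,90} internet web)"
+definition
+Internet_mail_port :: "(Networks,DummyContent) FWPolicy" where
+"Internet_mail_port = (allow_all_from_port_to internet (21::port) dmz)"
+definition
+policyPort :: "(Networks, DummyContent) FWPolicy" where
+"policyPort = deny_all ++
+Intranet_Internet_port ++
+Intranet_mail_port ++
+Internet_mail_port ++
+Internet_web_port"
+text {* We only want to create test cases which are sent between the
+three main networks --- e.g. not between the mailserver and the
+dmz. Therefore, the constraint looks as follows. *}
+definition
+not_in_same_net :: "(Networks,DummyContent) packet \<Rightarrow> bool" where
+"not_in_same_net x = ((src x \<sqsubset> internet \<longrightarrow> \<not> dest x \<sqsubset> internet) \<and>
+(src x \<sqsubset> intranet \<longrightarrow> \<not> dest x \<sqsubset> intranet) \<and>
+(src x \<sqsubset> dmz \<longrightarrow> \<not> dest x \<sqsubset> dmz))"
+lemmas PolicyLemmas = dmz_def internet_def intranet_def mail_def web_def
+Internet_web_port_def Internet_mail_port_def
+Intranet_Internet_port_def Intranet_mail_port_def
+src_def dest_def src_port dest_port in_subnet_def
+end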
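Review bot: `Internet_mail_port` is defined as `allow_all_from_port_to internet (21::port) dmz`, i.e. it admits port-21 traffic from the Internet to the whole `dmz` network, whereas the documented requirement is "allow smtp from Internet to mailserver"; the formal policy is therefore wider than its specification, and the same definition appears in DMZInteger where `dmz` also covers the web host and two unnamed addresses. Unless the broader rule is intended, change it to `"Internet_mail_port = (allow_all_from_port_to internet (21::port) mail)"`, or add a comment stating that every DMZ host is deliberately reachable on that port. The port numbers used throughout (21, 14, 80, 90) are not the registered ports of the services the `text` block names (smtp, imaps, https), so a comment such as `(* port numbers are symbolic placeholders, not IANA assignments *)` would stop readers from reading them as a real configuration. `PolicyLemmas` here omits `policyPort_def`, which DMZInteger's `PolicyLemmas` includes; if both theories are meant to unfold the same way, add it. This theory also uses `allow_from_ports_to` while DMZInteger uses `allow_from_to_ports` for the same rules, which looks like one of the two is a stale name — worth confirming both combinators exist in UPF-Firewall.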
@@ -0,0 +1,133 @@ | |||
(***************************************************************************** | |||
* Copyright (c) 2005-2010 ETH Zurich, Switzerland | |||
* 2008-2015 Achim D. Brucker, Germany | |||
* 2009-2016 Université Paris-Sud, France | |||
* 2015-2016 The University of Sheffield, UK | |||
* | |||
* All rights reserved. | |||
* | |||
* Redistribution and use in source and binary forms, with or without | |||
* modification, are permitted provided that the following conditions are | |||
* met: | |||
* | |||
* * Redistributions of source code must retain the above copyright | |||
* notice, this list of conditions and the following disclaimer. | |||
* | |||
* * Redistributions in binary form must reproduce the above | |||
* copyright notice, this list of conditions and the following | |||
* disclaimer in the documentation and/or other materials provided | |||
* with the distribution. | |||
* | |||
* * Neither the name of the copyright holders nor the names of its | |||
* contributors may be used to endorse or promote products derived | |||
* from this software without specific prior written permission. | |||
* | |||
* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS | |||
* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT | |||
* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR | |||
* A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT | |||
* OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, | |||
* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT | |||
* LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, | |||
* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY | |||
* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT | |||
* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE | |||
* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. | |||
*****************************************************************************) | |||
subsection {* DMZ: Integer *} | |||
theory | |||
DMZInteger | |||
imports | |||
"../../UPF-Firewall" | |||
begin | |||
text{* This scenario is slightly more complicated than the SimpleDMZ | |||
one, as we now also model specific servers within one | |||
network. Therefore, we cannot use anymore the modelling using | |||
datatype synonym, but only use the one where an address is modelled as an | |||
integer (with ports). | |||
The scenario is the following: | |||
\begin{labeling}{Networks:} | |||
\item[Networks:] | |||
\begin{itemize} | |||
\item Intranet (Company intern network) | |||
\item DMZ (demilitarised zone, servers, etc), containing | |||
at least two distinct servers ``mail'' and ``web'' | |||
\item Internet (``all others'') | |||
\end{itemize} | |||
\item[Policy:] | |||
\begin{itemize} | |||
\item allow http(s) from Intranet to Internet | |||
\item deny all trafic from Internet to Intranet | |||
\item allo imaps and smtp from intranet to mailserver | |||
\item allow smtp from Internet to mailserver | |||
\item allow http(s) from Internet to webserver | |||
\item deny everything else | |||
\end{itemize} | |||
\end{labeling} | |||
*} | |||
definition | |||
intranet::"adr\<^sub>i\<^sub>p net" where | |||
"intranet = {{(a,b) . (a > 1 \<and> a < 4) }}" | |||
definition | |||
dmz :: "adr\<^sub>i\<^sub>p net" where | |||
"dmz = {{(a,b). (a > 6) \<and> (a < 11)}}" | |||
definition | |||
mail :: "adr\<^sub>i\<^sub>p net" where | |||
"mail = {{(a,b). a = 7}}" | |||
definition | |||
web :: "adr\<^sub>i\<^sub>p net" where | |||
"web = {{(a,b). a = 8 }}" | |||
definition | |||
internet :: "adr\<^sub>i\<^sub>p net" where | |||
"internet = {{(a,b). \<not> ( (a > 1 \<and> a < 4) \<or> (a > 6) \<and> (a < 11)) }}" | |||
definition | |||
Intranet_mail_port :: "(adr\<^sub>i\<^sub>p,'b) FWPolicy" where | |||
"Intranet_mail_port = (allow_from_to_ports {21::port,14} intranet mail)" | |||
definition | |||
Intranet_Internet_port :: "(adr\<^sub>i\<^sub>p,'b) FWPolicy" where | |||
"Intranet_Internet_port = allow_from_to_ports {80::port,90} intranet internet" | |||
definition | |||
Internet_web_port :: "(adr\<^sub>i\<^sub>p,'b) FWPolicy" where | |||
"Internet_web_port = (allow_from_to_ports {80::port,90} internet web)" | |||
definition | |||
Internet_mail_port :: "(adr\<^sub>i\<^sub>p,'b) FWPolicy" where | |||
"Internet_mail_port = (allow_all_from_port_to internet (21::port) dmz )" | |||
definition | |||
policyPort :: "(adr\<^sub>i\<^sub>p, DummyContent) FWPolicy" where | |||
"policyPort = deny_all ++ | |||
Intranet_Internet_port ++ | |||
Intranet_mail_port ++ | |||
Internet_mail_port ++ | |||
Internet_web_port" | |||
text {* We only want to create test cases which are sent between the three main networks --- | |||
e.g. not between the mailserver and the dmz. Therefore, the constraint looks as follows. *} | |||
definition | |||
not_in_same_net :: "(adr\<^sub>i\<^sub>p,DummyContent) packet \<Rightarrow> bool" where | |||
"not_in_same_net x = ((src x \<sqsubset> internet \<longrightarrow> \<not> dest x \<sqsubset> internet) \<and> | |||
(src x \<sqsubset> intranet \<longrightarrow> \<not> dest x \<sqsubset> intranet) \<and> | |||
(src x \<sqsubset> dmz \<longrightarrow> \<not> dest x \<sqsubset> dmz))" | |||
lemmas PolicyLemmas = policyPort_def dmz_def internet_def intranet_def mail_def web_def | |||
Intranet_Internet_port_def Intranet_mail_port_def Internet_web_port_def | |||
Internet_mail_port_def src_def dest_def IntegerPort.src_port | |||
in_subnet_def IntegerPort.dest_port | |||
end |
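Review bot: The address plan is only recoverable by decoding the inequalities in `intranet`, `dmz`, `mail`, `web` and `internet`: intranet is {2,3}, dmz is {7,…,10} of which only 7 (mail) and 8 (web) are named, and `internet` is the complement, so 0, 1, 4, 5, 6 and everything from 11 upward count as Internet. A comment in front of the first definition, e.g. `(* address plan: intranet 2-3, dmz 7-10 (mail = 7, web = 8), internet = all other integers *)`, would let a reader check the policy against the `text` block without redoing that arithmetic. Because `dmz` also holds the unnamed hosts 9 and 10, any rule that targets `dmz` rather than `mail`/`web` exposes those hosts too; if they are meant to be spare DMZ addresses, say so in the same comment. The `internet` definition repeats the intranet and dmz ranges literally; writing it as the negation of membership in those nets (or at least noting that it must be kept in sync) would make the three definitions harder to desynchronise.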
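--- a/Examples/Examples.thy
+++ b/Examples/Examples.thy
@@ -0,0 +1,50 @@
+(*****************************************************************************
+* Copyright (c) 2005-2010 ETH Zurich, Switzerland
+* 2008-2015 Achim D. Brucker, Germany
+* 2009-2016 Université Paris-Sud, France
+* 2015-2016 The University of Sheffield, UK
+*
+* All rights reserved.
+*
+* Redistribution and use in source and binary forms, with or without
+* modification, are permitted provided that the following conditions are
+* met:
+*
+* * Redistributions of source code must retain the above copyright
+* notice, this list of conditions and the following disclaimer.
+*
+* * Redistributions in binary form must reproduce the above
+* copyright notice, this list of conditions and the following
+* disclaimer in the documentation and/or other materials provided
+* with the distribution.
+*
+* * Neither the name of the copyright holders nor the names of its
+* contributors may be used to endorse or promote products derived
+* from this software without specific prior written permission.
+*
+* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+* A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+* OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+* LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+*****************************************************************************)
+chapter {* Examples *}
+theory
+Examples
+imports
+"DMZ/DMZ"
+"VoIP/VoIP"
+"Transformation/Transformation"
+"NAT-FW/NAT-FW"
+"PersonalFirewall/PersonalFirewall"
+begin
+end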
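--- a/Examples/NAT-FW/NAT-FW.thy
+++ b/Examples/NAT-FW/NAT-FW.thy
@@ -0,0 +1,292 @@
+(*****************************************************************************
+* Copyright (c) 2005-2010 ETH Zurich, Switzerland
+* 2008-2015 Achim D. Brucker, Germany
+* 2009-2016 Université Paris-Sud, France
+* 2015-2016 The University of Sheffield, UK
+*
+* All rights reserved.
+*
+* Redistribution and use in source and binary forms, with or without
+* modification, are permitted provided that the following conditions are
+* met:
+*
+* * Redistributions of source code must retain the above copyright
+* notice, this list of conditions and the following disclaimer.
+*
+* * Redistributions in binary form must reproduce the above
+* copyright notice, this list of conditions and the following
+* disclaimer in the documentation and/or other materials provided
+* with the distribution.
+*
+* * Neither the name of the copyright holders nor the names of its
+* contributors may be used to endorse or promote products derived
+* from this software without specific prior written permission.
+*
+* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+* A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+* OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+* LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+*****************************************************************************)
+section {* Example: NAT *}
+theory
+"NAT-FW"
+imports
+"../../UPF-Firewall"
+begin
+definition subnet1 :: "adr\<^sub>i\<^sub>p net" where
+"subnet1 = {{(d,e). d > 1 \<and> d < 256}}"
+definition subnet2 :: "adr\<^sub>i\<^sub>p net" where
+"subnet2 = {{(d,e). d > 500 \<and> d < 1256}}"
+definition
+"accross_subnets x \<equiv>
+((src x \<sqsubset> subnet1 \<and> (dest x \<sqsubset> subnet2)) \<or>
+(src x \<sqsubset> subnet2 \<and> (dest x \<sqsubset> subnet1)))"
+definition
+filter :: "(adr\<^sub>i\<^sub>p, DummyContent) FWPolicy" where
+"filter = allow_from_port_to (1::port) subnet1 subnet2 ++
+allow_from_port_to (2::port) subnet1 subnet2 ++
+allow_from_port_to (3::port) subnet1 subnet2 ++ deny_all"
+definition
+nat_0 where
+"nat_0 = (A\<^sub>f(\<lambda>x. {x}))"
+lemmas UnfoldPolicy0 =filter_def nat_0_def
+NATLemmas
+ProtocolPortCombinators.ProtocolCombinators
+adr\<^sub>i\<^sub>pLemmas
+packet_defs accross_subnets_def
+subnet1_def subnet2_def
+lemmas subnets = subnet1_def subnet2_def
+definition Adr11 :: "int set"
+where "Adr11 = {d. d > 2 \<and> d < 3}"
+definition Adr21 :: "int set" where
+"Adr21 = {d. d > 502 \<and> d < 503}"
+definition nat_1 where
+"nat_1 = nat_0 ++ (srcPat2pool_IntPort Adr11 Adr21)"
+definition policy_1 where
+"policy_1 = ((\<lambda> (x,y). x) o_f
+((nat_1 \<Otimes>\<^sub>2 filter) o (\<lambda> x. (x,x))))"
+lemmas UnfoldPolicy1 = UnfoldPolicy0 nat_1_def Adr11_def Adr21_def policy_1_def
+definition Adr12 :: "int set"
+where "Adr12 = {d. d > 4 \<and> d < 6}"
+definition Adr22 :: "int set" where
+"Adr22 = {d. d > 504 \<and> d < 506}"
+definition nat_2 where
+"nat_2 = nat_1 ++ (srcPat2pool_IntPort Adr12 Adr22)"
+definition policy_2 where
+"policy_2 = ((\<lambda> (x,y). x) o_f
+((nat_2 \<Otimes>\<^sub>2 filter) o (\<lambda> x. (x,x))))"
+lemmas UnfoldPolicy2 = UnfoldPolicy1 nat_2_def Adr12_def Adr22_def policy_2_def
+definition Adr13 :: "int set"
+where "Adr13 = {d. d > 6 \<and> d < 9}"
+definition Adr23 :: "int set" where
+"Adr23 = {d. d > 506 \<and> d < 509}"
+definition nat_3 where
+"nat_3 = nat_2 ++ (srcPat2pool_IntPort Adr13 Adr23)"
+definition policy_3 where
+"policy_3 = ((\<lambda> (x,y). x) o_f
+((nat_3 \<Otimes>\<^sub>2 filter) o (\<lambda> x. (x,x))))"
+lemmas UnfoldPolicy3 = UnfoldPolicy2 nat_3_def Adr13_def Adr23_def policy_3_def
+definition Adr14 :: "int set"
+where "Adr14 = {d. d > 8 \<and> d < 12}"
+definition Adr24 :: "int set" where
+"Adr24 = {d. d > 508 \<and> d < 512}"
+definition nat_4 where
+"nat_4 = nat_3 ++ (srcPat2pool_IntPort Adr14 Adr24)"
+definition policy_4 where
+"policy_4 = ((\<lambda> (x,y). x) o_f
+((nat_4 \<Otimes>\<^sub>2 filter) o (\<lambda> x. (x,x))))"
+lemmas UnfoldPolicy4 = UnfoldPolicy3 nat_4_def Adr14_def Adr24_def policy_4_def
+definition Adr15 :: "int set"
+where "Adr15 = {d. d > 10 \<and> d < 15}"
+definition Adr25 :: "int set" where
+"Adr25 = {d. d > 510 \<and> d < 515}"
+definition nat_5 where
+"nat_5 = nat_4 ++ (srcPat2pool_IntPort Adr15 Adr25)"
+definition policy_5 where
+"policy_5 = ((\<lambda> (x,y). x) o_f
+((nat_5 \<Otimes>\<^sub>2 filter) o (\<lambda> x. (x,x))))"
+lemmas UnfoldPolicy5 = UnfoldPolicy4 nat_5_def Adr15_def Adr25_def policy_5_def
+definition Adr16 :: "int set"
+where "Adr16 = {d. d > 12 \<and> d < 18}"
+definition Adr26 :: "int set" where
+"Adr26 = {d. d > 512 \<and> d < 518}"
+definition nat_6 where
+"nat_6 = nat_5 ++ (srcPat2pool_IntPort Adr16 Adr26)"
+definition policy_6 where
+"policy_6 = ((\<lambda> (x,y). x) o_f
+((nat_6 \<Otimes>\<^sub>2 filter) o (\<lambda> x. (x,x))))"
+lemmas UnfoldPolicy6 = UnfoldPolicy5 nat_6_def Adr16_def Adr26_def policy_6_def
+definition Adr17 :: "int set"
+where "Adr17 = {d. d > 14 \<and> d < 21}"
+definition Adr27 :: "int set" where
+"Adr27 = {d. d > 514 \<and> d < 521}"
+definition nat_7 where
+"nat_7 = nat_6 ++ (srcPat2pool_IntPort Adr17 Adr27)"
+definition policy_7 where
+"policy_7 = ((\<lambda> (x,y). x) o_f
+((nat_7 \<Otimes>\<^sub>2 filter) o (\<lambda> x. (x,x))))"
+lemmas UnfoldPolicy7 = UnfoldPolicy6 nat_7_def Adr17_def Adr27_def policy_7_def
+definition Adr18 :: "int set"
+where "Adr18 = {d. d > 16 \<and> d < 24}"
+definition Adr28 :: "int set" where
+"Adr28 = {d. d > 516 \<and> d < 524}"
+definition nat_8 where
+"nat_8 = nat_7 ++ (srcPat2pool_IntPort Adr18 Adr28)"
+definition policy_8 where
+"policy_8 = ((\<lambda> (x,y). x) o_f
+((nat_8 \<Otimes>\<^sub>2 filter) o (\<lambda> x. (x,x))))"
+lemmas UnfoldPolicy8 = UnfoldPolicy7 nat_8_def Adr18_def Adr28_def policy_8_def
+definition Adr19 :: "int set"
+where "Adr19 = {d. d > 18 \<and> d < 27}"
+definition Adr29 :: "int set" where
+"Adr29 = {d. d > 518 \<and> d < 527}"
+definition nat_9 where
+"nat_9 = nat_8 ++ (srcPat2pool_IntPort Adr19 Adr29)"
+definition policy_9 where
+"policy_9 = ((\<lambda> (x,y). x) o_f
+((nat_9 \<Otimes>\<^sub>2 filter) o (\<lambda> x. (x,x))))"
+lemmas UnfoldPolicy9 = UnfoldPolicy8 nat_9_def Adr19_def Adr29_def policy_9_def
+definition Adr110 :: "int set"
+where "Adr110 = {d. d > 20 \<and> d < 30}"
+definition Adr210 :: "int set" where
+"Adr210 = {d. d > 520 \<and> d < 530}"
+definition nat_10 where
+"nat_10 = nat_9 ++ (srcPat2pool_IntPort Adr110 Adr210)"
+definition policy_10 where
+"policy_10 = ((\<lambda> (x,y). x) o_f
+((nat_10 \<Otimes>\<^sub>2 filter) o (\<lambda> x. (x,x))))"
+lemmas UnfoldPolicy10 = UnfoldPolicy9 nat_10_def Adr110_def Adr210_def policy_10_def
+end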
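Review bot: `filter` places `deny_all` at the right end of its `++` chain (`allow_from_port_to (3::port) subnet1 subnet2 ++ deny_all`), while every other policy on this page puts `deny_all` on the left of `++` (`policyPort` in both DMZ theories, `strictPolicy`/`PortPolicy` in PersonalFirewallDatatype) and only the `\<Oplus>`-based `PortPolicyBig` ends with it; if `++` gives the right operand priority as HOL's `map_add` does, `filter` reduces to `deny_all` and every `policy_i` built on it denies all traffic, so the ordering should be confirmed against UPF's definition and, if so, rewritten as `"filter = deny_all ++ allow_from_port_to (1::port) subnet1 subnet2 ++ …"`. `Adr11 = {d. d > 2 \<and> d < 3}` and `Adr21 = {d. d > 502 \<and> d < 503}` are empty over `int`, so the first NAT rule in `nat_1` translates nothing; the later pairs follow a `d > 2k \<and> d < 3k` pattern that only becomes non-empty from k = 2, which looks like a generated family rather than an intended empty step. Several consecutive source pools overlap (for example 11 lies in both `Adr14` and `Adr15`, 13 and 14 in `Adr15` and `Adr16`), so the result for such an address depends on `++` precedence; a comment stating whether the overlap is deliberate for the benchmark would help. `accross_subnets` is misspelled (`across`), and the identifier is referenced from `UnfoldPolicy0`, so renaming it touches that `lemmas` line too.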
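--- a/Examples/PersonalFirewall/PersonalFirewall.thy
+++ b/Examples/PersonalFirewall/PersonalFirewall.thy
@@ -0,0 +1,45 @@
+(*****************************************************************************
+* Copyright (c) 2005-2010 ETH Zurich, Switzerland
+* 2008-2015 Achim D. Brucker, Germany
+* 2009-2016 Université Paris-Sud, France
+* 2015-2016 The University of Sheffield, UK
+*
+* All rights reserved.
+*
+* Redistribution and use in source and binary forms, with or without
+* modification, are permitted provided that the following conditions are
+* met:
+*
+* * Redistributions of source code must retain the above copyright
+* notice, this list of conditions and the following disclaimer.
+*
+* * Redistributions in binary form must reproduce the above
+* copyright notice, this list of conditions and the following
+* disclaimer in the documentation and/or other materials provided
+* with the distribution.
+*
+* * Neither the name of the copyright holders nor the names of its
+* contributors may be used to endorse or promote products derived
+* from this software without specific prior written permission.
+*
+* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+* A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+* OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+* LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+*****************************************************************************)
+section {* Personal Firewall *}
+theory
+PersonalFirewall
+imports
+PersonalFirewallInt
+PersonalFirewallIpv4
+begin
+end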
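--- a/Examples/PersonalFirewall/PersonalFirewallDatatype.thy
+++ b/Examples/PersonalFirewall/PersonalFirewallDatatype.thy
@@ -0,0 +1,108 @@
+(*****************************************************************************
+* Copyright (c) 2005-2010 ETH Zurich, Switzerland
+* 2008-2015 Achim D. Brucker, Germany
+* 2009-2016 Université Paris-Sud, France
+* 2015-2016 The University of Sheffield, UK
+*
+* All rights reserved.
+*
+* Redistribution and use in source and binary forms, with or without
+* modification, are permitted provided that the following conditions are
+* met:
+*
+* * Redistributions of source code must retain the above copyright
+* notice, this list of conditions and the following disclaimer.
+*
+* * Redistributions in binary form must reproduce the above
+* copyright notice, this list of conditions and the following
+* disclaimer in the documentation and/or other materials provided
+* with the distribution.
+*
+* * Neither the name of the copyright holders nor the names of its
+* contributors may be used to endorse or promote products derived
+* from this software without specific prior written permission.
+*
+* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+* A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+* OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+* LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+*****************************************************************************)
+subsection {* Personal Firewall: Datatype *}
+theory
+PersonalFirewallDatatype
+imports
+FWTesting
+begin
+text{* The most basic firewall scenario; there is a personal PC on one
+side and the Internet on the other. There are two policies: the first
+one allows all traffic from the PC to the Internet and denies all
+coming into the PC. The second policy only allows specific ports from
+the PC. This scenario comes in three variants: the first one specifies
+the allowed protocols directly, the second together with their
+respective port numbers, the third one only with the port numbers. *}
+datatype Adr = pc | internet
+type_synonym DatatypeTwoNets = "Adr \<times> int"
+instance Adr::adr ..
+defs (overloaded)
+src_port_def: "src_port (x::(DatatypeTwoNets,'b) packet) \<equiv> snd (src x)"
+dest_port_def: "dest_port (x::(DatatypeTwoNets,'b) packet) \<equiv> snd (dest x)"
+definition
+PC :: "DatatypeTwoNets net" where
+"PC = {{(a,b). a = pc}}"
+definition
+Internet :: "DatatypeTwoNets net" where
+"Internet = {{(a,b). a = internet}}"
+text{*
+Definition of the testing constraint
+*}
+definition
+not_in_same_net :: "(DatatypeTwoNets,DummyContent) packet \<Rightarrow> bool" where
+"not_in_same_net x = ((src x \<sqsubset> PC \<longrightarrow> dest x \<sqsubset> Internet) \<and> (src x \<sqsubset> Internet \<longrightarrow> dest x \<sqsubset> PC))"
+text {*
+Definitions of the policies
+In fact, the short definitions wouldn't have to be written down - they
+are the automatically simplified versions of their big counterparts.
+*}
+definition
+strictPolicy :: "(DatatypeTwoNets,DummyContent) FWPolicy" where
+"strictPolicy = deny_all ++ allow_all_from_to PC Internet"
+definition
+PortPolicy :: "(DatatypeTwoNets,'b) FWPolicy" where
+"PortPolicy = deny_all ++ allow_from_ports_to {80::port,24,21} PC Internet"
+definition
+PortPolicyBig :: "(DatatypeTwoNets,'b) FWPolicy" where
+"PortPolicyBig =
+allow_from_port_to (80::port) PC Internet \<Oplus>
+allow_from_port_to (24::port) PC Internet \<Oplus>
+allow_from_port_to (21::port) PC Internet \<Oplus>
+deny_all"
+lemmas policyLemmas = strictPolicy_def PortPolicy_def PC_def Internet_def PortPolicyBig_def src_def dest_def src_port_def dest_port_def
+PolicyCombinators PortCombinators in_subnet_def
+end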
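Review bot: Nothing in this commit reaches `PersonalFirewallDatatype`: the `PersonalFirewall` wrapper imports only `PersonalFirewallInt` and `PersonalFirewallIpv4`, and `Examples` imports the wrapper, so unless another session lists it this theory is never checked by the build and will rot silently — it already differs from its siblings by importing `FWTesting` instead of `"../../UPF-Firewall"` and relies on the legacy `defs (overloaded)` form. Either add it to the wrapper's imports (`imports PersonalFirewallDatatype PersonalFirewallInt PersonalFirewallIpv4`) or drop it from the commit. The `text` block says `PortPolicy` is the simplified form of `PortPolicyBig`, yet the two put `deny_all` at opposite ends and use different operators (`++` versus `\<Oplus>`); a one-line comment noting that the two combinators resolve overlaps in mirrored order, so `deny_all` must sit on the low-priority side in each, would make the claimed equivalence checkable by a reader. As in the DMZ theories, the ports 80, 24 and 21 do not correspond to the protocols the narrative describes, so labelling them as symbolic in a comment avoids misreading the example as a deployable ruleset.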
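--- a/[dir-not-shown]/PersonalFirewallInt.thy
+++ b/[dir-not-shown]/PersonalFirewallInt.thy
@@ -0,0 +1,113 @@
+(*****************************************************************************
+ * Copyright (c) 2005-2010 ETH Zurich, Switzerland
+ *               2008-2015 Achim D. Brucker, Germany
+ *               2009-2016 Université Paris-Sud, France
+ *               2015-2016 The University of Sheffield, UK
+ *
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are
+ * met:
+ *
+ *   * Redistributions of source code must retain the above copyright
+ *     notice, this list of conditions and the following disclaimer.
+ *
+ *   * Redistributions in binary form must reproduce the above
+ *     copyright notice, this list of conditions and the following
+ *     disclaimer in the documentation and/or other materials provided
+ *     with the distribution.
+ *
+ *   * Neither the name of the copyright holders nor the names of its
+ *     contributors may be used to endorse or promote products derived
+ *     from this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+ * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+ * OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+ * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+ * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ *****************************************************************************)
+subsection{* Personal Firewall: Integer *}
+theory
+  PersonalFirewallInt
+imports
+  "../../UPF-Firewall"
+begin
+text{*
+  The most basic firewall scenario; there is a personal PC on one side and the Internet on the other.
+  There are two policies: the first one allows all traffic from the PC to the Internet and denies
+  all coming into the PC. The second policy only allows specific ports from the PC. This scenario
+  comes in three variants: the first one specifies the allowed protocols directly, the second together
+  with their respective port numbers, the third one only with the port numbers.
+*}
+text{*
+  Definitions of the subnets
+*}
+definition
+  PC :: "(adr\<^sub>i\<^sub>p net)" where
+  "PC = {{(a,b). a = 3}}"
+definition
+  Internet :: "adr\<^sub>i\<^sub>p net" where
+  "Internet = {{(a,b). \<not> (a = 3)}}"
+text{*
+  Definition of the testing constraint
+*}
+definition
+  not_in_same_net :: "(adr\<^sub>i\<^sub>p,DummyContent) packet \<Rightarrow> bool" where
+  "not_in_same_net x = ((src x \<sqsubset> PC \<longrightarrow> dest x \<sqsubset> Internet) \<and> (src x \<sqsubset> Internet \<longrightarrow> dest x \<sqsubset> PC))"
+text {*
+  Definitions of the policies
+*}
+definition
+  strictPolicy :: "(adr\<^sub>i\<^sub>p,DummyContent) FWPolicy" where
+  "strictPolicy = deny_all ++ allow_all_from_to PC Internet"
+definition
+  PortPolicy :: "(adr\<^sub>i\<^sub>p,DummyContent) FWPolicy" where
+  "PortPolicy = deny_all ++ allow_from_ports_to {http,smtp,ftp} PC Internet"
+definition
+  PortPolicyBig :: "(adr\<^sub>i\<^sub>p,DummyContent) FWPolicy" where
+  "PortPolicyBig = deny_all ++
+  allow_from_port_to http PC Internet ++
+  allow_from_port_to smtp PC Internet ++
+  allow_from_port_to ftp PC Internet"
+lemmas policyLemmas = strictPolicy_def PortPolicy_def PC_def
+  Internet_def PortPolicyBig_def src_def dest_def
+  adr\<^sub>i\<^sub>pLemmas content_def
+  PortCombinators in_subnet_def PortPolicyBig_def id_def
+declare Ports [simp add]
+definition wellformed_packet::"(adr\<^sub>i\<^sub>p,DummyContent) packet \<Rightarrow> bool" where
+  "wellformed_packet p = (content p = data)"
+end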
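Review bot: `policyLemmas` lists `PortPolicyBig_def` twice, and `declare Ports [simp add]` installs a simp rule globally for every theory that imports this one, not just for the local proofs; drop the repeated name and either move `Ports` into the `simp add:` of the proofs that need it or document the global choice with `(* Ports is a global simp rule so the symbolic ports (http, smtp, ftp) unfold in generated test cases -- presumably; confirm against UPF-Firewall *)`. `wellformed_packet` also lacks any explanation of why `content p = data` is the only well-formedness requirement; a line such as `(* test-case generation only considers packets carrying the dummy payload `data` *)` would make the constraint's intent visible. The same duplicated `PortPolicyBig_def` appears in `policyLemmas` of PersonalFirewallIpv4.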
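--- a/[dir-not-shown]/PersonalFirewallIpv4.thy
+++ b/[dir-not-shown]/PersonalFirewallIpv4.thy
@@ -0,0 +1,103 @@
+(*****************************************************************************
+ * Copyright (c) 2005-2010 ETH Zurich, Switzerland
+ *               2008-2015 Achim D. Brucker, Germany
+ *               2009-2016 Université Paris-Sud, France
+ *               2015-2016 The University of Sheffield, UK
+ *
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are
+ * met:
+ *
+ *   * Redistributions of source code must retain the above copyright
+ *     notice, this list of conditions and the following disclaimer.
+ *
+ *   * Redistributions in binary form must reproduce the above
+ *     copyright notice, this list of conditions and the following
+ *     disclaimer in the documentation and/or other materials provided
+ *     with the distribution.
+ *
+ *   * Neither the name of the copyright holders nor the names of its
+ *     contributors may be used to endorse or promote products derived
+ *     from this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+ * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+ * OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+ * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+ * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ *****************************************************************************)
+subsection {* Personal Firewall IPv4 *}
+theory
+  PersonalFirewallIpv4
+imports
+  "../../UPF-Firewall"
+begin
+text{*
+  The most basic firewall scenario; there is a personal PC on one side and the Internet on the other.
+  There are two policies: the first one allows all traffic from the PC to the Internet and denies
+  all coming into the PC. The second policy only allows specific ports from the PC. This scenario
+  comes in three variants: the first one specifies the allowed protocols directly, the second together
+  with their respective port numbers, the third one only with the port numbers.
+*}
+text{*
+  Definitions of the subnets
+*}
+definition
+  PC :: "(ipv4 net)" where
+  "PC = {{((a,b,c,d),e). a = 1 \<and> b = 3 \<and> c = 5 \<and> d = 2}}"
+definition
+  Internet :: "ipv4 net" where
+  "Internet = {{((a,b,c,d),e). \<not> (a = 1 \<and> b = 3 \<and> c = 5 \<and> d = 2)}}"
+text{*
+  Definition of the testing constraint
+*}
+definition
+  not_in_same_net :: "(ipv4,DummyContent) packet \<Rightarrow> bool" where
+  "not_in_same_net x = ((src x \<sqsubset> PC \<longrightarrow> dest x \<sqsubset> Internet) \<and> (src x \<sqsubset> Internet \<longrightarrow> dest x \<sqsubset> PC))"
+text {*
+  Definitions of the policies
+*}
+definition
+  strictPolicy :: "(ipv4,DummyContent) FWPolicy" where
+  "strictPolicy = deny_all ++ allow_all_from_to PC Internet"
+definition
+  PortPolicy :: "(ipv4,DummyContent) FWPolicy" where
+  "PortPolicy = deny_all ++ allow_from_ports_to {80::port,24,21} PC Internet"
+definition
+  PortPolicyBig :: "(ipv4,DummyContent) FWPolicy" where
+  "PortPolicyBig = deny_all ++ allow_from_port_to (80::port) PC Internet++ allow_from_port_to (24::port) PC Internet++ allow_from_port_to (21::port) PC Internet"
+lemmas policyLemmas = strictPolicy_def PortPolicy_def PC_def
+  Internet_def PortPolicyBig_def src_def dest_def
+  IPv4.src_port
+  IPv4.dest_port PolicyCombinators
+  PortCombinators in_subnet_def PortPolicyBig_def
+end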
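Review bot: The port set `{80::port,24,21}` in `PortPolicy` (and the three `allow_from_port_to` rules in `PortPolicyBig`) uses 24 where the integer variant of the same scenario in PersonalFirewallInt uses the symbolic `smtp`; SMTP is port 25 by IANA assignment, so if `smtp` unfolds to 25 in UPF-Firewall (not visible here) the two "equivalent" variants admit different traffic and any comparison of their generated test cases is skewed. If 24 is deliberate, say so next to the definition, e.g. `(* 24 is intentionally not smtp (25); keep in sync with PersonalFirewallInt and the DatatypeTwoNets variant *)`, otherwise replace the literal. The DatatypeTwoNets variant above carries the same `{80::port,24,21}` set. `policyLemmas` also lists `PortPolicyBig_def` twice, and `PortPolicyBig` is written on one line with `Internet++` run together, unlike the other variants which put one rule per line.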
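--- a/[dir-not-shown]/Transformation.thy
+++ b/[dir-not-shown]/Transformation.thy
@@ -0,0 +1,44 @@
+(*****************************************************************************
+ * Copyright (c) 2005-2010 ETH Zurich, Switzerland
+ *               2008-2015 Achim D. Brucker, Germany
+ *               2009-2016 Université Paris-Sud, France
+ *               2015-2016 The University of Sheffield, UK
+ *
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are
+ * met:
+ *
+ *   * Redistributions of source code must retain the above copyright
+ *     notice, this list of conditions and the following disclaimer.
+ *
+ *   * Redistributions in binary form must reproduce the above
+ *     copyright notice, this list of conditions and the following
+ *     disclaimer in the documentation and/or other materials provided
+ *     with the distribution.
+ *
+ *   * Neither the name of the copyright holders nor the names of its
+ *     contributors may be used to endorse or promote products derived
+ *     from this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+ * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+ * OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+ * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+ * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ *****************************************************************************)
+section {* Demonstrating Policy Transformations *}
+theory Transformation
+imports
+  Transformation01
+  Transformation02
+begin
+end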
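--- a/[dir-not-shown]/Transformation01.thy
+++ b/[dir-not-shown]/Transformation01.thy
@@ -0,0 +1,268 @@
+(*****************************************************************************
+ * Copyright (c) 2005-2010 ETH Zurich, Switzerland
+ *               2008-2015 Achim D. Brucker, Germany
+ *               2009-2016 Université Paris-Sud, France
+ *               2015-2016 The University of Sheffield, UK
+ *
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are
+ * met:
+ *
+ *   * Redistributions of source code must retain the above copyright
+ *     notice, this list of conditions and the following disclaimer.
+ *
+ *   * Redistributions in binary form must reproduce the above
+ *     copyright notice, this list of conditions and the following
+ *     disclaimer in the documentation and/or other materials provided
+ *     with the distribution.
+ *
+ *   * Neither the name of the copyright holders nor the names of its
+ *     contributors may be used to endorse or promote products derived
+ *     from this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+ * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+ * OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+ * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+ * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ *****************************************************************************)
+subsection {* Transformation Example 1 *}
+theory
+  Transformation01
+imports
+  "../../UPF-Firewall"
+begin
+definition
+  FWLink :: "adr\<^sub>i\<^sub>p net" where
+  "FWLink = {{(a,b). a = 1}}"
+definition
+  any :: "adr\<^sub>i\<^sub>p net" where
+  "any = {{(a,b). a > 5}}"
+definition
+  i4:: "adr\<^sub>i\<^sub>p net" where
+  "i4 = {{(a,b). a = 2 }}"
+definition
+  i27:: "adr\<^sub>i\<^sub>p net" where
+  "i27 = {{(a,b). a = 3 }}"
+definition
+  eth_intern:: "adr\<^sub>i\<^sub>p net" where
+  "eth_intern = {{(a,b). a = 4 }}"
+definition
+  eth_private:: "adr\<^sub>i\<^sub>p net" where
+  "eth_private = {{(a,b). a = 5 }}"
+definition
+  (* Mandatory: Global *)
+  MG2 :: "(adr\<^sub>i\<^sub>p net,port) Combinators" where
+  "MG2 = AllowPortFromTo i27 any 1 \<oplus>
+  AllowPortFromTo i27 any 2 \<oplus>
+  AllowPortFromTo i27 any 3"
+definition
+  MG3 :: "(adr\<^sub>i\<^sub>p net,port) Combinators" where
+  "MG3 = AllowPortFromTo any FWLink 1"
+definition
+  MG4 :: "(adr\<^sub>i\<^sub>p net,port) Combinators" where
+  "MG4 = AllowPortFromTo FWLink FWLink 4"
+definition
+  MG7 :: "(adr\<^sub>i\<^sub>p net,port) Combinators" where
+  "MG7 = AllowPortFromTo FWLink i4 6 \<oplus>
+  AllowPortFromTo FWLink i4 7"
+definition
+  MG8 :: "(adr\<^sub>i\<^sub>p net,port) Combinators" where
+  "MG8 = AllowPortFromTo FWLink i4 6 \<oplus>
+  AllowPortFromTo FWLink i4 7"
+(* Default Global *)
+definition
+  DG3:: "(adr\<^sub>i\<^sub>p net,port) Combinators" where
+  "DG3 = AllowPortFromTo any any 7"
+definition
+  "Policy = DenyAll \<oplus> MG8 \<oplus> MG7 \<oplus> MG4 \<oplus> MG3 \<oplus> MG2 \<oplus> DG3"
+lemmas PolicyLemmas = Policy_def
+  FWLink_def
+  any_def
+  i27_def
+  i4_def
+  eth_intern_def
+  eth_private_def
+  MG2_def MG3_def MG4_def MG7_def MG8_def
+  DG3_def
+lemmas PolicyL = MG2_def MG3_def MG4_def MG7_def MG8_def
+  DG3_def Policy_def
+definition
+  not_in_same_net :: "(adr\<^sub>i\<^sub>p,DummyContent) packet \<Rightarrow> bool" where
+  "not_in_same_net x = (((src x \<sqsubset> i27) \<longrightarrow> ( \<not> (dest x \<sqsubset> i27))) \<and>
+  ((src x \<sqsubset> i4) \<longrightarrow> ( \<not> (dest x \<sqsubset> i4))) \<and>
+  ((src x \<sqsubset> eth_intern) \<longrightarrow> ( \<not> (dest x \<sqsubset> eth_intern))) \<and>
+  ((src x \<sqsubset> eth_private) \<longrightarrow> ( \<not> (dest x \<sqsubset> eth_private))))"
+consts fixID :: id
+consts fixContent :: DummyContent
+definition "fixElements p = (id p = fixID \<and> content p = fixContent)"
+lemmas fixDefs = fixElements_def NetworkCore.id_def NetworkCore.content_def
+lemma sets_distinct1: "(n::int) \<noteq> m \<Longrightarrow> {(a,b). a = n} \<noteq> {(a,b). a = m}"
+  apply auto
+  done
+lemma sets_distinct2: "(m::int) \<noteq> n \<Longrightarrow> {(a,b). a = n} \<noteq> {(a,b). a = m}"
+  apply auto
+  done
+lemma sets_distinct3: "{((a::int),(b::int)). a = n} \<noteq> {(a,b). a > n}"
+  apply auto
+  done
+lemma sets_distinct4: "{((a::int),(b::int)). a > n} \<noteq> {(a,b). a = n}"
+  apply auto
+  done
+lemma aux: "\<lbrakk>a \<in> c; a \<notin> d; c = d\<rbrakk> \<Longrightarrow> False"
+  apply auto
+  done
+lemma sets_distinct5: "(s::int) < g \<Longrightarrow> {(a::int, b::int). a = s} \<noteq> {(a::int, b::int). g < a}"
+  apply (auto simp: sets_distinct3)
+  apply (subgoal_tac "(s,4) \<in> {(a::int,b::int). a = (s)}")
+  apply (subgoal_tac "(s,4) \<notin> {(a::int,b::int). g < a}")
+  apply (erule aux)
+  apply assumption+
+  apply simp
+  by blast
+lemma sets_distinct6: "(s::int) < g \<Longrightarrow> {(a::int, b::int). g < a} \<noteq> {(a::int, b::int). a = s}"
+  apply (rule not_sym)
+  apply (rule sets_distinct5)
+  by simp
+lemma distinctNets: "FWLink \<noteq> any \<and> FWLink \<noteq> i4 \<and> FWLink \<noteq> i27 \<and> FWLink \<noteq> eth_intern \<and> FWLink \<noteq> eth_private \<and>
+  any \<noteq> FWLink \<and> any \<noteq> i4 \<and> any \<noteq> i27 \<and> any \<noteq> eth_intern \<and> any \<noteq> eth_private \<and> i4 \<noteq> FWLink \<and>
+  i4 \<noteq> any \<and> i4 \<noteq> i27 \<and> i4 \<noteq> eth_intern \<and> i4 \<noteq> eth_private \<and> i27 \<noteq> FWLink \<and> i27 \<noteq> any \<and>
+  i27 \<noteq> i4 \<and> i27 \<noteq> eth_intern \<and> i27 \<noteq> eth_private \<and> eth_intern \<noteq> FWLink \<and> eth_intern \<noteq> any \<and>
+  eth_intern \<noteq> i4 \<and> eth_intern \<noteq> i27 \<and> eth_intern \<noteq> eth_private \<and> eth_private \<noteq> FWLink \<and>
+  eth_private \<noteq> any \<and> eth_private \<noteq> i4 \<and> eth_private \<noteq> i27 \<and> eth_private \<noteq> eth_intern"
+  apply (simp add: PolicyLemmas sets_distinct1 sets_distinct2 sets_distinct3 sets_distinct4 sets_distinct5 sets_distinct6)
+  done
+lemma aux5: "\<lbrakk>x \<noteq> a; y\<noteq>b; (x \<noteq> y \<and> x \<noteq> b) \<or> (a \<noteq> b \<and> a \<noteq> y)\<rbrakk> \<Longrightarrow> {x,a} \<noteq> {y,b}"
+  apply auto
+  done
+lemma aux2: "{a,b} = {b,a}"
+  apply auto
+  done
+(*
+lemma noMT: "\<forall> x \<in> set (policy2list Policy). dom (C x) \<noteq> {}"
+  apply (simp add: PolicyLemmas)
+  apply (simp add: PLemmas PolicyLemmas)
+  by arith
+*)
+lemma ANDex: "allNetsDistinct (policy2list Policy)"
+  apply (simp add: PolicyL allNetsDistinct_def distinctNets)
+  apply (auto simp: PLemmas PolicyLemmas netsDistinct_def sets_distinct5 sets_distinct6)
+  done
+(*
+lemma count_the_rules: "(int (length(policy2list (list2FWpolicy(normalize Policy)))) = post) \<and>
+  (int(length (policy2list Policy)) = pre) \<and>
+  (int (length((normalize Policy))) = Partitions)"
+  apply (insert distinctNets noMT)
+  apply (simp add: normalize_def PolicyL bothNets_def aux5 aux2 Nets_List_def, thin_tac "?X",thin_tac "?S")
+  oops
+lemma normedPolicy: "normalize Policy = X"
+  apply (insert distinctNets noMT)
+  apply (simp add: normalize_def PolicyL bothNets_def aux5 aux2 Nets_List_def, thin_tac "?X",thin_tac "?S")
+  oops
+*)
+fun (sequential) numberOfRules where
+  "numberOfRules (a\<oplus>b) = numberOfRules a + numberOfRules b"
+  |"numberOfRules a = (1::int)"
+fun numberOfRulesList where
+  "numberOfRulesList (x#xs) = ((numberOfRules x)#(numberOfRulesList xs)) "
+  |"numberOfRulesList [] = []"
+(*
+lemma "numberOfRulesList (normalize Policy) = X"
+  apply (insert distinctNets noMT)
+  apply (simp add: normalize_def PolicyL bothNets_def aux5 aux2 Nets_List_def, thin_tac "?X",thin_tac "?S")
+  oops
+*)
+lemma all_in_list: "all_in_list (policy2list Policy) (Nets_List Policy)"
+  apply (simp add: PolicyL)
+  apply (unfold Nets_List_def)
+  apply (unfold bothNets_def)
+  apply (insert distinctNets)
+  apply simp
+  done
+lemmas normalizeUnfold = normalize_def Policy_def Nets_List_def bothNets_def aux aux2 bothNets_def
+(*
+lemma noMT2: "\<forall> x \<in> set (policy2list Policy). dom (C x) \<noteq> {}"
+  apply (simp add: PLemmas normalize_def bothNets_def
+  PolicyLemmas aux5 aux2 Nets_List_def )
+  by (metis zless_add1_eq)
+*)
+end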
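Review bot: `MG7` and `MG8` are defined identically (`AllowPortFromTo FWLink i4 6 \<oplus> AllowPortFromTo FWLink i4 7`), so `Policy` carries the same pair of rules twice; if this is meant to exercise redundant-rule elimination in the normalisation, a comment should say so, e.g. `(* MG8 deliberately duplicates MG7 to check that normalize drops redundant rules *)`, otherwise one of them is a copy-paste slip. The net called `any` is really `{(a,b). a > 5}`, the addresses outside the five named nets, and `distinctNets` relies on it not overlapping them; a note such as `(* 'any' = all addresses not covered by the named nets (a > 5); distinctNets depends on this *)` would stop readers from treating it as a wildcard. The commented-out `noMT`, `count_the_rules`, `normedPolicy`, the anonymous `numberOfRulesList` lemma and `noMT2` are dead proof text, and three of them `insert` the never-proved `noMT`; either finish them or remove them so the theory reflects what is actually established.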
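--- a/[dir-not-shown]/Transformation02.thy
+++ b/[dir-not-shown]/Transformation02.thy
@@ -0,0 +1,219 @@
+(*****************************************************************************
+ * Copyright (c) 2005-2010 ETH Zurich, Switzerland
+ *               2008-2015 Achim D. Brucker, Germany
+ *               2009-2016 Université Paris-Sud, France
+ *               2015-2016 The University of Sheffield, UK
+ *
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are
+ * met:
+ *
+ *   * Redistributions of source code must retain the above copyright
+ *     notice, this list of conditions and the following disclaimer.
+ *
+ *   * Redistributions in binary form must reproduce the above
+ *     copyright notice, this list of conditions and the following
+ *     disclaimer in the documentation and/or other materials provided
+ *     with the distribution.
+ *
+ *   * Neither the name of the copyright holders nor the names of its
+ *     contributors may be used to endorse or promote products derived
+ *     from this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+ * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+ * OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+ * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+ * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ *****************************************************************************)
+subsection {* Transforamtion Example 2 *}
+theory
+  Transformation02
+imports
+  "../../UPF-Firewall"
+begin
+definition
+  FWLink :: "adr\<^sub>i\<^sub>p net" where
+  "FWLink = {{(a,b). a = 1}}"
+definition
+  any :: "adr\<^sub>i\<^sub>p net" where
+  "any = {{(a,b). a > 5}}"
+definition
+  i4_32:: "adr\<^sub>i\<^sub>p net" where
+  "i4_32 = {{(a,b). a = 2 }}"
+definition
+  i10_32:: "adr\<^sub>i\<^sub>p net" where
+  "i10_32 = {{(a,b). a = 3 }}"
+definition
+  eth_intern:: "adr\<^sub>i\<^sub>p net" where
+  "eth_intern = {{(a,b). a = 4 }}"
+definition
+  eth_private:: "adr\<^sub>i\<^sub>p net" where
+  "eth_private = {{(a,b). a = 5 }}"
+definition
+  D1a :: "(adr\<^sub>i\<^sub>p net, port) Combinators" where
+  "D1a = AllowPortFromTo eth_intern any 1 \<oplus>
+  AllowPortFromTo eth_intern any 2"
+definition
+  D1b :: "(adr\<^sub>i\<^sub>p net, port) Combinators" where
+  "D1b = AllowPortFromTo eth_private any 1 \<oplus>
+  AllowPortFromTo eth_private any 2"
+definition
+  D2a :: "(adr\<^sub>i\<^sub>p net, port) Combinators" where
+  "D2a = AllowPortFromTo any i4_32 21"
+definition
+  D2b :: "(adr\<^sub>i\<^sub>p net, port) Combinators" where
+  "D2b = AllowPortFromTo any i10_32 21 \<oplus>
+  AllowPortFromTo any i10_32 43"
+definition
+  Policy :: "(adr\<^sub>i\<^sub>p net, port) Combinators" where
+  "Policy = DenyAll \<oplus> D2b \<oplus> D2a \<oplus> D1b \<oplus> D1a"
+lemmas PolicyLemmas = Policy_def D1a_def D1b_def D2a_def D2b_def
+lemmas PolicyL = Policy_def
+  FWLink_def
+  any_def
+  i10_32_def
+  i4_32_def
+  eth_intern_def
+  eth_private_def
+  D1a_def D1b_def D2a_def D2b_def
+consts fixID :: id
+consts fixContent :: DummyContent
+definition "fixElements p = (id p = fixID \<and> content p = fixContent)"
+lemmas fixDefs = fixElements_def NetworkCore.id_def NetworkCore.content_def
+lemma sets_distinct1: "(n::int) \<noteq> m \<Longrightarrow> {(a,b). a = n} \<noteq> {(a,b). a = m}"
+  apply auto
+  done
+lemma sets_distinct2: "(m::int) \<noteq> n \<Longrightarrow> {(a,b). a = n} \<noteq> {(a,b). a = m}"
+  apply auto
+  done
+lemma sets_distinct3: "{((a::int),(b::int)). a = n} \<noteq> {(a,b). a > n}"
+  apply auto
+  done
+lemma sets_distinct4: "{((a::int),(b::int)). a > n} \<noteq> {(a,b). a = n}"
+  apply auto
+  done
+lemma aux: "\<lbrakk>a \<in> c; a \<notin> d; c = d\<rbrakk> \<Longrightarrow> False"
+  apply auto
+  done
+lemma sets_distinct5: "(s::int) < g \<Longrightarrow> {(a::int, b::int). a = s} \<noteq> {(a::int, b::int). g < a}"
+  apply (auto simp: sets_distinct3)
+  apply (subgoal_tac "(s,4) \<in> {(a::int,b::int). a = (s)}")
+  apply (subgoal_tac "(s,4) \<notin> {(a::int,b::int). g < a}")
+  apply (erule aux)
+  apply assumption+
+  apply simp
+  by blast
+lemma sets_distinct6: "(s::int) < g \<Longrightarrow> {(a::int, b::int). g < a} \<noteq> {(a::int, b::int). a = s}"
+  apply (rule not_sym)
+  apply (rule sets_distinct5)
+  by simp
+lemma distinctNets: "FWLink \<noteq> any \<and> FWLink \<noteq> i4_32 \<and> FWLink \<noteq> i10_32 \<and>
+  FWLink \<noteq> eth_intern \<and> FWLink \<noteq> eth_private \<and> any \<noteq> FWLink \<and> any \<noteq>
+  i4_32 \<and> any \<noteq> i10_32 \<and> any \<noteq> eth_intern \<and> any \<noteq> eth_private \<and> i4_32 \<noteq>
+  FWLink \<and> i4_32 \<noteq> any \<and> i4_32 \<noteq> i10_32 \<and> i4_32 \<noteq> eth_intern \<and> i4_32 \<noteq>
+  eth_private \<and> i10_32 \<noteq> FWLink \<and> i10_32 \<noteq> any \<and> i10_32 \<noteq> i4_32 \<and> i10_32
+  \<noteq> eth_intern \<and> i10_32 \<noteq> eth_private \<and> eth_intern \<noteq> FWLink \<and> eth_intern
+  \<noteq> any \<and> eth_intern \<noteq> i4_32 \<and> eth_intern \<noteq> i10_32 \<and> eth_intern \<noteq>
+  eth_private \<and> eth_private \<noteq> FWLink \<and> eth_private \<noteq> any \<and> eth_private \<noteq>
+  i4_32 \<and> eth_private \<noteq> i10_32 \<and> eth_private \<noteq> eth_intern "
+  apply (simp add: PolicyL sets_distinct1 sets_distinct2 sets_distinct3
+  sets_distinct4 sets_distinct5 sets_distinct6)
+  done
+lemma aux5: "\<lbrakk>x \<noteq> a; y\<noteq>b; (x \<noteq> y \<and> x \<noteq> b) \<or> (a \<noteq> b \<and> a \<noteq> y)\<rbrakk> \<Longrightarrow> {x,a} \<noteq> {y,b}"
+  apply auto
+  done
+lemma aux2: "{a,b} = {b,a}"
+  apply auto
+  done
+lemma ANDex: "allNetsDistinct (policy2list Policy)"
+  apply (simp add: PolicyLemmas allNetsDistinct_def distinctNets)
+  apply (simp add: PolicyL)
+  apply (auto simp: PLemmas PolicyL netsDistinct_def sets_distinct5 sets_distinct6 sets_distinct1 sets_distinct2)
+  done
+fun (sequential) numberOfRules where
+  "numberOfRules (a\<oplus>b) = numberOfRules a + numberOfRules b"
+  |"numberOfRules a = (1::int)"
+fun numberOfRulesList where
+  "numberOfRulesList (x#xs) = ((numberOfRules x)#(numberOfRulesList xs)) "
+  |"numberOfRulesList [] = []"
+lemma all_in_list: "all_in_list (policy2list Policy) (Nets_List Policy)"
+  apply (simp add: PolicyLemmas)
+  apply (unfold Nets_List_def)
+  apply (unfold bothNets_def)
+  apply (insert distinctNets)
+  apply simp
+  done
+lemmas normalizeUnfold = normalize_def PolicyL Nets_List_def bothNets_def aux aux2 bothNets_def sets_distinct1 sets_distinct2 sets_distinct3 sets_distinct4 sets_distinct5 sets_distinct6 aux5 aux2
+end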
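Review bot: The two lemma collections are named the opposite way round from Transformation01: here `PolicyLemmas` holds only the combinator definitions and `PolicyL` adds the net definitions, while in Transformation01 `PolicyLemmas` is the larger set and `PolicyL` the smaller, so a proof step copied between the two sibling theories silently unfolds different things; align the names with Transformation01 or put a one-line comment above each `lemmas` stating what it unfolds. `normalizeUnfold` lists `bothNets_def` and `aux2` twice, and the `sets_distinct*`/`aux*` lemmas are duplicated verbatim from Transformation01 rather than shared. The subsection title is misspelt: `subsection {* Transformation Example 2 *}`.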
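--- a/[dir-not-shown]/VoIP.thy
+++ b/[dir-not-shown]/VoIP.thy
@@ -0,0 +1,136 @@
+(*****************************************************************************
+ * Copyright (c) 2005-2010 ETH Zurich, Switzerland
+ *               2008-2015 Achim D. Brucker, Germany
+ *               2009-2016 Université Paris-Sud, France
+ *               2015-2016 The University of Sheffield, UK
+ *
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are
+ * met:
+ *
+ *   * Redistributions of source code must retain the above copyright
+ *     notice, this list of conditions and the following disclaimer.
+ *
+ *   * Redistributions in binary form must reproduce the above
+ *     copyright notice, this list of conditions and the following
+ *     disclaimer in the documentation and/or other materials provided
+ *     with the distribution.
+ *
+ *   * Neither the name of the copyright holders nor the names of its
+ *     contributors may be used to endorse or promote products derived
+ *     from this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+ * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+ * OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+ * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+ * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ *****************************************************************************)
+section {* Voice over IP *}
+theory VoIP
+imports
+  "../../UPF-Firewall"
+begin
+text{* In this theory we generate the test data for correct runs of
+  the FTP protocol. As usual, we start with definining the networks and
+  the policy. We use a rather simple policy which allows only FTP
+  connections starting from the Intranet and going to the Internet, and
+  deny everything else. *}
+definition
+  intranet :: "adr\<^sub>i\<^sub>p net" where
+  "intranet = {{(a,e) . a = 3}}"
+definition
+  internet :: "adr\<^sub>i\<^sub>p net" where
+  "internet = {{(a,c). a > 4}}"
+definition
+  gatekeeper :: "adr\<^sub>i\<^sub>p net" where
+  "gatekeeper = {{(a,c). a =4}}"
+definition
+  voip_policy :: "(adr\<^sub>i\<^sub>p,address voip_msg) FWPolicy" where
+  "voip_policy = A\<^sub>U"
+text{* The next two constants check if an address is in the Intranet
+  or in the Internet respectively.*}
+definition
+  is_in_intranet :: "address \<Rightarrow> bool" where
+  "is_in_intranet a = (a = 3)"
+definition
+  is_gatekeeper :: "address \<Rightarrow> bool" where
+  "is_gatekeeper a = (a = 4)"
+definition
+  is_in_internet :: "address \<Rightarrow> bool" where
+  "is_in_internet a = (a > 4)"
+text{*
+  The next definition is our starting state: an empty trace and the just defined policy.*}
+definition
+  "\<sigma>_0_voip" :: "(adr\<^sub>i\<^sub>p, address voip_msg) history \<times>
+  (adr\<^sub>i\<^sub>p, address voip_msg) FWPolicy"
+where
+  "\<sigma>_0_voip = ([],voip_policy)"
+text{*Next we state the conditions we have on our trace: a normal
+  behaviour FTP run from the intranet to some server in the internet on
+  port 21.*}
+definition "accept_voip" :: "(adr\<^sub>i\<^sub>p, address voip_msg) history \<Rightarrow> bool" where
+  "accept_voip t =
+  (\<exists> c s g i p1 p2. t \<in> NB_voip c s g i p1 p2 \<and> is_in_intranet c \<and> is_in_internet s
+  \<and> is_gatekeeper g)"
+fun packet_with_id where
+  "packet_with_id [] i = []"
+  |"packet_with_id (x#xs) i =
+  (if id x = i then (x#(packet_with_id xs i)) else (packet_with_id xs i))"
+text{*The depth of the test case generation corresponds to the maximal
+  length of generated traces. 4 is the minimum to get a full FTP
+  protocol run. *}
+fun ids1 where
+  "ids1 i (x#xs) = (id x = i \<and> ids1 i xs)"
+  |"ids1 i [] = True"
+lemmas ST_simps = Let_def valid_SE_def unit_SE_def bind_SE_def
+  subnet_of_int_def p_accept_def content_def
+  is_in_intranet_def is_in_internet_def intranet_def internet_def exI
+  subnetOf_lemma subnetOf_lemma2 subnetOf_lemma3 subnetOf_lemma4 voip_policy_def
+  NetworkCore.id_def is_arq_def is_fin_def
+  is_connect_def is_setup_def ports_open_def subnet_of_adr_def
+  VOIP.NB_voip_def \<sigma>_0_voip_def PLemmas VOIP_TRPolicy_def
+  policy2MON_def applyPolicy_def
+end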
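Review bot: The three `text` blocks describe an FTP scenario, not this theory: they say the test data are for "correct runs of the FTP protocol", that the policy "allows only FTP connections ... and deny everything else", and that depth 4 is "the minimum to get a full FTP protocol run", while the definitions below them are `voip_policy = A\<^sub>U` and `accept_voip` over `NB_voip` with a gatekeeper. If `A\<^sub>U` is the allow-everything policy, as its name suggests (confirm in UPF), the "deny everything else" sentence states the opposite of what `voip_policy` does, which matters because the prose is the only place a reader learns what the generated test cases are supposed to establish. The comment above `is_in_intranet` says "the next two constants" but three are defined, the gatekeeper check included. Rewrite the text blocks for VoIP: an intranet caller (address 3), a gatekeeper (address 4), an internet callee (address > 4), the `voip_policy` actually used, and whatever trace depth a full `NB_voip` run needs.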
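--- /dev/null
+++ b/<path-not-shown-on-page>/ElementaryRules.thy
@@ -0,0 +1,76 @@
+(*****************************************************************************
+* Copyright (c) 2005-2010 ETH Zurich, Switzerland
+* 2008-2015 Achim D. Brucker, Germany
+* 2009-2016 Université Paris-Sud, France
+* 2015-2016 The University of Sheffield, UK
+*
+* All rights reserved.
+*
+* Redistribution and use in source and binary forms, with or without
+* modification, are permitted provided that the following conditions are
+* met:
+*
+* * Redistributions of source code must retain the above copyright
+* notice, this list of conditions and the following disclaimer.
+*
+* * Redistributions in binary form must reproduce the above
+* copyright notice, this list of conditions and the following
+* disclaimer in the documentation and/or other materials provided
+* with the distribution.
+*
+* * Neither the name of the copyright holders nor the names of its
+* contributors may be used to endorse or promote products derived
+* from this software without specific prior written permission.
+*
+* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+* A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+* OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+* LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+*****************************************************************************)
+subsection {* Elementary Firewall Policy Transformation Rules *}
+theory ElementaryRules
+imports FWNormalisationCore
+begin
+text{*
+This theory contains those elementary transformation rules which are presented in the ICST
+2010 paper~\cite{brucker.ea:firewall:2010}. They are not used elsewhere.
+*}
+lemma elem1:
+"C (AllowPortFromTo x y p \<oplus> DenyAllFromTo x y) = C (DenyAllFromTo x y)"
+by (rule ext, auto simp: PLemmas)
+lemma elem2:
+"C ((a \<oplus> b) \<oplus> c) = C (a \<oplus> (b \<oplus> c))"
+by (simp add: C.simps)
+lemma elem3:
+"C (AllowPortFromTo x y a \<oplus> AllowPortFromTo x y b) =
+C (AllowPortFromTo x y b \<oplus> AllowPortFromTo x y a)"
+by (rule ext, auto simp: PLemmas)
+lemma elem4:
+"C (a \<oplus> DenyAll) = C DenyAll"
+by (rule ext, auto simp: PLemmas)
+lemma elem5:
+"C (DenyAllFromTo x y \<oplus> DenyAllFromTo u v) = C (DenyAllFromTo u v \<oplus> DenyAllFromTo x y)"
+by (rule ext, auto simp: PLemmas)
+lemma elem6:
+"dom (C a) \<inter> dom (C b) = {} \<Longrightarrow> C (a \<oplus> b) = C (b \<oplus> a)"
+by (rule ext, metis C.simps(4) map_add_comm)
+end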
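Review bot: elem6 is the only rule in this theory that swaps two arbitrary rules, and it is sound only under the hypothesis `dom (C a) \<inter> dom (C b) = {}`; since the proof goes through `map_add_comm`, `\<oplus>` appears to be interpreted as a left-biased map override, so without that hypothesis two overlapping rules with different actions would change which one wins. A short `text{* ... *}` before elem6 stating that reordering rules with overlapping domains is not semantics-preserving, and that elem3 and elem5 presumably need no such condition only because both rules carry the same action, would make the limits of these rewrites clear to anyone reusing them. The citation key `brucker.ea:firewall:2010` also differs from the `brucker.ea:icst:2010` used in FWNormalisationCore's header text; worth checking that both resolve in the bibliography.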
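--- /dev/null
+++ b/<path-not-shown-on-page>/FWNormalisation.thy
@@ -0,0 +1,42 @@
+(*****************************************************************************
+* Copyright (c) 2005-2010 ETH Zurich, Switzerland
+* 2008-2015 Achim D. Brucker, Germany
+* 2009-2016 Université Paris-Sud, France
+* 2015-2016 The University of Sheffield, UK
+*
+* All rights reserved.
+*
+* Redistribution and use in source and binary forms, with or without
+* modification, are permitted provided that the following conditions are
+* met:
+*
+* * Redistributions of source code must retain the above copyright
+* notice, this list of conditions and the following disclaimer.
+*
+* * Redistributions in binary form must reproduce the above
+* copyright notice, this list of conditions and the following
+* disclaimer in the documentation and/or other materials provided
+* with the distribution.
+* * Neither the name of the copyright holders nor the names of its
+* contributors may be used to endorse or promote products derived
+* from this software without specific prior written permission.
+*
+* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+* A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+* OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+* LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+*****************************************************************************)
+chapter {* Firewall Policy Normalisation *}
+theory FWNormalisation
+imports NormalisationIPPProofs
+begin
+end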
@@ -0,0 +1,654 @@ | |||
(***************************************************************************** | |||
* Copyright (c) 2005-2010 ETH Zurich, Switzerland | |||
* 2008-2015 Achim D. Brucker, Germany | |||
* 2009-2016 Université Paris-Sud, France | |||
* 2015-2016 The University of Sheffield, UK | |||
* | |||
* All rights reserved. | |||
* | |||
* Redistribution and use in source and binary forms, with or without | |||
* modification, are permitted provided that the following conditions are | |||
* met: | |||
* | |||
* * Redistributions of source code must retain the above copyright | |||
* notice, this list of conditions and the following disclaimer. | |||
* | |||
* * Redistributions in binary form must reproduce the above | |||
* copyright notice, this list of conditions and the following | |||
* disclaimer in the documentation and/or other materials provided | |||
* with the distribution. | |||
* | |||
* * Neither the name of the copyright holders nor the names of its | |||
* contributors may be used to endorse or promote products derived | |||
* from this software without specific prior written permission. | |||
* | |||
* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS | |||
* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT | |||
* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR | |||
* A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT | |||
* OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, | |||
* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT | |||
* LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, | |||
* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY | |||
* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT | |||
* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE | |||
* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. | |||
*****************************************************************************) | |||
subsection {* Policy Normalisation: Core Definitions *} | |||
theory | |||
FWNormalisationCore | |||
imports | |||
"../PacketFilter/PacketFilter" | |||
begin | |||
text{* | |||
This theory contains all the definitions used for policy normalisation as described | |||
in~\cite{brucker.ea:icst:2010,brucker.ea:formal-fw-testing:2014}. | |||
The normalisation procedure transforms policies into semantically equivalent ones which are | |||
``easier'' to test. It is organized into nine phases. We impose the following two restrictions | |||
on the input policies: | |||
\begin{itemize} | |||
\item Each policy must contain a $\mathtt{DenyAll}$ rule. If this restriction were to be lifted, | |||
the $\mathtt{insertDenies}$ phase would have to be adjusted accordingly. | |||
\item For each pair of networks $n_1$ and $n_2$, the networks are either disjoint or equal. If | |||
this restriction were to be lifted, we would need some additional phases before the start | |||
of the normalisation procedure presented below. This rule would split single rules into | |||
several by splitting up the networks such that they are all pairwise disjoint or equal. | |||
Such a transformation is clearly semantics-preserving and the condition would hold after | |||
these phases. | |||
\end{itemize} | |||
As a result, the procedure generates a list of policies, in which: | |||
\begin{itemize} | |||
\item each element of the list contains a policy which completely specifies the blocking behavior | |||
between two networks, and | |||
\item there are no shadowed rules. | |||
\end{itemize} | |||
This result is desirable since the test case generation for rules between networks $A$ and $B$ | |||
is independent of the rules that specify the behavior for traffic flowing between networks $C$ | |||
and $D$. Thus, the different segments of the policy can be processed individually. The | |||
normalization procedure does not aim to minimize the number of rules. While it does remove | |||
unnecessary ones, it also adds new ones, enabling a policy to be split into several independent | |||
parts. | |||
*} | |||
text{* | |||
Policy transformations are functions that map policies to policies. We decided to represent | |||
policy transformations as \emph{syntactic rules}; this choice paves the way for expressing the | |||
entire normalisation process inside HOL by functions manipulating abstract policy syntax. | |||
*} | |||
subsubsection{* Basics *} | |||
text{* We define a very simple policy language: *} | |||
datatype ('\<alpha>,'\<beta>) Combinators = | |||
DenyAll | |||
| DenyAllFromTo '\<alpha> '\<alpha> | |||
| AllowPortFromTo '\<alpha> '\<alpha> '\<beta> | |||
| Conc "(('\<alpha>,'\<beta>) Combinators)" "(('\<alpha>,'\<beta>) Combinators)" (infixr "\<oplus>" 80) | |||
text{* | |||
And define the semantic interpretation of it. For technical reasons, we fix here the type to | |||
policies over IntegerPort addresses. However, we could easily provide definitions for other | |||
address types as well, using a generic consts for the type definition and a primitive recursive | |||
definition for each desired address model. *} | |||
subsubsection{* Auxiliary definitions and functions. *} | |||
text{* | |||
This subsubsection defines several functions which are useful later for the combinators, invariants, | |||
and proofs. | |||
*} | |||
fun srcNet where | |||
"srcNet (DenyAllFromTo x y) = x" | |||
|"srcNet (AllowPortFromTo x y p) = x" | |||
|"srcNet DenyAll = undefined" | |||
|"srcNet (v \<oplus> va) = undefined" | |||
fun destNet where | |||
"destNet (DenyAllFromTo x y) = y" | |||
|"destNet (AllowPortFromTo x y p) = y" | |||
|"destNet DenyAll = undefined" | |||
|"destNet (v \<oplus> va) = undefined" | |||
fun srcnets where | |||
"srcnets DenyAll = [] " | |||
|"srcnets (DenyAllFromTo x y) = [x] " | |||
|"srcnets (AllowPortFromTo x y p) = [x] " | |||
|"(srcnets (x \<oplus> y)) = (srcnets x)@(srcnets y)" | |||
fun destnets where | |||
"destnets DenyAll = [] " | |||
|"destnets (DenyAllFromTo x y) = [y] " | |||
|"destnets (AllowPortFromTo x y p) = [y] " | |||
|"(destnets (x \<oplus> y)) = (destnets x)@(destnets y)" | |||
fun (sequential) net_list_aux where | |||
"net_list_aux [] = []" | |||
|"net_list_aux (DenyAll#xs) = net_list_aux xs" | |||
|"net_list_aux ((DenyAllFromTo x y)#xs) = x#y#(net_list_aux xs)" | |||
|"net_list_aux ((AllowPortFromTo x y p)#xs) = x#y#(net_list_aux xs)" | |||
|"net_list_aux ((x\<oplus>y)#xs) = (net_list_aux [x])@(net_list_aux [y])@(net_list_aux xs)" | |||
fun net_list where "net_list p = remdups (net_list_aux p)" | |||
definition bothNets where "bothNets x = (zip (srcnets x) (destnets x))" | |||
fun (sequential) normBothNets where | |||
"normBothNets ((a,b)#xs) = (if ((b,a) \<in> set xs) \<or> (a,b) \<in> set (xs) | |||
then (normBothNets xs) | |||
else (a,b)#(normBothNets xs))" | |||
|"normBothNets x = x" | |||
fun makeSets where | |||
"makeSets ((a,b)#xs) = ({a,b}#(makeSets xs))" | |||
|"makeSets [] = []" | |||
fun bothNet where | |||
"bothNet DenyAll = {}" | |||
|"bothNet (DenyAllFromTo a b) = {a,b}" | |||
|"bothNet (AllowPortFromTo a b p) = {a,b}" | |||
|"bothNet (v \<oplus> va) = undefined " | |||
text{* | |||
$Nets\_List$ provides from a list of rules a list where the entries are the appearing sets of | |||
source and destination network of each rule. | |||
*} | |||
definition Nets_List | |||
where | |||
"Nets_List x = makeSets (normBothNets (bothNets x))" | |||
fun (sequential) first_srcNet where | |||
"first_srcNet (x\<oplus>y) = first_srcNet x" | |||
| "first_srcNet x = srcNet x" | |||
fun (sequential) first_destNet where | |||
"first_destNet (x\<oplus>y) = first_destNet x" | |||
| "first_destNet x = destNet x" | |||
fun (sequential) first_bothNet where | |||
"first_bothNet (x\<oplus>y) = first_bothNet x" | |||
|"first_bothNet x = bothNet x" | |||
fun (sequential) in_list where | |||
"in_list DenyAll l = True" | |||
|"in_list x l = (bothNet x \<in> set l)" | |||
fun all_in_list where | |||
"all_in_list [] l = True" | |||
|"all_in_list (x#xs) l = (in_list x l \<and> all_in_list xs l)" | |||
fun (sequential) member where | |||
"member a (x\<oplus>xs) = ((member a x) \<or> (member a xs))" | |||
|"member a x = (a = x)" | |||
fun sdnets where | |||
"sdnets DenyAll = {}" | |||
| "sdnets (DenyAllFromTo a b) = {(a,b)}" | |||
| "sdnets (AllowPortFromTo a b c) = {(a,b)}" | |||
| "sdnets (a \<oplus> b) = sdnets a \<union> sdnets b" | |||
definition packet_Nets where "packet_Nets x a b = ((src x \<sqsubset> a \<and> dest x \<sqsubset> b) \<or> | |||
(src x \<sqsubset> b \<and> dest x \<sqsubset> a))" | |||
definition subnetsOfAdr where "subnetsOfAdr a = {x. a \<sqsubset> x}" | |||
definition fst_set where "fst_set s = {a. \<exists> b. (a,b) \<in> s}" | |||
definition snd_set where "snd_set s = {a. \<exists> b. (b,a) \<in> s}" | |||
fun memberP where | |||
"memberP r (x#xs) = (member r x \<or> memberP r xs)" | |||
|"memberP r [] = False" | |||
fun firstList where | |||
"firstList (x#xs) = (first_bothNet x)" | |||
|"firstList [] = {}" | |||
subsubsection{* Invariants *} | |||
text{* If there is a DenyAll, it is at the first position *} | |||
fun wellformed_policy1:: "(('\<alpha>, '\<beta>) Combinators) list \<Rightarrow> bool" where | |||
"wellformed_policy1 [] = True" | |||
| "wellformed_policy1 (x#xs) = (DenyAll \<notin> (set xs))" | |||
text{* There is a DenyAll at the first position *} | |||
fun wellformed_policy1_strong:: "(('\<alpha>, '\<beta>) Combinators) list \<Rightarrow> bool" | |||
where | |||
"wellformed_policy1_strong [] = False" | |||
| "wellformed_policy1_strong (x#xs) = (x=DenyAll \<and> (DenyAll \<notin> (set xs)))" | |||
text{* All two networks are either disjoint or equal. *} | |||
definition netsDistinct where "netsDistinct a b = (\<not> (\<exists> x. x \<sqsubset> a \<and> x \<sqsubset> b))" | |||
definition twoNetsDistinct where | |||
"twoNetsDistinct a b c d = (netsDistinct a c \<or> netsDistinct b d)" | |||
definition allNetsDistinct where | |||
"allNetsDistinct p = (\<forall> a b. (a \<noteq> b \<and> a \<in> set (net_list p) \<and> | |||
b \<in> set (net_list p)) \<longrightarrow> netsDistinct a b)" | |||
definition disjSD_2 where | |||
"disjSD_2 x y = (\<forall> a b c d. ((a,b)\<in>sdnets x \<and> (c,d) \<in>sdnets y \<longrightarrow> | |||
(twoNetsDistinct a b c d \<and> twoNetsDistinct a b d c)))" | |||
text{* The policy is given as a list of single rules. *} | |||
fun singleCombinators where | |||
"singleCombinators [] = True" | |||
|"singleCombinators ((x\<oplus>y)#xs) = False" | |||
|"singleCombinators (x#xs) = singleCombinators xs" | |||
definition onlyTwoNets where | |||
"onlyTwoNets x = ((\<exists> a b. (sdnets x = {(a,b)})) \<or> (\<exists> a b. sdnet |