
Initial commit.

tags/afp-UPF_Firewall-current-Isabelle2016-1
Achim D. Brucker 4 years ago
commit
671debf879
49 changed files with 12267 additions and 0 deletions
  1. +75
    -0
      Examples/DMZ/DMZ.thy
  2. +120
    -0
      Examples/DMZ/DMZDatatype.thy
  3. +133
    -0
      Examples/DMZ/DMZInteger.thy
  4. +50
    -0
      Examples/Examples.thy
  5. +292
    -0
      Examples/NAT-FW/NAT-FW.thy
  6. +45
    -0
      Examples/PersonalFirewall/PersonalFirewall.thy
  7. +108
    -0
      Examples/PersonalFirewall/PersonalFirewallDatatype.thy
  8. +113
    -0
      Examples/PersonalFirewall/PersonalFirewallInt.thy
  9. +103
    -0
      Examples/PersonalFirewall/PersonalFirewallIpv4.thy
  10. +44
    -0
      Examples/Transformation/Transformation.thy
  11. +268
    -0
      Examples/Transformation/Transformation01.thy
  12. +219
    -0
      Examples/Transformation/Transformation02.thy
  13. +136
    -0
      Examples/VoIP/VoIP.thy
  14. +76
    -0
      FWNormalisation/ElementaryRules.thy
  15. +42
    -0
      FWNormalisation/FWNormalisation.thy
  16. +654
    -0
      FWNormalisation/FWNormalisationCore.thy
  17. +2397
    -0
      FWNormalisation/NormalisationGenericProofs.thy
  18. +1959
    -0
      FWNormalisation/NormalisationIPPProofs.thy
  19. +1971
    -0
      FWNormalisation/NormalisationIntegerPortProof.thy
  20. +34
    -0
      LICENSE
  21. +170
    -0
      NAT/NAT.thy
  22. +62
    -0
      PacketFilter/DatatypeAddress.thy
  23. +93
    -0
      PacketFilter/DatatypePort.thy
  24. +88
    -0
      PacketFilter/IPv4.thy
  25. +83
    -0
      PacketFilter/IPv4_TCPUDP.thy
  26. +48
    -0
      PacketFilter/IntegerAddress.thy
  27. +85
    -0
      PacketFilter/IntegerPort.thy
  28. +111
    -0
      PacketFilter/IntegerPort_TCPUDP.thy
  29. +182
    -0
      PacketFilter/NetworkCore.thy
  30. +79
    -0
      PacketFilter/NetworkModels.thy
  31. +45
    -0
      PacketFilter/PacketFilter.thy
  32. +86
    -0
      PacketFilter/PolicyCombinators.thy
  33. +70
    -0
      PacketFilter/PolicyCore.thy
  34. +183
    -0
      PacketFilter/PortCombinators.thy
  35. +78
    -0
      PacketFilter/Ports.thy
  36. +180
    -0
      PacketFilter/ProtocolPortCombinators.thy
  37. +31
    -0
      README.md
  38. +11
    -0
      ROOT
  39. +248
    -0
      StatefulFW/FTP.thy
  40. +314
    -0
      StatefulFW/FTPVOIP.thy
  41. +77
    -0
      StatefulFW/FTP_WithPolicy.thy
  42. +160
    -0
      StatefulFW/LTL_alike.thy
  43. +106
    -0
      StatefulFW/Stateful.thy
  44. +44
    -0
      StatefulFW/StatefulFW.thy
  45. +321
    -0
      StatefulFW/VOIP.thy
  46. +48
    -0
      UPF-Firewall.thy
  47. +12
    -0
      document/introduction.tex
  48. +254
    -0
      document/root.bib
  49. +159
    -0
      document/root.tex

+ 75
- 0
Examples/DMZ/DMZ.thy

@@ -0,0 +1,75 @@
(*****************************************************************************
* Copyright (c) 2005-2010 ETH Zurich, Switzerland
* 2008-2015 Achim D. Brucker, Germany
* 2009-2016 Université Paris-Sud, France
* 2015-2016 The University of Sheffield, UK
*
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions are
* met:
*
* * Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
*
* * Redistributions in binary form must reproduce the above
* copyright notice, this list of conditions and the following
* disclaimer in the documentation and/or other materials provided
* with the distribution.
*
* * Neither the name of the copyright holders nor the names of its
* contributors may be used to endorse or promote products derived
* from this software without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
* A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
* OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
* LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*****************************************************************************)

section {* A Simple DMZ Setup *}
theory
DMZ
imports
DMZDatatype
DMZInteger
begin

text{* This scenario is slightly more complicated than the SimpleDMZ
one, as we now also model specific servers within one
network. Therefore, we cannot use anymore the modelling using
datatype synonym, but only use the one where an address is modelled as an
integer (with ports).

The scenario is the following:

\begin{labeling}{Networks:}
\item[Networks:]
\begin{itemize}
\item Intranet (Company intern network)
\item DMZ (demilitarised zone, servers, etc), containing
at least two distinct servers ``mail'' and ``web''
\item Internet (``all others'')
\end{itemize}
\item[Policy:]
\begin{itemize}
\item allow http(s) from Intranet to Internet
\item deny all trafic from Internet to Intranet
\item allo imaps and smtp from intranet to mailserver
\item allow smtp from Internet to mailserver
\item allow http(s) from Internet to webserver
\item deny everything else
\end{itemize}
\end{labeling}
*}

end
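Review bot: The scenario text in the `text{* ... *}` block states that the datatype-synonym modelling can no longer be used for this scenario, yet the theory imports DMZDatatype, which models exactly this scenario with a datatype; the sentence should say that both encodings are provided so that they can be compared. The policy items also carry the typos `trafic` and `allo`, which end up in the generated document; `deny all traffic from Internet to Intranet` and `allow imaps and smtp from intranet to mailserver` is the intended wording. The same paragraph is repeated verbatim in DMZInteger.thy, so both copies need the same correction.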

+ 120
- 0
Examples/DMZ/DMZDatatype.thy

@@ -0,0 +1,120 @@
(*****************************************************************************
* Copyright (c) 2005-2010 ETH Zurich, Switzerland
* 2008-2015 Achim D. Brucker, Germany
* 2009-2016 Université Paris-Sud, France
* 2015-2016 The University of Sheffield, UK
*
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions are
* met:
*
* * Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
*
* * Redistributions in binary form must reproduce the above
* copyright notice, this list of conditions and the following
* disclaimer in the documentation and/or other materials provided
* with the distribution.
*
* * Neither the name of the copyright holders nor the names of its
* contributors may be used to endorse or promote products derived
* from this software without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
* A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
* OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
* LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*****************************************************************************)

subsection {* DMZ Datatype *}
theory
DMZDatatype
imports
"../../UPF-Firewall"
begin

text{* This is the fourth scenario, slightly more complicated than the
previous one, as we now also model specific servers within one
network. Therefore, we could not use anymore the modelling using
datatype synonym, but only use the one where an address is modelled as an
integer (with ports).

Just for comparison, this theory is the same scenario with datatype synonym
anyway, but with four distinct networks instead of one contained in
another. As there is no corresponding network model included, we need
to define a custom one. *}


datatype Adr = Intranet | Internet | Mail | Web | DMZ
instance Adr::adr ..
type_synonym port = int
type_synonym Networks = "Adr \<times> port"


definition
intranet::"Networks net" where
"intranet = {{(a,b). a= Intranet}}"
definition
dmz :: "Networks net" where
"dmz = {{(a,b). a= DMZ}}"
definition
mail :: "Networks net" where
"mail = {{(a,b). a=Mail}}"
definition
web :: "Networks net" where
"web = {{(a,b). a=Web}}"
definition
internet :: "Networks net" where
"internet = {{(a,b). a= Internet}}"

definition
Intranet_mail_port :: "(Networks ,DummyContent) FWPolicy" where
"Intranet_mail_port = (allow_from_ports_to {21::port,14} intranet mail)"

definition
Intranet_Internet_port :: "(Networks,DummyContent) FWPolicy" where
"Intranet_Internet_port = allow_from_ports_to {80::port,90} intranet internet"
definition
Internet_web_port :: "(Networks,DummyContent) FWPolicy" where
"Internet_web_port = (allow_from_ports_to {80::port,90} internet web)"
definition
Internet_mail_port :: "(Networks,DummyContent) FWPolicy" where
"Internet_mail_port = (allow_all_from_port_to internet (21::port) dmz)"

definition
policyPort :: "(Networks, DummyContent) FWPolicy" where
"policyPort = deny_all ++
Intranet_Internet_port ++
Intranet_mail_port ++
Internet_mail_port ++
Internet_web_port"


text {* We only want to create test cases which are sent between the
three main networks --- e.g. not between the mailserver and the
dmz. Therefore, the constraint looks as follows. *}

definition
not_in_same_net :: "(Networks,DummyContent) packet \<Rightarrow> bool" where
"not_in_same_net x = ((src x \<sqsubset> internet \<longrightarrow> \<not> dest x \<sqsubset> internet) \<and>
(src x \<sqsubset> intranet \<longrightarrow> \<not> dest x \<sqsubset> intranet) \<and>
(src x \<sqsubset> dmz \<longrightarrow> \<not> dest x \<sqsubset> dmz))"

lemmas PolicyLemmas = dmz_def internet_def intranet_def mail_def web_def
Internet_web_port_def Internet_mail_port_def
Intranet_Internet_port_def Intranet_mail_port_def
src_def dest_def src_port dest_port in_subnet_def


end
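Review bot: `Internet_mail_port` is defined as `allow_all_from_port_to internet (21::port) dmz`, so its destination is the `dmz` net rather than `mail`, whereas the scenario text in DMZ.thy promises smtp from the Internet to the mail server only. In this theory `dmz` and `mail` are built from the distinct constructors `DMZ` and `Mail` and are therefore disjoint, so as far as I can tell the rule can never admit a packet addressed to the mail server; in DMZInteger.thy the same rule instead admits every DMZ host (addresses 7 to 10), which is wider than the documented policy. Both definitions should presumably read `"Internet_mail_port = (allow_all_from_port_to internet (21::port) mail)"`. Separately, the port constants `{21::port,14}` and `{80::port,90}` do not correspond to the imaps/smtp and http(s) services the text names; if they are deliberate test values, a short comment saying so would stop readers from taking them for the real service ports. `PolicyLemmas` here also omits `policyPort_def`, which the DMZInteger variant includes.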

+ 133
- 0
Examples/DMZ/DMZInteger.thy

@@ -0,0 +1,133 @@
(*****************************************************************************
* Copyright (c) 2005-2010 ETH Zurich, Switzerland
* 2008-2015 Achim D. Brucker, Germany
* 2009-2016 Université Paris-Sud, France
* 2015-2016 The University of Sheffield, UK
*
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions are
* met:
*
* * Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
*
* * Redistributions in binary form must reproduce the above
* copyright notice, this list of conditions and the following
* disclaimer in the documentation and/or other materials provided
* with the distribution.
*
* * Neither the name of the copyright holders nor the names of its
* contributors may be used to endorse or promote products derived
* from this software without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
* A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
* OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
* LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*****************************************************************************)

subsection {* DMZ: Integer *}
theory
DMZInteger
imports
"../../UPF-Firewall"
begin

text{* This scenario is slightly more complicated than the SimpleDMZ
one, as we now also model specific servers within one
network. Therefore, we cannot use anymore the modelling using
datatype synonym, but only use the one where an address is modelled as an
integer (with ports).

The scenario is the following:

\begin{labeling}{Networks:}
\item[Networks:]
\begin{itemize}
\item Intranet (Company intern network)
\item DMZ (demilitarised zone, servers, etc), containing
at least two distinct servers ``mail'' and ``web''
\item Internet (``all others'')
\end{itemize}
\item[Policy:]
\begin{itemize}
\item allow http(s) from Intranet to Internet
\item deny all trafic from Internet to Intranet
\item allo imaps and smtp from intranet to mailserver
\item allow smtp from Internet to mailserver
\item allow http(s) from Internet to webserver
\item deny everything else
\end{itemize}
\end{labeling}
*}


definition
intranet::"adr\<^sub>i\<^sub>p net" where
"intranet = {{(a,b) . (a > 1 \<and> a < 4) }}"
definition
dmz :: "adr\<^sub>i\<^sub>p net" where
"dmz = {{(a,b). (a > 6) \<and> (a < 11)}}"
definition
mail :: "adr\<^sub>i\<^sub>p net" where
"mail = {{(a,b). a = 7}}"
definition
web :: "adr\<^sub>i\<^sub>p net" where
"web = {{(a,b). a = 8 }}"
definition
internet :: "adr\<^sub>i\<^sub>p net" where
"internet = {{(a,b). \<not> ( (a > 1 \<and> a < 4) \<or> (a > 6) \<and> (a < 11)) }}"


definition
Intranet_mail_port :: "(adr\<^sub>i\<^sub>p,'b) FWPolicy" where
"Intranet_mail_port = (allow_from_to_ports {21::port,14} intranet mail)"

definition
Intranet_Internet_port :: "(adr\<^sub>i\<^sub>p,'b) FWPolicy" where
"Intranet_Internet_port = allow_from_to_ports {80::port,90} intranet internet"
definition
Internet_web_port :: "(adr\<^sub>i\<^sub>p,'b) FWPolicy" where
"Internet_web_port = (allow_from_to_ports {80::port,90} internet web)"
definition
Internet_mail_port :: "(adr\<^sub>i\<^sub>p,'b) FWPolicy" where
"Internet_mail_port = (allow_all_from_port_to internet (21::port) dmz )"



definition
policyPort :: "(adr\<^sub>i\<^sub>p, DummyContent) FWPolicy" where
"policyPort = deny_all ++
Intranet_Internet_port ++
Intranet_mail_port ++
Internet_mail_port ++
Internet_web_port"


text {* We only want to create test cases which are sent between the three main networks ---
e.g. not between the mailserver and the dmz. Therefore, the constraint looks as follows. *}

definition
not_in_same_net :: "(adr\<^sub>i\<^sub>p,DummyContent) packet \<Rightarrow> bool" where
"not_in_same_net x = ((src x \<sqsubset> internet \<longrightarrow> \<not> dest x \<sqsubset> internet) \<and>
(src x \<sqsubset> intranet \<longrightarrow> \<not> dest x \<sqsubset> intranet) \<and>
(src x \<sqsubset> dmz \<longrightarrow> \<not> dest x \<sqsubset> dmz))"

lemmas PolicyLemmas = policyPort_def dmz_def internet_def intranet_def mail_def web_def
Intranet_Internet_port_def Intranet_mail_port_def Internet_web_port_def
Internet_mail_port_def src_def dest_def IntegerPort.src_port
in_subnet_def IntegerPort.dest_port

end
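Review bot: `Intranet_mail_port`, `Intranet_Internet_port` and `Internet_web_port` are built with `allow_from_to_ports` here but with `allow_from_ports_to` in DMZDatatype.thy for the same three rules; if the two combinators differ in whether the port set is matched against the source or the destination port, as their names suggest, the two variants of this scenario encode different policies and test cases derived from one will not carry over to the other. The combinator definitions are not visible in this hunk, so this should be confirmed against PacketFilter/PortCombinators.thy; if the difference is intended, a one-line `text` remark naming it would save the next reader the same check.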

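--- a/Examples/Examples.thy
+++ b/Examples/Examples.thy
@@ -0,0 +1,50 @@
+(*****************************************************************************
+* Copyright (c) 2005-2010 ETH Zurich, Switzerland
+* 2008-2015 Achim D. Brucker, Germany
+* 2009-2016 Université Paris-Sud, France
+* 2015-2016 The University of Sheffield, UK
+*
+* All rights reserved.
+*
+* Redistribution and use in source and binary forms, with or without
+* modification, are permitted provided that the following conditions are
+* met:
+*
+* * Redistributions of source code must retain the above copyright
+* notice, this list of conditions and the following disclaimer.
+*
+* * Redistributions in binary form must reproduce the above
+* copyright notice, this list of conditions and the following
+* disclaimer in the documentation and/or other materials provided
+* with the distribution.
+*
+* * Neither the name of the copyright holders nor the names of its
+* contributors may be used to endorse or promote products derived
+* from this software without specific prior written permission.
+*
+* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+* A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+* OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+* LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+*****************************************************************************)
+
+chapter {* Examples *}
+theory
+Examples
+imports
+"DMZ/DMZ"
+"VoIP/VoIP"
+"Transformation/Transformation"
+"NAT-FW/NAT-FW"
+"PersonalFirewall/PersonalFirewall"
+begin
+
+end
+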

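--- a/Examples/NAT-FW/NAT-FW.thy
+++ b/Examples/NAT-FW/NAT-FW.thy
@@ -0,0 +1,292 @@
+(*****************************************************************************
+* Copyright (c) 2005-2010 ETH Zurich, Switzerland
+* 2008-2015 Achim D. Brucker, Germany
+* 2009-2016 Université Paris-Sud, France
+* 2015-2016 The University of Sheffield, UK
+*
+* All rights reserved.
+*
+* Redistribution and use in source and binary forms, with or without
+* modification, are permitted provided that the following conditions are
+* met:
+*
+* * Redistributions of source code must retain the above copyright
+* notice, this list of conditions and the following disclaimer.
+*
+* * Redistributions in binary form must reproduce the above
+* copyright notice, this list of conditions and the following
+* disclaimer in the documentation and/or other materials provided
+* with the distribution.
+*
+* * Neither the name of the copyright holders nor the names of its
+* contributors may be used to endorse or promote products derived
+* from this software without specific prior written permission.
+*
+* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+* A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+* OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+* LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+*****************************************************************************)
+
+section {* Example: NAT *}
+theory
+"NAT-FW"
+imports
+"../../UPF-Firewall"
+begin
+
+
+definition subnet1 :: "adr\<^sub>i\<^sub>p net" where
+"subnet1 = {{(d,e). d > 1 \<and> d < 256}}"
+
+definition subnet2 :: "adr\<^sub>i\<^sub>p net" where
+"subnet2 = {{(d,e). d > 500 \<and> d < 1256}}"
+
+
+definition
+"accross_subnets x \<equiv>
+((src x \<sqsubset> subnet1 \<and> (dest x \<sqsubset> subnet2)) \<or>
+(src x \<sqsubset> subnet2 \<and> (dest x \<sqsubset> subnet1)))"
+
+definition
+filter :: "(adr\<^sub>i\<^sub>p, DummyContent) FWPolicy" where
+"filter = allow_from_port_to (1::port) subnet1 subnet2 ++
+allow_from_port_to (2::port) subnet1 subnet2 ++
+allow_from_port_to (3::port) subnet1 subnet2 ++ deny_all"
+
+definition
+nat_0 where
+"nat_0 = (A\<^sub>f(\<lambda>x. {x}))"
+
+
+lemmas UnfoldPolicy0 =filter_def nat_0_def
+NATLemmas
+ProtocolPortCombinators.ProtocolCombinators
+adr\<^sub>i\<^sub>pLemmas
+packet_defs accross_subnets_def
+subnet1_def subnet2_def
+
+
+lemmas subnets = subnet1_def subnet2_def
+
+
+
+
+
+definition Adr11 :: "int set"
+where "Adr11 = {d. d > 2 \<and> d < 3}"
+
+definition Adr21 :: "int set" where
+"Adr21 = {d. d > 502 \<and> d < 503}"
+
+
+definition nat_1 where
+"nat_1 = nat_0 ++ (srcPat2pool_IntPort Adr11 Adr21)"
+
+
+definition policy_1 where
+"policy_1 = ((\<lambda> (x,y). x) o_f
+((nat_1 \<Otimes>\<^sub>2 filter) o (\<lambda> x. (x,x))))"
+
+
+lemmas UnfoldPolicy1 = UnfoldPolicy0 nat_1_def Adr11_def Adr21_def policy_1_def
+
+
+
+
+definition Adr12 :: "int set"
+where "Adr12 = {d. d > 4 \<and> d < 6}"
+
+definition Adr22 :: "int set" where
+"Adr22 = {d. d > 504 \<and> d < 506}"
+
+
+definition nat_2 where
+"nat_2 = nat_1 ++ (srcPat2pool_IntPort Adr12 Adr22)"
+
+
+definition policy_2 where
+"policy_2 = ((\<lambda> (x,y). x) o_f
+((nat_2 \<Otimes>\<^sub>2 filter) o (\<lambda> x. (x,x))))"
+
+
+lemmas UnfoldPolicy2 = UnfoldPolicy1 nat_2_def Adr12_def Adr22_def policy_2_def
+
+
+
+
+definition Adr13 :: "int set"
+where "Adr13 = {d. d > 6 \<and> d < 9}"
+
+definition Adr23 :: "int set" where
+"Adr23 = {d. d > 506 \<and> d < 509}"
+
+
+definition nat_3 where
+"nat_3 = nat_2 ++ (srcPat2pool_IntPort Adr13 Adr23)"
+
+
+definition policy_3 where
+"policy_3 = ((\<lambda> (x,y). x) o_f
+((nat_3 \<Otimes>\<^sub>2 filter) o (\<lambda> x. (x,x))))"
+
+
+lemmas UnfoldPolicy3 = UnfoldPolicy2 nat_3_def Adr13_def Adr23_def policy_3_def
+
+
+
+
+definition Adr14 :: "int set"
+where "Adr14 = {d. d > 8 \<and> d < 12}"
+
+definition Adr24 :: "int set" where
+"Adr24 = {d. d > 508 \<and> d < 512}"
+
+
+definition nat_4 where
+"nat_4 = nat_3 ++ (srcPat2pool_IntPort Adr14 Adr24)"
+
+
+definition policy_4 where
+"policy_4 = ((\<lambda> (x,y). x) o_f
+((nat_4 \<Otimes>\<^sub>2 filter) o (\<lambda> x. (x,x))))"
+
+
+lemmas UnfoldPolicy4 = UnfoldPolicy3 nat_4_def Adr14_def Adr24_def policy_4_def
+
+
+
+
+definition Adr15 :: "int set"
+where "Adr15 = {d. d > 10 \<and> d < 15}"
+
+definition Adr25 :: "int set" where
+"Adr25 = {d. d > 510 \<and> d < 515}"
+
+
+definition nat_5 where
+"nat_5 = nat_4 ++ (srcPat2pool_IntPort Adr15 Adr25)"
+
+
+definition policy_5 where
+"policy_5 = ((\<lambda> (x,y). x) o_f
+((nat_5 \<Otimes>\<^sub>2 filter) o (\<lambda> x. (x,x))))"
+
+
+lemmas UnfoldPolicy5 = UnfoldPolicy4 nat_5_def Adr15_def Adr25_def policy_5_def
+
+
+
+
+definition Adr16 :: "int set"
+where "Adr16 = {d. d > 12 \<and> d < 18}"
+
+definition Adr26 :: "int set" where
+"Adr26 = {d. d > 512 \<and> d < 518}"
+
+
+definition nat_6 where
+"nat_6 = nat_5 ++ (srcPat2pool_IntPort Adr16 Adr26)"
+
+
+definition policy_6 where
+"policy_6 = ((\<lambda> (x,y). x) o_f
+((nat_6 \<Otimes>\<^sub>2 filter) o (\<lambda> x. (x,x))))"
+
+
+lemmas UnfoldPolicy6 = UnfoldPolicy5 nat_6_def Adr16_def Adr26_def policy_6_def
+
+
+
+
+definition Adr17 :: "int set"
+where "Adr17 = {d. d > 14 \<and> d < 21}"
+
+definition Adr27 :: "int set" where
+"Adr27 = {d. d > 514 \<and> d < 521}"
+
+
+definition nat_7 where
+"nat_7 = nat_6 ++ (srcPat2pool_IntPort Adr17 Adr27)"
+
+
+definition policy_7 where
+"policy_7 = ((\<lambda> (x,y). x) o_f
+((nat_7 \<Otimes>\<^sub>2 filter) o (\<lambda> x. (x,x))))"
+
+
+lemmas UnfoldPolicy7 = UnfoldPolicy6 nat_7_def Adr17_def Adr27_def policy_7_def
+
+
+
+
+definition Adr18 :: "int set"
+where "Adr18 = {d. d > 16 \<and> d < 24}"
+
+definition Adr28 :: "int set" where
+"Adr28 = {d. d > 516 \<and> d < 524}"
+
+
+definition nat_8 where
+"nat_8 = nat_7 ++ (srcPat2pool_IntPort Adr18 Adr28)"
+
+
+definition policy_8 where
+"policy_8 = ((\<lambda> (x,y). x) o_f
+((nat_8 \<Otimes>\<^sub>2 filter) o (\<lambda> x. (x,x))))"
+
+
+lemmas UnfoldPolicy8 = UnfoldPolicy7 nat_8_def Adr18_def Adr28_def policy_8_def
+
+
+
+
+definition Adr19 :: "int set"
+where "Adr19 = {d. d > 18 \<and> d < 27}"
+
+definition Adr29 :: "int set" where
+"Adr29 = {d. d > 518 \<and> d < 527}"
+
+
+definition nat_9 where
+"nat_9 = nat_8 ++ (srcPat2pool_IntPort Adr19 Adr29)"
+
+
+definition policy_9 where
+"policy_9 = ((\<lambda> (x,y). x) o_f
+((nat_9 \<Otimes>\<^sub>2 filter) o (\<lambda> x. (x,x))))"
+
+
+lemmas UnfoldPolicy9 = UnfoldPolicy8 nat_9_def Adr19_def Adr29_def policy_9_def
+
+
+
+
+definition Adr110 :: "int set"
+where "Adr110 = {d. d > 20 \<and> d < 30}"
+
+definition Adr210 :: "int set" where
+"Adr210 = {d. d > 520 \<and> d < 530}"
+
+
+definition nat_10 where
+"nat_10 = nat_9 ++ (srcPat2pool_IntPort Adr110 Adr210)"
+
+
+definition policy_10 where
+"policy_10 = ((\<lambda> (x,y). x) o_f
+((nat_10 \<Otimes>\<^sub>2 filter) o (\<lambda> x. (x,x))))"
+
+
+lemmas UnfoldPolicy10 = UnfoldPolicy9 nat_10_def Adr110_def Adr210_def policy_10_def
+
+
+
+end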
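Review bot: `Adr11` is `{d. d > 2 \<and> d < 3}` and `Adr21` is `{d. d > 502 \<and> d < 503}`; over `int` both sets are empty, so the first NAT rule `srcPat2pool_IntPort Adr11 Adr21` in `nat_1` presumably matches no packet and `policy_1` behaves like `nat_0` composed with `filter`, while every later step adds a non-empty range. If the pools are meant to grow by one address per step, the bounds should probably be `{d. d > 2 \<and> d < 4}` and `{d. d > 502 \<and> d < 504}`; otherwise a comment explaining why the first pool is deliberately empty would help. The ten `Adr1k`/`Adr2k`/`nat_k`/`policy_k` groups look like generated copies that differ only in their bounds; a `text` remark naming the generator, or the recurrence the bounds follow, would make the file maintainable by hand. The constant `filter` also shadows HOL's list `filter`, which is legal but easy to misread in the `policy_k` definitions.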

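--- a/Examples/PersonalFirewall/PersonalFirewall.thy
+++ b/Examples/PersonalFirewall/PersonalFirewall.thy
@@ -0,0 +1,45 @@
+(*****************************************************************************
+* Copyright (c) 2005-2010 ETH Zurich, Switzerland
+* 2008-2015 Achim D. Brucker, Germany
+* 2009-2016 Université Paris-Sud, France
+* 2015-2016 The University of Sheffield, UK
+*
+* All rights reserved.
+*
+* Redistribution and use in source and binary forms, with or without
+* modification, are permitted provided that the following conditions are
+* met:
+*
+* * Redistributions of source code must retain the above copyright
+* notice, this list of conditions and the following disclaimer.
+*
+* * Redistributions in binary form must reproduce the above
+* copyright notice, this list of conditions and the following
+* disclaimer in the documentation and/or other materials provided
+* with the distribution.
+*
+* * Neither the name of the copyright holders nor the names of its
+* contributors may be used to endorse or promote products derived
+* from this software without specific prior written permission.
+*
+* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+* A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+* OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+* LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+*****************************************************************************)
+
+section {* Personal Firewall *}
+theory
+PersonalFirewall
+imports
+PersonalFirewallInt
+PersonalFirewallIpv4
+begin
+end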

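--- a/Examples/PersonalFirewall/PersonalFirewallDatatype.thy
+++ b/Examples/PersonalFirewall/PersonalFirewallDatatype.thy
@@ -0,0 +1,108 @@
+(*****************************************************************************
+* Copyright (c) 2005-2010 ETH Zurich, Switzerland
+* 2008-2015 Achim D. Brucker, Germany
+* 2009-2016 Université Paris-Sud, France
+* 2015-2016 The University of Sheffield, UK
+*
+* All rights reserved.
+*
+* Redistribution and use in source and binary forms, with or without
+* modification, are permitted provided that the following conditions are
+* met:
+*
+* * Redistributions of source code must retain the above copyright
+* notice, this list of conditions and the following disclaimer.
+*
+* * Redistributions in binary form must reproduce the above
+* copyright notice, this list of conditions and the following
+* disclaimer in the documentation and/or other materials provided
+* with the distribution.
+*
+* * Neither the name of the copyright holders nor the names of its
+* contributors may be used to endorse or promote products derived
+* from this software without specific prior written permission.
+*
+* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+* A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+* OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+* LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+*****************************************************************************)
+
+subsection {* Personal Firewall: Datatype *}
+theory
+PersonalFirewallDatatype
+imports
+FWTesting
+begin
+
+text{* The most basic firewall scenario; there is a personal PC on one
+side and the Internet on the other. There are two policies: the first
+one allows all traffic from the PC to the Internet and denies all
+coming into the PC. The second policy only allows specific ports from
+the PC. This scenario comes in three variants: the first one specifies
+the allowed protocols directly, the second together with their
+respective port numbers, the third one only with the port numbers. *}
+
+datatype Adr = pc | internet
+
+type_synonym DatatypeTwoNets = "Adr \<times> int"
+
+instance Adr::adr ..
+
+defs (overloaded)
+src_port_def: "src_port (x::(DatatypeTwoNets,'b) packet) \<equiv> snd (src x)"
+dest_port_def: "dest_port (x::(DatatypeTwoNets,'b) packet) \<equiv> snd (dest x)"
+
+definition
+PC :: "DatatypeTwoNets net" where
+"PC = {{(a,b). a = pc}}"
+
+definition
+Internet :: "DatatypeTwoNets net" where
+"Internet = {{(a,b). a = internet}}"
+
+
+text{*
+Definition of the testing constraint
+*}
+
+definition
+not_in_same_net :: "(DatatypeTwoNets,DummyContent) packet \<Rightarrow> bool" where
+"not_in_same_net x = ((src x \<sqsubset> PC \<longrightarrow> dest x \<sqsubset> Internet) \<and> (src x \<sqsubset> Internet \<longrightarrow> dest x \<sqsubset> PC))"
+
+text {*
+Definitions of the policies
+
+In fact, the short definitions wouldn't have to be written down - they
+are the automatically simplified versions of their big counterparts.
+
+*}
+
+definition
+strictPolicy :: "(DatatypeTwoNets,DummyContent) FWPolicy" where
+"strictPolicy = deny_all ++ allow_all_from_to PC Internet"
+
+definition
+PortPolicy :: "(DatatypeTwoNets,'b) FWPolicy" where
+"PortPolicy = deny_all ++ allow_from_ports_to {80::port,24,21} PC Internet"
+
+definition
+PortPolicyBig :: "(DatatypeTwoNets,'b) FWPolicy" where
+"PortPolicyBig =
+allow_from_port_to (80::port) PC Internet \<Oplus>
+allow_from_port_to (24::port) PC Internet \<Oplus>
+allow_from_port_to (21::port) PC Internet \<Oplus>
+deny_all"
+
+
+lemmas policyLemmas = strictPolicy_def PortPolicy_def PC_def Internet_def PortPolicyBig_def src_def dest_def src_port_def dest_port_def
+PolicyCombinators PortCombinators in_subnet_def
+
+end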
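Review bot: The theory imports `FWTesting`, but no theory of that name is among the 49 files this commit adds, and neither Examples/PersonalFirewall/PersonalFirewall.thy nor Examples/Examples.thy imports PersonalFirewallDatatype, so the file is never loaded by the session and any error in it goes unnoticed. Every other example theory imports `"../../UPF-Firewall"`; the import line should presumably be changed to that and the theory added to the imports of PersonalFirewall.thy, or the file left out until FWTesting exists. `defs (overloaded)` is the older way of stating the overloaded `src_port`/`dest_port` equations; if the tooling reports it as legacy, an `overloading` block is the supported replacement. The port list `{80::port,24,21}` in `PortPolicy` and `PortPolicyBig` contains 24, which is not a well-known service port; if smtp (25) or ssh (22) was intended the constant is off by one, and if it is a deliberate test value a short comment should say so, since the `text` above promises the "respective port numbers" of the allowed protocols.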

+ 113
- 0
Examples/PersonalFirewall/PersonalFirewallInt.thy

@@ -0,0 +1,113 @@
(*****************************************************************************
* Copyright (c) 2005-2010 ETH Zurich, Switzerland
* 2008-2015 Achim D. Brucker, Germany
* 2009-2016 Université Paris-Sud, France
* 2015-2016 The University of Sheffield, UK
*
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions are
* met:
*
* * Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
*
* * Redistributions in binary form must reproduce the above
* copyright notice, this list of conditions and the following
* disclaimer in the documentation and/or other materials provided
* with the distribution.
*
* * Neither the name of the copyright holders nor the names of its
* contributors may be used to endorse or promote products derived
* from this software without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
* A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
* OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
* LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*****************************************************************************)

subsection{* Personal Firewall: Integer *}
theory
PersonalFirewallInt
imports
"../../UPF-Firewall"
begin

text{*
The most basic firewall scenario; there is a personal PC on one side and the Internet on the other.
There are two policies: the first one allows all traffic from the PC to the Internet and denies
all coming into the PC. The second policy only allows specific ports from the PC. This scenario
comes in three variants: the first one specifies the allowed protocols directly, the second together
with their respective port numbers, the third one only with the port numbers.
*}



text{*
Definitions of the subnets
*}

definition
PC :: "(adr\<^sub>i\<^sub>p net)" where
"PC = {{(a,b). a = 3}}"

definition
Internet :: "adr\<^sub>i\<^sub>p net" where
"Internet = {{(a,b). \<not> (a = 3)}}"



text{*
Definition of the testing constraint
*}



definition
not_in_same_net :: "(adr\<^sub>i\<^sub>p,DummyContent) packet \<Rightarrow> bool" where
"not_in_same_net x = ((src x \<sqsubset> PC \<longrightarrow> dest x \<sqsubset> Internet) \<and> (src x \<sqsubset> Internet \<longrightarrow> dest x \<sqsubset> PC))"

text {*
Definitions of the policies
*}



definition
strictPolicy :: "(adr\<^sub>i\<^sub>p,DummyContent) FWPolicy" where
"strictPolicy = deny_all ++ allow_all_from_to PC Internet"

definition
PortPolicy :: "(adr\<^sub>i\<^sub>p,DummyContent) FWPolicy" where
"PortPolicy = deny_all ++ allow_from_ports_to {http,smtp,ftp} PC Internet"

definition
PortPolicyBig :: "(adr\<^sub>i\<^sub>p,DummyContent) FWPolicy" where
"PortPolicyBig = deny_all ++
allow_from_port_to http PC Internet ++
allow_from_port_to smtp PC Internet ++
allow_from_port_to ftp PC Internet"


lemmas policyLemmas = strictPolicy_def PortPolicy_def PC_def
Internet_def PortPolicyBig_def src_def dest_def
adr\<^sub>i\<^sub>pLemmas content_def
PortCombinators in_subnet_def PortPolicyBig_def id_def


declare Ports [simp add]

definition wellformed_packet::"(adr\<^sub>i\<^sub>p,DummyContent) packet \<Rightarrow> bool" where
"wellformed_packet p = (content p = data)"


end
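Review bot: `policyLemmas` names `PortPolicyBig_def` twice (on the `Internet_def` line and again on the last line); the repeat is harmless to the simplifier but reads as a leftover, and the same pattern recurs in `policyLemmas` of PersonalFirewallIpv4.thy (`PortPolicyBig_def` twice), in `normalizeUnfold` of Transformation01.thy (`bothNets_def` twice) and of Transformation02.thy (`bothNets_def` and `aux2` twice). Ending the list here with `PortCombinators in_subnet_def id_def` keeps the same fact set. `PortPolicyBig` is built as `deny_all ++ allow…`, whereas the Datatype variant of this example writes the allows first and `deny_all` last under `\<Oplus>`; a one-line comment on which operand wins, e.g. `(* right operand of ++ takes precedence: the allows override deny_all *)`, would save a reader from deriving it from `strictPolicy`. `declare Ports [simp add]` unfolds the port constants in every theory importing this one; if that is only needed locally, a short comment saying why it is global would help.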

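--- a/Examples/PersonalFirewall/PersonalFirewallIpv4.thy
+++ b/Examples/PersonalFirewall/PersonalFirewallIpv4.thy
@@ -0,0 +1,103 @@
+(*****************************************************************************
+* Copyright (c) 2005-2010 ETH Zurich, Switzerland
+* 2008-2015 Achim D. Brucker, Germany
+* 2009-2016 Université Paris-Sud, France
+* 2015-2016 The University of Sheffield, UK
+*
+* All rights reserved.
+*
+* Redistribution and use in source and binary forms, with or without
+* modification, are permitted provided that the following conditions are
+* met:
+*
+* * Redistributions of source code must retain the above copyright
+* notice, this list of conditions and the following disclaimer.
+*
+* * Redistributions in binary form must reproduce the above
+* copyright notice, this list of conditions and the following
+* disclaimer in the documentation and/or other materials provided
+* with the distribution.
+*
+* * Neither the name of the copyright holders nor the names of its
+* contributors may be used to endorse or promote products derived
+* from this software without specific prior written permission.
+*
+* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+* A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+* OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+* LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+*****************************************************************************)
+
+subsection {* Personal Firewall IPv4 *}
+theory
+PersonalFirewallIpv4
+imports
+"../../UPF-Firewall"
+begin
+
+
+text{*
+
+The most basic firewall scenario; there is a personal PC on one side and the Internet on the other.
+There are two policies: the first one allows all traffic from the PC to the Internet and denies
+all coming into the PC. The second policy only allows specific ports from the PC. This scenario
+comes in three variants: the first one specifies the allowed protocols directly, the second together
+with their respective port numbers, the third one only with the port numbers.
+
+*}
+
+
+text{*
+Definitions of the subnets
+*}
+
+definition
+PC :: "(ipv4 net)" where
+"PC = {{((a,b,c,d),e). a = 1 \<and> b = 3 \<and> c = 5 \<and> d = 2}}"
+
+definition
+Internet :: "ipv4 net" where
+"Internet = {{((a,b,c,d),e). \<not> (a = 1 \<and> b = 3 \<and> c = 5 \<and> d = 2)}}"
+
+
+text{*
+Definition of the testing constraint
+*}
+
+definition
+not_in_same_net :: "(ipv4,DummyContent) packet \<Rightarrow> bool" where
+"not_in_same_net x = ((src x \<sqsubset> PC \<longrightarrow> dest x \<sqsubset> Internet) \<and> (src x \<sqsubset> Internet \<longrightarrow> dest x \<sqsubset> PC))"
+
+text {*
+Definitions of the policies
+*}
+
+definition
+strictPolicy :: "(ipv4,DummyContent) FWPolicy" where
+"strictPolicy = deny_all ++ allow_all_from_to PC Internet"
+
+definition
+PortPolicy :: "(ipv4,DummyContent) FWPolicy" where
+"PortPolicy = deny_all ++ allow_from_ports_to {80::port,24,21} PC Internet"
+
+definition
+PortPolicyBig :: "(ipv4,DummyContent) FWPolicy" where
+"PortPolicyBig = deny_all ++ allow_from_port_to (80::port) PC Internet++ allow_from_port_to (24::port) PC Internet++ allow_from_port_to (21::port) PC Internet"
+
+
+lemmas policyLemmas = strictPolicy_def PortPolicy_def PC_def
+Internet_def PortPolicyBig_def src_def dest_def
+IPv4.src_port
+IPv4.dest_port PolicyCombinators
+PortCombinators in_subnet_def PortPolicyBig_def
+
+
+
+end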
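Review bot: `PortPolicy` and `PortPolicyBig` admit ports `80`, `24` and `21` as bare integers while the Integer variant of the same example names the set `{http,smtp,ftp}`; since the well-known SMTP port is 25, `24` looks like a typo for 25 (the Datatype variant carries the same `{80::port,24,21}`) and, if it is deliberate, needs a comment. Either reuse the named port constants as PersonalFirewallInt.thy does, or annotate the rule once the values are confirmed, e.g. `(* 80 = http, 25 = smtp, 21 = ftp *)`. Style: `PortPolicyBig` is a single long line with `Internet++` unspaced; the one-rule-per-line layout of the Int variant diffs and reads better.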

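--- a/Examples/Transformation/Transformation.thy
+++ b/Examples/Transformation/Transformation.thy
@@ -0,0 +1,44 @@
+(*****************************************************************************
+* Copyright (c) 2005-2010 ETH Zurich, Switzerland
+* 2008-2015 Achim D. Brucker, Germany
+* 2009-2016 Université Paris-Sud, France
+* 2015-2016 The University of Sheffield, UK
+*
+* All rights reserved.
+*
+* Redistribution and use in source and binary forms, with or without
+* modification, are permitted provided that the following conditions are
+* met:
+*
+* * Redistributions of source code must retain the above copyright
+* notice, this list of conditions and the following disclaimer.
+*
+* * Redistributions in binary form must reproduce the above
+* copyright notice, this list of conditions and the following
+* disclaimer in the documentation and/or other materials provided
+* with the distribution.
+*
+* * Neither the name of the copyright holders nor the names of its
+* contributors may be used to endorse or promote products derived
+* from this software without specific prior written permission.
+*
+* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+* A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+* OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+* LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+*****************************************************************************)
+
+section {* Demonstrating Policy Transformations *}
+theory Transformation
+imports
+Transformation01
+Transformation02
+begin
+end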

+ 268
- 0
Examples/Transformation/Transformation01.thy View File

@@ -0,0 +1,268 @@
(*****************************************************************************
* Copyright (c) 2005-2010 ETH Zurich, Switzerland
* 2008-2015 Achim D. Brucker, Germany
* 2009-2016 Université Paris-Sud, France
* 2015-2016 The University of Sheffield, UK
*
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions are
* met:
*
* * Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
*
* * Redistributions in binary form must reproduce the above
* copyright notice, this list of conditions and the following
* disclaimer in the documentation and/or other materials provided
* with the distribution.
*
* * Neither the name of the copyright holders nor the names of its
* contributors may be used to endorse or promote products derived
* from this software without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
* A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
* OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
* LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*****************************************************************************)

subsection {* Transformation Example 1 *}
theory
Transformation01
imports
"../../UPF-Firewall"
begin

definition
FWLink :: "adr\<^sub>i\<^sub>p net" where
"FWLink = {{(a,b). a = 1}}"

definition
any :: "adr\<^sub>i\<^sub>p net" where
"any = {{(a,b). a > 5}}"

definition
i4:: "adr\<^sub>i\<^sub>p net" where
"i4 = {{(a,b). a = 2 }}"

definition
i27:: "adr\<^sub>i\<^sub>p net" where
"i27 = {{(a,b). a = 3 }}"
definition
eth_intern:: "adr\<^sub>i\<^sub>p net" where
"eth_intern = {{(a,b). a = 4 }}"
definition
eth_private:: "adr\<^sub>i\<^sub>p net" where
"eth_private = {{(a,b). a = 5 }}"


definition
(* Mandatory: Global *)

MG2 :: "(adr\<^sub>i\<^sub>p net,port) Combinators" where
"MG2 = AllowPortFromTo i27 any 1 \<oplus>
AllowPortFromTo i27 any 2 \<oplus>
AllowPortFromTo i27 any 3"

definition
MG3 :: "(adr\<^sub>i\<^sub>p net,port) Combinators" where
"MG3 = AllowPortFromTo any FWLink 1"

definition
MG4 :: "(adr\<^sub>i\<^sub>p net,port) Combinators" where
"MG4 = AllowPortFromTo FWLink FWLink 4"
definition
MG7 :: "(adr\<^sub>i\<^sub>p net,port) Combinators" where
"MG7 = AllowPortFromTo FWLink i4 6 \<oplus>
AllowPortFromTo FWLink i4 7"

definition
MG8 :: "(adr\<^sub>i\<^sub>p net,port) Combinators" where
"MG8 = AllowPortFromTo FWLink i4 6 \<oplus>
AllowPortFromTo FWLink i4 7"

(* Default Global *)

definition
DG3:: "(adr\<^sub>i\<^sub>p net,port) Combinators" where
"DG3 = AllowPortFromTo any any 7"


definition
"Policy = DenyAll \<oplus> MG8 \<oplus> MG7 \<oplus> MG4 \<oplus> MG3 \<oplus> MG2 \<oplus> DG3"

lemmas PolicyLemmas = Policy_def
FWLink_def
any_def
i27_def
i4_def
eth_intern_def
eth_private_def
MG2_def MG3_def MG4_def MG7_def MG8_def
DG3_def

lemmas PolicyL = MG2_def MG3_def MG4_def MG7_def MG8_def
DG3_def Policy_def

definition
not_in_same_net :: "(adr\<^sub>i\<^sub>p,DummyContent) packet \<Rightarrow> bool" where
"not_in_same_net x = (((src x \<sqsubset> i27) \<longrightarrow> ( \<not> (dest x \<sqsubset> i27))) \<and>
((src x \<sqsubset> i4) \<longrightarrow> ( \<not> (dest x \<sqsubset> i4))) \<and>
((src x \<sqsubset> eth_intern) \<longrightarrow> ( \<not> (dest x \<sqsubset> eth_intern))) \<and>
((src x \<sqsubset> eth_private) \<longrightarrow> ( \<not> (dest x \<sqsubset> eth_private))))"
consts fixID :: id
consts fixContent :: DummyContent

definition "fixElements p = (id p = fixID \<and> content p = fixContent)"

lemmas fixDefs = fixElements_def NetworkCore.id_def NetworkCore.content_def



lemma sets_distinct1: "(n::int) \<noteq> m \<Longrightarrow> {(a,b). a = n} \<noteq> {(a,b). a = m}"
apply auto
done

lemma sets_distinct2: "(m::int) \<noteq> n \<Longrightarrow> {(a,b). a = n} \<noteq> {(a,b). a = m}"
apply auto
done



lemma sets_distinct3: "{((a::int),(b::int)). a = n} \<noteq> {(a,b). a > n}"
apply auto
done


lemma sets_distinct4: "{((a::int),(b::int)). a > n} \<noteq> {(a,b). a = n}"
apply auto
done


lemma aux: "\<lbrakk>a \<in> c; a \<notin> d; c = d\<rbrakk> \<Longrightarrow> False"
apply auto
done


lemma sets_distinct5: "(s::int) < g \<Longrightarrow> {(a::int, b::int). a = s} \<noteq> {(a::int, b::int). g < a}"
apply (auto simp: sets_distinct3)
apply (subgoal_tac "(s,4) \<in> {(a::int,b::int). a = (s)}")
apply (subgoal_tac "(s,4) \<notin> {(a::int,b::int). g < a}")
apply (erule aux)
apply assumption+
apply simp
by blast


lemma sets_distinct6: "(s::int) < g \<Longrightarrow> {(a::int, b::int). g < a} \<noteq> {(a::int, b::int). a = s}"
apply (rule not_sym)
apply (rule sets_distinct5)
by simp


lemma distinctNets: "FWLink \<noteq> any \<and> FWLink \<noteq> i4 \<and> FWLink \<noteq> i27 \<and> FWLink \<noteq> eth_intern \<and> FWLink \<noteq> eth_private \<and>
any \<noteq> FWLink \<and> any \<noteq> i4 \<and> any \<noteq> i27 \<and> any \<noteq> eth_intern \<and> any \<noteq> eth_private \<and> i4 \<noteq> FWLink \<and>
i4 \<noteq> any \<and> i4 \<noteq> i27 \<and> i4 \<noteq> eth_intern \<and> i4 \<noteq> eth_private \<and> i27 \<noteq> FWLink \<and> i27 \<noteq> any \<and>
i27 \<noteq> i4 \<and> i27 \<noteq> eth_intern \<and> i27 \<noteq> eth_private \<and> eth_intern \<noteq> FWLink \<and> eth_intern \<noteq> any \<and>
eth_intern \<noteq> i4 \<and> eth_intern \<noteq> i27 \<and> eth_intern \<noteq> eth_private \<and> eth_private \<noteq> FWLink \<and>
eth_private \<noteq> any \<and> eth_private \<noteq> i4 \<and> eth_private \<noteq> i27 \<and> eth_private \<noteq> eth_intern"
apply (simp add: PolicyLemmas sets_distinct1 sets_distinct2 sets_distinct3 sets_distinct4 sets_distinct5 sets_distinct6)
done



lemma aux5: "\<lbrakk>x \<noteq> a; y\<noteq>b; (x \<noteq> y \<and> x \<noteq> b) \<or> (a \<noteq> b \<and> a \<noteq> y)\<rbrakk> \<Longrightarrow> {x,a} \<noteq> {y,b}"
apply auto
done


lemma aux2: "{a,b} = {b,a}"
apply auto
done

(*
lemma noMT: "\<forall> x \<in> set (policy2list Policy). dom (C x) \<noteq> {}"
apply (simp add: PolicyLemmas)
apply (simp add: PLemmas PolicyLemmas)
by arith
*)


lemma ANDex: "allNetsDistinct (policy2list Policy)"
apply (simp add: PolicyL allNetsDistinct_def distinctNets)
apply (auto simp: PLemmas PolicyLemmas netsDistinct_def sets_distinct5 sets_distinct6)
done

(*
lemma count_the_rules: "(int (length(policy2list (list2FWpolicy(normalize Policy)))) = post) \<and>
(int(length (policy2list Policy)) = pre) \<and>
(int (length((normalize Policy))) = Partitions)"
apply (insert distinctNets noMT)
apply (simp add: normalize_def PolicyL bothNets_def aux5 aux2 Nets_List_def, thin_tac "?X",thin_tac "?S")
oops



lemma normedPolicy: "normalize Policy = X"
apply (insert distinctNets noMT)
apply (simp add: normalize_def PolicyL bothNets_def aux5 aux2 Nets_List_def, thin_tac "?X",thin_tac "?S")
oops
*)

fun (sequential) numberOfRules where
"numberOfRules (a\<oplus>b) = numberOfRules a + numberOfRules b"
|"numberOfRules a = (1::int)"




fun numberOfRulesList where
"numberOfRulesList (x#xs) = ((numberOfRules x)#(numberOfRulesList xs)) "
|"numberOfRulesList [] = []"

(*
lemma "numberOfRulesList (normalize Policy) = X"
apply (insert distinctNets noMT)
apply (simp add: normalize_def PolicyL bothNets_def aux5 aux2 Nets_List_def, thin_tac "?X",thin_tac "?S")
oops
*)

lemma all_in_list: "all_in_list (policy2list Policy) (Nets_List Policy)"
apply (simp add: PolicyL)
apply (unfold Nets_List_def)
apply (unfold bothNets_def)
apply (insert distinctNets)
apply simp
done

lemmas normalizeUnfold = normalize_def Policy_def Nets_List_def bothNets_def aux aux2 bothNets_def

(*
lemma noMT2: "\<forall> x \<in> set (policy2list Policy). dom (C x) \<noteq> {}"
apply (simp add: PLemmas normalize_def bothNets_def
PolicyLemmas aux5 aux2 Nets_List_def )
by (metis zless_add1_eq)
*)


end
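Review bot: `any` is defined as `{{(a,b). a > 5}}`, i.e. the addresses above the five named nets rather than the universal set its name suggests, and nothing in the theory says so; a reader of `MG3` or `DG3` will take `AllowPortFromTo any FWLink 1` as "from anywhere". The shape looks deliberate — `sets_distinct3` to `sets_distinct6` are precisely about `a = n` versus `g < a`, and `distinctNets`/`ANDex` rely on them — so a comment on the definition such as `(* "any": every address outside the named nets (a > 5); kept disjoint from them so that distinctNets/allNetsDistinct are provable *)` would record the intent. `MG7` and `MG8` are textually identical rule sets and both appear in `Policy`; if the duplicate is there to exercise redundancy elimination during normalisation, say so next to `MG8`, otherwise one of them can go. The `oops`-terminated proof scripts kept in comments (`noMT`, `count_the_rules`, `normedPolicy`, the unnamed lemma after `numberOfRulesList`, `noMT2`) would be clearer as a single `text{* ... *}` note on what is left open than as dead script.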

+ 219
- 0
Examples/Transformation/Transformation02.thy View File

@@ -0,0 +1,219 @@
(*****************************************************************************
* Copyright (c) 2005-2010 ETH Zurich, Switzerland
* 2008-2015 Achim D. Brucker, Germany
* 2009-2016 Université Paris-Sud, France
* 2015-2016 The University of Sheffield, UK
*
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions are
* met:
*
* * Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
*
* * Redistributions in binary form must reproduce the above
* copyright notice, this list of conditions and the following
* disclaimer in the documentation and/or other materials provided
* with the distribution.
*
* * Neither the name of the copyright holders nor the names of its
* contributors may be used to endorse or promote products derived
* from this software without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
* A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
* OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
* LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*****************************************************************************)

subsection {* Transforamtion Example 2 *}
theory
Transformation02
imports
"../../UPF-Firewall"
begin

definition
FWLink :: "adr\<^sub>i\<^sub>p net" where
"FWLink = {{(a,b). a = 1}}"

definition
any :: "adr\<^sub>i\<^sub>p net" where
"any = {{(a,b). a > 5}}"

definition
i4_32:: "adr\<^sub>i\<^sub>p net" where
"i4_32 = {{(a,b). a = 2 }}"

definition
i10_32:: "adr\<^sub>i\<^sub>p net" where
"i10_32 = {{(a,b). a = 3 }}"
definition
eth_intern:: "adr\<^sub>i\<^sub>p net" where
"eth_intern = {{(a,b). a = 4 }}"
definition
eth_private:: "adr\<^sub>i\<^sub>p net" where
"eth_private = {{(a,b). a = 5 }}"



definition
D1a :: "(adr\<^sub>i\<^sub>p net, port) Combinators" where
"D1a = AllowPortFromTo eth_intern any 1 \<oplus>
AllowPortFromTo eth_intern any 2"


definition
D1b :: "(adr\<^sub>i\<^sub>p net, port) Combinators" where
"D1b = AllowPortFromTo eth_private any 1 \<oplus>
AllowPortFromTo eth_private any 2"

definition
D2a :: "(adr\<^sub>i\<^sub>p net, port) Combinators" where
"D2a = AllowPortFromTo any i4_32 21"


definition
D2b :: "(adr\<^sub>i\<^sub>p net, port) Combinators" where
"D2b = AllowPortFromTo any i10_32 21 \<oplus>
AllowPortFromTo any i10_32 43"



definition
Policy :: "(adr\<^sub>i\<^sub>p net, port) Combinators" where
"Policy = DenyAll \<oplus> D2b \<oplus> D2a \<oplus> D1b \<oplus> D1a"

lemmas PolicyLemmas = Policy_def D1a_def D1b_def D2a_def D2b_def

lemmas PolicyL = Policy_def
FWLink_def
any_def
i10_32_def
i4_32_def
eth_intern_def
eth_private_def
D1a_def D1b_def D2a_def D2b_def
consts fixID :: id
consts fixContent :: DummyContent

definition "fixElements p = (id p = fixID \<and> content p = fixContent)"

lemmas fixDefs = fixElements_def NetworkCore.id_def NetworkCore.content_def



lemma sets_distinct1: "(n::int) \<noteq> m \<Longrightarrow> {(a,b). a = n} \<noteq> {(a,b). a = m}"
apply auto
done

lemma sets_distinct2: "(m::int) \<noteq> n \<Longrightarrow> {(a,b). a = n} \<noteq> {(a,b). a = m}"
apply auto
done



lemma sets_distinct3: "{((a::int),(b::int)). a = n} \<noteq> {(a,b). a > n}"
apply auto
done


lemma sets_distinct4: "{((a::int),(b::int)). a > n} \<noteq> {(a,b). a = n}"
apply auto
done


lemma aux: "\<lbrakk>a \<in> c; a \<notin> d; c = d\<rbrakk> \<Longrightarrow> False"
apply auto
done


lemma sets_distinct5: "(s::int) < g \<Longrightarrow> {(a::int, b::int). a = s} \<noteq> {(a::int, b::int). g < a}"
apply (auto simp: sets_distinct3)
apply (subgoal_tac "(s,4) \<in> {(a::int,b::int). a = (s)}")
apply (subgoal_tac "(s,4) \<notin> {(a::int,b::int). g < a}")
apply (erule aux)
apply assumption+
apply simp
by blast

lemma sets_distinct6: "(s::int) < g \<Longrightarrow> {(a::int, b::int). g < a} \<noteq> {(a::int, b::int). a = s}"
apply (rule not_sym)
apply (rule sets_distinct5)
by simp


lemma distinctNets: "FWLink \<noteq> any \<and> FWLink \<noteq> i4_32 \<and> FWLink \<noteq> i10_32 \<and>
FWLink \<noteq> eth_intern \<and> FWLink \<noteq> eth_private \<and> any \<noteq> FWLink \<and> any \<noteq>
i4_32 \<and> any \<noteq> i10_32 \<and> any \<noteq> eth_intern \<and> any \<noteq> eth_private \<and> i4_32 \<noteq>
FWLink \<and> i4_32 \<noteq> any \<and> i4_32 \<noteq> i10_32 \<and> i4_32 \<noteq> eth_intern \<and> i4_32 \<noteq>
eth_private \<and> i10_32 \<noteq> FWLink \<and> i10_32 \<noteq> any \<and> i10_32 \<noteq> i4_32 \<and> i10_32
\<noteq> eth_intern \<and> i10_32 \<noteq> eth_private \<and> eth_intern \<noteq> FWLink \<and> eth_intern
\<noteq> any \<and> eth_intern \<noteq> i4_32 \<and> eth_intern \<noteq> i10_32 \<and> eth_intern \<noteq>
eth_private \<and> eth_private \<noteq> FWLink \<and> eth_private \<noteq> any \<and> eth_private \<noteq>
i4_32 \<and> eth_private \<noteq> i10_32 \<and> eth_private \<noteq> eth_intern "
apply (simp add: PolicyL sets_distinct1 sets_distinct2 sets_distinct3
sets_distinct4 sets_distinct5 sets_distinct6)
done



lemma aux5: "\<lbrakk>x \<noteq> a; y\<noteq>b; (x \<noteq> y \<and> x \<noteq> b) \<or> (a \<noteq> b \<and> a \<noteq> y)\<rbrakk> \<Longrightarrow> {x,a} \<noteq> {y,b}"
apply auto
done


lemma aux2: "{a,b} = {b,a}"
apply auto
done




lemma ANDex: "allNetsDistinct (policy2list Policy)"
apply (simp add: PolicyLemmas allNetsDistinct_def distinctNets)
apply (simp add: PolicyL)
apply (auto simp: PLemmas PolicyL netsDistinct_def sets_distinct5 sets_distinct6 sets_distinct1 sets_distinct2)
done

fun (sequential) numberOfRules where
"numberOfRules (a\<oplus>b) = numberOfRules a + numberOfRules b"
|"numberOfRules a = (1::int)"




fun numberOfRulesList where
"numberOfRulesList (x#xs) = ((numberOfRules x)#(numberOfRulesList xs)) "
|"numberOfRulesList [] = []"



lemma all_in_list: "all_in_list (policy2list Policy) (Nets_List Policy)"
apply (simp add: PolicyLemmas)
apply (unfold Nets_List_def)
apply (unfold bothNets_def)
apply (insert distinctNets)
apply simp
done


lemmas normalizeUnfold = normalize_def PolicyL Nets_List_def bothNets_def aux aux2 bothNets_def sets_distinct1 sets_distinct2 sets_distinct3 sets_distinct4 sets_distinct5 sets_distinct6 aux5 aux2


end
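Review bot: The section title `subsection {* Transforamtion Example 2 *}` misspells "Transformation" and the typo lands in the generated document; `subsection {* Transformation Example 2 *}`. `normalizeUnfold` lists `bothNets_def` and `aux2` twice, harmless but worth trimming. Compared with Transformation01.thy the roles of the two fact collections are reversed (here `PolicyLemmas` holds only `Policy_def` and the rule definitions while `PolicyL` adds the net definitions; there it is the other way round), which makes the two examples harder to read side by side; aligning the names, or a one-line comment on the intended split, would help.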



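--- a/Examples/VoIP/VoIP.thy
+++ b/Examples/VoIP/VoIP.thy
@@ -0,0 +1,136 @@
+(*****************************************************************************
+* Copyright (c) 2005-2010 ETH Zurich, Switzerland
+* 2008-2015 Achim D. Brucker, Germany
+* 2009-2016 Université Paris-Sud, France
+* 2015-2016 The University of Sheffield, UK
+*
+* All rights reserved.
+*
+* Redistribution and use in source and binary forms, with or without
+* modification, are permitted provided that the following conditions are
+* met:
+*
+* * Redistributions of source code must retain the above copyright
+* notice, this list of conditions and the following disclaimer.
+*
+* * Redistributions in binary form must reproduce the above
+* copyright notice, this list of conditions and the following
+* disclaimer in the documentation and/or other materials provided
+* with the distribution.
+*
+* * Neither the name of the copyright holders nor the names of its
+* contributors may be used to endorse or promote products derived
+* from this software without specific prior written permission.
+*
+* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+* A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+* OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+* LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+*****************************************************************************)
+
+section {* Voice over IP *}
+theory VoIP
+imports
+"../../UPF-Firewall"
+begin
+
+
+text{* In this theory we generate the test data for correct runs of
+the FTP protocol. As usual, we start with definining the networks and
+the policy. We use a rather simple policy which allows only FTP
+connections starting from the Intranet and going to the Internet, and
+deny everything else. *}
+
+definition
+intranet :: "adr\<^sub>i\<^sub>p net" where
+"intranet = {{(a,e) . a = 3}}"
+
+definition
+internet :: "adr\<^sub>i\<^sub>p net" where
+"internet = {{(a,c). a > 4}}"
+
+definition
+gatekeeper :: "adr\<^sub>i\<^sub>p net" where
+"gatekeeper = {{(a,c). a =4}}"
+
+
+definition
+voip_policy :: "(adr\<^sub>i\<^sub>p,address voip_msg) FWPolicy" where
+"voip_policy = A\<^sub>U"
+
+
+text{* The next two constants check if an address is in the Intranet
+or in the Internet respectively.*}
+
+definition
+is_in_intranet :: "address \<Rightarrow> bool" where
+"is_in_intranet a = (a = 3)"
+
+definition
+is_gatekeeper :: "address \<Rightarrow> bool" where
+"is_gatekeeper a = (a = 4)"
+
+definition
+is_in_internet :: "address \<Rightarrow> bool" where
+"is_in_internet a = (a > 4)"
+
+
+text{*
+The next definition is our starting state: an empty trace and the just defined policy.*}
+
+definition
+"\<sigma>_0_voip" :: "(adr\<^sub>i\<^sub>p, address voip_msg) history \<times>
+(adr\<^sub>i\<^sub>p, address voip_msg) FWPolicy"
+where
+"\<sigma>_0_voip = ([],voip_policy)"
+
+text{*Next we state the conditions we have on our trace: a normal
+behaviour FTP run from the intranet to some server in the internet on
+port 21.*}
+
+definition "accept_voip" :: "(adr\<^sub>i\<^sub>p, address voip_msg) history \<Rightarrow> bool" where
+"accept_voip t =
+(\<exists> c s g i p1 p2. t \<in> NB_voip c s g i p1 p2 \<and> is_in_intranet c \<and> is_in_internet s
+\<and> is_gatekeeper g)"
+
+
+
+fun packet_with_id where
+"packet_with_id [] i = []"
+|"packet_with_id (x#xs) i =
+(if id x = i then (x#(packet_with_id xs i)) else (packet_with_id xs i))"
+
+
+text{*The depth of the test case generation corresponds to the maximal
+length of generated traces. 4 is the minimum to get a full FTP
+protocol run. *}
+
+
+
+
+
+fun ids1 where
+"ids1 i (x#xs) = (id x = i \<and> ids1 i xs)"
+|"ids1 i [] = True"
+
+lemmas ST_simps = Let_def valid_SE_def unit_SE_def bind_SE_def
+subnet_of_int_def p_accept_def content_def
+is_in_intranet_def is_in_internet_def intranet_def internet_def exI
+subnetOf_lemma subnetOf_lemma2 subnetOf_lemma3 subnetOf_lemma4 voip_policy_def
+NetworkCore.id_def is_arq_def is_fin_def
+is_connect_def is_setup_def ports_open_def subnet_of_adr_def
+VOIP.NB_voip_def \<sigma>_0_voip_def PLemmas VOIP_TRPolicy_def
+policy2MON_def applyPolicy_def
+
+
+
+
+
+end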
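Review bot: The introductory `text{* ... *}` and the two later ones describe an FTP scenario ("correct runs of the FTP protocol", "allows only FTP connections ... and deny everything else", "FTP run ... on port 21", "4 is the minimum to get a full FTP protocol run"), but the theory defines `voip_policy = A\<^sub>U`, a `gatekeeper` net and `accept_voip` over `NB_voip`, so the prose appears copied from an FTP example and misdescribes both the protocol and the policy (if `A\<^sub>U` is the allow-all policy its name suggests, nothing is denied). The three text blocks should say that the theory fixes the intranet, gatekeeper and internet nets and an allow-all policy, and that `accept_voip` accepts traces that are normal-behaviour VoIP runs between an intranet caller, an internet callee and the gatekeeper; the remark on test depth should state the VoIP run's minimum length or be dropped. `packet_with_id` and `ids1` carry no comment; one line each, e.g. `(* the packets of the trace that carry id i *)` and `(* every packet in the list carries id i *)`, would help.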

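--- a/FWNormalisation/ElementaryRules.thy
+++ b/FWNormalisation/ElementaryRules.thy
@@ -0,0 +1,76 @@
+(*****************************************************************************
+* Copyright (c) 2005-2010 ETH Zurich, Switzerland
+* 2008-2015 Achim D. Brucker, Germany
+* 2009-2016 Université Paris-Sud, France
+* 2015-2016 The University of Sheffield, UK
+*
+* All rights reserved.
+*
+* Redistribution and use in source and binary forms, with or without
+* modification, are permitted provided that the following conditions are
+* met:
+*
+* * Redistributions of source code must retain the above copyright
+* notice, this list of conditions and the following disclaimer.
+*
+* * Redistributions in binary form must reproduce the above
+* copyright notice, this list of conditions and the following
+* disclaimer in the documentation and/or other materials provided
+* with the distribution.
+*
+* * Neither the name of the copyright holders nor the names of its
+* contributors may be used to endorse or promote products derived
+* from this software without specific prior written permission.
+*
+* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+* A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+* OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+* LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+*****************************************************************************)
+
+subsection {* Elementary Firewall Policy Transformation Rules *}
+theory ElementaryRules
+imports FWNormalisationCore
+begin
+
+
+text{*
+This theory contains those elementary transformation rules which are presented in the ICST
+2010 paper~\cite{brucker.ea:firewall:2010}. They are not used elsewhere.
+*}
+
+lemma elem1:
+"C (AllowPortFromTo x y p \<oplus> DenyAllFromTo x y) = C (DenyAllFromTo x y)"
+by (rule ext, auto simp: PLemmas)
+
+
+lemma elem2:
+"C ((a \<oplus> b) \<oplus> c) = C (a \<oplus> (b \<oplus> c))"
+by (simp add: C.simps)
+
+lemma elem3:
+"C (AllowPortFromTo x y a \<oplus> AllowPortFromTo x y b) =
+C (AllowPortFromTo x y b \<oplus> AllowPortFromTo x y a)"
+by (rule ext, auto simp: PLemmas)
+
+lemma elem4:
+"C (a \<oplus> DenyAll) = C DenyAll"
+by (rule ext, auto simp: PLemmas)
+
+lemma elem5:
+"C (DenyAllFromTo x y \<oplus> DenyAllFromTo u v) = C (DenyAllFromTo u v \<oplus> DenyAllFromTo x y)"
+by (rule ext, auto simp: PLemmas)
+
+
+lemma elem6:
+"dom (C a) \<inter> dom (C b) = {} \<Longrightarrow> C (a \<oplus> b) = C (b \<oplus> a)"
+by (rule ext, metis C.simps(4) map_add_comm)
+
+end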
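Review bot: The `text{* ... *}` header should state the precedence `C` gives to `\<oplus>`, because the rules are only readable with it: `elem1` (`C (AllowPortFromTo x y p \<oplus> DenyAllFromTo x y) = C (DenyAllFromTo x y)`) and `elem4` (`C (a \<oplus> DenyAll) = C DenyAll`) can only hold if the right-hand operand takes precedence, i.e. the later rule wins, which is the opposite of the first-match reading most firewall rule sets use. A sentence such as `C interprets a \<oplus> b with b overriding a, so the last matching rule decides` in the text block would prevent misreading; the exact clause of `C` lives in FWNormalisationCore, outside this file, and should be checked before wording it. `elem6` is proved by `C.simps(4)`; a numbered equation of a `fun` is brittle against reordering of `C`'s clauses, and naming the clause or passing `C.simps` unnumbered would be safer.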

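--- a/FWNormalisation/FWNormalisation.thy
+++ b/FWNormalisation/FWNormalisation.thy
@@ -0,0 +1,42 @@
+(*****************************************************************************
+* Copyright (c) 2005-2010 ETH Zurich, Switzerland
+* 2008-2015 Achim D. Brucker, Germany
+* 2009-2016 Université Paris-Sud, France
+* 2015-2016 The University of Sheffield, UK
+*
+* All rights reserved.
+*
+* Redistribution and use in source and binary forms, with or without
+* modification, are permitted provided that the following conditions are
+* met:
+*
+* * Redistributions of source code must retain the above copyright
+* notice, this list of conditions and the following disclaimer.
+*
+* * Redistributions in binary form must reproduce the above
+* copyright notice, this list of conditions and the following
+* disclaimer in the documentation and/or other materials provided
+* with the distribution.
+* * Neither the name of the copyright holders nor the names of its
+* contributors may be used to endorse or promote products derived
+* from this software without specific prior written permission.
+*
+* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+* A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+* OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+* LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+*****************************************************************************)
+
+chapter {* Firewall Policy Normalisation *}
+theory FWNormalisation
+imports NormalisationIPPProofs
+begin
+
+end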
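Review bot: The root theory FWNormalisation imports only NormalisationIPPProofs, so the sibling theory ElementaryRules (whose own header text states that lemmas elem1–elem6 "are not used elsewhere") is not reachable from it, and as far as this page shows the same may hold for NormalisationIntegerPortProof; unless the session ROOT lists those theories explicitly, a session build will never re-check them. If FWNormalisation is meant to be the single entry point of the development, widen the import line to `imports NormalisationIPPProofs NormalisationIntegerPortProof ElementaryRules`, or otherwise leave a `text{* ... *}` block here stating which theories are deliberately kept outside this root and why. Since the chapter body is otherwise empty, that one-sentence note would also tell readers that this theory only collects the normalisation development rather than defining anything itself.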

+ 654
- 0
FWNormalisation/FWNormalisationCore.thy

@@ -0,0 +1,654 @@
(*****************************************************************************
* Copyright (c) 2005-2010 ETH Zurich, Switzerland
* 2008-2015 Achim D. Brucker, Germany
* 2009-2016 Université Paris-Sud, France
* 2015-2016 The University of Sheffield, UK
*
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions are
* met:
*
* * Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
*
* * Redistributions in binary form must reproduce the above
* copyright notice, this list of conditions and the following
* disclaimer in the documentation and/or other materials provided
* with the distribution.
*
* * Neither the name of the copyright holders nor the names of its
* contributors may be used to endorse or promote products derived
* from this software without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
* A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
* OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
* LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*****************************************************************************)

subsection {* Policy Normalisation: Core Definitions *}
theory
FWNormalisationCore
imports
"../PacketFilter/PacketFilter"
begin

text{*
This theory contains all the definitions used for policy normalisation as described
in~\cite{brucker.ea:icst:2010,brucker.ea:formal-fw-testing:2014}.

The normalisation procedure transforms policies into semantically equivalent ones which are
``easier'' to test. It is organized into nine phases. We impose the following two restrictions
on the input policies:
\begin{itemize}
\item Each policy must contain a $\mathtt{DenyAll}$ rule. If this restriction were to be lifted,
the $\mathtt{insertDenies}$ phase would have to be adjusted accordingly.
\item For each pair of networks $n_1$ and $n_2$, the networks are either disjoint or equal. If
this restriction were to be lifted, we would need some additional phases before the start
of the normalisation procedure presented below. This rule would split single rules into
several by splitting up the networks such that they are all pairwise disjoint or equal.
Such a transformation is clearly semantics-preserving and the condition would hold after
these phases.
\end{itemize}
As a result, the procedure generates a list of policies, in which:
\begin{itemize}
\item each element of the list contains a policy which completely specifies the blocking behavior
between two networks, and
\item there are no shadowed rules.
\end{itemize}
This result is desirable since the test case generation for rules between networks $A$ and $B$
is independent of the rules that specify the behavior for traffic flowing between networks $C$
and $D$. Thus, the different segments of the policy can be processed individually. The
normalization procedure does not aim to minimize the number of rules. While it does remove
unnecessary ones, it also adds new ones, enabling a policy to be split into several independent
parts.
*}

text{*
Policy transformations are functions that map policies to policies. We decided to represent
policy transformations as \emph{syntactic rules}; this choice paves the way for expressing the
entire normalisation process inside HOL by functions manipulating abstract policy syntax.
*}


subsubsection{* Basics *}
text{* We define a very simple policy language: *}

datatype ('\<alpha>,'\<beta>) Combinators =
DenyAll
| DenyAllFromTo '\<alpha> '\<alpha>
| AllowPortFromTo '\<alpha> '\<alpha> '\<beta>
| Conc "(('\<alpha>,'\<beta>) Combinators)" "(('\<alpha>,'\<beta>) Combinators)" (infixr "\<oplus>" 80)

text{*
And define the semantic interpretation of it. For technical reasons, we fix here the type to
policies over IntegerPort addresses. However, we could easily provide definitions for other
address types as well, using a generic consts for the type definition and a primitive recursive
definition for each desired address model. *}

subsubsection{* Auxiliary definitions and functions. *}
text{*
This subsubsection defines several functions which are useful later for the combinators, invariants,
and proofs.
*}
fun srcNet where
"srcNet (DenyAllFromTo x y) = x"
|"srcNet (AllowPortFromTo x y p) = x"
|"srcNet DenyAll = undefined"
|"srcNet (v \<oplus> va) = undefined"

fun destNet where
"destNet (DenyAllFromTo x y) = y"
|"destNet (AllowPortFromTo x y p) = y"
|"destNet DenyAll = undefined"
|"destNet (v \<oplus> va) = undefined"

fun srcnets where
"srcnets DenyAll = [] "
|"srcnets (DenyAllFromTo x y) = [x] "
|"srcnets (AllowPortFromTo x y p) = [x] "
|"(srcnets (x \<oplus> y)) = (srcnets x)@(srcnets y)"

fun destnets where
"destnets DenyAll = [] "
|"destnets (DenyAllFromTo x y) = [y] "
|"destnets (AllowPortFromTo x y p) = [y] "
|"(destnets (x \<oplus> y)) = (destnets x)@(destnets y)"

fun (sequential) net_list_aux where
"net_list_aux [] = []"
|"net_list_aux (DenyAll#xs) = net_list_aux xs"
|"net_list_aux ((DenyAllFromTo x y)#xs) = x#y#(net_list_aux xs)"
|"net_list_aux ((AllowPortFromTo x y p)#xs) = x#y#(net_list_aux xs)"
|"net_list_aux ((x\<oplus>y)#xs) = (net_list_aux [x])@(net_list_aux [y])@(net_list_aux xs)"

fun net_list where "net_list p = remdups (net_list_aux p)"

definition bothNets where "bothNets x = (zip (srcnets x) (destnets x))"

fun (sequential) normBothNets where
"normBothNets ((a,b)#xs) = (if ((b,a) \<in> set xs) \<or> (a,b) \<in> set (xs)
then (normBothNets xs)
else (a,b)#(normBothNets xs))"
|"normBothNets x = x"

fun makeSets where
"makeSets ((a,b)#xs) = ({a,b}#(makeSets xs))"
|"makeSets [] = []"

fun bothNet where
"bothNet DenyAll = {}"
|"bothNet (DenyAllFromTo a b) = {a,b}"
|"bothNet (AllowPortFromTo a b p) = {a,b}"
|"bothNet (v \<oplus> va) = undefined "

text{*
$Nets\_List$ provides from a list of rules a list where the entries are the appearing sets of
source and destination network of each rule.
*}

definition Nets_List
where
"Nets_List x = makeSets (normBothNets (bothNets x))"

fun (sequential) first_srcNet where
"first_srcNet (x\<oplus>y) = first_srcNet x"
| "first_srcNet x = srcNet x"

fun (sequential) first_destNet where
"first_destNet (x\<oplus>y) = first_destNet x"
| "first_destNet x = destNet x"

fun (sequential) first_bothNet where
"first_bothNet (x\<oplus>y) = first_bothNet x"
|"first_bothNet x = bothNet x"

fun (sequential) in_list where
"in_list DenyAll l = True"
|"in_list x l = (bothNet x \<in> set l)"

fun all_in_list where
"all_in_list [] l = True"
|"all_in_list (x#xs) l = (in_list x l \<and> all_in_list xs l)"

fun (sequential) member where
"member a (x\<oplus>xs) = ((member a x) \<or> (member a xs))"
|"member a x = (a = x)"

fun sdnets where
"sdnets DenyAll = {}"
| "sdnets (DenyAllFromTo a b) = {(a,b)}"
| "sdnets (AllowPortFromTo a b c) = {(a,b)}"
| "sdnets (a \<oplus> b) = sdnets a \<union> sdnets b"

definition packet_Nets where "packet_Nets x a b = ((src x \<sqsubset> a \<and> dest x \<sqsubset> b) \<or>
(src x \<sqsubset> b \<and> dest x \<sqsubset> a))"

definition subnetsOfAdr where "subnetsOfAdr a = {x. a \<sqsubset> x}"

definition fst_set where "fst_set s = {a. \<exists> b. (a,b) \<in> s}"

definition snd_set where "snd_set s = {a. \<exists> b. (b,a) \<in> s}"

fun memberP where
"memberP r (x#xs) = (member r x \<or> memberP r xs)"
|"memberP r [] = False"

fun firstList where
"firstList (x#xs) = (first_bothNet x)"
|"firstList [] = {}"

subsubsection{* Invariants *}

text{* If there is a DenyAll, it is at the first position *}
fun wellformed_policy1:: "(('\<alpha>, '\<beta>) Combinators) list \<Rightarrow> bool" where
"wellformed_policy1 [] = True"
| "wellformed_policy1 (x#xs) = (DenyAll \<notin> (set xs))"

text{* There is a DenyAll at the first position *}
fun wellformed_policy1_strong:: "(('\<alpha>, '\<beta>) Combinators) list \<Rightarrow> bool"
where
"wellformed_policy1_strong [] = False"
| "wellformed_policy1_strong (x#xs) = (x=DenyAll \<and> (DenyAll \<notin> (set xs)))"


text{* All two networks are either disjoint or equal. *}
definition netsDistinct where "netsDistinct a b = (\<not> (\<exists> x. x \<sqsubset> a \<and> x \<sqsubset> b))"

definition twoNetsDistinct where
"twoNetsDistinct a b c d = (netsDistinct a c \<or> netsDistinct b d)"

definition allNetsDistinct where
"allNetsDistinct p = (\<forall> a b. (a \<noteq> b \<and> a \<in> set (net_list p) \<and>
b \<in> set (net_list p)) \<longrightarrow> netsDistinct a b)"

definition disjSD_2 where
"disjSD_2 x y = (\<forall> a b c d. ((a,b)\<in>sdnets x \<and> (c,d) \<in>sdnets y \<longrightarrow>
(twoNetsDistinct a b c d \<and> twoNetsDistinct a b d c)))"

text{* The policy is given as a list of single rules. *}
fun singleCombinators where
"singleCombinators [] = True"
|"singleCombinators ((x\<oplus>y)#xs) = False"
|"singleCombinators (x#xs) = singleCombinators xs"

definition onlyTwoNets where
"onlyTwoNets x = ((\<exists> a b. (sdnets x = {(a,b)})) \<or> (\<exists> a b. sdnet