Initial commit.

This commit is contained in:
Achim D. Brucker 2016-12-23 10:06:07 +00:00
commit 671debf879
49 changed files with 12267 additions and 0 deletions

75
Examples/DMZ/DMZ.thy Normal file

@ -0,0 +1,75 @@
(*****************************************************************************
* Copyright (c) 2005-2010 ETH Zurich, Switzerland
* 2008-2015 Achim D. Brucker, Germany
* 2009-2016 Université Paris-Sud, France
* 2015-2016 The University of Sheffield, UK
*
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions are
* met:
*
* * Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
*
* * Redistributions in binary form must reproduce the above
* copyright notice, this list of conditions and the following
* disclaimer in the documentation and/or other materials provided
* with the distribution.
*
* * Neither the name of the copyright holders nor the names of its
* contributors may be used to endorse or promote products derived
* from this software without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
* A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
* OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
* LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*****************************************************************************)
section {* A Simple DMZ Setup *}
theory
DMZ
imports
DMZDatatype
DMZInteger
begin
text{* This scenario is slightly more complicated than the SimpleDMZ
one, as we now also model specific servers within one
network. Therefore, we cannot use anymore the modelling using
datatype synonym, but only use the one where an address is modelled as an
integer (with ports).
The scenario is the following:
\begin{labeling}{Networks:}
\item[Networks:]
\begin{itemize}
\item Intranet (Company intern network)
\item DMZ (demilitarised zone, servers, etc), containing
at least two distinct servers ``mail'' and ``web''
\item Internet (``all others'')
\end{itemize}
\item[Policy:]
\begin{itemize}
\item allow http(s) from Intranet to Internet
\item deny all trafic from Internet to Intranet
\item allo imaps and smtp from intranet to mailserver
\item allow smtp from Internet to mailserver
\item allow http(s) from Internet to webserver
\item deny everything else
\end{itemize}
\end{labeling}
*}
end
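Review bot: The policy description in the `text` block carries typos that will be rendered into the generated document: `deny all trafic from Internet to Intranet` should read `deny all traffic from Internet to Intranet`, and `allo imaps and smtp from intranet to mailserver` should read `allow imaps and smtp from intranet to mailserver`. The same paragraph is repeated verbatim in DMZInteger.thy, so the fix has to be applied twice, or the text kept in one theory and the other reduced to a cross-reference. The prose names concrete protocols (imaps, smtp, http(s)) while the imported models appear to encode them as small numeric port constants; one sentence stating that those numbers are placeholders rather than IANA port numbers would keep readers from taking the model as a faithful encoding of the stated rules.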


@ -0,0 +1,120 @@
(*****************************************************************************
* Copyright (c) 2005-2010 ETH Zurich, Switzerland
* 2008-2015 Achim D. Brucker, Germany
* 2009-2016 Université Paris-Sud, France
* 2015-2016 The University of Sheffield, UK
*
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions are
* met:
*
* * Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
*
* * Redistributions in binary form must reproduce the above
* copyright notice, this list of conditions and the following
* disclaimer in the documentation and/or other materials provided
* with the distribution.
*
* * Neither the name of the copyright holders nor the names of its
* contributors may be used to endorse or promote products derived
* from this software without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
* A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
* OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
* LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*****************************************************************************)
subsection {* DMZ Datatype *}
theory
DMZDatatype
imports
"../../UPF-Firewall"
begin
text{* This is the fourth scenario, slightly more complicated than the
previous one, as we now also model specific servers within one
network. Therefore, we could not use anymore the modelling using
datatype synonym, but only use the one where an address is modelled as an
integer (with ports).
Just for comparison, this theory is the same scenario with datatype synonym
anyway, but with four distinct networks instead of one contained in
another. As there is no corresponding network model included, we need
to define a custom one. *}
datatype Adr = Intranet | Internet | Mail | Web | DMZ
instance Adr::adr ..
type_synonym port = int
type_synonym Networks = "Adr \<times> port"
definition
intranet::"Networks net" where
"intranet = {{(a,b). a= Intranet}}"
definition
dmz :: "Networks net" where
"dmz = {{(a,b). a= DMZ}}"
definition
mail :: "Networks net" where
"mail = {{(a,b). a=Mail}}"
definition
web :: "Networks net" where
"web = {{(a,b). a=Web}}"
definition
internet :: "Networks net" where
"internet = {{(a,b). a= Internet}}"
definition
Intranet_mail_port :: "(Networks ,DummyContent) FWPolicy" where
"Intranet_mail_port = (allow_from_ports_to {21::port,14} intranet mail)"
definition
Intranet_Internet_port :: "(Networks,DummyContent) FWPolicy" where
"Intranet_Internet_port = allow_from_ports_to {80::port,90} intranet internet"
definition
Internet_web_port :: "(Networks,DummyContent) FWPolicy" where
"Internet_web_port = (allow_from_ports_to {80::port,90} internet web)"
definition
Internet_mail_port :: "(Networks,DummyContent) FWPolicy" where
"Internet_mail_port = (allow_all_from_port_to internet (21::port) dmz)"
definition
policyPort :: "(Networks, DummyContent) FWPolicy" where
"policyPort = deny_all ++
Intranet_Internet_port ++
Intranet_mail_port ++
Internet_mail_port ++
Internet_web_port"
text {* We only want to create test cases which are sent between the
three main networks --- e.g. not between the mailserver and the
dmz. Therefore, the constraint looks as follows. *}
definition
not_in_same_net :: "(Networks,DummyContent) packet \<Rightarrow> bool" where
"not_in_same_net x = ((src x \<sqsubset> internet \<longrightarrow> \<not> dest x \<sqsubset> internet) \<and>
(src x \<sqsubset> intranet \<longrightarrow> \<not> dest x \<sqsubset> intranet) \<and>
(src x \<sqsubset> dmz \<longrightarrow> \<not> dest x \<sqsubset> dmz))"
lemmas PolicyLemmas = dmz_def internet_def intranet_def mail_def web_def
Internet_web_port_def Internet_mail_port_def
Intranet_Internet_port_def Intranet_mail_port_def
src_def dest_def src_port dest_port in_subnet_def
end
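Review bot: `Internet_mail_port` allows traffic from `internet` to `dmz`, but in this datatype model `dmz` is the set of addresses tagged with the `DMZ` constructor, which is disjoint from the `Mail` constructor that `mail` is built from; the rule therefore never matches a packet addressed to the mail server, the documented "allow smtp from Internet to mailserver" is not modelled at all, and packets to the bare `DMZ` address are accepted instead. Pointing the rule at the server network, `"Internet_mail_port = (allow_all_from_port_to internet (21::port) mail)"`, would match the stated intent and the shape of `Internet_web_port` beside it. Separately, this theory builds its rules with `allow_from_ports_to`, whereas DMZInteger encodes the same policy with `allow_from_to_ports`; if, as the names suggest, the former matches the source port and the latter the destination port, the two models accept different packets, and the source-port variant is the weaker one because the sender chooses its source port. The combinator definitions are outside this commit, so this should be confirmed against them.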

133
Examples/DMZ/DMZInteger.thy Normal file

@ -0,0 +1,133 @@
(*****************************************************************************
* Copyright (c) 2005-2010 ETH Zurich, Switzerland
* 2008-2015 Achim D. Brucker, Germany
* 2009-2016 Université Paris-Sud, France
* 2015-2016 The University of Sheffield, UK
*
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions are
* met:
*
* * Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
*
* * Redistributions in binary form must reproduce the above
* copyright notice, this list of conditions and the following
* disclaimer in the documentation and/or other materials provided
* with the distribution.
*
* * Neither the name of the copyright holders nor the names of its
* contributors may be used to endorse or promote products derived
* from this software without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
* A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
* OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
* LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*****************************************************************************)
subsection {* DMZ: Integer *}
theory
DMZInteger
imports
"../../UPF-Firewall"
begin
text{* This scenario is slightly more complicated than the SimpleDMZ
one, as we now also model specific servers within one
network. Therefore, we cannot use anymore the modelling using
datatype synonym, but only use the one where an address is modelled as an
integer (with ports).
The scenario is the following:
\begin{labeling}{Networks:}
\item[Networks:]
\begin{itemize}
\item Intranet (Company intern network)
\item DMZ (demilitarised zone, servers, etc), containing
at least two distinct servers ``mail'' and ``web''
\item Internet (``all others'')
\end{itemize}
\item[Policy:]
\begin{itemize}
\item allow http(s) from Intranet to Internet
\item deny all trafic from Internet to Intranet
\item allo imaps and smtp from intranet to mailserver
\item allow smtp from Internet to mailserver
\item allow http(s) from Internet to webserver
\item deny everything else
\end{itemize}
\end{labeling}
*}
definition
intranet::"adr\<^sub>i\<^sub>p net" where
"intranet = {{(a,b) . (a > 1 \<and> a < 4) }}"
definition
dmz :: "adr\<^sub>i\<^sub>p net" where
"dmz = {{(a,b). (a > 6) \<and> (a < 11)}}"
definition
mail :: "adr\<^sub>i\<^sub>p net" where
"mail = {{(a,b). a = 7}}"
definition
web :: "adr\<^sub>i\<^sub>p net" where
"web = {{(a,b). a = 8 }}"
definition
internet :: "adr\<^sub>i\<^sub>p net" where
"internet = {{(a,b). \<not> ( (a > 1 \<and> a < 4) \<or> (a > 6) \<and> (a < 11)) }}"
definition
Intranet_mail_port :: "(adr\<^sub>i\<^sub>p,'b) FWPolicy" where
"Intranet_mail_port = (allow_from_to_ports {21::port,14} intranet mail)"
definition
Intranet_Internet_port :: "(adr\<^sub>i\<^sub>p,'b) FWPolicy" where
"Intranet_Internet_port = allow_from_to_ports {80::port,90} intranet internet"
definition
Internet_web_port :: "(adr\<^sub>i\<^sub>p,'b) FWPolicy" where
"Internet_web_port = (allow_from_to_ports {80::port,90} internet web)"
definition
Internet_mail_port :: "(adr\<^sub>i\<^sub>p,'b) FWPolicy" where
"Internet_mail_port = (allow_all_from_port_to internet (21::port) dmz )"
definition
policyPort :: "(adr\<^sub>i\<^sub>p, DummyContent) FWPolicy" where
"policyPort = deny_all ++
Intranet_Internet_port ++
Intranet_mail_port ++
Internet_mail_port ++
Internet_web_port"
text {* We only want to create test cases which are sent between the three main networks ---
e.g. not between the mailserver and the dmz. Therefore, the constraint looks as follows. *}
definition
not_in_same_net :: "(adr\<^sub>i\<^sub>p,DummyContent) packet \<Rightarrow> bool" where
"not_in_same_net x = ((src x \<sqsubset> internet \<longrightarrow> \<not> dest x \<sqsubset> internet) \<and>
(src x \<sqsubset> intranet \<longrightarrow> \<not> dest x \<sqsubset> intranet) \<and>
(src x \<sqsubset> dmz \<longrightarrow> \<not> dest x \<sqsubset> dmz))"
lemmas PolicyLemmas = policyPort_def dmz_def internet_def intranet_def mail_def web_def
Intranet_Internet_port_def Intranet_mail_port_def Internet_web_port_def
Internet_mail_port_def src_def dest_def IntegerPort.src_port
in_subnet_def IntegerPort.dest_port
end
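Review bot: `Internet_mail_port` grants `internet` access to the whole `dmz` network, i.e. addresses 7 to 10, while the policy text above promises smtp only to the mail server, which `mail` defines as address 7; the web server (8) and the unassigned addresses 9 and 10 thereby become reachable from the Internet on that port. Restricting the rule to the server, `"Internet_mail_port = (allow_all_from_port_to internet (21::port) mail)"`, matches the documented policy and the form of `Internet_web_port`. The port constants also do not correspond to the protocols named in the text (21 is ftp rather than smtp; 14 and 90 are not imaps or https), so if they are deliberate placeholders a comment saying so would stop readers from treating the model as a faithful encoding of the stated rules. Note too that this rule uses `allow_all_from_port_to` while the other three use `allow_from_to_ports`; if those differ in matching the source versus the destination port, the Internet-to-mail rule is the only one keyed on a sender-chosen value.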

50
Examples/Examples.thy Normal file

@ -0,0 +1,50 @@
(*****************************************************************************
* Copyright (c) 2005-2010 ETH Zurich, Switzerland
* 2008-2015 Achim D. Brucker, Germany
* 2009-2016 Université Paris-Sud, France
* 2015-2016 The University of Sheffield, UK
*
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions are
* met:
*
* * Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
*
* * Redistributions in binary form must reproduce the above
* copyright notice, this list of conditions and the following
* disclaimer in the documentation and/or other materials provided
* with the distribution.
*
* * Neither the name of the copyright holders nor the names of its
* contributors may be used to endorse or promote products derived
* from this software without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
* A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
* OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
* LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*****************************************************************************)
chapter {* Examples *}
theory
Examples
imports
"DMZ/DMZ"
"VoIP/VoIP"
"Transformation/Transformation"
"NAT-FW/NAT-FW"
"PersonalFirewall/PersonalFirewall"
begin
end

292
Examples/NAT-FW/NAT-FW.thy Normal file

@ -0,0 +1,292 @@
(*****************************************************************************
* Copyright (c) 2005-2010 ETH Zurich, Switzerland
* 2008-2015 Achim D. Brucker, Germany
* 2009-2016 Université Paris-Sud, France
* 2015-2016 The University of Sheffield, UK
*
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions are
* met:
*
* * Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
*
* * Redistributions in binary form must reproduce the above
* copyright notice, this list of conditions and the following
* disclaimer in the documentation and/or other materials provided
* with the distribution.
*
* * Neither the name of the copyright holders nor the names of its
* contributors may be used to endorse or promote products derived
* from this software without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
* A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
* OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
* LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*****************************************************************************)
section {* Example: NAT *}
theory
"NAT-FW"
imports
"../../UPF-Firewall"
begin
definition subnet1 :: "adr\<^sub>i\<^sub>p net" where
"subnet1 = {{(d,e). d > 1 \<and> d < 256}}"
definition subnet2 :: "adr\<^sub>i\<^sub>p net" where
"subnet2 = {{(d,e). d > 500 \<and> d < 1256}}"
definition
"accross_subnets x \<equiv>
((src x \<sqsubset> subnet1 \<and> (dest x \<sqsubset> subnet2)) \<or>
(src x \<sqsubset> subnet2 \<and> (dest x \<sqsubset> subnet1)))"
definition
filter :: "(adr\<^sub>i\<^sub>p, DummyContent) FWPolicy" where
"filter = allow_from_port_to (1::port) subnet1 subnet2 ++
allow_from_port_to (2::port) subnet1 subnet2 ++
allow_from_port_to (3::port) subnet1 subnet2 ++ deny_all"
definition
nat_0 where
"nat_0 = (A\<^sub>f(\<lambda>x. {x}))"
lemmas UnfoldPolicy0 =filter_def nat_0_def
NATLemmas
ProtocolPortCombinators.ProtocolCombinators
adr\<^sub>i\<^sub>pLemmas
packet_defs accross_subnets_def
subnet1_def subnet2_def
lemmas subnets = subnet1_def subnet2_def
definition Adr11 :: "int set"
where "Adr11 = {d. d > 2 \<and> d < 3}"
definition Adr21 :: "int set" where
"Adr21 = {d. d > 502 \<and> d < 503}"
definition nat_1 where
"nat_1 = nat_0 ++ (srcPat2pool_IntPort Adr11 Adr21)"
definition policy_1 where
"policy_1 = ((\<lambda> (x,y). x) o_f
((nat_1 \<Otimes>\<^sub>2 filter) o (\<lambda> x. (x,x))))"
lemmas UnfoldPolicy1 = UnfoldPolicy0 nat_1_def Adr11_def Adr21_def policy_1_def
definition Adr12 :: "int set"
where "Adr12 = {d. d > 4 \<and> d < 6}"
definition Adr22 :: "int set" where
"Adr22 = {d. d > 504 \<and> d < 506}"
definition nat_2 where
"nat_2 = nat_1 ++ (srcPat2pool_IntPort Adr12 Adr22)"
definition policy_2 where
"policy_2 = ((\<lambda> (x,y). x) o_f
((nat_2 \<Otimes>\<^sub>2 filter) o (\<lambda> x. (x,x))))"
lemmas UnfoldPolicy2 = UnfoldPolicy1 nat_2_def Adr12_def Adr22_def policy_2_def
definition Adr13 :: "int set"
where "Adr13 = {d. d > 6 \<and> d < 9}"
definition Adr23 :: "int set" where
"Adr23 = {d. d > 506 \<and> d < 509}"
definition nat_3 where
"nat_3 = nat_2 ++ (srcPat2pool_IntPort Adr13 Adr23)"
definition policy_3 where
"policy_3 = ((\<lambda> (x,y). x) o_f
((nat_3 \<Otimes>\<^sub>2 filter) o (\<lambda> x. (x,x))))"
lemmas UnfoldPolicy3 = UnfoldPolicy2 nat_3_def Adr13_def Adr23_def policy_3_def
definition Adr14 :: "int set"
where "Adr14 = {d. d > 8 \<and> d < 12}"
definition Adr24 :: "int set" where
"Adr24 = {d. d > 508 \<and> d < 512}"
definition nat_4 where
"nat_4 = nat_3 ++ (srcPat2pool_IntPort Adr14 Adr24)"
definition policy_4 where
"policy_4 = ((\<lambda> (x,y). x) o_f
((nat_4 \<Otimes>\<^sub>2 filter) o (\<lambda> x. (x,x))))"
lemmas UnfoldPolicy4 = UnfoldPolicy3 nat_4_def Adr14_def Adr24_def policy_4_def
definition Adr15 :: "int set"
where "Adr15 = {d. d > 10 \<and> d < 15}"
definition Adr25 :: "int set" where
"Adr25 = {d. d > 510 \<and> d < 515}"
definition nat_5 where
"nat_5 = nat_4 ++ (srcPat2pool_IntPort Adr15 Adr25)"
definition policy_5 where
"policy_5 = ((\<lambda> (x,y). x) o_f
((nat_5 \<Otimes>\<^sub>2 filter) o (\<lambda> x. (x,x))))"
lemmas UnfoldPolicy5 = UnfoldPolicy4 nat_5_def Adr15_def Adr25_def policy_5_def
definition Adr16 :: "int set"
where "Adr16 = {d. d > 12 \<and> d < 18}"
definition Adr26 :: "int set" where
"Adr26 = {d. d > 512 \<and> d < 518}"
definition nat_6 where
"nat_6 = nat_5 ++ (srcPat2pool_IntPort Adr16 Adr26)"
definition policy_6 where
"policy_6 = ((\<lambda> (x,y). x) o_f
((nat_6 \<Otimes>\<^sub>2 filter) o (\<lambda> x. (x,x))))"
lemmas UnfoldPolicy6 = UnfoldPolicy5 nat_6_def Adr16_def Adr26_def policy_6_def
definition Adr17 :: "int set"
where "Adr17 = {d. d > 14 \<and> d < 21}"
definition Adr27 :: "int set" where
"Adr27 = {d. d > 514 \<and> d < 521}"
definition nat_7 where
"nat_7 = nat_6 ++ (srcPat2pool_IntPort Adr17 Adr27)"
definition policy_7 where
"policy_7 = ((\<lambda> (x,y). x) o_f
((nat_7 \<Otimes>\<^sub>2 filter) o (\<lambda> x. (x,x))))"
lemmas UnfoldPolicy7 = UnfoldPolicy6 nat_7_def Adr17_def Adr27_def policy_7_def
definition Adr18 :: "int set"
where "Adr18 = {d. d > 16 \<and> d < 24}"
definition Adr28 :: "int set" where
"Adr28 = {d. d > 516 \<and> d < 524}"
definition nat_8 where
"nat_8 = nat_7 ++ (srcPat2pool_IntPort Adr18 Adr28)"
definition policy_8 where
"policy_8 = ((\<lambda> (x,y). x) o_f
((nat_8 \<Otimes>\<^sub>2 filter) o (\<lambda> x. (x,x))))"
lemmas UnfoldPolicy8 = UnfoldPolicy7 nat_8_def Adr18_def Adr28_def policy_8_def
definition Adr19 :: "int set"
where "Adr19 = {d. d > 18 \<and> d < 27}"
definition Adr29 :: "int set" where
"Adr29 = {d. d > 518 \<and> d < 527}"
definition nat_9 where
"nat_9 = nat_8 ++ (srcPat2pool_IntPort Adr19 Adr29)"
definition policy_9 where
"policy_9 = ((\<lambda> (x,y). x) o_f
((nat_9 \<Otimes>\<^sub>2 filter) o (\<lambda> x. (x,x))))"
lemmas UnfoldPolicy9 = UnfoldPolicy8 nat_9_def Adr19_def Adr29_def policy_9_def
definition Adr110 :: "int set"
where "Adr110 = {d. d > 20 \<and> d < 30}"
definition Adr210 :: "int set" where
"Adr210 = {d. d > 520 \<and> d < 530}"
definition nat_10 where
"nat_10 = nat_9 ++ (srcPat2pool_IntPort Adr110 Adr210)"
definition policy_10 where
"policy_10 = ((\<lambda> (x,y). x) o_f
((nat_10 \<Otimes>\<^sub>2 filter) o (\<lambda> x. (x,x))))"
lemmas UnfoldPolicy10 = UnfoldPolicy9 nat_10_def Adr110_def Adr210_def policy_10_def
end
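Review bot: `filter` composes its three allow rules with `deny_all` as the right-hand operand of `++`, whereas every other policy in this commit puts `deny_all` on the left (`deny_all ++ allow_…` in DMZInteger and PersonalFirewallInt) or uses `\<Oplus>` with `deny_all` last; if `++` is Isabelle's right-biased map override, as that convention implies, `deny_all` wins for every packet, `filter` collapses to deny-all, and none of the ten `policy_k` variants ever passes an accepted packet through the NAT stage. The intended form is presumably `"filter = deny_all ++ allow_from_port_to (1::port) subnet1 subnet2 ++` followed by the remaining two allow rules. Also, `Adr11 = {d. d > 2 \<and> d < 3}` and `Adr21 = {d. d > 502 \<and> d < 503}` contain no integer, so the translation `nat_1` adds can never fire; the later pools (`Adr12`, `Adr22`, …) are non-empty, which makes this look like an off-by-one in generated bounds rather than intent. The identifier `accross_subnets` is misspelled (`across_subnets`), but renaming it is a cross-theory change.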


@ -0,0 +1,45 @@
(*****************************************************************************
* Copyright (c) 2005-2010 ETH Zurich, Switzerland
* 2008-2015 Achim D. Brucker, Germany
* 2009-2016 Université Paris-Sud, France
* 2015-2016 The University of Sheffield, UK
*
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions are
* met:
*
* * Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
*
* * Redistributions in binary form must reproduce the above
* copyright notice, this list of conditions and the following
* disclaimer in the documentation and/or other materials provided
* with the distribution.
*
* * Neither the name of the copyright holders nor the names of its
* contributors may be used to endorse or promote products derived
* from this software without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
* A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
* OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
* LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*****************************************************************************)
section {* Personal Firewall *}
theory
PersonalFirewall
imports
PersonalFirewallInt
PersonalFirewallIpv4
begin
end


@ -0,0 +1,108 @@
(*****************************************************************************
* Copyright (c) 2005-2010 ETH Zurich, Switzerland
* 2008-2015 Achim D. Brucker, Germany
* 2009-2016 Université Paris-Sud, France
* 2015-2016 The University of Sheffield, UK
*
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions are
* met:
*
* * Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
*
* * Redistributions in binary form must reproduce the above
* copyright notice, this list of conditions and the following
* disclaimer in the documentation and/or other materials provided
* with the distribution.
*
* * Neither the name of the copyright holders nor the names of its
* contributors may be used to endorse or promote products derived
* from this software without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
* A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
* OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
* LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*****************************************************************************)
subsection {* Personal Firewall: Datatype *}
theory
PersonalFirewallDatatype
imports
FWTesting
begin
text{* The most basic firewall scenario; there is a personal PC on one
side and the Internet on the other. There are two policies: the first
one allows all traffic from the PC to the Internet and denies all
coming into the PC. The second policy only allows specific ports from
the PC. This scenario comes in three variants: the first one specifies
the allowed protocols directly, the second together with their
respective port numbers, the third one only with the port numbers. *}
datatype Adr = pc | internet
type_synonym DatatypeTwoNets = "Adr \<times> int"
instance Adr::adr ..
defs (overloaded)
src_port_def: "src_port (x::(DatatypeTwoNets,'b) packet) \<equiv> snd (src x)"
dest_port_def: "dest_port (x::(DatatypeTwoNets,'b) packet) \<equiv> snd (dest x)"
definition
PC :: "DatatypeTwoNets net" where
"PC = {{(a,b). a = pc}}"
definition
Internet :: "DatatypeTwoNets net" where
"Internet = {{(a,b). a = internet}}"
text{*
Definition of the testing constraint
*}
definition
not_in_same_net :: "(DatatypeTwoNets,DummyContent) packet \<Rightarrow> bool" where
"not_in_same_net x = ((src x \<sqsubset> PC \<longrightarrow> dest x \<sqsubset> Internet) \<and> (src x \<sqsubset> Internet \<longrightarrow> dest x \<sqsubset> PC))"
text {*
Definitions of the policies
In fact, the short definitions wouldn't have to be written down - they
are the automatically simplified versions of their big counterparts.
*}
definition
strictPolicy :: "(DatatypeTwoNets,DummyContent) FWPolicy" where
"strictPolicy = deny_all ++ allow_all_from_to PC Internet"
definition
PortPolicy :: "(DatatypeTwoNets,'b) FWPolicy" where
"PortPolicy = deny_all ++ allow_from_ports_to {80::port,24,21} PC Internet"
definition
PortPolicyBig :: "(DatatypeTwoNets,'b) FWPolicy" where
"PortPolicyBig =
allow_from_port_to (80::port) PC Internet \<Oplus>
allow_from_port_to (24::port) PC Internet \<Oplus>
allow_from_port_to (21::port) PC Internet \<Oplus>
deny_all"
lemmas policyLemmas = strictPolicy_def PortPolicy_def PC_def Internet_def PortPolicyBig_def src_def dest_def src_port_def dest_port_def
PolicyCombinators PortCombinators in_subnet_def
end
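Review bot: This theory imports `FWTesting` while every other theory in the commit imports `"../../UPF-Firewall"`, and `PersonalFirewall.thy` imports only `PersonalFirewallInt` and `PersonalFirewallIpv4`; unless `FWTesting` is available in the session the file will not build, and either way it is unreachable from `Examples.thy`, so its `defs (overloaded)` for `src_port`/`dest_port` and its three policies are never checked. Switching to `imports "../../UPF-Firewall"` and adding `PersonalFirewallDatatype` to the `PersonalFirewall` import list would put it under the same build as its siblings; `defs` is also a legacy command in Isabelle2016, so an `overloading` block would be the durable form. Both `PortPolicy` and `PortPolicyBig` key on ports {80, 24, 21} via `allow_from_ports_to`/`allow_from_port_to`; if these match the source port, as the contrast with `allow_from_to_ports` elsewhere in this commit suggests, an outbound PC policy should match the destination port instead, because the sender controls its source port.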


@ -0,0 +1,113 @@
(*****************************************************************************
* Copyright (c) 2005-2010 ETH Zurich, Switzerland
* 2008-2015 Achim D. Brucker, Germany
* 2009-2016 Université Paris-Sud, France
* 2015-2016 The University of Sheffield, UK
*
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions are
* met:
*
* * Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
*
* * Redistributions in binary form must reproduce the above
* copyright notice, this list of conditions and the following
* disclaimer in the documentation and/or other materials provided
* with the distribution.
*
* * Neither the name of the copyright holders nor the names of its
* contributors may be used to endorse or promote products derived
* from this software without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
* A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
* OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
* LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*****************************************************************************)
subsection{* Personal Firewall: Integer *}
theory
PersonalFirewallInt
imports
"../../UPF-Firewall"
begin
text{*
The most basic firewall scenario; there is a personal PC on one side and the Internet on the other.
There are two policies: the first one allows all traffic from the PC to the Internet and denies
all coming into the PC. The second policy only allows specific ports from the PC. This scenario
comes in three variants: the first one specifies the allowed protocols directly, the second together
with their respective port numbers, the third one only with the port numbers.
*}
text{*
Definitions of the subnets
*}
definition
PC :: "(adr\<^sub>i\<^sub>p net)" where
"PC = {{(a,b). a = 3}}"
definition
Internet :: "adr\<^sub>i\<^sub>p net" where
"Internet = {{(a,b). \<not> (a = 3)}}"
text{*
Definition of the testing constraint
*}
definition
not_in_same_net :: "(adr\<^sub>i\<^sub>p,DummyContent) packet \<Rightarrow> bool" where
"not_in_same_net x = ((src x \<sqsubset> PC \<longrightarrow> dest x \<sqsubset> Internet) \<and> (src x \<sqsubset> Internet \<longrightarrow> dest x \<sqsubset> PC))"
text {*
Definitions of the policies
*}
definition
strictPolicy :: "(adr\<^sub>i\<^sub>p,DummyContent) FWPolicy" where
"strictPolicy = deny_all ++ allow_all_from_to PC Internet"
definition
PortPolicy :: "(adr\<^sub>i\<^sub>p,DummyContent) FWPolicy" where
"PortPolicy = deny_all ++ allow_from_ports_to {http,smtp,ftp} PC Internet"
definition
PortPolicyBig :: "(adr\<^sub>i\<^sub>p,DummyContent) FWPolicy" where
"PortPolicyBig = deny_all ++
allow_from_port_to http PC Internet ++
allow_from_port_to smtp PC Internet ++
allow_from_port_to ftp PC Internet"
lemmas policyLemmas = strictPolicy_def PortPolicy_def PC_def
Internet_def PortPolicyBig_def src_def dest_def
adr\<^sub>i\<^sub>pLemmas content_def
PortCombinators in_subnet_def PortPolicyBig_def id_def
declare Ports [simp add]
definition wellformed_packet::"(adr\<^sub>i\<^sub>p,DummyContent) packet \<Rightarrow> bool" where
"wellformed_packet p = (content p = data)"
end
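Review bot: `PortPolicy` and `PortPolicyBig` express the allowed protocols with `allow_from_ports_to`/`allow_from_port_to`, while DMZInteger in this same commit writes the analogous rules with `allow_from_to_ports`; if the former match the packet's source port and the latter its destination port, as the names suggest, this personal firewall only passes packets the PC sends *from* the http/smtp/ftp ports (which a normal client never does) and accepts any destination port as long as the source port is one of those three, a sender-controlled field. If the intent is "the PC may contact http, smtp and ftp services", the rules should read `allow_from_to_ports {http,smtp,ftp} PC Internet` and `allow_from_to_port http PC Internet` (and likewise for smtp and ftp); please confirm against the combinator definitions, which are not part of this commit. Minor: `PortPolicyBig_def` is listed twice in `policyLemmas`, and `declare Ports [simp add]` is a global simp change that leaks into every theory importing this one.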


@ -0,0 +1,103 @@
(*****************************************************************************
* Copyright (c) 2005-2010 ETH Zurich, Switzerland
* 2008-2015 Achim D. Brucker, Germany
* 2009-2016 Université Paris-Sud, France
* 2015-2016 The University of Sheffield, UK
*
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions are
* met:
*
* * Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
*
* * Redistributions in binary form must reproduce the above
* copyright notice, this list of conditions and the following
* disclaimer in the documentation and/or other materials provided
* with the distribution.
*
* * Neither the name of the copyright holders nor the names of its
* contributors may be used to endorse or promote products derived
* from this software without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
* A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
* OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
* LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*****************************************************************************)
subsection {* Personal Firewall IPv4 *}
theory
PersonalFirewallIpv4
imports
"../../UPF-Firewall"
begin
text{*
The most basic firewall scenario; there is a personal PC on one side and the Internet on the other.
There are two policies: the first one allows all traffic from the PC to the Internet and denies
all coming into the PC. The second policy only allows specific ports from the PC. This scenario
comes in three variants: the first one specifies the allowed protocols directly, the second together
with their respective port numbers, the third one only with the port numbers.
*}
text{*
Definitions of the subnets
*}
definition
PC :: "(ipv4 net)" where
"PC = {{((a,b,c,d),e). a = 1 \<and> b = 3 \<and> c = 5 \<and> d = 2}}"
definition
Internet :: "ipv4 net" where
"Internet = {{((a,b,c,d),e). \<not> (a = 1 \<and> b = 3 \<and> c = 5 \<and> d = 2)}}"
text{*
Definition of the testing constraint
*}
definition
not_in_same_net :: "(ipv4,DummyContent) packet \<Rightarrow> bool" where
"not_in_same_net x = ((src x \<sqsubset> PC \<longrightarrow> dest x \<sqsubset> Internet) \<and> (src x \<sqsubset> Internet \<longrightarrow> dest x \<sqsubset> PC))"
text {*
Definitions of the policies
*}
definition
strictPolicy :: "(ipv4,DummyContent) FWPolicy" where
"strictPolicy = deny_all ++ allow_all_from_to PC Internet"
definition
PortPolicy :: "(ipv4,DummyContent) FWPolicy" where
"PortPolicy = deny_all ++ allow_from_ports_to {80::port,24,21} PC Internet"
definition
PortPolicyBig :: "(ipv4,DummyContent) FWPolicy" where
"PortPolicyBig = deny_all ++ allow_from_port_to (80::port) PC Internet++ allow_from_port_to (24::port) PC Internet++ allow_from_port_to (21::port) PC Internet"
lemmas policyLemmas = strictPolicy_def PortPolicy_def PC_def
Internet_def PortPolicyBig_def src_def dest_def
IPv4.src_port
IPv4.dest_port PolicyCombinators
PortCombinators in_subnet_def PortPolicyBig_def
end
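Review bot: The port set in `PortPolicy` (`allow_from_ports_to {80::port,24,21} PC Internet`) and the matching `allow_from_port_to (24::port)` in `PortPolicyBig` admit port 24, whereas the adr_ip variant of this same scenario above uses the symbolic `{http,smtp,ftp}`; SMTP's well-known port is 25, so 24 looks like a typo that makes the generated test data exercise a port nobody uses while real SMTP stays denied under `deny_all`. If 24 is intentional it deserves a comment; otherwise change both occurrences to `25`. `policyLemmas` also lists `PortPolicyBig_def` twice, and the single-line `PortPolicyBig` would read better split one rule per line as its adr_ip sibling does.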


@ -0,0 +1,44 @@
(*****************************************************************************
* Copyright (c) 2005-2010 ETH Zurich, Switzerland
* 2008-2015 Achim D. Brucker, Germany
* 2009-2016 Université Paris-Sud, France
* 2015-2016 The University of Sheffield, UK
*
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions are
* met:
*
* * Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
*
* * Redistributions in binary form must reproduce the above
* copyright notice, this list of conditions and the following
* disclaimer in the documentation and/or other materials provided
* with the distribution.
*
* * Neither the name of the copyright holders nor the names of its
* contributors may be used to endorse or promote products derived
* from this software without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
* A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
* OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
* LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*****************************************************************************)
section {* Demonstrating Policy Transformations *}
theory Transformation
imports
Transformation01
Transformation02
begin
end


@ -0,0 +1,268 @@
(*****************************************************************************
* Copyright (c) 2005-2010 ETH Zurich, Switzerland
* 2008-2015 Achim D. Brucker, Germany
* 2009-2016 Université Paris-Sud, France
* 2015-2016 The University of Sheffield, UK
*
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions are
* met:
*
* * Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
*
* * Redistributions in binary form must reproduce the above
* copyright notice, this list of conditions and the following
* disclaimer in the documentation and/or other materials provided
* with the distribution.
*
* * Neither the name of the copyright holders nor the names of its
* contributors may be used to endorse or promote products derived
* from this software without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
* A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
* OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
* LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*****************************************************************************)
subsection {* Transformation Example 1 *}
theory
Transformation01
imports
"../../UPF-Firewall"
begin
definition
FWLink :: "adr\<^sub>i\<^sub>p net" where
"FWLink = {{(a,b). a = 1}}"
definition
any :: "adr\<^sub>i\<^sub>p net" where
"any = {{(a,b). a > 5}}"
definition
i4:: "adr\<^sub>i\<^sub>p net" where
"i4 = {{(a,b). a = 2 }}"
definition
i27:: "adr\<^sub>i\<^sub>p net" where
"i27 = {{(a,b). a = 3 }}"
definition
eth_intern:: "adr\<^sub>i\<^sub>p net" where
"eth_intern = {{(a,b). a = 4 }}"
definition
eth_private:: "adr\<^sub>i\<^sub>p net" where
"eth_private = {{(a,b). a = 5 }}"
definition
(* Mandatory: Global *)
MG2 :: "(adr\<^sub>i\<^sub>p net,port) Combinators" where
"MG2 = AllowPortFromTo i27 any 1 \<oplus>
AllowPortFromTo i27 any 2 \<oplus>
AllowPortFromTo i27 any 3"
definition
MG3 :: "(adr\<^sub>i\<^sub>p net,port) Combinators" where
"MG3 = AllowPortFromTo any FWLink 1"
definition
MG4 :: "(adr\<^sub>i\<^sub>p net,port) Combinators" where
"MG4 = AllowPortFromTo FWLink FWLink 4"
definition
MG7 :: "(adr\<^sub>i\<^sub>p net,port) Combinators" where
"MG7 = AllowPortFromTo FWLink i4 6 \<oplus>
AllowPortFromTo FWLink i4 7"
definition
MG8 :: "(adr\<^sub>i\<^sub>p net,port) Combinators" where
"MG8 = AllowPortFromTo FWLink i4 6 \<oplus>
AllowPortFromTo FWLink i4 7"
(* Default Global *)
definition
DG3:: "(adr\<^sub>i\<^sub>p net,port) Combinators" where
"DG3 = AllowPortFromTo any any 7"
definition
"Policy = DenyAll \<oplus> MG8 \<oplus> MG7 \<oplus> MG4 \<oplus> MG3 \<oplus> MG2 \<oplus> DG3"
lemmas PolicyLemmas = Policy_def
FWLink_def
any_def
i27_def
i4_def
eth_intern_def
eth_private_def
MG2_def MG3_def MG4_def MG7_def MG8_def
DG3_def
lemmas PolicyL = MG2_def MG3_def MG4_def MG7_def MG8_def
DG3_def Policy_def
definition
not_in_same_net :: "(adr\<^sub>i\<^sub>p,DummyContent) packet \<Rightarrow> bool" where
"not_in_same_net x = (((src x \<sqsubset> i27) \<longrightarrow> ( \<not> (dest x \<sqsubset> i27))) \<and>
((src x \<sqsubset> i4) \<longrightarrow> ( \<not> (dest x \<sqsubset> i4))) \<and>
((src x \<sqsubset> eth_intern) \<longrightarrow> ( \<not> (dest x \<sqsubset> eth_intern))) \<and>
((src x \<sqsubset> eth_private) \<longrightarrow> ( \<not> (dest x \<sqsubset> eth_private))))"
consts fixID :: id
consts fixContent :: DummyContent
definition "fixElements p = (id p = fixID \<and> content p = fixContent)"
lemmas fixDefs = fixElements_def NetworkCore.id_def NetworkCore.content_def
lemma sets_distinct1: "(n::int) \<noteq> m \<Longrightarrow> {(a,b). a = n} \<noteq> {(a,b). a = m}"
apply auto
done
lemma sets_distinct2: "(m::int) \<noteq> n \<Longrightarrow> {(a,b). a = n} \<noteq> {(a,b). a = m}"
apply auto
done
lemma sets_distinct3: "{((a::int),(b::int)). a = n} \<noteq> {(a,b). a > n}"
apply auto
done
lemma sets_distinct4: "{((a::int),(b::int)). a > n} \<noteq> {(a,b). a = n}"
apply auto
done
lemma aux: "\<lbrakk>a \<in> c; a \<notin> d; c = d\<rbrakk> \<Longrightarrow> False"
apply auto
done
lemma sets_distinct5: "(s::int) < g \<Longrightarrow> {(a::int, b::int). a = s} \<noteq> {(a::int, b::int). g < a}"
apply (auto simp: sets_distinct3)
apply (subgoal_tac "(s,4) \<in> {(a::int,b::int). a = (s)}")
apply (subgoal_tac "(s,4) \<notin> {(a::int,b::int). g < a}")
apply (erule aux)
apply assumption+
apply simp
by blast
lemma sets_distinct6: "(s::int) < g \<Longrightarrow> {(a::int, b::int). g < a} \<noteq> {(a::int, b::int). a = s}"
apply (rule not_sym)
apply (rule sets_distinct5)
by simp
lemma distinctNets: "FWLink \<noteq> any \<and> FWLink \<noteq> i4 \<and> FWLink \<noteq> i27 \<and> FWLink \<noteq> eth_intern \<and> FWLink \<noteq> eth_private \<and>
any \<noteq> FWLink \<and> any \<noteq> i4 \<and> any \<noteq> i27 \<and> any \<noteq> eth_intern \<and> any \<noteq> eth_private \<and> i4 \<noteq> FWLink \<and>
i4 \<noteq> any \<and> i4 \<noteq> i27 \<and> i4 \<noteq> eth_intern \<and> i4 \<noteq> eth_private \<and> i27 \<noteq> FWLink \<and> i27 \<noteq> any \<and>
i27 \<noteq> i4 \<and> i27 \<noteq> eth_intern \<and> i27 \<noteq> eth_private \<and> eth_intern \<noteq> FWLink \<and> eth_intern \<noteq> any \<and>
eth_intern \<noteq> i4 \<and> eth_intern \<noteq> i27 \<and> eth_intern \<noteq> eth_private \<and> eth_private \<noteq> FWLink \<and>
eth_private \<noteq> any \<and> eth_private \<noteq> i4 \<and> eth_private \<noteq> i27 \<and> eth_private \<noteq> eth_intern"
apply (simp add: PolicyLemmas sets_distinct1 sets_distinct2 sets_distinct3 sets_distinct4 sets_distinct5 sets_distinct6)
done
lemma aux5: "\<lbrakk>x \<noteq> a; y\<noteq>b; (x \<noteq> y \<and> x \<noteq> b) \<or> (a \<noteq> b \<and> a \<noteq> y)\<rbrakk> \<Longrightarrow> {x,a} \<noteq> {y,b}"
apply auto
done
lemma aux2: "{a,b} = {b,a}"
apply auto
done
(*
lemma noMT: "\<forall> x \<in> set (policy2list Policy). dom (C x) \<noteq> {}"
apply (simp add: PolicyLemmas)
apply (simp add: PLemmas PolicyLemmas)
by arith
*)
lemma ANDex: "allNetsDistinct (policy2list Policy)"
apply (simp add: PolicyL allNetsDistinct_def distinctNets)
apply (auto simp: PLemmas PolicyLemmas netsDistinct_def sets_distinct5 sets_distinct6)
done
(*
lemma count_the_rules: "(int (length(policy2list (list2FWpolicy(normalize Policy)))) = post) \<and>
(int(length (policy2list Policy)) = pre) \<and>
(int (length((normalize Policy))) = Partitions)"
apply (insert distinctNets noMT)
apply (simp add: normalize_def PolicyL bothNets_def aux5 aux2 Nets_List_def, thin_tac "?X",thin_tac "?S")
oops
lemma normedPolicy: "normalize Policy = X"
apply (insert distinctNets noMT)
apply (simp add: normalize_def PolicyL bothNets_def aux5 aux2 Nets_List_def, thin_tac "?X",thin_tac "?S")
oops
*)
fun (sequential) numberOfRules where
"numberOfRules (a\<oplus>b) = numberOfRules a + numberOfRules b"
|"numberOfRules a = (1::int)"
fun numberOfRulesList where
"numberOfRulesList (x#xs) = ((numberOfRules x)#(numberOfRulesList xs)) "
|"numberOfRulesList [] = []"
(*
lemma "numberOfRulesList (normalize Policy) = X"
apply (insert distinctNets noMT)
apply (simp add: normalize_def PolicyL bothNets_def aux5 aux2 Nets_List_def, thin_tac "?X",thin_tac "?S")
oops
*)
lemma all_in_list: "all_in_list (policy2list Policy) (Nets_List Policy)"
apply (simp add: PolicyL)
apply (unfold Nets_List_def)
apply (unfold bothNets_def)
apply (insert distinctNets)
apply simp
done
lemmas normalizeUnfold = normalize_def Policy_def Nets_List_def bothNets_def aux aux2 bothNets_def
(*
lemma noMT2: "\<forall> x \<in> set (policy2list Policy). dom (C x) \<noteq> {}"
apply (simp add: PLemmas normalize_def bothNets_def
PolicyLemmas aux5 aux2 Nets_List_def )
by (metis zless_add1_eq)
*)
end
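Review bot: `MG7` and `MG8` are textually identical (`AllowPortFromTo FWLink i4 6 ⊕ AllowPortFromTo FWLink i4 7`), so `Policy` carries the same two rules twice; if that duplication is deliberate input for the normalisation example, a comment such as `(* MG8 intentionally repeats MG7 to exercise duplicate-rule elimination *)` would keep a later clean-up from changing what the example demonstrates. `Policy` is also the only combinator here declared without a type (`definition "Policy = DenyAll ⊕ ..."`), unlike `Policy :: "(adr_ip net, port) Combinators"` in Transformation02; giving it the same signature keeps the two examples uniform. The `(* Mandatory: Global *)` comment sits between the `definition` keyword and the constant it names, which reads oddly; place it above `definition`. `normalizeUnfold` lists `bothNets_def` twice.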


@ -0,0 +1,219 @@
(*****************************************************************************
* Copyright (c) 2005-2010 ETH Zurich, Switzerland
* 2008-2015 Achim D. Brucker, Germany
* 2009-2016 Université Paris-Sud, France
* 2015-2016 The University of Sheffield, UK
*
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions are
* met:
*
* * Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
*
* * Redistributions in binary form must reproduce the above
* copyright notice, this list of conditions and the following
* disclaimer in the documentation and/or other materials provided
* with the distribution.
*
* * Neither the name of the copyright holders nor the names of its
* contributors may be used to endorse or promote products derived
* from this software without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
* A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
* OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
* LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*****************************************************************************)
subsection {* Transforamtion Example 2 *}
theory
Transformation02
imports
"../../UPF-Firewall"
begin
definition
FWLink :: "adr\<^sub>i\<^sub>p net" where
"FWLink = {{(a,b). a = 1}}"
definition
any :: "adr\<^sub>i\<^sub>p net" where
"any = {{(a,b). a > 5}}"
definition
i4_32:: "adr\<^sub>i\<^sub>p net" where
"i4_32 = {{(a,b). a = 2 }}"
definition
i10_32:: "adr\<^sub>i\<^sub>p net" where
"i10_32 = {{(a,b). a = 3 }}"
definition
eth_intern:: "adr\<^sub>i\<^sub>p net" where
"eth_intern = {{(a,b). a = 4 }}"
definition
eth_private:: "adr\<^sub>i\<^sub>p net" where
"eth_private = {{(a,b). a = 5 }}"
definition
D1a :: "(adr\<^sub>i\<^sub>p net, port) Combinators" where
"D1a = AllowPortFromTo eth_intern any 1 \<oplus>
AllowPortFromTo eth_intern any 2"
definition
D1b :: "(adr\<^sub>i\<^sub>p net, port) Combinators" where
"D1b = AllowPortFromTo eth_private any 1 \<oplus>
AllowPortFromTo eth_private any 2"
definition
D2a :: "(adr\<^sub>i\<^sub>p net, port) Combinators" where
"D2a = AllowPortFromTo any i4_32 21"
definition
D2b :: "(adr\<^sub>i\<^sub>p net, port) Combinators" where
"D2b = AllowPortFromTo any i10_32 21 \<oplus>
AllowPortFromTo any i10_32 43"
definition
Policy :: "(adr\<^sub>i\<^sub>p net, port) Combinators" where
"Policy = DenyAll \<oplus> D2b \<oplus> D2a \<oplus> D1b \<oplus> D1a"
lemmas PolicyLemmas = Policy_def D1a_def D1b_def D2a_def D2b_def
lemmas PolicyL = Policy_def
FWLink_def
any_def
i10_32_def
i4_32_def
eth_intern_def
eth_private_def
D1a_def D1b_def D2a_def D2b_def
consts fixID :: id
consts fixContent :: DummyContent
definition "fixElements p = (id p = fixID \<and> content p = fixContent)"
lemmas fixDefs = fixElements_def NetworkCore.id_def NetworkCore.content_def
lemma sets_distinct1: "(n::int) \<noteq> m \<Longrightarrow> {(a,b). a = n} \<noteq> {(a,b). a = m}"
apply auto
done
lemma sets_distinct2: "(m::int) \<noteq> n \<Longrightarrow> {(a,b). a = n} \<noteq> {(a,b). a = m}"
apply auto
done
lemma sets_distinct3: "{((a::int),(b::int)). a = n} \<noteq> {(a,b). a > n}"
apply auto
done
lemma sets_distinct4: "{((a::int),(b::int)). a > n} \<noteq> {(a,b). a = n}"
apply auto
done
lemma aux: "\<lbrakk>a \<in> c; a \<notin> d; c = d\<rbrakk> \<Longrightarrow> False"
apply auto
done
lemma sets_distinct5: "(s::int) < g \<Longrightarrow> {(a::int, b::int). a = s} \<noteq> {(a::int, b::int). g < a}"
apply (auto simp: sets_distinct3)
apply (subgoal_tac "(s,4) \<in> {(a::int,b::int). a = (s)}")
apply (subgoal_tac "(s,4) \<notin> {(a::int,b::int). g < a}")
apply (erule aux)
apply assumption+
apply simp
by blast
lemma sets_distinct6: "(s::int) < g \<Longrightarrow> {(a::int, b::int). g < a} \<noteq> {(a::int, b::int). a = s}"
apply (rule not_sym)
apply (rule sets_distinct5)
by simp
lemma distinctNets: "FWLink \<noteq> any \<and> FWLink \<noteq> i4_32 \<and> FWLink \<noteq> i10_32 \<and>
FWLink \<noteq> eth_intern \<and> FWLink \<noteq> eth_private \<and> any \<noteq> FWLink \<and> any \<noteq>
i4_32 \<and> any \<noteq> i10_32 \<and> any \<noteq> eth_intern \<and> any \<noteq> eth_private \<and> i4_32 \<noteq>
FWLink \<and> i4_32 \<noteq> any \<and> i4_32 \<noteq> i10_32 \<and> i4_32 \<noteq> eth_intern \<and> i4_32 \<noteq>
eth_private \<and> i10_32 \<noteq> FWLink \<and> i10_32 \<noteq> any \<and> i10_32 \<noteq> i4_32 \<and> i10_32
\<noteq> eth_intern \<and> i10_32 \<noteq> eth_private \<and> eth_intern \<noteq> FWLink \<and> eth_intern
\<noteq> any \<and> eth_intern \<noteq> i4_32 \<and> eth_intern \<noteq> i10_32 \<and> eth_intern \<noteq>
eth_private \<and> eth_private \<noteq> FWLink \<and> eth_private \<noteq> any \<and> eth_private \<noteq>
i4_32 \<and> eth_private \<noteq> i10_32 \<and> eth_private \<noteq> eth_intern "
apply (simp add: PolicyL sets_distinct1 sets_distinct2 sets_distinct3
sets_distinct4 sets_distinct5 sets_distinct6)
done
lemma aux5: "\<lbrakk>x \<noteq> a; y\<noteq>b; (x \<noteq> y \<and> x \<noteq> b) \<or> (a \<noteq> b \<and> a \<noteq> y)\<rbrakk> \<Longrightarrow> {x,a} \<noteq> {y,b}"
apply auto
done
lemma aux2: "{a,b} = {b,a}"
apply auto
done
lemma ANDex: "allNetsDistinct (policy2list Policy)"
apply (simp add: PolicyLemmas allNetsDistinct_def distinctNets)
apply (simp add: PolicyL)
apply (auto simp: PLemmas PolicyL netsDistinct_def sets_distinct5 sets_distinct6 sets_distinct1 sets_distinct2)
done
fun (sequential) numberOfRules where
"numberOfRules (a\<oplus>b) = numberOfRules a + numberOfRules b"
|"numberOfRules a = (1::int)"
fun numberOfRulesList where
"numberOfRulesList (x#xs) = ((numberOfRules x)#(numberOfRulesList xs)) "
|"numberOfRulesList [] = []"
lemma all_in_list: "all_in_list (policy2list Policy) (Nets_List Policy)"
apply (simp add: PolicyLemmas)
apply (unfold Nets_List_def)
apply (unfold bothNets_def)
apply (insert distinctNets)
apply simp
done
lemmas normalizeUnfold = normalize_def PolicyL Nets_List_def bothNets_def aux aux2 bothNets_def sets_distinct1 sets_distinct2 sets_distinct3 sets_distinct4 sets_distinct5 sets_distinct6 aux5 aux2
end
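Review bot: The subsection title reads `Transforamtion Example 2`; it should be `Transformation Example 2`. The helper lemmas `sets_distinct1`–`sets_distinct6`, `aux`, `aux5` and `aux2` are repeated verbatim from Transformation01, so any proof repair has to be applied in two places; a small shared theory imported by both examples would remove that. The lemma-collection names are also swapped relative to Transformation01 — here `PolicyLemmas` is the small set and `PolicyL` holds the net definitions, there it is the other way round — so `simp add: PolicyLemmas` means different things in sibling files. `normalizeUnfold` lists `bothNets_def` and `aux2` twice.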

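--- a/Examples/VoIP/VoIP.thy
+++ b/Examples/VoIP/VoIP.thy
@@ -0,0 +1,136 @@
+(*****************************************************************************
+* Copyright (c) 2005-2010 ETH Zurich, Switzerland
+* 2008-2015 Achim D. Brucker, Germany
+* 2009-2016 Université Paris-Sud, France
+* 2015-2016 The University of Sheffield, UK
+*
+* All rights reserved.
+*
+* Redistribution and use in source and binary forms, with or without
+* modification, are permitted provided that the following conditions are
+* met:
+*
+* * Redistributions of source code must retain the above copyright
+* notice, this list of conditions and the following disclaimer.
+*
+* * Redistributions in binary form must reproduce the above
+* copyright notice, this list of conditions and the following
+* disclaimer in the documentation and/or other materials provided
+* with the distribution.
+*
+* * Neither the name of the copyright holders nor the names of its
+* contributors may be used to endorse or promote products derived
+* from this software without specific prior written permission.
+*
+* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+* A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+* OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+* LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+*****************************************************************************)
+section {* Voice over IP *}
+theory VoIP
+imports
+"../../UPF-Firewall"
+begin
+text{* In this theory we generate the test data for correct runs of
+the FTP protocol. As usual, we start with definining the networks and
+the policy. We use a rather simple policy which allows only FTP
+connections starting from the Intranet and going to the Internet, and
+deny everything else. *}
+definition
+intranet :: "adr\<^sub>i\<^sub>p net" where
+"intranet = {{(a,e) . a = 3}}"
+definition
+internet :: "adr\<^sub>i\<^sub>p net" where
+"internet = {{(a,c). a > 4}}"
+definition
+gatekeeper :: "adr\<^sub>i\<^sub>p net" where
+"gatekeeper = {{(a,c). a =4}}"
+definition
+voip_policy :: "(adr\<^sub>i\<^sub>p,address voip_msg) FWPolicy" where
+"voip_policy = A\<^sub>U"
+text{* The next two constants check if an address is in the Intranet
+or in the Internet respectively.*}
+definition
+is_in_intranet :: "address \<Rightarrow> bool" where
+"is_in_intranet a = (a = 3)"
+definition
+is_gatekeeper :: "address \<Rightarrow> bool" where
+"is_gatekeeper a = (a = 4)"
+definition
+is_in_internet :: "address \<Rightarrow> bool" where
+"is_in_internet a = (a > 4)"
+text{*
+The next definition is our starting state: an empty trace and the just defined policy.*}
+definition
+"\<sigma>_0_voip" :: "(adr\<^sub>i\<^sub>p, address voip_msg) history \<times>
+(adr\<^sub>i\<^sub>p, address voip_msg) FWPolicy"
+where
+"\<sigma>_0_voip = ([],voip_policy)"
+text{*Next we state the conditions we have on our trace: a normal
+behaviour FTP run from the intranet to some server in the internet on
+port 21.*}
+definition "accept_voip" :: "(adr\<^sub>i\<^sub>p, address voip_msg) history \<Rightarrow> bool" where
+"accept_voip t =
+(\<exists> c s g i p1 p2. t \<in> NB_voip c s g i p1 p2 \<and> is_in_intranet c \<and> is_in_internet s
+\<and> is_gatekeeper g)"
+fun packet_with_id where
+"packet_with_id [] i = []"
+|"packet_with_id (x#xs) i =
+(if id x = i then (x#(packet_with_id xs i)) else (packet_with_id xs i))"
+text{*The depth of the test case generation corresponds to the maximal
+length of generated traces. 4 is the minimum to get a full FTP
+protocol run. *}
+fun ids1 where
+"ids1 i (x#xs) = (id x = i \<and> ids1 i xs)"
+|"ids1 i [] = True"
+lemmas ST_simps = Let_def valid_SE_def unit_SE_def bind_SE_def
+subnet_of_int_def p_accept_def content_def
+is_in_intranet_def is_in_internet_def intranet_def internet_def exI
+subnetOf_lemma subnetOf_lemma2 subnetOf_lemma3 subnetOf_lemma4 voip_policy_def
+NetworkCore.id_def is_arq_def is_fin_def
+is_connect_def is_setup_def ports_open_def subnet_of_adr_def
+VOIP.NB_voip_def \<sigma>_0_voip_def PLemmas VOIP_TRPolicy_def
+policy2MON_def applyPolicy_def
+end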
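Review bot: The introductory text speaks of "correct runs of the FTP protocol", "FTP connections starting from the Intranet", "port 21" and "a full FTP protocol run", but this is the VoIP theory, and the policy it actually defines, `voip_policy = A_U`, is (as far as UPF's naming goes) the universal allow policy rather than the restrictive allow-FTP-only policy the text describes — the comment misstates the security property the generated tests check. Suggest rewording the opening `text` block along the lines of `text{* In this theory we generate the test data for correct runs of the VoIP protocol. The firewall policy is the permissive A_U (every packet accepted); the trace constraint accept_voip restricts runs to those between a client in the intranet, the gatekeeper and a server in the internet. *}`, and fixing the two later FTP mentions the same way. The `text` block about test-case depth sits above `ids1`, which it does not describe; move it next to whatever defines the depth, or drop it if nothing here does. The network comprehensions use three different binder names (`(a,e)`, `(a,c)`) for the same port component; one name would be easier on the reader.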


@ -0,0 +1,76 @@
(*****************************************************************************
* Copyright (c) 2005-2010 ETH Zurich, Switzerland
* 2008-2015 Achim D. Brucker, Germany
* 2009-2016 Université Paris-Sud, France
* 2015-2016 The University of Sheffield, UK
*
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions are
* met:
*
* * Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
*
* * Redistributions in binary form must reproduce the above
* copyright notice, this list of conditions and the following
* disclaimer in the documentation and/or other materials provided
* with the distribution.
*
* * Neither the name of the copyright holders nor the names of its
* contributors may be used to endorse or promote products derived
* from this software without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
* A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
* OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
* LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*****************************************************************************)
subsection {* Elementary Firewall Policy Transformation Rules *}
theory ElementaryRules
imports FWNormalisationCore
begin
text{*
This theory contains those elementary transformation rules which are presented in the ICST
2010 paper~\cite{brucker.ea:firewall:2010}. They are not used elsewhere.
*}
lemma elem1:
"C (AllowPortFromTo x y p \<oplus> DenyAllFromTo x y) = C (DenyAllFromTo x y)"
by (rule ext, auto simp: PLemmas)
lemma elem2:
"C ((a \<oplus> b) \<oplus> c) = C (a \<oplus> (b \<oplus> c))"
by (simp add: C.simps)
lemma elem3:
"C (AllowPortFromTo x y a \<oplus> AllowPortFromTo x y b) =
C (AllowPortFromTo x y b \<oplus> AllowPortFromTo x y a)"
by (rule ext, auto simp: PLemmas)
lemma elem4:
"C (a \<oplus> DenyAll) = C DenyAll"
by (rule ext, auto simp: PLemmas)
lemma elem5:
"C (DenyAllFromTo x y \<oplus> DenyAllFromTo u v) = C (DenyAllFromTo u v \<oplus> DenyAllFromTo x y)"
by (rule ext, auto simp: PLemmas)
lemma elem6:
"dom (C a) \<inter> dom (C b) = {} \<Longrightarrow> C (a \<oplus> b) = C (b \<oplus> a)"
by (rule ext, metis C.simps(4) map_add_comm)
end
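Review bot: `elem6` is proved by `metis C.simps(4) map_add_comm`, where the numbered index presumably selects the ⊕ equation of `C` in FWNormalisationCore; that index silently depends on the order of equations in `C`'s definition, so adding or reordering a constructor breaks this proof at the number rather than at the rule. Referring to the equation by a named fact, or using `simp add: C.simps` as `elem2` already does, makes the dependency explicit. The statements themselves record that the right operand of ⊕ takes precedence — `elem1` absorbs an allow rule into a following `DenyAllFromTo` for the same nets, `elem4` absorbs everything into a trailing `DenyAll` — which is the security-relevant reading of the operator and worth a one-line comment per rule, e.g. `(* a rule preceding a deny-all for the same nets is shadowed: later rules win *)` above `elem1`. The `text` block says the rules "are not used elsewhere"; stating that they are kept to mirror the paper's Fig./Table would explain why they exist at all.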


@ -0,0 +1,42 @@
(*****************************************************************************
* Copyright (c) 2005-2010 ETH Zurich, Switzerland
* 2008-2015 Achim D. Brucker, Germany
* 2009-2016 Université Paris-Sud, France
* 2015-2016 The University of Sheffield, UK
*
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions are
* met:
*
* * Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
*
* * Redistributions in binary form must reproduce the above
* copyright notice, this list of conditions and the following
* disclaimer in the documentation and/or other materials provided
* with the distribution.
* * Neither the name of the copyright holders nor the names of its
* contributors may be used to endorse or promote products derived
* from this software without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
* A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
* OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
* LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*****************************************************************************)
chapter {* Firewall Policy Normalisation *}
theory FWNormalisation
imports NormalisationIPPProofs
begin
end


@ -0,0 +1,654 @@
(*****************************************************************************
* Copyright (c) 2005-2010 ETH Zurich, Switzerland
* 2008-2015 Achim D. Brucker, Germany
* 2009-2016 Université Paris-Sud, France
* 2015-2016 The University of Sheffield, UK
*
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions are
* met:
*
* * Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
*
* * Redistributions in binary form must reproduce the above
* copyright notice, this list of conditions and the following
* disclaimer in the documentation and/or other materials provided
* with the distribution.
*
* * Neither the name of the copyright holders nor the names of its
* contributors may be used to endorse or promote products derived
* from this software without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
* A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
* OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
* LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*****************************************************************************)
subsection {* Policy Normalisation: Core Definitions *}
theory
FWNormalisationCore
imports
"../PacketFilter/PacketFilter"
begin
text{*
This theory contains all the definitions used for policy normalisation as described
in~\cite{brucker.ea:icst:2010,brucker.ea:formal-fw-testing:2014}.
The normalisation procedure transforms policies into semantically equivalent ones which are
``easier'' to test. It is organized into nine phases. We impose the following two restrictions
on the input policies:
\begin{itemize}
\item Each policy must contain a $\mathtt{DenyAll}$ rule. If this restriction were to be lifted,
the $\mathtt{insertDenies}$ phase would have to be adjusted accordingly.
\item For each pair of networks $n_1$ and $n_2$, the networks are either disjoint or equal. If
this restriction were to be lifted, we would need some additional phases before the start
of the normalisation procedure presented below. This rule would split single rules into
several by splitting up the networks such that they are all pairwise disjoint or equal.
Such a transformation is clearly semantics-preserving and the condition would hold after
these phases.
\end{itemize}
As a result, the procedure generates a list of policies, in which:
\begin{itemize}
\item each element of the list contains a policy which completely specifies the blocking behavior
between two networks, and
\item there are no shadowed rules.
\end{itemize}
This result is desirable since the test case generation for rules between networks $A$ and $B$
is independent of the rules that specify the behavior for traffic flowing between networks $C$
and $D$. Thus, the different segments of the policy can be processed individually. The
normalization procedure does not aim to minimize the number of rules. While it does remove
unnecessary ones, it also adds new ones, enabling a policy to be split into several independent
parts.
*}
text{*
Policy transformations are functions that map policies to policies. We decided to represent
policy transformations as \emph{syntactic rules}; this choice paves the way for expressing the
entire normalisation process inside HOL by functions manipulating abstract policy syntax.
*}
subsubsection{* Basics *}
text{* We define a very simple policy language: *}
datatype ('\<alpha>,'\<beta>) Combinators =
DenyAll
| DenyAllFromTo '\<alpha> '\<alpha>
| AllowPortFromTo '\<alpha> '\<alpha> '\<beta>
| Conc "(('\<alpha>,'\<beta>) Combinators)" "(('\<alpha>,'\<beta>) Combinators)" (infixr "\<oplus>" 80)
text{*
And define the semantic interpretation of it. For technical reasons, we fix here the type to
policies over IntegerPort addresses. However, we could easily provide definitions for other
address types as well, using a generic consts for the type definition and a primitive recursive
definition for each desired address model. *}
subsubsection{* Auxiliary definitions and functions. *}
text{*
This subsubsection defines several functions which are useful later for the combinators, invariants,
and proofs.
*}
fun srcNet where
"srcNet (DenyAllFromTo x y) = x"
|"srcNet (AllowPortFromTo x y p) = x"
|"srcNet DenyAll = undefined"
|"srcNet (v \<oplus> va) = undefined"
fun destNet where
"destNet (DenyAllFromTo x y) = y"
|"destNet (AllowPortFromTo x y p) = y"
|"destNet DenyAll = undefined"
|"destNet (v \<oplus> va) = undefined"
fun srcnets where
"srcnets DenyAll = [] "
|"srcnets (DenyAllFromTo x y) = [x] "
|"srcnets (AllowPortFromTo x y p) = [x] "
|"(srcnets (x \<oplus> y)) = (srcnets x)@(srcnets y)"
fun destnets where
"destnets DenyAll = [] "
|"destnets (DenyAllFromTo x y) = [y] "
|"destnets (AllowPortFromTo x y p) = [y] "
|"(destnets (x \<oplus> y)) = (destnets x)@(destnets y)"
fun (sequential) net_list_aux where
"net_list_aux [] = []"
|"net_list_aux (DenyAll#xs) = net_list_aux xs"
|"net_list_aux ((DenyAllFromTo x y)#xs) = x#y#(net_list_aux xs)"
|"net_list_aux ((AllowPortFromTo x y p)#xs) = x#y#(net_list_aux xs)"
|"net_list_aux ((x\<oplus>y)#xs) = (net_list_aux [x])@(net_list_aux [y])@(net_list_aux xs)"
fun net_list where "net_list p = remdups (net_list_aux p)"
definition bothNets where "bothNets x = (zip (srcnets x) (destnets x))"
fun (sequential) normBothNets where
"normBothNets ((a,b)#xs) = (if ((b,a) \<in> set xs) \<or> (a,b) \<in> set (xs)
then (normBothNets xs)
else (a,b)#(normBothNets xs))"
|"normBothNets x = x"
fun makeSets where
"makeSets ((a,b)#xs) = ({a,b}#(makeSets xs))"
|"makeSets [] = []"
fun bothNet where
"bothNet DenyAll = {}"
|"bothNet (DenyAllFromTo a b) = {a,b}"
|"bothNet (AllowPortFromTo a b p) = {a,b}"
|"bothNet (v \<oplus> va) = undefined "
text{*
$Nets\_List$ provides from a list of rules a list where the entries are the appearing sets of
source and destination network of each rule.
*}
definition Nets_List
where
"Nets_List x = makeSets (normBothNets (bothNets x))"
fun (sequential) first_srcNet where
"first_srcNet (x\<oplus>y) = first_srcNet x"
| "first_srcNet x = srcNet x"
fun (sequential) first_destNet where
"first_destNet (x\<oplus>y) = first_destNet x"
| "first_destNet x = destNet x"
fun (sequential) first_bothNet where
"first_bothNet (x\<oplus>y) = first_bothNet x"
|"first_bothNet x = bothNet x"
fun (sequential) in_list where
"in_list DenyAll l = True"
|"in_list x l = (bothNet x \<in> set l)"
fun all_in_list where
"all_in_list [] l = True"
|"all_in_list (x#xs) l = (in_list x l \<and> all_in_list xs l)"
fun (sequential) member where
"member a (x\<oplus>xs) = ((member a x) \<or> (member a xs))"
|"member a x = (a = x)"
fun sdnets where
"sdnets DenyAll = {}"
| "sdnets (DenyAllFromTo a b) = {(a,b)}"
| "sdnets (AllowPortFromTo a b c) = {(a,b)}"
| "sdnets (a \<oplus> b) = sdnets a \<union> sdnets b"
definition packet_Nets where "packet_Nets x a b = ((src x \<sqsubset> a \<and> dest x \<sqsubset> b) \<or>
(src x \<sqsubset> b \<and> dest x \<sqsubset> a))"
definition subnetsOfAdr where "subnetsOfAdr a = {x. a \<sqsubset> x}"
definition fst_set where "fst_set s = {a. \<exists> b. (a,b) \<in> s}"
definition snd_set where "snd_set s = {a. \<exists> b. (b,a) \<in> s}"
fun memberP where
"memberP r (x#xs) = (member r x \<or> memberP r xs)"
|"memberP r [] = False"
fun firstList where
"firstList (x#xs) = (first_bothNet x)"
|"firstList [] = {}"
subsubsection{* Invariants *}
text{* If there is a DenyAll, it is at the first position *}
fun wellformed_policy1:: "(('\<alpha>, '\<beta>) Combinators) list \<Rightarrow> bool" where
"wellformed_policy1 [] = True"
| "wellformed_policy1 (x#xs) = (DenyAll \<notin> (set xs))"
text{* There is a DenyAll at the first position *}
fun wellformed_policy1_strong:: "(('\<alpha>, '\<beta>) Combinators) list \<Rightarrow> bool"
where
"wellformed_policy1_strong [] = False"
| "wellformed_policy1_strong (x#xs) = (x=DenyAll \<and> (DenyAll \<notin> (set xs)))"
text{* All two networks are either disjoint or equal. *}
definition netsDistinct where "netsDistinct a b = (\<not> (\<exists> x. x \<sqsubset> a \<and> x \<sqsubset> b))"
definition twoNetsDistinct where
"twoNetsDistinct a b c d = (netsDistinct a c \<or> netsDistinct b d)"
definition allNetsDistinct where
"allNetsDistinct p = (\<forall> a b. (a \<noteq> b \<and> a \<in> set (net_list p) \<and>
b \<in> set (net_list p)) \<longrightarrow> netsDistinct a b)"
definition disjSD_2 where
"disjSD_2 x y = (\<forall> a b c d. ((a,b)\<in>sdnets x \<and> (c,d) \<in>sdnets y \<longrightarrow>
(twoNetsDistinct a b c d \<and> twoNetsDistinct a b d c)))"
text{* The policy is given as a list of single rules. *}
fun singleCombinators where
"singleCombinators [] = True"
|"singleCombinators ((x\<oplus>y)#xs) = False"
|"singleCombinators (x#xs) = singleCombinators xs"
definition onlyTwoNets where
"onlyTwoNets x = ((\<exists> a b. (sdnets x = {(a,b)})) \<or> (\<exists> a b. sdnets x = {(a,b),(b,a)}))"
text{* Each entry of the list contains rules between two networks only. *}
fun OnlyTwoNets where
"OnlyTwoNets (DenyAll#xs) = OnlyTwoNets xs"
|"OnlyTwoNets (x#xs) = (onlyTwoNets x \<and> OnlyTwoNets xs)"
|"OnlyTwoNets [] = True"
fun noDenyAll where
"noDenyAll (x#xs) = ((\<not> member DenyAll x) \<and> noDenyAll xs)"
|"noDenyAll [] = True"
fun noDenyAll1 where
"noDenyAll1 (DenyAll#xs) = noDenyAll xs"
| "noDenyAll1 xs = noDenyAll xs"
fun separated where
"separated (x#xs) = ((\<forall> s. s \<in> set xs \<longrightarrow> disjSD_2 x s) \<and> separated xs)"
| "separated [] = True"
fun NetsCollected where
"NetsCollected (x#xs) = (((first_bothNet x \<noteq> firstList xs) \<longrightarrow>
(\<forall>a\<in>set xs. first_bothNet x \<noteq> first_bothNet a)) \<and> NetsCollected (xs))"
| "NetsCollected [] = True"
fun NetsCollected2 where
"NetsCollected2 (x#xs) = (xs = [] \<or> (first_bothNet x \<noteq> firstList xs \<and>
NetsCollected2 xs))"
|"NetsCollected2 [] = True"
subsubsection{* Transformations *}
text {*
The following two functions transform a policy into a list of single rules and vice-versa - by
staying on the combinator level.
*}
fun policy2list::"('\<alpha>, '\<beta>) Combinators \<Rightarrow>
(('\<alpha>, '\<beta>) Combinators) list" where
"policy2list (x \<oplus> y) = (concat [(policy2list x),(policy2list y)])"
|"policy2list x = [x]"
fun list2FWpolicy::"(('\<alpha>, '\<beta>) Combinators) list \<Rightarrow>
(('\<alpha>, '\<beta>) Combinators)" where
"list2FWpolicy [] = undefined "
|"list2FWpolicy (x#[]) = x"
|"list2FWpolicy (x#y) = x \<oplus> (list2FWpolicy y)"
text{* Remove all the rules appearing before a DenyAll. There are two alternative versions. *}
fun removeShadowRules1 where
"removeShadowRules1 (x#xs) = (if (DenyAll \<in> set xs)
then ((removeShadowRules1 xs))
else x#xs)"
| "removeShadowRules1 [] = []"
fun removeShadowRules1_alternative_rev where
"removeShadowRules1_alternative_rev [] = []"
| "removeShadowRules1_alternative_rev (DenyAll#xs) = [DenyAll]"
| "removeShadowRules1_alternative_rev [x] = [x]"
| "removeShadowRules1_alternative_rev (x#xs)=
x#(removeShadowRules1_alternative_rev xs)"
definition removeShadowRules1_alternative where
"removeShadowRules1_alternative p =
rev (removeShadowRules1_alternative_rev (rev p))"
text{* Remove all the rules which allow a port, but are shadowed by a deny between these subnets *}
fun removeShadowRules2:: "(('\<alpha>, '\<beta>) Combinators) list \<Rightarrow>
(('\<alpha>, '\<beta>) Combinators) list"
where
"(removeShadowRules2 ((AllowPortFromTo x y p)#z)) =
(if (((DenyAllFromTo x y) \<in> set z))
then ((removeShadowRules2 z))
else (((AllowPortFromTo x y p)#(removeShadowRules2 z))))"
| "removeShadowRules2 (x#y) = x#(removeShadowRules2 y)"
| "removeShadowRules2 [] = []"
text{* Sorting a pocliy. We first need to define an ordering on
rules. This ordering depends on the $Nets\_List$ of a policy. *}
fun smaller :: "('\<alpha>, '\<beta>) Combinators \<Rightarrow>
('\<alpha>, '\<beta>) Combinators \<Rightarrow>
(('\<alpha>) set) list \<Rightarrow> bool"
where
"smaller DenyAll x l = True"
| "smaller x DenyAll l = False"
| "smaller x y l =
((x = y) \<or> (if (bothNet x) = (bothNet y) then
(case y of (DenyAllFromTo a b) \<Rightarrow> (x = DenyAllFromTo b a)
| _ \<Rightarrow> True)
else
(position (bothNet x) l <= position (bothNet y) l)))"
text{* We provide two different sorting algorithms: Quick Sort (qsort) and Insertion Sort (sort) *}
fun qsort where
"qsort [] l = []"
| "qsort (x#xs) l = (qsort [y\<leftarrow>xs. \<not> (smaller x y l)] l) @ [x] @ (qsort [y\<leftarrow>xs. smaller x y l] l)"
lemma qsort_permutes:
"set (qsort xs l) = set xs"
apply (induct xs l rule: qsort.induct)
apply (simp_all)
apply auto
done
lemma set_qsort [simp]: "set (qsort xs l) = set xs"
apply (induct xs l rule: qsort.induct)
apply (simp_all)
apply auto
done
fun insort where
"insort a [] l = [a]"
| "insort a (x#xs) l = (if (smaller a x l) then a#x#xs else x#(insort a xs l))"
fun sort where
"sort [] l = []"
| "sort (x#xs) l = insort x (sort xs l) l"
fun sorted where
"sorted [] l \<longleftrightarrow> True" |
"sorted [x] l \<longleftrightarrow> True" |
"sorted (x#y#zs) l \<longleftrightarrow> smaller x y l \<and> sorted (y#zs) l"
fun separate where
"separate (DenyAll#x) = DenyAll#(separate x)"
| "separate (x#y#z) = (if (first_bothNet x = first_bothNet y)
then (separate ((x\<oplus>y)#z))
else (x#(separate(y#z))))"
|"separate x = x"
text {*
Insert the DenyAllFromTo rules, such that traffic between two networks can be tested individually
*}
fun insertDenies where
"insertDenies (x#xs) = (case x of DenyAll \<Rightarrow> (DenyAll#(insertDenies xs))
| _ \<Rightarrow> (DenyAllFromTo (first_srcNet x) (first_destNet x) \<oplus>
(DenyAllFromTo (first_destNet x) (first_srcNet x)) \<oplus> x)#
(insertDenies xs))"
| "insertDenies [] = []"
text{* Remove duplicate rules. This is especially necessary as
insertDenies might have inserted duplicate rules.
The second function is supposed to work on a list of policies. Only
rules which are duplicated within the same policy are removed. *}
fun removeDuplicates where
"removeDuplicates (x\<oplus>xs) = (if member x xs then (removeDuplicates xs)
else x\<oplus>(removeDuplicates xs))"
| "removeDuplicates x = x"
fun removeAllDuplicates where
"removeAllDuplicates (x#xs) = ((removeDuplicates (x))#(removeAllDuplicates xs))"
|"removeAllDuplicates x = x"
text {* Insert a DenyAll at the beginning of a policy. *}
fun insertDeny where
"insertDeny (DenyAll#xs) = DenyAll#xs"
|"insertDeny xs = DenyAll#xs"
definition "sort' p l = sort l p"
definition "qsort' p l = qsort l p"
declare dom_eq_empty_conv [simp del]
fun list2policyR::"(('\<alpha>, '\<beta>) Combinators) list \<Rightarrow>
(('\<alpha>, '\<beta>) Combinators)" where
"list2policyR (x#[]) = x"
|"list2policyR (x#y) = (list2policyR y) \<oplus> x"
|"list2policyR [] = undefined "
text{* We provide the definitions for two address representations. *}
subsubsection{* IntPort *}
fun C :: "(adr\<^sub>i\<^sub>p net, port) Combinators \<Rightarrow> (adr\<^sub>i\<^sub>p,DummyContent) packet \<mapsto> unit"
where
" C DenyAll = deny_all"
|"C (DenyAllFromTo x y) = deny_all_from_to x y"
|"C (AllowPortFromTo x y p) = allow_from_to_port p x y"
|"C (x \<oplus> y) = C x ++ C y"
fun CRotate :: "(adr\<^sub>i\<^sub>p net, port) Combinators \<Rightarrow> (adr\<^sub>i\<^sub>p,DummyContent) packet \<mapsto> unit"
where
" CRotate DenyAll = C DenyAll"
|"CRotate (DenyAllFromTo x y) = C (DenyAllFromTo x y)"
|"CRotate (AllowPortFromTo x y p) = C (AllowPortFromTo x y p)"
|"CRotate (x \<oplus> y) = ((CRotate y) ++ ((CRotate x)))"
fun rotatePolicy where
"rotatePolicy DenyAll = DenyAll"
| "rotatePolicy (DenyAllFromTo a b) = DenyAllFromTo a b"
| "rotatePolicy (AllowPortFromTo a b p) = AllowPortFromTo a b p"
| "rotatePolicy (a\<oplus>b) = (rotatePolicy b) \<oplus> (rotatePolicy a)"
lemma check: "rev (policy2list (rotatePolicy p)) = policy2list p"
apply (induct p)
apply simp
apply simp_all
done
text{*
All rules appearing at the left of a DenyAllFromTo, have disjunct domains from it (except DenyAll)
*}
fun (sequential) wellformed_policy2 where
"wellformed_policy2 [] = True"
| "wellformed_policy2 (DenyAll#xs) = wellformed_policy2 xs"
| "wellformed_policy2 (x#xs) = ((\<forall> c a b. c = DenyAllFromTo a b \<and> c \<in> set xs \<longrightarrow>
Map.dom (C x) \<inter> Map.dom (C c) = {}) \<and> wellformed_policy2 xs)"
text{* An allow rule is disjunct with all rules appearing at the right of it. This invariant is not
necessary as it is a consequence from others, but facilitates some proofs. *}
fun (sequential) wellformed_policy3::"((adr\<^sub>i\<^sub>p net,port) Combinators) list \<Rightarrow> bool" where
"wellformed_policy3 [] = True"
| "wellformed_policy3 ((AllowPortFromTo a b p)#xs) = ((\<forall> r. r \<in> set xs \<longrightarrow>
dom (C r) \<inter> dom (C (AllowPortFromTo a b p)) = {}) \<and> wellformed_policy3 xs)"
| "wellformed_policy3 (x#xs) = wellformed_policy3 xs"
definition
"normalize' p = (removeAllDuplicates o insertDenies o separate o
(sort' (Nets_List p)) o removeShadowRules2 o remdups o
(rm_MT_rules C) o insertDeny o removeShadowRules1 o
policy2list) p"
definition
"normalizeQ' p = (removeAllDuplicates o insertDenies o separate o
(qsort' (Nets_List p)) o removeShadowRules2 o remdups o
(rm_MT_rules C) o insertDeny o removeShadowRules1 o
policy2list) p"
definition normalize ::
"(adr\<^sub>i\<^sub>p net, port) Combinators \<Rightarrow>
(adr\<^sub>i\<^sub>p net, port) Combinators list"
where
"normalize p = (removeAllDuplicates (insertDenies (separate (sort
(removeShadowRules2 (remdups ((rm_MT_rules C) (insertDeny
(removeShadowRules1 (policy2list p)))))) ((Nets_List p))))))"
definition
"normalize_manual_order p l = removeAllDuplicates (insertDenies (separate
(sort (removeShadowRules2 (remdups ((rm_MT_rules C) (insertDeny
(removeShadowRules1 (policy2list p)))))) ((l)))))"
definition normalizeQ ::
"(adr\<^sub>i\<^sub>p net, port) Combinators \<Rightarrow>
(adr\<^sub>i\<^sub>p net, port) Combinators list"
where
"normalizeQ p = (removeAllDuplicates (insertDenies (separate (qsort
(removeShadowRules2 (remdups ((rm_MT_rules C) (insertDeny
(removeShadowRules1 (policy2list p)))))) ((Nets_List p))))))"
definition
"normalize_manual_orderQ p l = removeAllDuplicates (insertDenies (separate
(qsort (removeShadowRules2 (remdups ((rm_MT_rules C) (insertDeny
(removeShadowRules1 (policy2list p)))))) ((l)))))"
text{* Of course, normalize is equal to normalize', the latter looks nicer though. *}
lemma "normalize = normalize'"
by (rule ext, simp add: normalize_def normalize'_def sort'_def)
declare C.simps [simp del]
subsubsection{* TCP\_UDP\_IntegerPort *}
fun Cp :: "(adr\<^sub>i\<^sub>p\<^sub>p net, protocol \<times> port) Combinators \<Rightarrow>
(adr\<^sub>i\<^sub>p\<^sub>p,DummyContent) packet \<mapsto> unit"
where
" Cp DenyAll = deny_all"
|"Cp (DenyAllFromTo x y) = deny_all_from_to x y"
|"Cp (AllowPortFromTo x y p) = allow_from_to_port_prot (fst p) (snd p) x y"
|"Cp (x \<oplus> y) = Cp x ++ Cp y"
fun Dp :: "(adr\<^sub>i\<^sub>p\<^sub>p net, protocol \<times> port) Combinators \<Rightarrow>
(adr\<^sub>i\<^sub>p\<^sub>p,DummyContent) packet \<mapsto> unit"
where
" Dp DenyAll = Cp DenyAll"
|"Dp (DenyAllFromTo x y) = Cp (DenyAllFromTo x y)"
|"Dp (AllowPortFromTo x y p) = Cp (AllowPortFromTo x y p)"
|"Dp (x \<oplus> y) = Cp (y \<oplus> x)"
text{* All rules appearing at the left of a DenyAllFromTo, have disjunct domains from it
(except DenyAll) *}
fun (sequential) wellformed_policy2Pr where
"wellformed_policy2Pr [] = True"
| "wellformed_policy2Pr (DenyAll#xs) = wellformed_policy2Pr xs"
| "wellformed_policy2Pr (x#xs) = ((\<forall> c a b. c = DenyAllFromTo a b \<and> c \<in> set xs \<longrightarrow>
Map.dom (Cp x) \<inter> Map.dom (Cp c) = {}) \<and> wellformed_policy2Pr xs)"
text{* An allow rule is disjunct with all rules appearing at the right of it. This invariant is not
necessary as it is a consequence from others, but facilitates some proofs. *}
fun (sequential) wellformed_policy3Pr::"((adr\<^sub>i\<^sub>p\<^sub>p net, protocol \<times> port) Combinators) list \<Rightarrow> bool" where
"wellformed_policy3Pr [] = True"
| "wellformed_policy3Pr ((AllowPortFromTo a b p)#xs) = ((\<forall> r. r \<in> set xs \<longrightarrow>
dom (Cp r) \<inter> dom (Cp (AllowPortFromTo a b p)) = {}) \<and> wellformed_policy3Pr xs)"
| "wellformed_policy3Pr (x#xs) = wellformed_policy3Pr xs"
definition
normalizePr' :: "(adr\<^sub>i\<^sub>p\<^sub>p net, protocol \<times> port) Combinators
\<Rightarrow> (adr\<^sub>i\<^sub>p\<^sub>p net, protocol \<times> port) Combinators list" where
"normalizePr' p = (removeAllDuplicates o insertDenies o separate o
(sort' (Nets_List p)) o removeShadowRules2 o remdups o
(rm_MT_rules Cp) o insertDeny o removeShadowRules1 o
policy2list) p"
definition normalizePr ::
"(adr\<^sub>i\<^sub>p\<^sub>p net, protocol \<times> port) Combinators
\<Rightarrow> (adr\<^sub>i\<^sub>p\<^sub>p net, protocol \<times> port) Combinators list" where
"normalizePr p = (removeAllDuplicates (insertDenies (separate (sort
(removeShadowRules2 (remdups ((rm_MT_rules Cp) (insertDeny
(removeShadowRules1 (policy2list p)))))) ((Nets_List p))))))"
definition
"normalize_manual_orderPr p l = removeAllDuplicates (insertDenies (separate
(sort (removeShadowRules2 (remdups ((rm_MT_rules Cp) (insertDeny
(removeShadowRules1 (policy2list p)))))) ((l)))))"
definition
normalizePrQ' :: "(adr\<^sub>i\<^sub>p\<^sub>p net, protocol \<times> port) Combinators
\<Rightarrow> (adr\<^sub>i\<^sub>p\<^sub>p net, protocol \<times> port) Combinators list" where
"normalizePrQ' p = (removeAllDuplicates o insertDenies o separate o
(qsort' (Nets_List p)) o removeShadowRules2 o remdups o
(rm_MT_rules Cp) o insertDeny o removeShadowRules1 o
policy2list) p"
definition normalizePrQ ::
"(adr\<^sub>i\<^sub>p\<^sub>p net, protocol \<times> port) Combinators
\<Rightarrow> (adr\<^sub>i\<^sub>p\<^sub>p net, protocol \<times> port) Combinators list" where
"normalizePrQ p = (removeAllDuplicates (insertDenies (separate (qsort
(removeShadowRules2 (remdups ((rm_MT_rules Cp) (insertDeny
(removeShadowRules1 (policy2list p)))))) ((Nets_List p))))))"
definition
"normalize_manual_orderPrQ p l = removeAllDuplicates (insertDenies (separate
(qsort (removeShadowRules2 (remdups ((rm_MT_rules Cp) (insertDeny
(removeShadowRules1 (policy2list p)))))) ((l)))))"
text{* Of course, normalize is equal to normalize', the latter looks nicer though. *}
lemma "normalizePr = normalizePr'"
by (rule ext, simp add: normalizePr_def normalizePr'_def sort'_def)
text{* The following definition helps in creating the test specification for the individual parts
of a normalized policy. *}
definition makeFUTPr where
"makeFUTPr FUT p x n =
(packet_Nets x (fst (normBothNets (bothNets p)!n))
(snd(normBothNets (bothNets p)!n)) \<longrightarrow>
FUT x = Cp ((normalizePr p)!Suc n) x)"
declare Cp.simps [simp del]
lemmas PLemmas = C.simps Cp.simps dom_def PolicyCombinators.PolicyCombinators
PortCombinators.PortCombinatorsCore aux
ProtocolPortCombinators.ProtocolCombinatorsCore src_def dest_def in_subnet_def
adr\<^sub>i\<^sub>p\<^sub>pLemmas adr\<^sub>i\<^sub>p\<^sub>pLemmas
lemma aux: "\<lbrakk>x \<noteq> a; y\<noteq>b; (x \<noteq> y \<and> x \<noteq> b) \<or> (a \<noteq> b \<and> a \<noteq> y)\<rbrakk> \<Longrightarrow> {x,a} \<noteq> {y,b}"
by (auto)
lemma aux2: "{a,b} = {b,a}"
by auto
end
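Review bot: `makeFUTPr`, the test oracle at the end of the hunk, indexes `normBothNets (bothNets p) ! n` and `normalizePr p ! Suc n` without relating `n` to the length of either list, so for an out-of-range `n` both `nth` applications are underspecified and the specification constrains the FUT on nothing; guarding with `n < length (normBothNets (bothNets p)) \<longrightarrow>` (and, if it holds, a lemma `length (normalizePr p) = Suc (length (normBothNets (bothNets p)))`) would keep generated tests from being vacuous. In the `TCP_UDP_IntegerPort` subsection, `lemmas PLemmas` names `aux` two lines before `lemma aux` is stated and lists `adr\<^sub>i\<^sub>p\<^sub>pLemmas` twice — unless an imported theory already provides an `aux`, that `lemmas` command cannot be processed, and the first entry was presumably meant to be the `adr\<^sub>i\<^sub>p` variant. `qsort_permutes` and `set_qsort` are the same statement proved twice; `lemmas set_qsort [simp] = qsort_permutes` would do. Finally, the introductory `text` says an input policy must contain `DenyAll`, yet `insertDeny` in every `normalize*` pipeline silently adds one, so a policy without it is normalised to a fail-closed variant rather than rejected; a sentence such as `Policies without a DenyAll are not rejected: insertDeny prepends one, so the result is only semantically equivalent under the stated precondition.` in that `text` block would stop readers from treating the output as equivalent to such an input.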




34
LICENSE Normal file

@ -0,0 +1,34 @@
Copyright (c) 2005-2010 ETH Zurich, Switzerland
2008-2015 Achim D. Brucker, Germany
2009-2016 Université Paris-Sud, France
2015-2016 The University of Sheffield, UK
All rights reserved.
Redistribution and use in source and binary forms, with or without
modification, are permitted provided that the following conditions are
met:
* Redistributions of source code must retain the above copyright
notice, this list of conditions and the following disclaimer.
* Redistributions in binary form must reproduce the above
copyright notice, this list of conditions and the following
disclaimer in the documentation and/or other materials provided
with the distribution.
* Neither the name of the copyright holders nor the names of its
contributors may be used to endorse or promote products derived
from this software without specific prior written permission.
THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
"AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

170
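--- a/NAT/NAT.thy
+++ b/NAT/NAT.thy
@@ -0,0 +1,170 @@
+(*****************************************************************************
+ * Copyright (c) 2005-2010 ETH Zurich, Switzerland
+ * 2008-2015 Achim D. Brucker, Germany
+ * 2009-2016 Université Paris-Sud, France
+ * 2015-2016 The University of Sheffield, UK
+ *
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are
+ * met:
+ *
+ * * Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ *
+ * * Redistributions in binary form must reproduce the above
+ * copyright notice, this list of conditions and the following
+ * disclaimer in the documentation and/or other materials provided
+ * with the distribution.
+ *
+ * * Neither the name of the copyright holders nor the names of its
+ * contributors may be used to endorse or promote products derived
+ * from this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+ * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+ * OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+ * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+ * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ *****************************************************************************)
+subsection{* Network Address Translation *}
+theory
+NAT
+imports
+"../PacketFilter/PacketFilter"
+begin
+definition src2pool :: "'\<alpha> set \<Rightarrow> ('\<alpha>::adr,'\<beta>) packet \<Rightarrow> ('\<alpha>,'\<beta>) packet set" where
+"src2pool t = (\<lambda> p. ({(i,s,d,da). (i = id p \<and> s \<in> t \<and> d = dest p \<and> da = content p)}))"
+definition src2poolAP where
+"src2poolAP t = A\<^sub>f (src2pool t)"
+definition srcNat2pool :: "'\<alpha> set \<Rightarrow> '\<alpha> set \<Rightarrow> ('\<alpha>::adr,'\<beta>) packet \<mapsto> ('\<alpha>,'\<beta>) packet set" where
+"srcNat2pool srcs transl = {x. src x \<in> srcs} \<triangleleft> (src2poolAP transl)"
+definition src2poolPort :: "int set \<Rightarrow> (adr\<^sub>i\<^sub>p,'\<beta>) packet \<Rightarrow> (adr\<^sub>i\<^sub>p,'\<beta>) packet set" where
+"src2poolPort t = (\<lambda> p. ({(i,(s1,s2),(d1,d2),da).
+(i = id p \<and> s1 \<in> t \<and> s2 = (snd (src p)) \<and> d1 = (fst (dest p)) \<and>
+d2 = snd (dest p) \<and> da = content p)}))"
+definition src2poolPort_Protocol :: "int set \<Rightarrow> (adr\<^sub>i\<^sub>p\<^sub>p,'\<beta>) packet \<Rightarrow> (adr\<^sub>i\<^sub>p\<^sub>p,'\<beta>) packet set" where
+"src2poolPort_Protocol t = (\<lambda> p. ({(i,(s1,s2,s3),(d1,d2,d3), da).
+(i = id p \<and> s1 \<in> t \<and> s2 = (fst (snd (src p))) \<and> s3 = snd (snd (src p)) \<and>
+(d1,d2,d3) = dest p \<and> da = content p)}))"
+definition srcNat2pool_IntPort :: "address set \<Rightarrow> address set \<Rightarrow>
+(adr\<^sub>i\<^sub>p,'\<beta>) packet \<mapsto> (adr\<^sub>i\<^sub>p,'\<beta>) packet set" where
+"srcNat2pool_IntPort srcs transl =
+{x. fst (src x) \<in> srcs} \<triangleleft> (A\<^sub>f (src2poolPort transl))"
+definition srcNat2pool_IntProtocolPort :: "int set \<Rightarrow> int set \<Rightarrow>
+(adr\<^sub>i\<^sub>p\<^sub>p,'\<beta>) packet \<mapsto> (adr\<^sub>i\<^sub>p\<^sub>p,'\<beta>) packet set" where
+"srcNat2pool_IntProtocolPort srcs transl =
+{x. (fst ( (src x))) \<in> srcs} \<triangleleft> (A\<^sub>f (src2poolPort_Protocol transl))"
+definition srcPat2poolPort_t :: "int set \<Rightarrow> (adr\<^sub>i\<^sub>p,'\<beta>) packet \<Rightarrow> (adr\<^sub>i\<^sub>p,'\<beta>) packet set" where
+"srcPat2poolPort_t t = (\<lambda> p. ({(i,(s1,s2),(d1,d2),da).
+(i = id p \<and> s1 \<in> t \<and> d1 = (fst (dest p)) \<and> d2 = snd (dest p)\<and> da = content p)}))"
+definition srcPat2poolPort_Protocol_t :: "int set \<Rightarrow> (adr\<^sub>i\<^sub>p\<^sub>p,'\<beta>) packet \<Rightarrow> (adr\<^sub>i\<^sub>p\<^sub>p,'\<beta>) packet set" where
+"srcPat2poolPort_Protocol_t t = (\<lambda> p. ({(i,(s1,s2,s3),(d1,d2,d3),da).
+(i = id p \<and> s1 \<in> t \<and> s3 = src_protocol p \<and> (d1,d2,d3) = dest p \<and> da = content p)}))"
+definition srcPat2pool_IntPort :: "int set \<Rightarrow> int set \<Rightarrow> (adr\<^sub>i\<^sub>p,'\<beta>) packet \<mapsto>
+(adr\<^sub>i\<^sub>p,'\<beta>) packet set" where
+"srcPat2pool_IntPort srcs transl =
+{x. (fst (src x)) \<in> srcs} \<triangleleft> (A\<^sub>f (srcPat2poolPort_t transl))"
+definition srcPat2pool_IntProtocol ::
+"int set \<Rightarrow> int set \<Rightarrow> (adr\<^sub>i\<^sub>p\<^sub>p,'\<beta>) packet \<mapsto> (adr\<^sub>i\<^sub>p\<^sub>p,'\<beta>) packet set" where
+"srcPat2pool_IntProtocol srcs transl =
+{x. (fst (src x)) \<in> srcs} \<triangleleft> (A\<^sub>f (srcPat2poolPort_Protocol_t transl))"
+text{*
+The following lemmas are used for achieving a normalized output format of packages after
+applying NAT. This is used, e.g., by our firewall execution tool.
+*}
+lemma datasimp: "{(i, (s1, s2, s3), aba).
+\<forall>a aa b ba. aba = ((a, aa, b), ba) \<longrightarrow> i = i1 \<and> s1 = i101 \<and>
+s3 = iudp \<and> a = i110 \<and> aa = X606X3 \<and> b = X607X4 \<and> ba = data}
+= {(i, (s1, s2, s3), aba).
+i = i1 \<and> s1 = i101 \<and> s3 = iudp \<and> (\<lambda> ((a,aa,b),ba). a = i110 \<and> aa = X606X3 \<and>
+b = X607X4 \<and> ba = data) aba}"
+by auto
+lemma datasimp2: "{(i, (s1, s2, s3), aba).
+\<forall>a aa b ba. aba = ((a, aa, b), ba) \<longrightarrow> i = i1 \<and> s1 = i132 \<and> s3 = iudp \<and>
+s2 = i1 \<and> a = i110 \<and> aa = i4 \<and> b = iudp \<and> ba = data}
+= {(i, (s1, s2, s3), aba).
+i = i1 \<and> s1 = i132 \<and> s3 = iudp \<and> s2 = i1 \<and> (\<lambda> ((a,aa,b),ba). a = i110 \<and>
+aa = i4 \<and> b = iudp \<and> ba = data) aba}"
+by auto
+lemma datasimp3: "{(i, (s1, s2, s3), aba).
+\<forall> a aa b ba. aba = ((a, aa, b), ba) \<longrightarrow> i = i1 \<and> i115 < s1 \<and> s1 < i124 \<and>
+s3 = iudp \<and> s2 = ii1 \<and> a = i110 \<and> aa = i3 \<and> b = itcp \<and> ba = data}
+= {(i, (s1, s2, s3), aba).
+i = i1 \<and> i115 < s1 \<and> s1 < i124 \<and> s3 = iudp \<and> s2 = ii1 \<and>
+(\<lambda> ((a,aa,b),ba). a = i110 & aa = i3 & b = itcp & ba = data) aba}"
+by auto
+lemma datasimp4: "{(i, (s1, s2, s3), aba).
+\<forall>a aa b ba. aba = ((a, aa, b), ba) \<longrightarrow> i = i1 \<and> s1 = i132 \<and> s3 = iudp \<and>
+s2 = ii1 \<and> a = i110 \<and> aa = i7 \<and> b = itcp \<and> ba = data}
+= {(i, (s1, s2, s3), aba).
+i = i1 \<and> s1 = i132 \<and> s3 = iudp \<and> s2 = ii1 \<and>
+(\<lambda> ((a,aa,b),ba). a = i110 \<and> aa = i7 \<and> b = itcp \<and> ba = data) aba}"
+by auto
+lemma datasimp5: " {(i, (s1, s2, s3), aba).
+i = i1 \<and> s1 = i101 \<and> s3 = iudp \<and> (\<lambda> ((a,aa,b),ba). a = i110 \<and> aa = X606X3 \<and>
+b = X607X4 \<and> ba = data) aba}
+= {(i, (s1, s2, s3), (a,aa,b),ba).
+i = i1 \<and> s1 = i101 \<and> s3 = iudp \<and> a = i110 \<and> aa = X606X3 \<and>
+b = X607X4 \<and> ba = data}"
+by auto
+lemma datasimp6: "{(i, (s1, s2, s3), aba).
+i = i1 \<and> s1 = i132 \<and> s3 = iudp \<and> s2 = i1 \<and>
+(\<lambda> ((a,aa,b),ba). a = i110 \<and> aa = i4 \<and> b = iudp \<and> ba = data) aba}
+= {(i, (s1, s2, s3), (a,aa,b),ba).
+i = i1 \<and> s1 = i132 \<and> s3 = iudp \<and> s2 = i1 \<and> a = i110 \<and>
+aa = i4 \<and> b = iudp \<and> ba = data}"
+by auto
+lemma datasimp7: "{(i, (s1, s2, s3), aba).
+i = i1 \<and> i115 < s1 \<and> s1 < i124 \<and> s3 = iudp \<and> s2 = ii1 \<and>
+(\<lambda> ((a,aa,b),ba). a = i110 \<and> aa = i3 \<and> b = itcp \<and> ba = data) aba}
+= {(i, (s1, s2, s3), (a,aa,b),ba).
+i = i1 \<and> i115 < s1 \<and> s1 < i124 \<and> s3 = iudp \<and> s2 = ii1
+\<and> a = i110 \<and> aa = i3 \<and> b = itcp \<and> ba = data}"
+by auto
+lemma datasimp8: "{(i, (s1, s2, s3), aba). i = i1 \<and> s1 = i132 \<and> s3 = iudp \<and> s2 = ii1 \<and>
+(\<lambda> ((a,aa,b),ba). a = i110 \<and> aa = i7 \<and> b = itcp \<and> ba = data) aba}
+= {(i, (s1, s2, s3), (a,aa,b),ba). i = i1 \<and> s1 = i132 \<and> s3 = iudp
+\<and> s2 = ii1 \<and> a = i110 \<and> aa = i7 \<and> b = itcp \<and> ba = data}"
+by auto
+lemmas datasimps = datasimp datasimp2 datasimp3 datasimp4
+datasimp5 datasimp6 datasimp7 datasimp8
+lemmas NATLemmas = src2pool_def src2poolPort_def
+src2poolPort_Protocol_def src2poolAP_def srcNat2pool_def
+srcNat2pool_IntProtocolPort_def srcNat2pool_IntPort_def
+srcPat2poolPort_t_def srcPat2poolPort_Protocol_t_def
+srcPat2pool_IntPort_def srcPat2pool_IntProtocol_def
+end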
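Review bot: `srcPat2poolPort_t` and `srcPat2poolPort_Protocol_t` leave the translated source port (`s2`) completely unconstrained, whereas the `src2poolPort*` variants pin it to `snd (src p)`, so the `srcPat2pool_*` rules map one packet to a set containing every possible source port; if that is the intended port-address-translation semantics, the definitions need a `text` block saying so, because a reader comparing the two families will otherwise take it for an omitted conjunct. The same applies to an empty translation pool: with `transl = {}` every `src2pool*` function returns `{}`, so the rule accepts the packet under `A\<^sub>f` yet emits nothing — presumably a drop, but whether callers must require `transl \<noteq> {}` should be stated. `srcNat2pool_IntPort` is typed over `address set` while its sibling `srcNat2pool_IntProtocolPort` uses `int set`; unless `address` is deliberately distinct, using one spelling in both signatures avoids a spurious type mismatch. None of the eleven definitions carries a comment; a one-line `text{* ... *}` before `src2pool` explaining that the `A\<^sub>f`-lifted functions return the set of admissible rewritten packets and that `\<triangleleft>` restricts the rule to packets whose source lies in `srcs` would make the subsection self-contained.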


@ -0,0 +1,62 @@
(*****************************************************************************
* Copyright (c) 2005-2010 ETH Zurich, Switzerland
* 2008-2015 Achim D. Brucker, Germany
* 2009-2016 Université Paris-Sud, France
* 2015-2016 The University of Sheffield, UK
*
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions are
* met:
*
* * Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
*
* * Redistributions in binary form must reproduce the above
* copyright notice, this list of conditions and the following
* disclaimer in the documentation and/or other materials provided
* with the distribution.
*
* * Neither the name of the copyright holders nor the names of its
* contributors may be used to endorse or promote products derived
* from this software without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
* A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
* OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
* LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*****************************************************************************)
subsection {* Datatype Addresses *}
theory
DatatypeAddress
imports
NetworkCore
begin
text{*
A theory describing a network consisting of three subnetworks. Hosts within a network are not
distinguished.
*}
datatype DatatypeAddress = dmz_adr | intranet_adr | internet_adr
definition
dmz::"DatatypeAddress net" where
"dmz = {{dmz_adr}}"
definition
intranet::"DatatypeAddress net" where
"intranet = {{intranet_adr}}"
definition
internet::"DatatypeAddress net" where
"internet = {{internet_adr}}"
end
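Review bot: `DatatypeAddress` is never declared an instance of class `adr` in this theory, so packets with these addresses cannot use the projectors from NetworkCore that are typed `('\<alpha>::adr,'\<beta>) packet` (`src`, `dest`, `id`, `content`); the sibling theory DatatypePort adds `instance DatatypeAddress :: adr ..` for its own copy of the datatype, but nothing does so here. Unless the arity is intended to come from somewhere else, add `instance DatatypeAddress :: adr ..` directly after the `datatype` line. The three `net` definitions themselves do not need it, since `net` is only a set of sets, which is presumably why the omission goes unnoticed within this file.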

@ -0,0 +1,93 @@
(*****************************************************************************
* Copyright (c) 2005-2010 ETH Zurich, Switzerland
* 2008-2015 Achim D. Brucker, Germany
* 2009-2016 Université Paris-Sud, France
* 2015-2016 The University of Sheffield, UK
*
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions are
* met:
*
* * Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
*
* * Redistributions in binary form must reproduce the above
* copyright notice, this list of conditions and the following
* disclaimer in the documentation and/or other materials provided
* with the distribution.
*
* * Neither the name of the copyright holders nor the names of its
* contributors may be used to endorse or promote products derived
* from this software without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
* A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
* OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
* LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*****************************************************************************)
subsection {* Datatype Addresses with Ports *}
theory DatatypePort
imports NetworkCore
begin
text{*
A theory describing a network consisting of three subnetworks, including port numbers modelled
as Integers. Hosts within a network are not distinguished.
*}
datatype DatatypeAddress = dmz_adr | intranet_adr | internet_adr
type_synonym
port = int
type_synonym
DatatypePort = "(DatatypeAddress \<times> port)"
instance DatatypeAddress :: adr ..
definition
dmz::"DatatypePort net" where
"dmz = {{(a,b). a = dmz_adr}}"
definition
intranet::"DatatypePort net" where
"intranet = {{(a,b). a = intranet_adr}}"
definition
internet::"DatatypePort net" where
"internet = {{(a,b). a = internet_adr}}"
overloading src_port_datatype \<equiv> "src_port :: ('\<alpha>::adr,'\<beta>) packet \<Rightarrow> '\<gamma>::port"
begin
definition
"src_port_datatype (x::(DatatypePort,'\<beta>) packet) \<equiv> (snd o fst o snd) x"
end
overloading dest_port_datatype \<equiv> "dest_port :: ('\<alpha>::adr,'\<beta>) packet \<Rightarrow> '\<gamma>::port"
begin
definition
"dest_port_datatype (x::(DatatypePort,'\<beta>) packet) \<equiv>(snd o fst o snd o snd) x"
end
overloading subnet_of_datatype \<equiv> "subnet_of :: '\<alpha>::adr \<Rightarrow> '\<alpha> net"
begin
definition
"subnet_of_datatype (x::DatatypePort) \<equiv> {{(a,b::int). a = fst x}}"
end
lemma src_port : "src_port ((a,x,d,e)::(DatatypePort,'\<beta>) packet) = snd x"
by (simp add: src_port_datatype_def in_subnet)
lemma dest_port : "dest_port ((a,d,x,e)::(DatatypePort,'\<beta>) packet) = snd x"
by (simp add: dest_port_datatype_def in_subnet)
lemmas DatatypePortLemmas = src_port dest_port src_port_datatype_def dest_port_datatype_def
end
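Review bot: `datatype DatatypeAddress = dmz_adr | intranet_adr | internet_adr` at the top of this theory re-declares the type that DatatypeAddress.thy already introduces, and `dmz`/`intranet`/`internet` are re-declared as well, so the two theories define distinct types and constants under identical short names. NetworkModels imports both (see its `imports` list), and there an unqualified `DatatypeAddress` or `dmz` refers to two different entities; I would expect Isabelle to flag such input as ambiguous, so either qualify the names wherever both theories are in scope, or import DatatypeAddress here and give the port-carrying networks distinct names (e.g. `dmz_port`) instead of redeclaring the datatype. At minimum the `text` block should say that this is an independent model rather than a refinement of DatatypeAddress.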

88
PacketFilter/IPv4.thy Normal file
@ -0,0 +1,88 @@
(*****************************************************************************
* Copyright (c) 2005-2010 ETH Zurich, Switzerland
* 2008-2015 Achim D. Brucker, Germany
* 2009-2016 Université Paris-Sud, France
* 2015-2016 The University of Sheffield, UK
*
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions are
* met:
*
* * Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
*
* * Redistributions in binary form must reproduce the above
* copyright notice, this list of conditions and the following
* disclaimer in the documentation and/or other materials provided
* with the distribution.
*
* * Neither the name of the copyright holders nor the names of its
* contributors may be used to endorse or promote products derived
* from this software without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
* A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
* OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
* LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*****************************************************************************)
subsection {* Formalizing IPv4 Addresses *}
theory
IPv4
imports
NetworkCore
begin
text{*
A theory describing IPv4 addresses with ports. The host address is a four-tuple of Integers,
the port number is a single Integer.
*}
type_synonym
ipv4_ip = "(int \<times> int \<times> int \<times> int)"
type_synonym
port = "int"
type_synonym
ipv4 = "(ipv4_ip \<times> port)"
overloading src_port_ipv4 \<equiv> "src_port :: ('\<alpha>::adr,'\<beta>) packet \<Rightarrow> '\<gamma>::port"
begin
definition
"src_port_ipv4 (x::(ipv4,'\<beta>) packet) \<equiv> (snd o fst o snd) x"
end
overloading dest_port_ipv4 \<equiv> "dest_port :: ('\<alpha>::adr,'\<beta>) packet \<Rightarrow> '\<gamma>::port"
begin
definition
"dest_port_ipv4 (x::(ipv4,'\<beta>) packet) \<equiv> (snd o fst o snd o snd) x"
end
overloading subnet_of_ipv4 \<equiv> "subnet_of :: '\<alpha>::adr \<Rightarrow> '\<alpha> net"
begin
definition
"subnet_of_ipv4 (x::ipv4) \<equiv> {{(a,b::int). a = fst x}}"
end
definition subnet_of_ip :: "ipv4_ip \<Rightarrow> ipv4 net"
where "subnet_of_ip ip = {{(a,b). (a = ip)}}"
lemma src_port: "src_port (a,(x::ipv4),d,e) = snd x"
by (simp add: src_port_ipv4_def in_subnet)
lemma dest_port: "dest_port (a,d,(x::ipv4),e) = snd x"
by (simp add: dest_port_ipv4_def in_subnet)
lemmas IPv4Lemmas = src_port dest_port src_port_ipv4_def dest_port_ipv4_def
end
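Review bot: `IPv4Lemmas` on the last line collects the port projections but leaves out `subnet_of_ipv4_def` and `subnet_of_ip_def`, whereas `Ipv4_TCPUDPLemmas` in IPv4_TCPUDP does include its `subnet_of_ipv4_TCPUDP_def`; the same omission is in `DatatypePortLemmas` (DatatypePort) and `adr\<^sub>i\<^sub>pLemmas` (IntegerPort). If these collections are meant to unfold a whole address model uniformly, extend this one to `lemmas IPv4Lemmas = src_port dest_port src_port_ipv4_def dest_port_ipv4_def subnet_of_ipv4_def subnet_of_ip_def` and the other two alike. `subnet_of_ip` also has no `text` explaining it; `text{* The network consisting of host @{term ip} on every port. *}` before its definition would do.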

@ -0,0 +1,83 @@
(*****************************************************************************
* Copyright (c) 2005-2010 ETH Zurich, Switzerland
* 2008-2015 Achim D. Brucker, Germany
* 2009-2016 Université Paris-Sud, France
* 2015-2016 The University of Sheffield, UK
*
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions are
* met:
*
* * Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
*
* * Redistributions in binary form must reproduce the above
* copyright notice, this list of conditions and the following
* disclaimer in the documentation and/or other materials provided
* with the distribution.
*
* * Neither the name of the copyright holders nor the names of its
* contributors may be used to endorse or promote products derived
* from this software without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
* A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
* OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
* LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*****************************************************************************)
subsection {* IPv4 with Ports and Protocols *}
theory IPv4_TCPUDP
imports IPv4
begin
type_synonym
ipv4_TCPUDP = "(ipv4_ip \<times> port \<times> protocol)"
instance protocol :: adr ..
overloading src_port_ipv4_TCPUDP \<equiv> "src_port :: ('\<alpha>::adr,'\<beta>) packet \<Rightarrow> '\<gamma>::port"
begin
definition
"src_port_ipv4_TCPUDP (x::(ipv4_TCPUDP,'\<beta>) packet) \<equiv> (fst o snd o fst o snd) x"
end
overloading dest_port_ipv4_TCPUDP \<equiv> "dest_port :: ('\<alpha>::adr,'\<beta>) packet \<Rightarrow> '\<gamma>::port"
begin
definition
"dest_port_ipv4_TCPUDP (x::(ipv4_TCPUDP,'\<beta>) packet) \<equiv> (fst o snd o fst o snd o snd) x"
end
overloading subnet_of_ipv4_TCPUDP \<equiv> "subnet_of :: '\<alpha>::adr \<Rightarrow> '\<alpha> net"
begin
definition
"subnet_of_ipv4_TCPUDP (x::ipv4_TCPUDP) \<equiv> {{(a,b). a = fst x}}::(ipv4_TCPUDP net)"
end
overloading dest_protocol_ipv4_TCPUDP \<equiv> "dest_protocol :: ('\<alpha>::adr,'\<beta>) packet \<Rightarrow> protocol"
begin
definition
"dest_protocol_ipv4_TCPUDP (x::(ipv4_TCPUDP,'\<beta>) packet) \<equiv> (snd o snd o fst o snd o snd) x"
end
definition subnet_of_ip :: "ipv4_ip \<Rightarrow> ipv4_TCPUDP net"
where "subnet_of_ip ip = {{(a,b). (a = ip)}}"
lemma src_port: "src_port (a,(x::ipv4_TCPUDP),d,e) = fst (snd x)"
by (simp add: src_port_ipv4_TCPUDP_def in_subnet)
lemma dest_port: "dest_port (a,d,(x::ipv4_TCPUDP),e) = fst (snd x)"
by (simp add: dest_port_ipv4_TCPUDP_def in_subnet)
lemmas Ipv4_TCPUDPLemmas = src_port dest_port src_port_ipv4_TCPUDP_def dest_port_ipv4_TCPUDP_def
dest_protocol_ipv4_TCPUDP_def subnet_of_ipv4_TCPUDP_def
end
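Review bot: `definition subnet_of_ip :: "ipv4_ip \<Rightarrow> ipv4_TCPUDP net"` re-uses the constant name that the imported theory IPv4 already declares with type `ipv4_ip \<Rightarrow> ipv4 net`, so after this theory an unqualified `subnet_of_ip` depends on name-space resolution rather than on the intended model; a distinct name such as `subnet_of_ip_TCPUDP` (or a remark that the shadowing is deliberate) would be safer. Only `dest_protocol` is overloaded here, while IntegerPort_TCPUDP provides both `src_protocol` and `dest_protocol`; `src_protocol` applied to an `ipv4_TCPUDP` packet therefore stays unspecified, so either add an `overloading src_protocol_ipv4_TCPUDP` block defined as `(snd o snd o fst o snd) x` or document the omission. `instance protocol :: adr ..` is declared both here and in IntegerPort_TCPUDP; declaring it once in NetworkCore next to `datatype protocol` would remove the duplicate.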

@ -0,0 +1,48 @@
(*****************************************************************************
* Copyright (c) 2005-2010 ETH Zurich, Switzerland
* 2008-2015 Achim D. Brucker, Germany
* 2009-2016 Université Paris-Sud, France
* 2015-2016 The University of Sheffield, UK
*
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions are
* met:
*
* * Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
*
* * Redistributions in binary form must reproduce the above
* copyright notice, this list of conditions and the following
* disclaimer in the documentation and/or other materials provided
* with the distribution.
*
* * Neither the name of the copyright holders nor the names of its
* contributors may be used to endorse or promote products derived
* from this software without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
* A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
* OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
* LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*****************************************************************************)
subsection {* Integer Addresses *}
theory IntegerAddress
imports NetworkCore
begin
text{* A theory where addresses are modelled as Integers.*}
type_synonym
adr\<^sub>i = "int"
end

@ -0,0 +1,85 @@
(*****************************************************************************
* Copyright (c) 2005-2010 ETH Zurich, Switzerland
* 2008-2015 Achim D. Brucker, Germany
* 2009-2016 Université Paris-Sud, France
* 2015-2016 The University of Sheffield, UK
*
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions are
* met:
*
* * Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
*
* * Redistributions in binary form must reproduce the above
* copyright notice, this list of conditions and the following
* disclaimer in the documentation and/or other materials provided
* with the distribution.
*
* * Neither the name of the copyright holders nor the names of its
* contributors may be used to endorse or promote products derived
* from this software without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
* A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
* OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
* LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*****************************************************************************)
subsection{* Integer Addresses with Ports *}
theory
IntegerPort
imports
NetworkCore
begin
text{*
A theory describing addresses which are modelled as a pair of Integers - the first being the
host address, the second the port number.
*}
type_synonym
address = int
type_synonym
port = int
type_synonym
adr\<^sub>i\<^sub>p = "address \<times> port"
overloading src_port_int \<equiv> "src_port :: ('\<alpha>::adr,'\<beta>) packet \<Rightarrow> '\<gamma>::port"
begin
definition
"src_port_int (x::(adr\<^sub>i\<^sub>p,'\<beta>) packet) \<equiv> (snd o fst o snd) x"
end
overloading dest_port_int \<equiv> "dest_port :: ('\<alpha>::adr,'\<beta>) packet \<Rightarrow> '\<gamma>::port"
begin
definition
"dest_port_int (x::(adr\<^sub>i\<^sub>p,'\<beta>) packet) \<equiv> (snd o fst o snd o snd) x"
end
overloading subnet_of_int \<equiv> "subnet_of :: '\<alpha>::adr \<Rightarrow> '\<alpha> net"
begin
definition
"subnet_of_int (x::(adr\<^sub>i\<^sub>p)) \<equiv> {{(a,b::int). a = fst x}}"
end
lemma src_port: "src_port (a,x::adr\<^sub>i\<^sub>p,d,e) = snd x"
by (simp add: src_port_int_def in_subnet)
lemma dest_port: "dest_port (a,d,x::adr\<^sub>i\<^sub>p,e) = snd x"
by (simp add: dest_port_int_def in_subnet)
lemmas adr\<^sub>i\<^sub>pLemmas = src_port dest_port src_port_int_def dest_port_int_def
end

@ -0,0 +1,111 @@
(*****************************************************************************
* Copyright (c) 2005-2010 ETH Zurich, Switzerland
* 2008-2015 Achim D. Brucker, Germany
* 2009-2016 Université Paris-Sud, France
* 2015-2016 The University of Sheffield, UK
*
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions are
* met:
*
* * Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
*
* * Redistributions in binary form must reproduce the above
* copyright notice, this list of conditions and the following
* disclaimer in the documentation and/or other materials provided
* with the distribution.
*
* * Neither the name of the copyright holders nor the names of its
* contributors may be used to endorse or promote products derived
* from this software without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
* A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
* OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
* LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*****************************************************************************)
subsection {* Integer Addresses with Ports and Protocols *}
theory
IntegerPort_TCPUDP
imports
NetworkCore
begin
text{* A theory describing addresses which are modelled as a pair of Integers - the first being
the host address, the second the port number.*}
type_synonym
address = int
type_synonym
port = int
type_synonym
adr\<^sub>i\<^sub>p\<^sub>p = "address \<times> port \<times> protocol"
instance protocol :: adr ..
overloading src_port_int_TCPUDP \<equiv> "src_port :: ('\<alpha>::adr,'\<beta>) packet \<Rightarrow> '\<gamma>::port"
begin
definition
"src_port_int_TCPUDP (x::(adr\<^sub>i\<^sub>p\<^sub>p,'\<beta>) packet) \<equiv> (fst o snd o fst o snd) x"
end
overloading dest_port_int_TCPUDP \<equiv> "dest_port :: ('\<alpha>::adr,'\<beta>) packet \<Rightarrow> '\<gamma>::port"
begin
definition
"dest_port_int_TCPUDP (x::(adr\<^sub>i\<^sub>p\<^sub>p,'\<beta>) packet) \<equiv> (fst o snd o fst o snd o snd) x"
end
overloading subnet_of_int_TCPUDP \<equiv> "subnet_of :: '\<alpha>::adr \<Rightarrow> '\<alpha> net"
begin
definition
"subnet_of_int_TCPUDP (x::(adr\<^sub>i\<^sub>p\<^sub>p)) \<equiv> {{(a,b,c). a = fst x}}::adr\<^sub>i\<^sub>p\<^sub>p net"
end
overloading src_protocol_int_TCPUDP \<equiv> "src_protocol :: ('\<alpha>::adr,'\<beta>) packet \<Rightarrow> protocol"
begin
definition
"src_protocol_int_TCPUDP (x::(adr\<^sub>i\<^sub>p\<^sub>p,'\<beta>) packet) \<equiv> (snd o snd o fst o snd) x"
end
overloading dest_protocol_int_TCPUDP \<equiv> "dest_protocol :: ('\<alpha>::adr,'\<beta>) packet \<Rightarrow> protocol"
begin
definition
"dest_protocol_int_TCPUDP (x::(adr\<^sub>i\<^sub>p\<^sub>p,'\<beta>) packet) \<equiv> (snd o snd o fst o snd o snd) x"
end
lemma src_port: "src_port (a,x::adr\<^sub>i\<^sub>p\<^sub>p,d,e) = fst (snd x)"
by (simp add: src_port_int_TCPUDP_def in_subnet)
lemma dest_port: "dest_port (a,d,x::adr\<^sub>i\<^sub>p\<^sub>p,e) = fst (snd x)"
by (simp add: dest_port_int_TCPUDP_def in_subnet)
text {* Common test constraints: *}
definition port_positive :: "(adr\<^sub>i\<^sub>p\<^sub>p,'b) packet \<Rightarrow> bool" where
"port_positive x = (dest_port x > (0::port))"
definition fix_values :: "(adr\<^sub>i\<^sub>p\<^sub>p,DummyContent) packet \<Rightarrow> bool" where
"fix_values x = (src_port x = (1::port) \<and> src_protocol x = udp \<and> content x = data \<and> id x = 1)"
lemmas adr\<^sub>i\<^sub>p\<^sub>pLemmas = src_port dest_port src_port_int_TCPUDP_def dest_port_int_TCPUDP_def
src_protocol_int_TCPUDP_def dest_protocol_int_TCPUDP_def
subnet_of_int_TCPUDP_def
lemmas adr\<^sub>i\<^sub>p\<^sub>pTestConstraints = port_positive_def fix_values_def
end
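Review bot: `port_positive` constrains only `dest_port x`; the source port is not checked, so a packet with a negative source port satisfies it on its own, and that is only harmless when `fix_values`, which pins `src_port x = (1::port)`, is used alongside it. If the two constraints are meant to be combined, the `text` block should say so, e.g. `text {* Common test constraints: port_positive excludes non-positive destination ports; fix_values pins the source port, the source protocol, the content and the id. *}`. The names are exported together via `adr\<^sub>i\<^sub>p\<^sub>pTestConstraints`, which supports that reading but does not state it.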

@ -0,0 +1,182 @@
(*****************************************************************************
* Copyright (c) 2005-2010 ETH Zurich, Switzerland
* 2008-2015 Achim D. Brucker, Germany
* 2009-2016 Université Paris-Sud, France
* 2015-2016 The University of Sheffield, UK
*
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions are
* met:
*
* * Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
*
* * Redistributions in binary form must reproduce the above
* copyright notice, this list of conditions and the following
* disclaimer in the documentation and/or other materials provided
* with the distribution.
*
* * Neither the name of the copyright holders nor the names of its
* contributors may be used to endorse or promote products derived
* from this software without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
* A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
* OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
* LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*****************************************************************************)
subsection{* Packets and Networks *}
theory
NetworkCore
imports
Main
begin
text{*
In networks based e.g. on TCP/IP, a message from A to B is encapsulated in \emph{packets}, which
contain the content of the message and routing information. The routing information mainly
contains its source and its destination address.
In the case of stateless packet filters, a firewall bases its decision upon this routing
information and, in the stateful case, on the content. Thus, we model a packet as a four-tuple of
the mentioned elements, together with an id field.
*}
text{* The ID is an integer: *}
type_synonym id = int
text{*
To enable different representations of addresses (e.g. IPv4 and IPv6, with or without ports),
we model them as an unconstrained type class and directly provide several instances:
*}
class adr
type_synonym '\<alpha> src = "'\<alpha>"
type_synonym '\<alpha> dest = "'\<alpha>"
instance int ::adr ..
instance nat ::adr ..
instance "fun" :: (adr,adr) adr ..
instance prod :: (adr,adr) adr ..
text{*
The content is also specified with an unconstrained generic type:
*}
type_synonym '\<beta> content = "'\<beta>"
text {*
For applications where the concrete representation of the content field does not matter (usually
the case for stateless packet filters), we provide a default type which can be used in those
cases:
*}
datatype DummyContent = data
text{* Finally, a packet is:*}
type_synonym ('\<alpha>,'\<beta>) packet = "id \<times> '\<alpha> src \<times> '\<alpha> dest \<times> '\<beta> content"
text{*
Protocols (e.g. http) are not modelled explicitly. In the case of stateless packet filters, they
are only visible by the destination port of a packet, which are modelled as part of the address.
Additionally, stateful firewalls often determine the protocol by the content of a packet.
*}
definition src :: "('\<alpha>::adr,'\<beta>) packet \<Rightarrow> '\<alpha>"
where "src = fst o snd "
text{*
Port numbers (which are part of an address) are also modelled in a generic way. The integers and
the naturals are typical representations of port numbers.
*}
class port
instance int ::port ..
instance nat :: port ..
instance "fun" :: (port,port) port ..
instance "prod" :: (port,port) port ..
text{*
A packet therefore has two parameters, the first being the address, the second the content. For
the sake of simplicity, we do not allow to have a different address representation format for the
source and the destination of a packet.
To access the different parts of a packet directly, we define a couple of projectors:
*}
definition id :: "('\<alpha>::adr,'\<beta>) packet \<Rightarrow> id"
where "id = fst"
definition dest :: "('\<alpha>::adr,'\<beta>) packet \<Rightarrow> '\<alpha> dest"
where "dest = fst o snd o snd"
definition content :: "('\<alpha>::adr,'\<beta>) packet \<Rightarrow> '\<beta> content"
where "content = snd o snd o snd"
datatype protocol = tcp | udp
lemma either: "\<lbrakk>a \<noteq> tcp;a \<noteq> udp\<rbrakk> \<Longrightarrow> False"
by (case_tac a,simp_all)
lemma either2[simp]: "(a \<noteq> tcp) = (a = udp)"
by (case_tac a,simp_all)
lemma either3[simp]: "(a \<noteq> udp) = (a = tcp)"
by (case_tac a,simp_all)
text{*
The following two constants give the source and destination port number of a packet. Address
representations using port numbers need to provide a definition for these types.
*}
consts src_port :: "('\<alpha>::adr,'\<beta>) packet \<Rightarrow> '\<gamma>::port"
consts dest_port :: "('\<alpha>::adr,'\<beta>) packet \<Rightarrow> '\<gamma>::port"
consts src_protocol :: "('\<alpha>::adr,'\<beta>) packet \<Rightarrow> protocol"
consts dest_protocol :: "('\<alpha>::adr,'\<beta>) packet \<Rightarrow> protocol"
text{* A subnetwork (or simply a network) is a set of sets of addresses.*}
type_synonym '\<alpha> net = "'\<alpha> set set"
text{* The relation {in\_subnet} (@{text "\<sqsubset>"}) checks if an address is in a specific network. *}
definition
in_subnet :: "'\<alpha>::adr \<Rightarrow> '\<alpha> net \<Rightarrow> bool" (infixl "\<sqsubset>" 100) where
"in_subnet a S = (\<exists> s \<in> S. a \<in> s)"
text{* The following lemmas will be useful later. *}
lemma in_subnet:
"(a, e) \<sqsubset> {{(x1,y). P x1 y}} = P a e"
by (simp add: in_subnet_def)
lemma src_in_subnet:
"src(q,(a,e),r,t) \<sqsubset> {{(x1,y). P x1 y}} = P a e"
by (simp add: in_subnet_def in_subnet src_def)
lemma dest_in_subnet:
"dest (q,r,((a),e),t) \<sqsubset> {{(x1,y). P x1 y}} = P a e"
by (simp add: in_subnet_def in_subnet dest_def)
text{*
Address models should provide a definition for the following constant, returning a network
consisting of the input address only.
*}
consts subnet_of :: "'\<alpha>::adr \<Rightarrow> '\<alpha> net"
lemmas packet_defs = in_subnet_def id_def content_def src_def dest_def
end
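Review bot: `definition id :: "('\<alpha>::adr,'\<beta>) packet \<Rightarrow> id" where "id = fst"` introduces a constant whose short name coincides with HOL's identity function (`Fun.id`); from here on an unqualified `id` in importing theories presumably resolves to this projector, so the identity function has to be written `Fun.id`, and a reader of `id x = 1` in IntegerPort_TCPUDP cannot tell which is meant without checking. If the name is kept, a remark such as `text{* Note: @{text id} shadows the identity function of HOL, which must be referred to as @{text Fun.id} in theories importing this one. *}` next to the definition would prevent surprises. The `text` before `consts src_port` says address models using ports need to provide a definition for those two constants, but `src_protocol` and `dest_protocol` are declared right after it without any such statement; extending that sentence to name all four would document what IPv4_TCPUDP and IntegerPort_TCPUDP are expected to supply.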

@ -0,0 +1,79 @@
(*****************************************************************************
* Copyright (c) 2005-2010 ETH Zurich, Switzerland
* 2008-2015 Achim D. Brucker, Germany
* 2009-2016 Université Paris-Sud, France
* 2015-2016 The University of Sheffield, UK
*
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions are
* met:
*
* * Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
*
* * Redistributions in binary form must reproduce the above
* copyright notice, this list of conditions and the following
* disclaimer in the documentation and/or other materials provided
* with the distribution.
*
* * Neither the name of the copyright holders nor the names of its
* contributors may be used to endorse or promote products derived
* from this software without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
* A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
* OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
* LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*****************************************************************************)
section{* Network Models *}
theory
NetworkModels
imports
DatatypeAddress
DatatypePort
IntegerAddress
IntegerPort
IntegerPort_TCPUDP
IPv4
IPv4_TCPUDP
begin
text{*
One can think of many different possible address representations. In this distribution, we include
seven different variants:
\begin{itemize}
\item DatatypeAddress: Three explicitly named addresses, which build up a network consisting of
three disjunct subnetworks. I.e. there are no overlaps and there is no way to distinguish
between individual hosts within a network.
\item DatatypePort: An address is a pair, with the first element being the same as above, and
the second being a port number modelled as an Integer\footnote{For technical reasons,
we always use Integers instead of Naturals. As a consequence, the (test) specifications
have to be adjusted to eliminate negative numbers.}.
\item adr\_i: An address in an Integer.
\item adr\_ip: An address is a pair of an Integer and a port (which is again an Integer).
\item adr\_ipp: An address is a triple consisting of two Integers modelling the IP address and
the port number, and the specification of the network protocol
\item IPv4: An address is a pair. The first element is a four-tuple of Integers, modelling an
IPv4 address, the second element is an Integer denoting the port number.
\item IPv4\_TCPUDP: The same as above, but including additionally the specification of the
network protocol.
\end{itemize}
The theories of each pf the networks are relatively small. It suffices to provide the required
types, a couple of lemmas, and - if required - a definition for the source and destination ports
of a packet.
*}
end
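Review bot: The closing `text` block has three typos that will end up in the generated document: `each pf the networks` should read `each of the networks`, `An address in an Integer` should read `An address is an Integer`, and `three disjunct subnetworks` should read `three disjoint subnetworks`. The theory is otherwise only an import hub, and the seven variants listed do match the seven imported theories.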

@ -0,0 +1,45 @@
(*****************************************************************************
* Copyright (c) 2005-2010 ETH Zurich, Switzerland
* 2008-2015 Achim D. Brucker, Germany
* 2009-2016 Université Paris-Sud, France
* 2015-2016 The University of Sheffield, UK
*
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions are
* met:
*
* * Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
*
* * Redistributions in binary form must reproduce the above
* copyright notice, this list of conditions and the following
* disclaimer in the documentation and/or other materials provided
* with the distribution.
*
* * Neither the name of the copyright holders nor the names of its
* contributors may be used to endorse or promote products derived
* from this software without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
* A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
* OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
* LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*****************************************************************************)
subsection {* Network Policies: Packet Filter *}
theory
PacketFilter
imports
NetworkModels
ProtocolPortCombinators
Ports
begin
end


@ -0,0 +1,86 @@
(*****************************************************************************
* Copyright (c) 2005-2010 ETH Zurich, Switzerland
* 2008-2015 Achim D. Brucker, Germany
* 2009-2016 Université Paris-Sud, France
* 2015-2016 The University of Sheffield, UK
*
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions are
* met:
*
* * Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
*
* * Redistributions in binary form must reproduce the above
* copyright notice, this list of conditions and the following
* disclaimer in the documentation and/or other materials provided
* with the distribution.
*
* * Neither the name of the copyright holders nor the names of its
* contributors may be used to endorse or promote products derived
* from this software without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
* A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
* OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
* LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*****************************************************************************)
subsection {* Policy Combinators *}
theory PolicyCombinators
imports
PolicyCore
begin
text{* In order to ease the specification of a concrete policy, we
define some combinators. Using these combinators, the specification
of a policy gets very easy, and can be done similarly as in tools
like IPTables. *}
definition
allow_all_from :: "'\<alpha>::adr net \<Rightarrow> (('\<alpha>,'\<beta>) packet \<mapsto> unit)" where
"allow_all_from src_net = {pa. src pa \<sqsubset> src_net} \<triangleleft> A\<^sub>U "
definition
deny_all_from :: "'\<alpha>::adr net \<Rightarrow> (('\<alpha>,'\<beta>) packet \<mapsto> unit)" where
"deny_all_from src_net = {pa. src pa \<sqsubset> src_net} \<triangleleft>D\<^sub>U "
definition
allow_all_to :: "'\<alpha>::adr net \<Rightarrow> (('\<alpha>,'\<beta>) packet \<mapsto> unit)" where
"allow_all_to dest_net = {pa. dest pa \<sqsubset> dest_net} \<triangleleft> A\<^sub>U"
definition
deny_all_to :: "'\<alpha>::adr net \<Rightarrow> (('\<alpha>,'\<beta>) packet \<mapsto> unit)" where
"deny_all_to dest_net = {pa. dest pa \<sqsubset> dest_net} \<triangleleft>D\<^sub>U "
definition
allow_all_from_to :: "'\<alpha>::adr net \<Rightarrow> '\<alpha>::adr net \<Rightarrow> (('\<alpha>,'\<beta>) packet \<mapsto> unit)" where
"allow_all_from_to src_net dest_net =
{pa. src pa \<sqsubset> src_net \<and> dest pa \<sqsubset> dest_net} \<triangleleft> A\<^sub>U "
definition
deny_all_from_to :: "'\<alpha>::adr net \<Rightarrow> '\<alpha>::adr net \<Rightarrow> (('\<alpha>,'\<beta>) packet \<mapsto> unit)" where
"deny_all_from_to src_net dest_net =
{pa. src pa \<sqsubset> src_net \<and> dest pa \<sqsubset> dest_net} \<triangleleft> D\<^sub>U"
text{* All these combinators and the default rules are put into one
single lemma called @{text PolicyCombinators} to faciliate proving
over policies. *}
lemmas PolicyCombinators = allow_all_from_def deny_all_from_def
allow_all_to_def deny_all_to_def allow_all_from_to_def
deny_all_from_to_def UPFDefs
end
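Review bot: The combinators from `allow_all_from` to `deny_all_from_to` (lines 3010–3029) are each defined only on their domain restriction `{pa. …} \<triangleleft> …`; if I read UPF's `\<triangleleft>` correctly, a packet outside that set gets no decision from the rule rather than a deny, and simply falls through to the next rule when policies are composed with `++`. The text at line 3006 compares the result to IPTables, which invites readers to assume an implicit final deny; I would add there: `Each combinator is undefined outside its restricted set, so a policy built from them must end with an explicit default rule (for instance D\<^sub>U) to give every packet a decision.` `A\<^sub>U`, `D\<^sub>U` and `\<triangleleft>` come from UPF and are not introduced anywhere in this theory; a one-line reference in the same text would help readers of the generated document. The closing text also has a typo: "faciliate" should read "facilitate".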


@ -0,0 +1,70 @@
(*****************************************************************************
* Copyright (c) 2005-2010 ETH Zurich, Switzerland
* 2008-2015 Achim D. Brucker, Germany
* 2009-2016 Université Paris-Sud, France
* 2015-2016 The University of Sheffield, UK
*
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions are
* met:
*
* * Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
*
* * Redistributions in binary form must reproduce the above
* copyright notice, this list of conditions and the following
* disclaimer in the documentation and/or other materials provided
* with the distribution.
*
* * Neither the name of the copyright holders nor the names of its
* contributors may be used to endorse or promote products derived
* from this software without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
* A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
* OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
* LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*****************************************************************************)
subsection {* Policy Core *}
theory
PolicyCore
imports NetworkCore
"$AFP/UPF/UPF"
begin
text{* A policy is seen as a partial mapping from packet to packet out. *}
type_synonym ('\<alpha>, '\<beta>) FWPolicy = "('\<alpha>, '\<beta>) packet \<mapsto> unit"
text{*
When combining several rules, the firewall is supposed to apply the
first matching one. In our setting this means the first rule which
maps the packet in question to @{text "Some (packet out)"}. This is
exactly what happens when using the map-add operator (@{text "rule1
++ rule2"}). The only difference is that the rules must be given in
reverse order.
*}
text{*
The constant @{text p_accept} is @{text "True"} iff the policy
accepts the packet.
*}
definition
p_accept :: "('\<alpha>, '\<beta>) packet \<Rightarrow> ('\<alpha>, '\<beta>) FWPolicy \<Rightarrow> bool" where
"p_accept p pol = (pol p = \<lfloor>allow ()\<rfloor>)"
end
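Review bot: The text at line 3083 calls a policy "a partial mapping from packet to packet out", but `FWPolicy` at line 3084 is `('\<alpha>, '\<beta>) packet \<mapsto> unit`: the decision carries no output packet, only allow or deny. I would reword it to `A policy is a partial mapping from packets to the decision allow or deny; the decision carries no data, hence the result type unit.` The remark that rules combined with `++` must be given in reverse order (lines 3089–3091) is the kind of detail that causes real policy mistakes, since a deny written first in textual order is consulted last; I would restate it next to `p_accept`, e.g. `(* for pol = r1 ++ r2, r2 is consulted first: the rightmost matching rule decides *)`. `p_accept` treats every result other than `\<lfloor>allow ()\<rfloor>`, including an undefined one, as not accepted, which is the safe default; a sentence in the text at line 3093 saying that an undefined result counts as rejection would make that explicit.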


@ -0,0 +1,183 @@
(*****************************************************************************
* Copyright (c) 2005-2010 ETH Zurich, Switzerland
* 2008-2015 Achim D. Brucker, Germany
* 2009-2016 Université Paris-Sud, France
* 2015-2016 The University of Sheffield, UK
*
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions are
* met:
*
* * Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
*
* * Redistributions in binary form must reproduce the above
* copyright notice, this list of conditions and the following
* disclaimer in the documentation and/or other materials provided
* with the distribution.
*
* * Neither the name of the copyright holders nor the names of its
* contributors may be used to endorse or promote products derived
* from this software without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
* A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
* OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
* LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*****************************************************************************)
subsection {* Policy Combinators with Ports *}
theory PortCombinators
imports PolicyCombinators
begin
text{*
This theory defines policy combinators for those network models which
have ports. They are provided in addition to the the ones defined in the
PolicyCombinators theory.
This theory requires from the network models a definition for the two following constants:
\begin{itemize}
\item $src\_port :: ('\alpha,'\beta) packet \Rightarrow ('\gamma::port)$
\item $dest\_port :: ('\alpha,'\beta) packet \Rightarrow ('\gamma::port)$
\end{itemize}
*}
definition
allow_all_from_port :: "'\<alpha>::adr net \<Rightarrow> ('\<gamma>::port) \<Rightarrow> (('\<alpha>,'\<beta>) packet \<mapsto> unit)" where
"allow_all_from_port src_net s_port =
{pa. src_port pa = s_port} \<triangleleft> allow_all_from src_net"
definition
deny_all_from_port :: "'\<alpha>::adr net \<Rightarrow> '\<gamma>::port \<Rightarrow> (('\<alpha>,'\<beta>) packet \<mapsto> unit)" where
"deny_all_from_port src_net s_port =
{pa. src_port pa = s_port} \<triangleleft> deny_all_from src_net "
definition
allow_all_to_port :: "'\<alpha>::adr net \<Rightarrow> '\<gamma>::port \<Rightarrow> (('\<alpha>,'\<beta>) packet \<mapsto> unit)" where
"allow_all_to_port dest_net d_port =
{pa. dest_port pa = d_port} \<triangleleft> allow_all_to dest_net"
definition
deny_all_to_port :: "'\<alpha>::adr net \<Rightarrow> '\<gamma>::port \<Rightarrow> (('\<alpha>,'\<beta>) packet \<mapsto> unit)" where
"deny_all_to_port dest_net d_port =
{pa. dest_port pa = d_port} \<triangleleft> deny_all_to dest_net"
definition
allow_all_from_port_to:: "'\<alpha>::adr net \<Rightarrow> '\<gamma>::port \<Rightarrow> '\<alpha>::adr net \<Rightarrow> (('\<alpha>,'\<beta>) packet \<mapsto> unit)"
where
"allow_all_from_port_to src_net s_port dest_net
= {pa. src_port pa = s_port} \<triangleleft> allow_all_from_to src_net dest_net"
definition
deny_all_from_port_to::"'\<alpha>::adr net \<Rightarrow> '\<gamma>::port \<Rightarrow> '\<alpha>::adr net \<Rightarrow> (('\<alpha>,'\<beta>) packet \<mapsto> unit)"
where
"deny_all_from_port_to src_net s_port dest_net
= {pa. src_port pa = s_port} \<triangleleft> deny_all_from_to src_net dest_net "
definition
allow_all_from_port_to_port::"'\<alpha>::adr net \<Rightarrow> '\<gamma>::port \<Rightarrow> '\<alpha>::adr net \<Rightarrow> '\<gamma>::port \<Rightarrow>
(('\<alpha>,'\<beta>) packet \<mapsto> unit)" where
"allow_all_from_port_to_port src_net s_port dest_net d_port =
{pa. dest_port pa = d_port} \<triangleleft> allow_all_from_port_to src_net s_port dest_net"
definition
deny_all_from_port_to_port :: "'\<alpha>::adr net \<Rightarrow> '\<gamma>::port \<Rightarrow> '\<alpha>::adr net \<Rightarrow>
'\<gamma>::port \<Rightarrow> (('\<alpha>,'\<beta>) packet \<mapsto> unit)" where
"deny_all_from_port_to_port src_net s_port dest_net d_port =
{pa. dest_port pa = d_port} \<triangleleft> deny_all_from_port_to src_net s_port dest_net"
definition
allow_all_from_to_port :: "'\<alpha>::adr net \<Rightarrow> '\<alpha>::adr net \<Rightarrow>
'\<gamma>::port \<Rightarrow> (('\<alpha>,'\<beta>) packet \<mapsto> unit)" where
"allow_all_from_to_port src_net dest_net d_port =
{pa. dest_port pa = d_port} \<triangleleft> allow_all_from_to src_net dest_net"
definition
deny_all_from_to_port :: "'\<alpha>::adr net \<Rightarrow> '\<alpha>::adr net \<Rightarrow> '\<gamma>::port \<Rightarrow>
(('\<alpha>,'\<beta>) packet \<mapsto> unit)" where
"deny_all_from_to_port src_net dest_net d_port = {pa. dest_port pa = d_port} \<triangleleft> deny_all_from_to src_net dest_net"
definition
allow_from_port_to :: "'\<gamma>::port \<Rightarrow> '\<alpha>::adr net \<Rightarrow> '\<alpha>::adr net \<Rightarrow> (('\<alpha>,'\<beta>) packet \<mapsto> unit)"
where
"allow_from_port_to port src_net dest_net =
{pa. src_port pa = port} \<triangleleft> allow_all_from_to src_net dest_net"
definition
deny_from_port_to :: "'\<gamma>::port \<Rightarrow> '\<alpha>::adr net \<Rightarrow> '\<alpha>::adr net \<Rightarrow> (('\<alpha>,'\<beta>) packet \<mapsto> unit)"
where
"deny_from_port_to port src_net dest_net =
{pa. src_port pa = port} \<triangleleft> deny_all_from_to src_net dest_net"
definition
allow_from_to_port :: "'\<gamma>::port \<Rightarrow> '\<alpha>::adr net \<Rightarrow> '\<alpha>::adr net \<Rightarrow> (('\<alpha>,'\<beta>) packet \<mapsto> unit)"
where
"allow_from_to_port port src_net dest_net =
{pa. dest_port pa = port} \<triangleleft> allow_all_from_to src_net dest_net"
definition
deny_from_to_port :: "'\<gamma>::port \<Rightarrow> '\<alpha>::adr net \<Rightarrow> '\<alpha>::adr net \<Rightarrow> (('\<alpha>,'\<beta>) packet \<mapsto> unit)"
where
"deny_from_to_port port src_net dest_net =
{pa. dest_port pa = port} \<triangleleft> deny_all_from_to src_net dest_net"
definition
allow_from_ports_to :: "'\<gamma>::port set \<Rightarrow> '\<alpha>::adr net \<Rightarrow> '\<alpha>::adr net \<Rightarrow>
(('\<alpha>,'\<beta>) packet \<mapsto> unit)" where
"allow_from_ports_to ports src_net dest_net =
{pa. src_port pa \<in> ports} \<triangleleft> allow_all_from_to src_net dest_net"
definition
allow_from_to_ports :: "'\<gamma>::port set \<Rightarrow> '\<alpha>::adr net \<Rightarrow> '\<alpha>::adr net \<Rightarrow>
(('\<alpha>,'\<beta>) packet \<mapsto> unit)" where
"allow_from_to_ports ports src_net dest_net =
{pa. dest_port pa \<in> ports} \<triangleleft> allow_all_from_to src_net dest_net"
definition
deny_from_ports_to :: "'\<gamma>::port set \<Rightarrow> '\<alpha>::adr net \<Rightarrow> '\<alpha>::adr net \<Rightarrow>
(('\<alpha>,'\<beta>) packet \<mapsto> unit)" where
"deny_from_ports_to ports src_net dest_net =
{pa. src_port pa \<in> ports} \<triangleleft> deny_all_from_to src_net dest_net"
definition
deny_from_to_ports :: "'\<gamma>::port set \<Rightarrow> '\<alpha>::adr net \<Rightarrow> '\<alpha>::adr net \<Rightarrow>
(('\<alpha>,'\<beta>) packet \<mapsto> unit)" where
"deny_from_to_ports ports src_net dest_net =
{pa. dest_port pa \<in> ports} \<triangleleft> deny_all_from_to src_net dest_net"
definition
allow_all_from_port_tos:: "'\<alpha>::adr net \<Rightarrow> ('\<gamma>::port) set \<Rightarrow> '\<alpha>::adr net \<Rightarrow> (('\<alpha>,'\<beta>) packet \<mapsto> unit)"
where
"allow_all_from_port_tos src_net s_port dest_net
= {pa. dest_port pa \<in> s_port} \<triangleleft> allow_all_from_to src_net dest_net"
text{*
As before, we put all the rules into one lemma called PortCombinators to ease writing later.
*}
lemmas PortCombinatorsCore =
allow_all_from_port_def deny_all_from_port_def allow_all_to_port_def
deny_all_to_port_def allow_all_from_to_port_def
deny_all_from_to_port_def
allow_from_ports_to_def allow_from_to_ports_def
deny_from_ports_to_def deny_from_to_ports_def
allow_all_from_port_to_def deny_all_from_port_to_def
allow_from_port_to_def allow_from_to_port_def deny_from_to_port_def
deny_from_port_to_def allow_all_from_port_tos_def
lemmas PortCombinators =
PortCombinatorsCore PolicyCombinators
end
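Review bot: `allow_all_from_port_tos` (line 3240) names its second parameter `s_port`, but its body restricts on `dest_port pa \<in> s_port`: the name says source ports while the rule matches destination ports, and the `_from_port_tos` name does not settle which was intended. It is the only combinator in the theory whose name and body disagree, and in a firewall specification a swapped source/destination port silently changes which traffic a rule covers. If the destination reading is intended, rename the parameter so the signature matches the body, `"allow_all_from_port_tos src_net d_ports dest_net = {pa. dest_port pa \<in> d_ports} \<triangleleft> allow_all_from_to src_net dest_net"`; that body is then identical to `allow_from_to_ports d_ports src_net dest_net` (line 3228), so the combinator could be replaced by, or proved equal to, that one. If the source reading was meant, the body should use `src_port` instead. The text at line 3246 says all rules go into one lemma called `PortCombinators`, but the theory defines `PortCombinatorsCore` and then `PortCombinators` (which also bundles `PolicyCombinators`); the sentence should name both.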

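--- a/PacketFilter/Ports.thy
+++ b/PacketFilter/Ports.thy
@@ -0,0 +1,78 @@
+(*****************************************************************************
+* Copyright (c) 2005-2010 ETH Zurich, Switzerland
+* 2008-2015 Achim D. Brucker, Germany
+* 2009-2016 Université Paris-Sud, France
+* 2015-2016 The University of Sheffield, UK
+*
+* All rights reserved.
+*
+* Redistribution and use in source and binary forms, with or without
+* modification, are permitted provided that the following conditions are
+* met:
+*
+* * Redistributions of source code must retain the above copyright
+* notice, this list of conditions and the following disclaimer.
+*
+* * Redistributions in binary form must reproduce the above
+* copyright notice, this list of conditions and the following
+* disclaimer in the documentation and/or other materials provided
+* with the distribution.
+*
+* * Neither the name of the copyright holders nor the names of its
+* contributors may be used to endorse or promote products derived
+* from this software without specific prior written permission.
+*
+* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+* A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+* OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+* LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+*****************************************************************************)
+subsection {* Ports *}
+theory Ports
+imports Main
+begin
+text{*
+This theory can be used if we want to specify the port numbers by names denoting their default
+Integer values. If you want to use them, please add @{text Ports} to the simplifier.
+*}
+definition http::int where "http = 80"
+lemma http1: "x \<noteq> 80 \<Longrightarrow> x \<noteq> http"
+by (simp add: http_def)
+lemma http2: "x \<noteq> 80 \<Longrightarrow> http \<noteq> x"
+by (simp add: http_def)
+definition smtp::int where "smtp = 25"
+lemma smtp1: "x \<noteq> 25 \<Longrightarrow> x \<noteq> smtp"
+by (simp add: smtp_def)
+lemma smtp2: "x \<noteq> 25 \<Longrightarrow> smtp \<noteq> x"
+by (simp add: smtp_def)
+definition ftp::int where "ftp = 21"
+lemma ftp1: "x \<noteq> 21 \<Longrightarrow> x \<noteq> ftp"
+by (simp add: ftp_def)
+lemma ftp2: "x \<noteq> 21 \<Longrightarrow> ftp \<noteq> x"
+by (simp add: ftp_def)
+text{* And so on for all desired port numbers. *}
+lemmas Ports = http1 http2 ftp1 ftp2 smtp1 smtp2
+end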
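Review bot: The `Ports` collection at line 3326 contains only the disequality lemmas `http1`/`http2` and friends, not `http_def`, `smtp_def`, `ftp_def`, so `simp add: Ports` as recommended at line 3308 can show that a port other than 80 is not `http` but, as far as I can see, cannot discharge a goal that needs `http = 80` — for instance a rule written with `http` applied to a packet whose port is the literal 80. If that is deliberate, the text at line 3307 should say so; otherwise extend the collection: `lemmas Ports = http1 http2 ftp1 ftp2 smtp1 smtp2 http_def smtp_def ftp_def`. Ports are plain `int` here, so the type does not exclude negative values or values above 65535; one sentence in the text (`Port numbers are unconstrained ints; any range restriction must be stated in the specification or the test cases.`) would keep readers from assuming a bound the type does not enforce. The lemma order `http1 http2 ftp1 ftp2 smtp1 smtp2` differs from the definition order (http, smtp, ftp); cosmetic only.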


@ -0,0 +1,180 @@
(*****************************************************************************
* Copyright (c) 2005-2010 ETH Zurich, Switzerland
* 2008-2015 Achim D. Brucker, Germany
* 2009-2016 Université Paris-Sud, France
* 2015-2016 The University of Sheffield, UK
*
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions are
* met:
*
* * Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
*
* * Redistributions in binary form must reproduce the above
* copyright notice, this list of conditions and the following
* disclaimer in the documentation and/or other materials provided
* with the distribution.
*
* * Neither the name of the copyright holders nor the names of its
* contributors may be used to endorse or promote products derived
* from this software without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
* A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
* OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
* LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*****************************************************************************)
subsection {* Policy Combinators with Ports and Protocols *}
theory ProtocolPortCombinators
imports PortCombinators
begin
text{*
This theory defines policy combinators for those network models which
have ports. They are provided in addition to the the ones defined in the
PolicyCombinators theory.
This theory requires from the network models a definition for the two following constants:
\begin{itemize}
\item $src\_port :: ('\alpha,'\beta) packet \Rightarrow ('\gamma::port)$
\item $dest\_port :: ('\alpha,'\beta) packet \Rightarrow ('\gamma::port)$
\end{itemize}
*}
definition
allow_all_from_port_prot :: "protocol \<Rightarrow> '\<alpha>::adr net \<Rightarrow> ('\<gamma>::port) \<Rightarrow> (('\<alpha>,'\<beta>) packet \<mapsto> unit)" where
"allow_all_from_port_prot p src_net s_port =
{pa. dest_protocol pa = p} \<triangleleft> allow_all_from_port src_net s_port"
definition
deny_all_from_port_prot :: "protocol =>'\<alpha>::adr net \<Rightarrow> '\<gamma>::port \<Rightarrow> (('\<alpha>,'\<beta>) packet \<mapsto> unit)" where
"deny_all_from_port_prot p src_net s_port =
{pa. dest_protocol pa = p} \<triangleleft> deny_all_from_port src_net s_port"
definition
allow_all_to_port_prot :: "protocol =>'\<alpha>::adr net \<Rightarrow> '\<gamma>::port \<Rightarrow> (('\<alpha>,'\<beta>) packet \<mapsto> unit)" where
"allow_all_to_port_prot p dest_net d_port =
{pa. dest_protocol pa = p} \<triangleleft> allow_all_to_port dest_net d_port"
definition
deny_all_to_port_prot :: "protocol =>'\<alpha>::adr net \<Rightarrow> '\<gamma>::port \<Rightarrow> (('\<alpha>,'\<beta>) packet \<mapsto> unit)" where
"deny_all_to_port_prot p dest_net d_port =
{pa. dest_protocol pa = p} \<triangleleft> deny_all_to_port dest_net d_port"
definition
allow_all_from_port_to_prot:: "protocol =>'\<alpha>::adr net \<Rightarrow> '\<gamma>::port \<Rightarrow> '\<alpha>::adr net \<Rightarrow> (('\<alpha>,'\<beta>) packet \<mapsto> unit)"
where
"allow_all_from_port_to_prot p src_net s_port dest_net =
{pa. dest_protocol pa = p} \<triangleleft> allow_all_from_port_to src_net s_port dest_net"
definition
deny_all_from_port_to_prot::"protocol \<Rightarrow> '\<alpha>::adr net \<Rightarrow> '\<gamma>::port \<Rightarrow> '\<alpha>::adr net \<Rightarrow> (('\<alpha>,'\<beta>) packet \<mapsto> unit)"
where
"deny_all_from_port_to_prot p src_net s_port dest_net =
{pa. dest_protocol pa = p} \<triangleleft> deny_all_from_port_to src_net s_port dest_net"
definition
allow_all_from_port_to_port_prot::"protocol \<Rightarrow> '\<alpha>::adr net \<Rightarrow> '\<gamma>::port \<Rightarrow> '\<alpha>::adr net \<Rightarrow> '\<gamma>::port \<Rightarrow>
(('\<alpha>,'\<beta>) packet \<mapsto> unit)" where
"allow_all_from_port_to_port_prot p src_net s_port dest_net d_port =
{pa. dest_protocol pa = p} \<triangleleft> allow_all_from_port_to_port src_net s_port dest_net d_port "
definition
deny_all_from_port_to_port_prot :: "protocol =>'\<alpha>::adr net \<Rightarrow> '\<gamma>::port \<Rightarrow> '\<alpha>::adr net \<Rightarrow>
'\<gamma>::port \<Rightarrow> (('\<alpha>,'\<beta>) packet \<mapsto> unit)" where
"deny_all_from_port_to_port_prot p src_net s_port dest_net d_port =
{pa. dest_protocol pa = p} \<triangleleft> deny_all_from_port_to_port src_net s_port dest_net d_port"
definition
allow_all_from_to_port_prot :: "protocol =>'\<alpha>::adr net \<Rightarrow> '\<alpha>::adr net \<Rightarrow>
'\<gamma>::port \<Rightarrow> (('\<alpha>,'\<beta>) packet \<mapsto> unit)" where
"allow_all_from_to_port_prot p src_net dest_net d_port =
{pa. dest_protocol pa = p} \<triangleleft> allow_all_from_to_port src_net dest_net d_port "
definition
deny_all_from_to_port_prot :: "protocol =>'\<alpha>::adr net \<Rightarrow> '\<alpha>::adr net \<Rightarrow> '\<gamma>::port \<Rightarrow>
(('\<alpha>,'\<beta>) packet \<mapsto> unit)" where
"deny_all_from_to_port_prot p src_net dest_net d_port =
{pa. dest_protocol pa = p} \<triangleleft> deny_all_from_to_port src_net dest_net d_port"
definition
allow_from_port_to_prot :: "protocol =>'\<gamma>::port \<Rightarrow> '\<alpha>::adr net \<Rightarrow> '\<alpha>::adr net \<Rightarrow> (('\<alpha>,'\<beta>) packet \<mapsto> unit)"
where
"allow_from_port_to_prot p port src_net dest_net =
{pa. dest_protocol pa = p} \<triangleleft> allow_from_port_to port src_net dest_net"
definition
deny_from_port_to_prot :: "protocol =>'\<gamma>::port \<Rightarrow> '\<alpha>::adr net \<Rightarrow> '\<alpha>::adr net \<Rightarrow> (('\<alpha>,'\<beta>) packet \<mapsto> unit)"
where
"deny_from_port_to_prot p port src_net dest_net =
{pa. dest_protocol pa = p} \<triangleleft> deny_from_port_to port src_net dest_net"
definition
allow_from_to_port_prot :: "protocol =>'\<gamma>::port \<Rightarrow> '\<alpha>::adr net \<Rightarrow> '\<alpha>::adr net \<Rightarrow> (('\<alpha>,'\<beta>) packet \<mapsto> unit)"
where
"allow_from_to_port_prot p port src_net dest_net =
{pa. dest_protocol pa = p} \<triangleleft> allow_from_to_port port src_net dest_net"
definition
deny_from_to_port_prot :: "protocol =>'\<gamma>::port \<Rightarrow> '\<alpha>::adr net \<Rightarrow> '\<alpha>::adr net \<Rightarrow> (('\<alpha>,'\<beta>) packet \<mapsto> unit)"
where
"deny_from_to_port_prot p port src_net dest_net =
{pa. dest_protocol pa = p} \<triangleleft> deny_from_to_port port src_net dest_net"
definition
allow_from_ports_to_prot :: "protocol =>'\<gamma>::port set \<Rightarrow> '\<alpha>::adr net \<Rightarrow> '\<alpha>::adr net \<Rightarrow>
(('\<alpha>,'\<beta>) packet \<mapsto> unit)" where
"allow_from_ports_to_prot p ports src_net dest_net =
{pa. dest_protocol pa = p} \<triangleleft> allow_from_ports_to ports src_net dest_net"
definition
allow_from_to_ports_prot :: "protocol =>'\<gamma>::port set \<Rightarrow> '\<alpha>::adr net \<Rightarrow> '\<alpha>::adr net \<Rightarrow>
(('\<alpha>,'\<beta>) packet \<mapsto> unit)" where
"allow_from_to_ports_prot p ports src_net dest_net =
{pa. dest_protocol pa = p} \<triangleleft> allow_from_to_ports ports src_net dest_net"
definition
deny_from_ports_to_prot :: "protocol =>'\<gamma>::port set \<Rightarrow> '\<alpha>::adr net \<Rightarrow> '\<alpha>::adr net \<Rightarrow>
(('\<alpha>,'\<beta>) packet \<mapsto> unit)" where
"deny_from_ports_to_prot p ports src_net dest_net =
{pa. dest_protocol pa = p} \<triangleleft> deny_from_ports_to ports src_net dest_net"
definition
deny_from_to_ports_prot :: "protocol =>'\<gamma>::port set \<Rightarrow> '\<alpha>::adr net \<Rightarrow> '\<alpha>::adr net \<Rightarrow>
(('\<alpha>,'\<beta>) packet \<mapsto> unit)" where
"deny_from_to_ports_prot p ports src_net dest_net =
{pa. dest_protocol pa = p} \<triangleleft> deny_from_to_ports ports src_net dest_net"
text{* As before, we put all the rules into one lemma
to ease writing later. *}
lemmas ProtocolCombinatorsCore =
allow_all_from_port_prot_def deny_all_from_port_prot_def allow_all_to_port_prot_def
deny_all_to_port_prot_def allow_all_from_to_port_prot_def
deny_all_from_to_port_prot_def
allow_from_ports_to_prot_def allow_from_to_ports_prot_def
deny_from_ports_to_prot_def deny_from_to_ports_prot_def
allow_all_from_port_to_prot_def deny_all_from_port_to_prot_def
allow_from_port_to_prot_def allow_from_to_port_prot_def deny_from_to_port_prot_def
deny_from_port_to_prot_def
lemmas ProtocolCombinators = PortCombinators.PortCombinators
ProtocolCombinatorsCore
end
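Review bot: The introductory text at lines 3372–3381 is copied from PortCombinators and lists only `src_port` and `dest_port` as required constants, but every combinator in this theory restricts on `dest_protocol pa = p` (line 3385 onwards), so the actual requirement on the network model — a constant `dest_protocol :: ('\alpha,'\beta) packet \Rightarrow protocol` — is never stated; I would add it as a third `\item` and open the text with `This theory defines policy combinators for network models which have ports and a protocol field.` The combinators check the protocol of the destination only; whether the model also carries a protocol on the source side is not visible here, so a sentence saying why the destination side is the one consulted would help readers of the generated document. Signatures mix ASCII `=>` (e.g. `deny_all_from_port_prot`, line 3387) with `\<Rightarrow>` elsewhere; harmless, but worth normalising while the file is new.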

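--- a/README.md
+++ b/README.md
@@ -0,0 +1,31 @@
+# Formal Network Models and Their Application to Firewall Policies (UPF-Firewall)
+This repository contains the development version of the (future)
+[Archive of Formal Proofs (AFP)](https://www.isa-afp.org) submission
+[A Formal Network Model and Their Application to Firewall Policies](https://www.isa-afp.org/entries/UPF-Firewall.shtml).
+## Installation
+This project depends on another [AFP](https://www.isa-afp.org) entry:
+[The Unified Policy Framework (UPF)](https://www.isa-afp.org/entries/UPF.shtml).
+Please follow the [official guidelines](https://www.isa-afp.org/using.shtml)
+for installing the AFP locall. For short:
+* [Download](https://www.isa-afp.org/release/afp-current.tar.gz) the complete AFP
+* Extract the downloaded archive to an directory of your choice
+* Let's assume the extracted archive lives in `/home/isabelle/afp`, now execute:
+```
+mkdir -p ~/.isabelle/Isabelle2016-1/etc
+echo "/home/isabelle/afp" >> ~/.isabelle/Isabelle2016-1/etc/components
+```
+## How to build
+```
+isabelle build -d . UPF-Firewall
+```
+## Authors
+* [Achim D. Brucker](http://www.brucker.ch/)
+* Lukas Brügger
+* [Burkhart Wolff](https://www.lri.fr/~wolff/)
+## License
+This project is licensed under a 3-clause BSD-style license.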

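--- a/ROOT
+++ b/ROOT
@@ -0,0 +1,11 @@
+chapter AFP
+session "UPF-Firewall" (AFP) = HOL +
+description {* Formal Network Models and Their Application to Firewall Policies *}
+options [timeout=600, document=pdf, document_output=document_generated, document_variants="document:outline=/proof,/ML"]
+theories
+"Examples/Examples"
+document_files
+"root.tex"
+"introduction.tex"
+"root.bib"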

248
StatefulFW/FTP.thy Normal file

@ -0,0 +1,248 @@
(*****************************************************************************
* Copyright (c) 2005-2010 ETH Zurich, Switzerland
* 2008-2015 Achim D. Brucker, Germany
* 2009-2016 Université Paris-Sud, France
* 2015-2016 The University of Sheffield, UK
*
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions are
* met:
*
* * Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
*
* * Redistributions in binary form must reproduce the above
* copyright notice, this list of conditions and the following
* disclaimer in the documentation and/or other materials provided
* with the distribution.
*
* * Neither the name of the copyright holders nor the names of its
* contributors may be used to endorse or promote products derived
* from this software without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
* A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
* OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
* LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*****************************************************************************)
subsection {* The File Transfer Prototol (ftp) *}
theory
FTP
imports
Stateful
begin
subsubsection{* The protocol syntax *}
text{*
The File Transfer Protocol FTP is a well known example of a protocol which uses dynamic ports and
is therefore a natural choice to use as an example for our model.
We model only a simplified version of the FTP protocol over IntegerPort addresses, still
containing all messages that matter for our purposes. It consists of the following four messages:
\begin{enumerate}
\item @{text "init"}: The client contacts the server indicating
his wish to get some data.
\item @{text "ftp_port_request p"}: The client, usually after having
received an acknowledgement of the server, indicates a port
number on which he wants to receive the data.
\item @{text "ftp_ftp_data"}: The server sends the requested data over
the new channel. There might be an arbitrary number of such
messages, including zero.
\item @{text "ftp_close"}: The client closes the connection. The
dynamic port gets closed again.
\end{enumerate}
The content field of a packet therefore now consists of either one of those four messages or a
default one.
*}
datatype msg = ftp_init | ftp_port_request port | ftp_data | ftp_close | ftp_other
text{*
We now also make use of the ID field of a packet. It is used as session ID and we make the
assumption that they are all unique among different protocol runs.
At first, we need some predicates which check if a packet is a specific FTP message and has the
correct session ID.
*}
definition
is_init :: "id \<Rightarrow> (adr\<^sub>i\<^sub>p, msg)packet \<Rightarrow> bool" where
"is_init = (\<lambda> i p. (id p = i \<and> content p = ftp_init))"
definition
is_ftp_port_request :: "id \<Rightarrow> port \<Rightarrow>(adr\<^sub>i\<^sub>p, msg) packet \<Rightarrow> bool" where
"is_ftp_port_request = (\<lambda> i port p. (id p = i \<and> content p = ftp_port_request port))"
definition
is_ftp_data :: "id \<Rightarrow> (adr\<^sub>i\<^sub>p, msg) packet \<Rightarrow> bool" where
"is_ftp_data = (\<lambda> i p. (id p = i \<and> content p = ftp_data))"
definition
is_ftp_close :: "id \<Rightarrow> (adr\<^sub>i\<^sub>p, msg) packet \<Rightarrow> bool" where
"is_ftp_close = (\<lambda> i p. (id p = i \<and> content p = ftp_close))"
definition
port_open :: "(adr\<^sub>i\<^sub>p, msg) history \<Rightarrow> id \<Rightarrow> port \<Rightarrow> bool" where
"port_open = (\<lambda> L a p. (not_before (is_ftp_close a) (is_ftp_port_request a p) L))"
definition
is_ftp_other :: "id \<Rightarrow> (adr\<^sub>i\<^sub>p, msg ) packet \<Rightarrow> bool" where
"is_ftp_other = (\<lambda> i p. (id p = i \<and> content p = ftp_other))"
fun are_ftp_other where
"are_ftp_other i (x#xs) = (is_ftp_other i x \<and> are_ftp_other i xs)"
|"are_ftp_other i [] = True"
subsubsection{* The protocol policy specification *}
text{*
We now have to model the respective state transitions. It is important to note that state
transitions themselves allow all packets which are allowed by the policy, not only those which
are allowed by the protocol. Their only task is to change the policy. As an alternative, we could
have decided that they only allow packets which follow the protocol (e.g. come on the correct
ports), but this should in our view rather be reflected in the policy itself.
Of course, not every message changes the policy. In such cases, we do not have to model different
cases, one is enough. In our example, only messages 2 and 4 need special transitions. The default
says that if the policy accepts the packet, it is added to the history, otherwise it is simply
dropped. The policy remains the same in both cases.
*}
fun last_opened_port where
"last_opened_port i ((j,s,d,ftp_port_request p)#xs) = (if i=j then p else last_opened_port i xs)"
| "last_opened_port i (x#xs) = last_opened_port i xs"
| "last_opened_port x [] = undefined"
fun FTP_STA :: "((adr\<^sub>i\<^sub>p,msg) history, adr\<^sub>i\<^sub>p, msg) FWStateTransition"
where
(* FTP_PORT_REQUEST *)
"FTP_STA ((i,s,d,ftp_port_request pr), (log, pol)) =
(if before(Not o is_ftp_close i)(is_init i) log \<and>
dest_port (i,s,d,ftp_port_request pr) = (21::port)
then Some (((i,s,d,ftp_port_request pr)#log,
(allow_from_to_port pr (subnet_of d) (subnet_of s)) \<Oplus> pol))
else Some (((i,s,d,ftp_port_request pr)#log,pol)))"
(* FTP_PORT_CLOSURE *)
|"FTP_STA ((i,s,d,ftp_close), (log,pol)) =
(if (\<exists> p. port_open log i p) \<and> dest_port (i,s,d,ftp_close) = (21::port)
then Some ((i,s,d,ftp_close)#log,
deny_from_to_port (last_opened_port i log) (subnet_of d)(subnet_of s) \<Oplus> pol)
else Some (((i,s,d,ftp_close)#log, pol)))"
(* DEFAULT *)
|"FTP_STA (p, s) = Some (p#(fst s),snd s)"
fun FTP_STD :: "((adr\<^sub>i\<^sub>p,msg) history, adr\<^sub>i\<^sub>p, msg) FWStateTransition"
where "FTP_STD (p,s) = Some s"
definition TRPolicy ::" (adr\<^sub>i\<^sub>p,msg)packet \<times> (adr\<^sub>i\<^sub>p,msg)history \<times> ((adr\<^sub>i\<^sub>p,msg)packet \<mapsto> unit)
\<mapsto> (unit \<times> (adr\<^sub>i\<^sub>p,msg)history \<times> ((adr\<^sub>i\<^sub>p,msg)packet \<mapsto> unit))"
where "TRPolicy = ((FTP_STA,FTP_STD) \<Otimes>\<^sub>\<nabla> applyPolicy) o (\<lambda>(x,(y,z)).((x,z),(x,(y,z))))"
definition TRPolicy\<^sub>M\<^sub>o\<^sub>n
where "TRPolicy\<^sub>M\<^sub>o\<^sub>n = policy2MON(TRPolicy)"
text{* If required to contain the policy in the output *}
definition TRPolicy\<^sub>M\<^sub>o\<^sub>n'
where "TRPolicy\<^sub>M\<^sub>o\<^sub>n' = policy2MON (((\<lambda>(x,y,z). (z,(y,z))) o_f TRPolicy ))"
text{*
Now we specify our test scenario in more detail. We could test:
\begin{itemize}
\item one correct FTP-Protocol run,
\item several runs after another,
\item several runs interleaved,
\item an illegal protocol run, or
\item several illegal protocol runs.
\end{itemize}
We only do the the simplest case here: one correct protocol run.
*}
text{*
There are four different states which are modelled as a datatype.
*}
datatype ftp_states = S0 | S1 | S2 | S3
text{*
The following constant is @{text "True"} for all sets which are correct FTP runs for a given
source and destination address, ID, and data-port number.
*}
fun
is_ftp :: "ftp_states \<Rightarrow> adr\<^sub>i\<^sub>p \<Rightarrow> adr\<^sub>i\<^sub>p \<Rightarrow> id \<Rightarrow> port \<Rightarrow>
(adr\<^sub>i\<^sub>p,msg) history \<Rightarrow> bool"
where
"is_ftp H c s i p [] = (H=S3)"
|"is_ftp H c s i p (x#InL) = (snd s = 21 \<and>((\<lambda> (id,sr,de,co). (((id = i \<and> (
(H=ftp_states.S2 \<and> sr = c \<and> de = s \<and> co = ftp_init \<and> is_ftp S3 c s i p InL) \<or>
(H=ftp_states.S1 \<and> sr = c \<and> de = s \<and> co = ftp_port_request p \<and> is_ftp S2 c s i p InL) \<or>
(H=ftp_states.S1 \<and> sr = s \<and> de = (fst c,p) \<and> co= ftp_data \<and> is_ftp S1 c s i p InL) \<or>
(H=ftp_states.S0 \<and> sr = c \<and> de = s \<and> co = ftp_close \<and> is_ftp S1 c s i p InL) ))))) x))"
definition is_single_ftp_run :: "adr\<^sub>i\<^sub>p src \<Rightarrow> adr\<^sub>i\<^sub>p dest \<Rightarrow> id \<Rightarrow> port \<Rightarrow> (adr\<^sub>i\<^sub>p,msg) history set"
where "is_single_ftp_run s d i p = {x. (is_ftp S0 s d i p x)}"
text{*
The following constant then returns a set of all the historys which denote such a normal
behaviour FTP run, again for a given source and destination address, ID, and data-port.
The following definition returns the set of all possible interleaving of two correct FTP protocol
runs.
*}
definition
ftp_2_interleaved :: "adr\<^sub>i\<^sub>p src \<Rightarrow> adr\<^sub>i\<^sub>p dest \<Rightarrow> id \<Rightarrow> port \<Rightarrow>
adr\<^sub>i\<^sub>p src \<Rightarrow> adr\<^sub>i\<^sub>p dest \<Rightarrow> id \<Rightarrow> port \<Rightarrow>
(adr\<^sub>i\<^sub>p,msg) history set" where
"ftp_2_interleaved s1 d1 i1 p1 s2 d2 i2 p2 =
{x. (is_ftp S0 s1 d1 i1 p1 (packet_with_id x i1)) \<and>
(is_ftp S0 s2 d2 i2 p2 (packet_with_id x i2))}"
lemma subnetOf_lemma: "(a::int) \<noteq> (c::int) \<Longrightarrow> \<forall>x\<in>subnet_of (a, b::port). (c, d) \<notin> x"
apply (rule ballI)
apply (simp add: subnet_of_int_def)
done
lemma subnetOf_lemma2: " \<forall>x\<in>subnet_of (a::int, b::port). (a, b) \<in> x"
apply (rule ballI)
apply (simp add: subnet_of_int_def)
done
lemma subnetOf_lemma3: "(\<exists>x. x \<in> subnet_of (a::int, b::port))"
apply (rule exI)
apply (simp add: subnet_of_int_def)
done
lemma subnetOf_lemma4: "\<exists>x\<in>subnet_of (a::int, b::port). (a, c::port) \<in> x"
apply (rule bexI)
apply (simp_all add: subnet_of_int_def)
done
lemma port_open_lemma: "\<not> (Ex (port_open [] (x::port)))"
apply (simp add: port_open_def)
done
lemmas FTPLemmas = TRPolicy_def applyPolicy_def policy2MON_def
Let_def in_subnet_def src_def
dest_def subnet_of_int_def
is_init_def p_accept_def port_open_def is_ftp_data_def is_ftp_close_def
is_ftp_port_request_def content_def PortCombinators
exI subnetOf_lemma subnetOf_lemma2 subnetOf_lemma3 subnetOf_lemma4
NetworkCore.id_def adr\<^sub>i\<^sub>pLemmas port_open_lemma
bind_SE_def unit_SE_def valid_SE_def
end
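Review bot: The `ftp_close` clause of `FTP_STA` revokes only `last_opened_port i log`, while its guard `(\<exists> p. port_open log i p)` is satisfied by any still-open port of session `i`; a session that sent two `ftp_port_request` messages before closing keeps the allow rule for the first port in `pol` indefinitely, since nothing later removes it. `last_opened_port` is also partial (`undefined` on an empty history) and only that guard keeps the undefined case from being reached, which deserves a comment on the clause such as `(* guard: a port_request for i precedes any close, so last_opened_port i log is defined *)`. The `ftp_port_request` clause opens whatever `pr` the client names, tied to the session solely by the id that the text above assumes to be unique; stating that trust assumption next to `FTP_STA` would help readers judging the policy. If revoking every open port of the session on close is the intended semantics, the deny should be built from all `p` with `port_open log i p` rather than from `last_opened_port`.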

StatefulFW/FTPVOIP.thy Normal file

@ -0,0 +1,314 @@
(*****************************************************************************
* Copyright (c) 2005-2010 ETH Zurich, Switzerland
* 2008-2015 Achim D. Brucker, Germany
* 2009-2016 Université Paris-Sud, France
* 2015-2016 The University of Sheffield, UK
*
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions are
* met:
*
* * Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
*
* * Redistributions in binary form must reproduce the above
* copyright notice, this list of conditions and the following
* disclaimer in the documentation and/or other materials provided
* with the distribution.
*
* * Neither the name of the copyright holders nor the names of its
* contributors may be used to endorse or promote products derived
* from this software without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
* A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
* OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
* LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*****************************************************************************)
subsection {* FTP and VoIP Protocol *}
theory
FTPVOIP
imports
FTP_WithPolicy VOIP
begin
datatype ftpvoip = ARQ
| ACF int
| ARJ
| Setup port
| Connect port
| Stream
| Fin
| ftp_init
| ftp_port_request port
| ftp_data
| ftp_close
| other
text{*
We now also make use of the ID field of a packet. It is used as session ID and we make the
assumption that they are all unique among different protocol runs.
At first, we need some predicates which check if a packet is a specific FTP message and has
the correct session ID.
*}
definition
FTPVOIP_is_init :: "id \<Rightarrow> (adr\<^sub>i\<^sub>p, ftpvoip ) packet \<Rightarrow> bool" where
"FTPVOIP_is_init = (\<lambda> i p. (id p = i \<and> content p = ftp_init))"
definition
FTPVOIP_is_port_request :: "id \<Rightarrow> port \<Rightarrow>(adr\<^sub>i\<^sub>p, ftpvoip) packet \<Rightarrow> bool" where
"FTPVOIP_is_port_request = (\<lambda> i port p. (id p = i \<and> content p = ftp_port_request port))"
definition
FTPVOIP_is_data :: "id \<Rightarrow> (adr\<^sub>i\<^sub>p, ftpvoip) packet \<Rightarrow> bool" where
"FTPVOIP_is_data = (\<lambda> i p. (id p = i \<and> content p = ftp_data))"
definition
FTPVOIP_is_close :: "id \<Rightarrow> (adr\<^sub>i\<^sub>p, ftpvoip) packet \<Rightarrow> bool" where
"FTPVOIP_is_close = (\<lambda> i p. (id p = i \<and> content p = ftp_close))"
definition
FTPVOIP_port_open :: "(adr\<^sub>i\<^sub>p, ftpvoip) history \<Rightarrow> id \<Rightarrow> port \<Rightarrow> bool" where
"FTPVOIP_port_open = (\<lambda> L a p. (not_before (FTPVOIP_is_close a) (FTPVOIP_is_port_request a p) L))"
definition
FTPVOIP_is_other :: "id \<Rightarrow> (adr\<^sub>i\<^sub>p, ftpvoip ) packet \<Rightarrow> bool" where
"FTPVOIP_is_other = (\<lambda> i p. (id p = i \<and> content p = other))"
fun FTPVOIP_are_other where
"FTPVOIP_are_other i (x#xs) = (FTPVOIP_is_other i x \<and> FTPVOIP_are_other i xs)"
|"FTPVOIP_are_other i [] = True"
fun last_opened_port where
"last_opened_port i ((j,s,d,ftp_port_request p)#xs) = (if i=j then p else last_opened_port i xs)"
| "last_opened_port i (x#xs) = last_opened_port i xs"
| "last_opened_port x [] = undefined"
fun FTPVOIP_FTP_STA ::
"((adr\<^sub>i\<^sub>p, ftpvoip) history, adr\<^sub>i\<^sub>p, ftpvoip) FWStateTransition"
where
(* FTP_PORT_REQUEST *)
"FTPVOIP_FTP_STA ((i,s,d,ftp_port_request pr), (InL, policy)) =
(if not_before (FTPVOIP_is_close i) (FTPVOIP_is_init i) InL \<and>
dest_port (i,s,d,ftp_port_request pr) = (21::port) then
Some (((i,s,d,ftp_port_request pr)#InL, policy ++
(allow_from_to_port pr (subnet_of d) (subnet_of s))))
else Some (((i,s,d,ftp_port_request pr)#InL,policy)))"
|"FTPVOIP_FTP_STA ((i,s,d,ftp_close), (InL,policy)) =
(if (\<exists> p. FTPVOIP_port_open InL i p) \<and> dest_port (i,s,d,ftp_close) = (21::port)
then Some ((i,s,d,ftp_close)#InL, policy ++
deny_from_to_port (last_opened_port i InL) (subnet_of d) (subnet_of s))
else Some (((i,s,d,ftp_close)#InL, policy)))"
(* DEFAULT *)
|"FTPVOIP_FTP_STA (p, s) = Some (p#(fst s),snd s)"
fun FTPVOIP_FTP_STD :: "((adr\<^sub>i\<^sub>p, ftpvoip) history, adr\<^sub>i\<^sub>p, ftpvoip) FWStateTransition"
where"FTPVOIP_FTP_STD (p,s) = Some s"
definition
FTPVOIP_is_arq :: "NetworkCore.id \<Rightarrow> ('a::adr, ftpvoip) packet \<Rightarrow> bool" where
"FTPVOIP_is_arq i p = (NetworkCore.id p = i \<and> content p = ARQ)"
definition
FTPVOIP_is_fin :: "id \<Rightarrow> ('a::adr, ftpvoip) packet \<Rightarrow> bool" where
"FTPVOIP_is_fin i p = (id p = i \<and> content p = Fin)"
definition
FTPVOIP_is_connect :: "id \<Rightarrow> port \<Rightarrow> ('a::adr, ftpvoip) packet \<Rightarrow> bool" where
"FTPVOIP_is_connect i port p = (id p = i \<and> content p = Connect port)"
definition
FTPVOIP_is_setup :: "id \<Rightarrow> port \<Rightarrow> ('a::adr, ftpvoip) packet \<Rightarrow> bool" where
"FTPVOIP_is_setup i port p = (id p = i \<and> content p = Setup port)"
text{*
We need also an operator @{text ports_open} to get access to the two
dynamic ports.
*}
definition
FTPVOIP_ports_open :: "id \<Rightarrow> port \<times> port \<Rightarrow> (adr\<^sub>i\<^sub>p, ftpvoip) history \<Rightarrow> bool" where
"FTPVOIP_ports_open i p L = ((not_before (FTPVOIP_is_fin i) (FTPVOIP_is_setup i (fst p)) L) \<and>
not_before (FTPVOIP_is_fin i) (FTPVOIP_is_connect i (snd p)) L)"
text{*
As we do not know which entity closes the connection, we define an
operator which checks if the closer is the caller.
*}
fun
FTPVOIP_src_is_initiator :: "id \<Rightarrow> adr\<^sub>i\<^sub>p \<Rightarrow> (adr\<^sub>i\<^sub>p,ftpvoip) history \<Rightarrow> bool" where
"FTPVOIP_src_is_initiator i a [] = False"
|"FTPVOIP_src_is_initiator i a (p#S) = (((id p = i) \<and>
(\<exists> port. content p = Setup port) \<and>
((fst (src p) = fst a))) \<or>
(FTPVOIP_src_is_initiator i a S))"
definition FTPVOIP_subnet_of_adr :: "int \<Rightarrow> adr\<^sub>i\<^sub>p net" where
"FTPVOIP_subnet_of_adr x = {{(a,b). a = x}}"
fun FTPVOIP_VOIP_STA ::
"((adr\<^sub>i\<^sub>p, ftpvoip) history, adr\<^sub>i\<^sub>p, ftpvoip) FWStateTransition"
where
"FTPVOIP_VOIP_STA ((a,c,d,ARQ), (InL, policy)) =
Some (((a,c,d, ARQ)#InL,
(allow_from_to_port (1719::port)(subnet_of d) (subnet_of c)) \<Oplus> policy))"
|"FTPVOIP_VOIP_STA ((a,c,d,ARJ), (InL, policy)) =
(if (not_before (FTPVOIP_is_fin a) (FTPVOIP_is_arq a) InL)
then Some (((a,c,d,ARJ)#InL,
deny_from_to_port (14::port) (subnet_of c) (subnet_of d) \<Oplus> policy))
else Some (((a,c,d,ARJ)#InL,policy)))"
|"FTPVOIP_VOIP_STA ((a,c,d,ACF callee), (InL, policy)) =
Some (((a,c,d,ACF callee)#InL,
allow_from_to_port (1720::port) (subnet_of_adr callee) (subnet_of d) \<Oplus>
allow_from_to_port (1720::port) (subnet_of d) (subnet_of_adr callee) \<Oplus>
deny_from_to_port (1719::port) (subnet_of d) (subnet_of c) \<Oplus>
policy))"
|"FTPVOIP_VOIP_STA ((a,c,d, Setup port), (InL, policy)) =
Some (((a,c,d,Setup port)#InL,
allow_from_to_port port (subnet_of d) (subnet_of c) \<Oplus> policy))"
|"FTPVOIP_VOIP_STA ((a,c,d, ftpvoip.Connect port), (InL, policy)) =
Some (((a,c,d,ftpvoip.Connect port)#InL,
allow_from_to_port port (subnet_of d) (subnet_of c) \<Oplus> policy))"
|"FTPVOIP_VOIP_STA ((a,c,d,Fin), (InL,policy)) =
(if \<exists> p1 p2. FTPVOIP_ports_open a (p1,p2) InL then (
(if FTPVOIP_src_is_initiator a c InL
then (Some (((a,c,d,Fin)#InL,
(deny_from_to_port (1720::int) (subnet_of c) (subnet_of d) ) \<Oplus>
(deny_from_to_port (snd (SOME p. FTPVOIP_ports_open a p InL))
(subnet_of c) (subnet_of d)) \<Oplus>
(deny_from_to_port (fst (SOME p. FTPVOIP_ports_open a p InL))
(subnet_of d) (subnet_of c)) \<Oplus> policy)))
else (Some (((a,c,d,Fin)#InL,
(deny_from_to_port (1720::int) (subnet_of c) (subnet_of d) ) \<Oplus>
(deny_from_to_port (fst (SOME p. FTPVOIP_ports_open a p InL))
(subnet_of c) (subnet_of d)) \<Oplus>
(deny_from_to_port (snd (SOME p. FTPVOIP_ports_open a p InL))
(subnet_of d) (subnet_of c)) \<Oplus> policy)))))
else
(Some (((a,c,d,Fin)#InL,policy))))"
(* The default action for all other packets *)
| "FTPVOIP_VOIP_STA (p, (InL, policy)) =
Some ((p#InL,policy)) "
fun FTPVOIP_VOIP_STD ::
"((adr\<^sub>i\<^sub>p, ftpvoip) history, adr\<^sub>i\<^sub>p, ftpvoip) FWStateTransition"
where
"FTPVOIP_VOIP_STD (p,s) = Some s"
definition FTP_VOIP_STA :: "((adr\<^sub>i\<^sub>p, ftpvoip) history, adr\<^sub>i\<^sub>p, ftpvoip) FWStateTransition"
where
"FTP_VOIP_STA = ((\<lambda>(x,x). Some x) \<circ>\<^sub>m ((FTPVOIP_FTP_STA \<Otimes>\<^sub>S FTPVOIP_VOIP_STA o (\<lambda> (p,x). (p,x,x)))))"
definition FTP_VOIP_STD :: "((adr\<^sub>i\<^sub>p, ftpvoip) history, adr\<^sub>i\<^sub>p, ftpvoip) FWStateTransition"
where
"FTP_VOIP_STD = (\<lambda>(x,x). Some x) \<circ>\<^sub>m ((FTPVOIP_FTP_STD \<Otimes>\<^sub>S FTPVOIP_VOIP_STD o (\<lambda> (p,x). (p,x,x))))"
definition FTPVOIP_TRPolicy where
"FTPVOIP_TRPolicy = policy2MON (
(((FTP_VOIP_STA,FTP_VOIP_STD) \<Otimes>\<^sub>\<nabla> applyPolicy) o (\<lambda> (x,(y,z)). ((x,z),(x,(y,z))))))"
lemmas FTPVOIP_ST_simps = Let_def in_subnet_def src_def dest_def
subnet_of_int_def id_def FTPVOIP_port_open_def
FTPVOIP_is_init_def FTPVOIP_is_data_def FTPVOIP_is_port_request_def FTPVOIP_is_close_def p_accept_def content_def PortCombinators exI
NetworkCore.id_def adr\<^sub>i\<^sub>pLemmas
datatype ftp_states2 = FS0 | FS1 | FS2 | FS3
datatype voip_states2 = V0 | V1 | V2 | V3 | V4 | V5
text{*
The constant @{text "is_voip"} checks if a trace corresponds to a
legal VoIP protocol, given the IP-addresses of the three entities,
the ID, and the two dynamic ports.
*}
fun FTPVOIP_is_voip :: "voip_states2 \<Rightarrow> address \<Rightarrow> address \<Rightarrow> address \<Rightarrow> id \<Rightarrow> port \<Rightarrow>
port \<Rightarrow> (adr\<^sub>i\<^sub>p, ftpvoip) history \<Rightarrow> bool"
where
"FTPVOIP_is_voip H s d g i p1 p2 [] = (H = V5)"
|"FTPVOIP_is_voip H s d g i p1 p2 (x#InL) =
(((\<lambda> (id,sr,de,co).
(((id = i \<and>
(H = V4 \<and> ((sr = (s,1719) \<and> de = (g,1719) \<and> co = ARQ \<and>
FTPVOIP_is_voip V5 s d g i p1 p2 InL))) \<or>
(H = V0 \<and> sr = (g,1719) \<and> de = (s,1719) \<and> co = ARJ \<and>
FTPVOIP_is_voip V4 s d g i p1 p2 InL) \<or>
(H = V3 \<and> sr = (g,1719) \<and> de = (s,1719) \<and> co = ACF d \<and>
FTPVOIP_is_voip V4 s d g i p1 p2 InL) \<or>
(H = V2 \<and> sr = (s,1720) \<and> de = (d,1720) \<and> co = Setup p1 \<and>
FTPVOIP_is_voip V3 s d g i p1 p2 InL) \<or>
(H = V1 \<and> sr = (d,1720) \<and> de = (s,1720) \<and> co = Connect p2 \<and>
FTPVOIP_is_voip V2 s d g i p1 p2 InL) \<or>
(H = V1 \<and> sr = (s,p1) \<and> de = (d,p2) \<and> co = Stream \<and>
FTPVOIP_is_voip V1 s d g i p1 p2 InL) \<or>
(H = V1 \<and> sr = (d,p2) \<and> de = (s,p1) \<and> co = Stream \<and>
FTPVOIP_is_voip V1 s d g i p1 p2 InL) \<or>
(H = V0 \<and> sr = (d,1720) \<and> de = (s,1720) \<and> co = Fin \<and>
FTPVOIP_is_voip V1 s d g i p1 p2 InL) \<or>
(H = V0 \<and> sr = (s,1720) \<and> de = (d,1720) \<and> co = Fin \<and>
FTPVOIP_is_voip V1 s d g i p1 p2 InL)))))) x)"
text{*
Finally, @{text "NB_voip"} returns the set of protocol traces which
correspond to a correct protocol run given the three addresses, the
ID, and the two dynamic ports.
*}
definition
FTPVOIP_NB_voip :: "address \<Rightarrow> address \<Rightarrow> address \<Rightarrow> id \<Rightarrow> port \<Rightarrow> port \<Rightarrow>
(adr\<^sub>i\<^sub>p, ftpvoip) history set" where
"FTPVOIP_NB_voip s d g i p1 p2= {x. (FTPVOIP_is_voip V0 s d g i p1 p2 x)}"
fun
FTPVOIP_is_ftp :: "ftp_states2 \<Rightarrow> adr\<^sub>i\<^sub>p \<Rightarrow> adr\<^sub>i\<^sub>p \<Rightarrow> id \<Rightarrow> port \<Rightarrow>
(adr\<^sub>i\<^sub>p, ftpvoip) history \<Rightarrow> bool"
where
"FTPVOIP_is_ftp H c s i p [] = (H=FS3)"
|"FTPVOIP_is_ftp H c s i p (x#InL) = (snd s = 21 \<and>((\<lambda> (id,sr,de,co). (((id = i \<and> (
(H=FS2 \<and> sr = c \<and> de = s \<and> co = ftp_init \<and> FTPVOIP_is_ftp FS3 c s i p InL) \<or>
(H=FS1 \<and> sr = c \<and> de = s \<and> co = ftp_port_request p \<and> FTPVOIP_is_ftp FS2 c s i p InL) \<or>
(H=FS1 \<and> sr = s \<and> de = (fst c,p) \<and> co= ftp_data \<and> FTPVOIP_is_ftp FS1 c s i p InL) \<or>
(H=FS0 \<and> sr = c \<and> de = s \<and> co = ftp_close \<and> FTPVOIP_is_ftp FS1 c s i p InL) ))))) x))"
definition
FTPVOIP_NB_ftp :: "adr\<^sub>i\<^sub>p src \<Rightarrow> adr\<^sub>i\<^sub>p dest \<Rightarrow> id \<Rightarrow> port \<Rightarrow> (adr\<^sub>i\<^sub>p, ftpvoip) history set" where
"FTPVOIP_NB_ftp s d i p = {x. (FTPVOIP_is_ftp FS0 s d i p x)}"
definition
ftp_voip_interleaved :: "adr\<^sub>i\<^sub>p src \<Rightarrow> adr\<^sub>i\<^sub>p dest \<Rightarrow> id \<Rightarrow> port \<Rightarrow>
address \<Rightarrow> address \<Rightarrow> address \<Rightarrow> id \<Rightarrow> port \<Rightarrow> port \<Rightarrow>
(adr\<^sub>i\<^sub>p, ftpvoip) history set"
where
"ftp_voip_interleaved s1 d1 i1 p1 vs vd vg vi vp1 vp2 =
{x. (FTPVOIP_is_ftp FS0 s1 d1 i1 p1 (packet_with_id x i1)) \<and>
(FTPVOIP_is_voip V0 vs vd vg vi vp1 vp2 (packet_with_id x vi))}"
end
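Review bot: In `FTPVOIP_VOIP_STA` the `ARQ` clause adds `allow_from_to_port (1719::port) (subnet_of d) (subnet_of c)`, but the `ARJ` clause adds `deny_from_to_port (14::port) (subnet_of c) (subnet_of d)` — a different port and the opposite direction — so a rejected call leaves the 1719 allow rule in the policy, and only the `ACF` clause ever denies 1719 again. If `ARJ` is meant to undo `ARQ`, the rule should read `deny_from_to_port (1719::port) (subnet_of d) (subnet_of c) \<Oplus> policy`; otherwise a comment explaining what port 14 refers to is needed. Two smaller points: `FTPVOIP_subnet_of_adr` is defined but the `ACF` clause calls `subnet_of_adr`, so the new definition is unused in this theory, and `FTP_VOIP_STA`/`FTP_VOIP_STD` use the pattern `\<lambda>(x,x). Some x`, whose repeated variable hides which of the two component states survives the `\<Otimes>\<^sub>S` composition — distinct names (e.g. `\<lambda>(fs,vs). Some vs`, if the VoIP-side state is the intended one) would make that explicit. `FTPVOIP_FTP_STA` also mixes `policy ++ rule` with the `rule \<Oplus> policy` form used by every other transition in the file.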


@ -0,0 +1,77 @@
(*****************************************************************************
* Copyright (c) 2005-2010 ETH Zurich, Switzerland
* 2008-2015 Achim D. Brucker, Germany
* 2009-2016 Université Paris-Sud, France
* 2015-2016 The University of Sheffield, UK
*
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions are
* met:
*
* * Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
*
* * Redistributions in binary form must reproduce the above
* copyright notice, this list of conditions and the following
* disclaimer in the documentation and/or other materials provided
* with the distribution.
*
* * Neither the name of the copyright holders nor the names of its
* contributors may be used to endorse or promote products derived
* from this software without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
* A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
* OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
* LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*****************************************************************************)
subsection {* FTP enriched with a security policy *}
theory
FTP_WithPolicy
imports
FTP
begin
text{* FTP where the policy is part of the output. *}
definition POL :: "'a \<Rightarrow> 'a" where "POL x = x"
text{* Variant 2 takes the policy into the output *}
fun FTP_STP ::
"((id \<rightharpoonup> port), adr\<^sub>i\<^sub>p, msg) FWStateTransitionP"
where
(* FTP_PORT_REQUEST *)
"FTP_STP (i,s,d,ftp_port_request pr) (ports, policy) =
(if p_accept (i,s,d,ftp_port_request pr) policy then
Some (allow (POL ((allow_from_to_port pr (subnet_of d) (subnet_of s)) \<Oplus> policy)),
( (ports(i\<mapsto>pr)),(allow_from_to_port pr (subnet_of d) (subnet_of s))
\<Oplus> policy))
else (Some (deny (POL policy),(ports,policy))))"
(* FTP_CLOSE *)
|"FTP_STP (i,s,d,ftp_close) (ports,policy) =
(if (p_accept (i,s,d,ftp_close) policy) then
case ports i of
Some pr \<Rightarrow>
Some(allow (POL (deny_from_to_port pr (subnet_of d) (subnet_of s) \<Oplus> policy)),
ports(i:=None),
deny_from_to_port pr (subnet_of d) (subnet_of s) \<Oplus> policy)
|None \<Rightarrow>Some(allow (POL policy), ports, policy)
else Some (deny (POL policy), ports, policy))"
(* DEFAULT *)
|"FTP_STP p x = (if p_accept p (snd x)
then Some (allow (POL (snd x)),((fst x),snd x))
else Some (deny (POL (snd x)),(fst x,snd x)))"
end
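Review bot: The `ftp_port_request` clause of `FTP_STP` opens `allow_from_to_port pr (subnet_of d) (subnet_of s)` for any policy-accepted packet, without the `dest_port ... = (21::port)` check and the preceding-`ftp_init` check that `FTP_STA` in FTP.thy applies, so a port request addressed to an arbitrary port on a session that never sent `ftp_init` still opens `pr`. `ports(i\<mapsto>pr)` also overwrites an earlier request of the same session, and the `ftp_close` clause only denies `ports i`, so the first port's allow rule is never revoked from `policy`. If the weaker precondition is deliberate for this variant, a comment above the clause such as `(* unlike FTP_STA: no dest_port/ftp_init precondition, p_accept alone gates the port opening *)` would record it; otherwise mirror the conjuncts from `FTP_STA` in the `if` condition.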

StatefulFW/LTL_alike.thy Normal file

@ -0,0 +1,160 @@
(*****************************************************************************
* Copyright (c) 2005-2010 ETH Zurich, Switzerland
* 2008-2015 Achim D. Brucker, Germany
* 2009-2016 Université Paris-Sud, France
* 2015-2016 The University of Sheffield, UK
*
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions are
* met:
*
* * Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
*
* * Redistributions in binary form must reproduce the above
* copyright notice, this list of conditions and the following
* disclaimer in the documentation and/or other materials provided
* with the distribution.
*
* * Neither the name of the copyright holders nor the names of its
* contributors may be used to endorse or promote products derived
* from this software without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
* A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
* OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
* LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*****************************************************************************)
subsection {* Termporal Combinators *}
theory LTL_alike
imports Main
begin
text{*
In the following, we present a small embbeding of temporal combinators, that may help to
formulate typical temporal properties in traces and protocols concisely. It is based on
\emph{finite} lists, therefore the properties of this logic are not fully compatible with
LTL based on Kripke-structures. For the purpose of this demonstration, however, the difference
does not matter.
*}
fun nxt :: "('\<alpha> list \<Rightarrow> bool) \<Rightarrow> '\<alpha> list \<Rightarrow> bool" ("N")
where
"nxt p [] = False"
| "nxt p (a # S) = (p S)"
text{* Predicate $p$ holds at first position. *}
fun atom :: "('\<alpha> \<Rightarrow> bool) \<Rightarrow> '\<alpha> list \<Rightarrow> bool" ("\<guillemotleft>_\<guillemotright>")
where
"atom p [] = False"
| "atom p (a # S) = (p a)"
lemma holds_mono : "\<guillemotleft>q\<guillemotright> s \<Longrightarrow> \<guillemotleft>q\<guillemotright> (s @ t)"
by(cases s,simp_all)
fun always :: "('\<alpha> list \<Rightarrow> bool) \<Rightarrow> '\<alpha> list \<Rightarrow> bool" ("\<box>")
where
"always p [] = True"
| "always p (a # S) = ((p (a # S)) \<and> always p S)"
text{*
Always is a generalization of the \verb+list_all+ combinator from the List-library; if arguing
locally, this paves the way to a wealth of library lemmas.
*}
lemma always_is_listall : "(\<box> \<guillemotleft>p\<guillemotright>) (t) = list_all (p) (t)"
by(induct t, simp_all)
fun eventually :: "('\<alpha> list \<Rightarrow> bool) \<Rightarrow> '\<alpha> list \<Rightarrow> bool" ("\<diamondsuit>")
where
"eventually p [] = False"
| "eventually p (a # S) = ((p (a # S)) \<or> eventually p S)"
text{*
Eventually is a generalization of the \verb+list_ex+ combinator from the List-library; if arguing
locally, this paves the way to a wealth of library lemmas.
*}
lemma eventually_is_listex : "(\<diamondsuit> \<guillemotleft>p\<guillemotright>) (t) = list_ex (p) (t)"
by(induct t, simp_all)
text{*
The next two constants will help us later in defining the state transitions. The constant
@{text "before"} is @{text "True"} if for all elements which appear before the first element
for which @{text q} holds, @{text p} must hold.
*}
fun before :: "('\<alpha> \<Rightarrow> bool) \<Rightarrow> ('\<alpha> \<Rightarrow> bool) \<Rightarrow> '\<alpha> list \<Rightarrow> bool"
where
"before p q [] = False"
| "before p q (a # S) = (q a \<or> (p a \<and> (before p q S)))"
text{*
Analogously there is an operator @{text not_before} which returns
@{text "True"} if for all elements which appear before the first
element for which @{text q} holds, @{text p} must not hold.
*}
fun not_before :: "('\<alpha> \<Rightarrow> bool) \<Rightarrow> ('\<alpha> \<Rightarrow> bool) \<Rightarrow> '\<alpha> list \<Rightarrow> bool"
where
"not_before p q [] = False"
| "not_before p q (a # S) = (q a \<or> (\<not> (p a) \<and> (not_before p q S)))"
lemma not_before_superfluous:
"not_before p q = before (Not o p) q"
by(rule ext,induct_tac "x", simp_all)
text{*General "before":*}
fun until :: "('\<alpha> list \<Rightarrow> bool) \<Rightarrow> ('\<alpha> list \<Rightarrow> bool) \<Rightarrow> '\<alpha> list \<Rightarrow> bool" (infixl "U" 66)
where
"until p q [] = False"
| "until p q (a # S) = (\<exists> s t. a # S= s @ t \<and> p s \<and> q t)"
text{* This leads to this amazingly tricky proof:*}
lemma before_vs_until:
"(before p q) = ((\<box>\<guillemotleft>p\<guillemotright>) U \<guillemotleft>q\<guillemotright>)"
proof -
have A:"\<And>a. q a \<Longrightarrow> (\<exists>s t. [a] = s @ t \<and> \<box> \<guillemotleft>p\<guillemotright> s \<and> \<guillemotleft>q\<guillemotright> t)"
apply(rule_tac x="[]" in exI)
apply(rule_tac x="[a]" in exI, simp)
done
have B:"\<And>a. (\<exists>s t. [a] = s @ t \<and> \<box> \<guillemotleft>p\<guillemotright> s \<and> \<guillemotleft>q\<guillemotright> t) \<Longrightarrow> q a"
apply auto
apply(case_tac "t=[]", auto simp:List.neq_Nil_conv)
apply(case_tac "s=[]", auto simp:List.neq_Nil_conv)
done
have C:"\<And>a aa list.(q a \<or> p a \<and> (\<exists>s t. aa # list = s @ t \<and> \<box> \<guillemotleft>p\<guillemotright> s \<and> \<guillemotleft>q\<guillemotright> t))
\<Longrightarrow> (\<exists>s t. a # aa # list = s @ t \<and> \<box> \<guillemotleft>p\<guillemotright> s \<and> \<guillemotleft>q\<guillemotright> t)"
apply auto
apply(rule_tac x="[]" in exI)
apply(rule_tac x="a # aa # list" in exI, simp)
apply(rule_tac x="a # s" in exI)
apply(rule_tac x="t" in exI,simp)
done
have D:"\<And>a aa list.(\<exists>s t. a # aa # list = s @ t \<and> \<box> \<guillemotleft>p\<guillemotright> s \<and> \<guillemotleft>q\<guillemotright> t)
\<Longrightarrow> (q a \<or> p a \<and> (\<exists>s t. aa # list = s @ t \<and> \<box> \<guillemotleft>p\<guillemotright> s \<and> \<guillemotleft>q\<guillemotright> t))"
apply auto
apply(case_tac "s", auto simp:List.neq_Nil_conv)
apply(case_tac "s", auto simp:List.neq_Nil_conv)
done
show ?thesis
apply(rule ext,induct_tac "x", simp,
case_tac "list",simp_all)
apply(rule iffI,erule A, erule B)
apply(rule iffI,erule C, erule D)
done
qed
end

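--- a/StatefulFW/Stateful.thy
+++ b/StatefulFW/Stateful.thy
@@ -0,0 +1,106 @@
+(*****************************************************************************
+* Copyright (c) 2005-2010 ETH Zurich, Switzerland
+* 2008-2015 Achim D. Brucker, Germany
+* 2009-2016 Université Paris-Sud, France
+* 2015-2016 The University of Sheffield, UK
+*
+* All rights reserved.
+*
+* Redistribution and use in source and binary forms, with or without
+* modification, are permitted provided that the following conditions are
+* met:
+*
+* * Redistributions of source code must retain the above copyright
+* notice, this list of conditions and the following disclaimer.
+*
+* * Redistributions in binary form must reproduce the above
+* copyright notice, this list of conditions and the following
+* disclaimer in the documentation and/or other materials provided
+* with the distribution.
+*
+* * Neither the name of the copyright holders nor the names of its
+* contributors may be used to endorse or promote products derived
+* from this software without specific prior written permission.
+*
+* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+* A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+* OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+* LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+*****************************************************************************)
+section {* Stateful Protocols *}
+theory
+Stateful
+imports
+"../PacketFilter/PacketFilter"
+LTL_alike
+begin
+text{*
+The simple system of a stateless packet filter is not enough to model all common real-world
+scenarios. Some protocols need further actions in order to be secured. A prominent example is
+the File Transfer Protocol (FTP), which is a popular means to move files across the Internet.
+It behaves quite differently from most other application layer protocols as it uses a two-way
+connection establishment which opens a dynamic port. A stateless packet filter would only have
+the possibility to either always open all the possible dynamic ports or not to allow that
+protocol at all. Neither of these options is satisfactory. In the first case, all ports above
+1024 would have to be opened which introduces a big security hole in the system, in the second
+case users wouldn't be very happy. A firewall which tracks the state of the TCP connections on
+a system does not help here either, as the opening and closing of the ports takes place on the
+application layer. Therefore, a firewall needs to have some knowledge of the application
+protocols being run and track the states of these protocols. We next model this behaviour.
+The key point of our model is the idea that a policy remains the same as before: a mapping from
+packet to packet out. We still specify for every packet, based on its source and destination
+address, the expected action. The only thing that changes now is that this mapping is allowed
+to change over time. This indicates that our test data will not consist of single packets but
+rather of sequences thereof.
+At first we hence need a state. It is a tuple from some memory to be refined later and the
+current policy.
+*}
+type_synonym ('\<alpha>,'\<beta>,'\<gamma>) FWState = "'\<alpha> \<times> (('\<beta>,'\<gamma>) packet \<mapsto> unit)"
+text{* Having a state, we need of course some state transitions. Such
+a transition can happen every time a new packet arrives. State
+transitions can be modelled using a state-exception monad.
+We provide two types of firewall monads: one *}
+type_synonym ('\<alpha>,'\<beta>,'\<gamma>) FWStateTransitionP =
+"('\<beta>,'\<gamma>) packet \<Rightarrow> ((('\<beta>,'\<gamma>) packet \<mapsto> unit) decision, ('\<alpha>,'\<beta>,'\<gamma>) FWState) MON\<^sub>S\<^sub>E"
+type_synonym ('\<alpha>,'\<beta>,'\<gamma>) FWStateTransition =
+"(('\<beta>,'\<gamma>) packet \<times> ('\<alpha>,'\<beta>,'\<gamma>) FWState) \<rightharpoonup> ('\<alpha>,'\<beta>,'\<gamma>) FWState"
+text{* The memory could be modelled as a list of accepted packets. *}
+type_synonym ('\<beta>,'\<gamma>) history = "('\<beta>,'\<gamma>) packet list"
+fun packet_with_id where
+"packet_with_id [] i = []"
+|"packet_with_id (x#xs) i = (if id x = i then (x#(packet_with_id xs i)) else (packet_with_id xs i))"
+fun ids1 where
+"ids1 i (x#xs) = (id x = i \<and> ids1 i xs)"
+|"ids1 i [] = True"
+fun ids where
+"ids a (x#xs) = (NetworkCore.id x \<in> a \<and> ids a xs)"
+|"ids a [] = True"
+definition applyPolicy:: "('i \<times> ('i \<mapsto> 'o)) \<mapsto> 'o"
+where "applyPolicy = (\<lambda> (x,z). z x)"
+end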
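Review bot: The `text{* ... *}` block introducing the transition types stops mid-sentence at `We provide two types of firewall monads: one *}`, so the reader is never told how `FWStateTransitionP` and `FWStateTransition` differ; finish it from what the two synonyms actually say, e.g. `one in the state-exception monad, returning a decision (FWStateTransitionP), and one as a partial function from a packet and state to the successor state (FWStateTransition). *}`. The three history helpers `packet_with_id`, `ids1` and `ids` have neither type signatures nor a sentence of documentation, and they spell the accessor inconsistently (`id x` in the first two, `NetworkCore.id x` in the third); pick one spelling and give each a signature and a one-line `text{* ... *}`. `applyPolicy` would also benefit from a line stating that it applies the policy component of the pair to the request component.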

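--- a/StatefulFW/StatefulFW.thy
+++ b/StatefulFW/StatefulFW.thy
@@ -0,0 +1,44 @@
+(*****************************************************************************
+* Copyright (c) 2005-2010 ETH Zurich, Switzerland
+* 2008-2015 Achim D. Brucker, Germany
+* 2009-2016 Université Paris-Sud, France
+* 2015-2016 The University of Sheffield, UK
+*
+* All rights reserved.
+*
+* Redistribution and use in source and binary forms, with or without
+* modification, are permitted provided that the following conditions are
+* met:
+*
+* * Redistributions of source code must retain the above copyright
+* notice, this list of conditions and the following disclaimer.
+*
+* * Redistributions in binary form must reproduce the above
+* copyright notice, this list of conditions and the following
+* disclaimer in the documentation and/or other materials provided
+* with the distribution.
+*
+* * Neither the name of the copyright holders nor the names of its
+* contributors may be used to endorse or promote products derived
+* from this software without specific prior written permission.
+*
+* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+* A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+* OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+* LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+*****************************************************************************)
+subsection {* Stateful Network Protocols *}
+theory
+StatefulFW
+imports
+FTPVOIP
+begin
+end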

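--- a/StatefulFW/VOIP.thy
+++ b/StatefulFW/VOIP.thy
@@ -0,0 +1,321 @@
+(*****************************************************************************
+* Copyright (c) 2005-2010 ETH Zurich, Switzerland
+* 2008-2015 Achim D. Brucker, Germany
+* 2009-2016 Université Paris-Sud, France
+* 2015-2016 The University of Sheffield, UK
+*
+* All rights reserved.
+*
+* Redistribution and use in source and binary forms, with or without
+* modification, are permitted provided that the following conditions are
+* met:
+*
+* * Redistributions of source code must retain the above copyright
+* notice, this list of conditions and the following disclaimer.
+*
+* * Redistributions in binary form must reproduce the above
+* copyright notice, this list of conditions and the following
+* disclaimer in the documentation and/or other materials provided
+* with the distribution.
+*
+* * Neither the name of the copyright holders nor the names of its
+* contributors may be used to endorse or promote products derived
+* from this software without specific prior written permission.
+*
+* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+* A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+* OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+* LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+*****************************************************************************)
+subsection {* A simple voice-over-ip model *}
+theory VOIP
+imports Stateful
+begin
+text{*
+After the FTP-Protocol which was rather simple we show the strength
+of the model with a more current and especially much more
+complicated example, namely Voice over IP (VoIP). VoIP is
+standardized by the ITU-T under the name H.323, which can be seen as
+an "umbrella standard" which aggregates standards for multimedia
+conferencing over packet-based networks (for a good overview of the
+protocol suite, see \cite{switch_basic}). H.323 poses many problems
+to firewalls. These problems include (taken from~\cite{vtel}):
+\begin{itemize}
+\item An H.323 call is made up of many different simultaneous
+connections.
+\item Most connections are made to dynamic ports.
+\item The addresses and port numbers are exchanged within
+the data stream of the next higher connection.
+\item Calls can be initiated from outside the firewall.
+\end{itemize}
+% \begin{figure}
+% \centering
+% \includegraphics[scale=0.4]{voip}
+% \caption {The modelled VoIP-Protocol}
+% \label{voip}
+% \end{figure}
+Again we only consider a simplified VoIP scenario with the following
+seven messages which are grouped into four subprotocols (see Figure
+\ref{voip}):
+\begin{itemize}
+\item Registration and Admission (H.225, port 1719): The caller
+contacts its gatekeeper with a call request. The gatekeeper
+either rejects or confirms the request, returning the
+address of the callee in the latter case.
+\begin{itemize}
+\item Admission Request (ARQ)
+\item Admission Reject (ARJ)
+\item Admission Confirm (ACF) @{text "'a"}
+\end{itemize}
+\item Call Signaling (Q.931, port 1720) The caller and the callee
+agree on the dynamic ports over which the call will take
+place.
+\begin{itemize}
+\item Setup @{text "port"}
+\item Connect @{text "port"}
+\end{itemize}
+\item Stream (dynamic ports). The call itself. In reality, several
+connections are used here.
+\item Fin (port 1720).
+\end{itemize}
+The two main differences to FTP are:
+\begin{itemize}
+\item In VoIP, we deal with three different entities: the caller,
+the callee, and the gatekeeper.
+\item We do not know in advance which entity will close the
+connection.
+\end{itemize}
+We model the protocol as seen from a firewall at the caller, namely
+we are not interested in the messages from the callee to its
+gatekeeper. Incoming calls are not modelled either, they would
+require a different set of state transitions.
+*}
+text{*
+The content of a packet now consists of one of the seven messages or
+a default one. It is parameterized with the type of the address that
+the gatekeeper returns.
+*}
+datatype 'a voip_msg = ARQ
+| ACF 'a
+| ARJ
+| Setup port
+| Connect port
+| Stream
+| Fin
+| other
+text{*
+As before, we need operators which check if a packet contains a
+specific content and ID, respectively if such a packet has appeared
+in the trace.
+*}
+definition
+is_arq :: "NetworkCore.id \<Rightarrow> ('a::adr, 'b voip_msg) packet \<Rightarrow> bool" where
+"is_arq i p = (NetworkCore.id p = i \<and> content p = ARQ)"
+definition
+is_fin :: "id \<Rightarrow> ('a::adr, 'b voip_msg) packet \<Rightarrow> bool" where
+"is_fin i p = (id p = i \<and> content p = Fin)"
+definition
+is_connect :: "id \<Rightarrow> port \<Rightarrow> ('a::adr, 'b voip_msg) packet \<Rightarrow> bool" where
+"is_connect i port p = (id p = i \<and> content p = Connect port)"
+definition
+is_setup :: "id \<Rightarrow> port \<Rightarrow> ('a::adr, 'b voip_msg) packet \<Rightarrow> bool" where
+"is_setup i port p = (id p = i \<and> content p = Setup port)"
+text{*
+We need also an operator @{text ports_open} to get access to the two
+dynamic ports.
+*}
+definition
+ports_open :: "id \<Rightarrow> port \<times> port \<Rightarrow> (adr\<^sub>i\<^sub>p, 'a voip_msg) history \<Rightarrow> bool" where
+"ports_open i p L = ((not_before (is_fin i) (is_setup i (fst p)) L) \<and>
+not_before (is_fin i) (is_connect i (snd p)) L)"
+text{*
+As we do not know which entity closes the connection, we define an
+operator which checks if the closer is the caller.
+*}
+fun
+src_is_initiator :: "id \<Rightarrow> adr\<^sub>i\<^sub>p \<Rightarrow> (adr\<^sub>i\<^sub>p,'b voip_msg) history \<Rightarrow> bool" where
+"src_is_initiator i a [] = False"
+|"src_is_initiator i a (p#S) = (((id p = i) \<and>
+(\<exists> port. content p = Setup port) \<and>
+((fst (src p) = fst a))) \<or>
+(src_is_initiator i a S))"
+text{*
+The first state transition is for those messages which do not change
+the policy. In this scenario, this only happens for the Stream
+messages.
+*}
+definition subnet_of_adr where
+"subnet_of_adr x = {{(a,b). a = x}}"
+fun VOIP_STA ::
+"((adr\<^sub>i\<^sub>p,address voip_msg) history, adr\<^sub>i\<^sub>p, address voip_msg) FWStateTransition"
+where
+(*
+If the policy accepts the ARQ packet, we have to assure that we
+will accept the returning packet of the gatekeeper (on port 1719)
+*)
+"VOIP_STA ((a,c,d,ARQ), (InL, policy)) =
+Some (((a,c,d, ARQ)#InL,
+(allow_from_to_port (1719::port)(subnet_of d) (subnet_of c)) \<Oplus> policy))"
+(*
+And if the gatekeeper answers, no matter if it's a good or bad
+answer, we can close the channel again. If the answer was positive
+(ACF), we allow the caller to contact the callee and get contacted
+by him over port 1720.
+*)
+|"VOIP_STA ((a,c,d,ARJ), (InL, policy)) =
+(if (not_before (is_fin a) (is_arq a) InL)
+then Some (((a,c,d,ARJ)#InL,
+deny_from_to_port (14::port) (subnet_of c) (subnet_of d) \<Oplus> policy))
+else Some (((a,c,d,ARJ)#InL,policy)))"
+|"VOIP_STA ((a,c,d,ACF callee), (InL, policy)) =
+Some (((a,c,d,ACF callee)#InL,
+allow_from_to_port (1720::port) (subnet_of_adr callee) (subnet_of d) \<Oplus>
+allow_from_to_port (1720::port) (subnet_of d) (subnet_of_adr callee) \<Oplus>
+deny_from_to_port (1719::port) (subnet_of d) (subnet_of c) \<Oplus>
+policy))"
+(*
+In the Setup message, the caller specifies the port on which he
+wants the connection to take place so we need to open it for
+incoming VoIP messages.
+*)
+|"VOIP_STA ((a,c,d, Setup port), (InL, policy)) =
+Some (((a,c,d,Setup port)#InL,
+allow_from_to_port port (subnet_of d) (subnet_of c) \<Oplus> policy))"
+(*
+The same happens after the Connect message of the callee.
+*)
+|"VOIP_STA ((a,c,d, Connect port), (InL, policy)) =
+Some (((a,c,d,Connect port)#InL,
+allow_from_to_port port (subnet_of d) (subnet_of c) \<Oplus> policy))"
+(*
+In the FIN message, we have to close all the previously opened
+ports. This works as in the FTP close message, only a little bit
+more complicated.
+*)
+|"VOIP_STA ((a,c,d,Fin), (InL,policy)) =
+(if \<exists> p1 p2. ports_open a (p1,p2) InL then (
+(if src_is_initiator a c InL
+then (Some (((a,c,d,Fin)#InL,
+(deny_from_to_port (1720::int) (subnet_of c) (subnet_of d) ) \<Oplus>
+(deny_from_to_port (snd (SOME p. ports_open a p InL))
+(subnet_of c) (subnet_of d)) \<Oplus>
+(deny_from_to_port (fst (SOME p. ports_open a p InL))
+(subnet_of d) (subnet_of c)) \<Oplus> policy)))
+else (Some (((a,c,d,Fin)#InL,
+(deny_from_to_port (1720::int) (subnet_of c) (subnet_of d) ) \<Oplus>
+(deny_from_to_port (fst (SOME p. ports_open a p InL))
+(subnet_of c) (subnet_of d)) \<Oplus>
+(deny_from_to_port (snd (SOME p. ports_open a p InL))
+(subnet_of d) (subnet_of c)) \<Oplus> policy)))))
+else
+(Some (((a,c,d,Fin)#InL,policy))))"
+(* The default action for all other packets *)
+| "VOIP_STA (p, (InL, policy)) =
+Some ((p#InL,policy)) "
+fun VOIP_STD where
+"VOIP_STD (p,s) = Some s"
+definition VOIP_TRPolicy where
+"VOIP_TRPolicy = policy2MON (
+((VOIP_STA,VOIP_STD) \<Otimes>\<^sub>\<nabla> applyPolicy) o (\<lambda> (x,(y,z)). ((x,z),(x,(y,z)))))"
+text{*
+For a full protocol run, six states are needed.
+*}
+datatype voip_states = S0 | S1 | S2 | S3 | S4 | S5
+text{*
+The constant @{text "is_voip"} checks if a trace corresponds to a
+legal VoIP protocol, given the IP-addresses of the three entities,
+the ID, and the two dynamic ports.
+*}
+fun is_voip :: "voip_states \<Rightarrow> address \<Rightarrow> address \<Rightarrow> address \<Rightarrow> id \<Rightarrow> port \<Rightarrow>
+port \<Rightarrow> (adr\<^sub>i\<^sub>p, address voip_msg) history \<Rightarrow> bool"
+where
+"is_voip H s d g i p1 p2 [] = (H = S5)"
+|"is_voip H s d g i p1 p2 (x#InL) =
+(((\<lambda> (id,sr,de,co).
+(((id = i \<and>
+(H = S4 \<and> ((sr = (s,1719) \<and> de = (g,1719) \<and> co = ARQ \<and>
+is_voip S5 s d g i p1 p2 InL))) \<or>
+(H = S0 \<and> sr = (g,1719) \<and> de = (s,1719) \<and> co = ARJ \<and>
+is_voip S4 s d g i p1 p2 InL) \<or>
+(H = S3 \<and> sr = (g,1719) \<and> de = (s,1719) \<and> co = ACF d \<and>
+is_voip S4 s d g i p1 p2 InL) \<or>
+(H = S2 \<and> sr = (s,1720) \<and> de = (d,1720) \<and> co = Setup p1 \<and>
+is_voip S3 s d g i p1 p2 InL) \<or>
+(H = S1 \<and> sr = (d,1720) \<and> de = (s,1720) \<and> co = Connect p2 \<and>
+is_voip S2 s d g i p1 p2 InL) \<or>
+(H = S1 \<and> sr = (s,p1) \<and> de = (d,p2) \<and> co = Stream \<and>
+is_voip S1 s d g i p1 p2 InL) \<or>
+(H = S1 \<and> sr = (d,p2) \<and> de = (s,p1) \<and> co = Stream \<and>
+is_voip S1 s d g i p1 p2 InL) \<or>
+(H = S0 \<and> sr = (d,1720) \<and> de = (s,1720) \<and> co = Fin \<and>
+is_voip S1 s d g i p1 p2 InL) \<or>
+(H = S0 \<and> sr = (s,1720) \<and> de = (d,1720) \<and> co = Fin \<and>
+is_voip S1 s d g i p1 p2 InL)))))) x)"
+text{*
+Finally, @{text "NB_voip"} returns the set of protocol traces which
+correspond to a correct protocol run given the three addresses, the
+ID, and the two dynamic ports.
+*}
+definition
+NB_voip :: "address \<Rightarrow> address \<Rightarrow> address \<Rightarrow> id \<Rightarrow> port \<Rightarrow> port \<Rightarrow>
+(adr\<^sub>i\<^sub>p, address voip_msg) history set" where
+"NB_voip s d g i p1 p2= {x. (is_voip S0 s d g i p1 p2 x)}"
+end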
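Review bot: In the ARJ equation of `VOIP_STA` the rule revoked on a reject is `deny_from_to_port (14::port) (subnet_of c) (subnet_of d)`, while the channel the ARQ equation opened (and which the comment above says is closed again here) is on port `1719`; unless 14 is deliberate, the 1719 allow rule survives a rejected admission, and the line should read `deny_from_to_port (1719::port) (subnet_of c) (subnet_of d) \<Oplus> policy))`. The direction of the revoking rules also deserves a second look: in ARQ the packet source `c` is the caller and the allow is written `(subnet_of d) (subnet_of c)`, whereas in ACF, where `c` is the gatekeeper, the deny is again `(subnet_of d) (subnet_of c)`, so the two name opposite directions for what the comment describes as the same channel — worth checking against the argument order of `allow_from_to_port`/`deny_from_to_port`. Separately, both Fin branches annotate the signalling port as `(1720::int)` while every other equation uses `::port`; the annotations should agree. `subnet_of_adr` is also introduced without a word on why it differs from `subnet_of`; a one-line `text{* ... *}` would help.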

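--- a/UPF-Firewall.thy
+++ b/UPF-Firewall.thy
@@ -0,0 +1,48 @@
+(*****************************************************************************
+* Copyright (c) 2005-2010 ETH Zurich, Switzerland
+* 2008-2015 Achim D. Brucker, Germany
+* 2009-2016 Université Paris-Sud, France
+* 2015-2016 The University of Sheffield, UK
+*
+* All rights reserved.
+*
+* Redistribution and use in source and binary forms, with or without
+* modification, are permitted provided that the following conditions are
+* met:
+*
+* * Redistributions of source code must retain the above copyright
+* notice, this list of conditions and the following disclaimer.
+*
+* * Redistributions in binary form must reproduce the above
+* copyright notice, this list of conditions and the following
+* disclaimer in the documentation and/or other materials provided
+* with the distribution.
+*
+* * Neither the name of the copyright holders nor the names of its
+* contributors may be used to endorse or promote products derived
+* from this software without specific prior written permission.
+*
+* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+* A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+* OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+* LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+*****************************************************************************)
+chapter {* UPF Firewall *}
+theory
+"UPF-Firewall"
+imports
+"PacketFilter/PacketFilter"
+"NAT/NAT"
+"FWNormalisation/FWNormalisation"
+"StatefulFW/StatefulFW"
+begin
+text{* This is the main entry point for specifications of firewall policies. *}
+end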

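--- a/document/introduction.tex
+++ b/document/introduction.tex
@@ -0,0 +1,12 @@
+We present a formal model of network protocols and their application
+to modeling firewall policies. The formalization is based on the
+\emph{Unified Policy Framework} (UPF)~\cite{brucker.ea:upf:2014}. The
+formalization was originally developed with for generating test cases
+(see~\cite{brucker.ea:formal-fw-testing:2014} for details) for testing the
+security configuration actual firewall and router (middle-boxes) using
+HOL-TestGen~\cite{brucker.ea:formal-fw-testing:2014}. Our work focuses
+on modeling application level protocols on top of tcp/ip. Thus, its
+abstraction level differs from Diekmann's Network Security Policy
+Verification
+formalization~\cite{Network_Security_Policy_Verification-AFP}.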

254
document/root.bib Normal file

@ -0,0 +1,254 @@
@PREAMBLE{ {\providecommand{\ac}[1]{\textsc{#1}} }
# {\providecommand{\acs}[1]{\textsc{#1}} }
# {\providecommand{\acf}[1]{\textsc{#1}} }
# {\providecommand{\TAP}{T\kern-.1em\lower-.5ex\hbox{A}\kern-.1em P} }
# {\providecommand{\leanTAP}{\mbox{\sf lean\it\TAP}} }
# {\providecommand{\holz}{\textsc{hol-z}} }
# {\providecommand{\holocl}{\textsc{hol-ocl}} }
# {\providecommand{\isbn}{\textsc{isbn}} }
# {\providecommand{\Cpp}{C++} }
# {\providecommand{\Specsharp}{Spec\#} }
# {\providecommand{\doi}[1]{\href{http://dx.doi.org/#1}{doi:
{\urlstyle{rm}\nolinkurl{#1}}}}} }
@STRING{conf-tphols="\acs{tphols}" }
@STRING{iso = {International Organization for Standardization} }
@STRING{j-ar = "Journal of Automated Reasoning" }
@STRING{j-cacm = "Communications of the \acs{acm}" }
@STRING{j-acta-informatica = "Acta Informatica" }
@STRING{j-sosym = "Software and Systems Modeling" }
@STRING{j-sttt = "International Journal on Software Tools for Technology" }
@STRING{j-ist = "Information and Software Technology" }
@STRING{j-toplas= "\acs{acm} Transactions on Programming Languages and
Systems" }
@STRING{j-tosem = "\acs{acm} Transactions on Software Engineering and
Methodology" }
@STRING{j-eceasst="Electronic Communications of the \acs{easst}" }
@STRING{j-fac = "Formal Aspects of Computing" }
@STRING{j-ucs = "Journal of Universal Computer Science" }
@STRING{j-sl = "Journal of Symbolic Logic" }
@STRING{j-fp = "Journal of Functional Programming" }
@STRING{j-tkde = {\acs{ieee} Transaction on Knowledge and Data Engineering} }
@STRING{j-tse = {\acs{ieee} Transaction on Software Engineering} }
@STRING{j-entcs = {Electronic Notes in Theoretical Computer Science} }
@STRING{s-lnai = "Lecture Notes in Computer Science" }
@STRING{s-lncs = "Lecture Notes in Computer Science" }
@STRING{s-lnbip = "Lecture Notes in Business Information Processing" }
@String{j-computer = "Computer"}
@String{j-tissec = "\acs{acm} Transactions on Information and System Security"}
@STRING{omg = {Object Management Group} }
@STRING{j-ipl = {Information Processing Letters} }
@STRING{j-login = ";login: the USENIX Association newsletter" }
@STRING{PROC = "Proceedings of the " }
% Publisher:
% ==========
@STRING{pub-awl = {Addison-Wesley Longman, Inc.} }
@STRING{pub-awl:adr={Reading, MA, \acs{usa}} }
@STRING{pub-springer={Springer-Verlag} }
@STRING{pub-springer:adr={Heidelberg} }
@STRING{pub-cup = {Cambridge University Press} }
@STRING{pub-cup:adr={New York, \acs{ny}, \acs{usa}} }
@STRING{pub-mit = {\acs{mit} Press} }
@STRING{pub-mit:adr={Cambridge, Massachusetts} }
@STRING{pub-springer-ny={Springer-Verlag} }
,
@STRING{pub-springer-netherlands={Springer Netherlands} }
@STRING{pub-springer-netherlands:adr={} }
@STRING{pub-springer-ny:adr={New York, \acs{ny}, \acs{usa}} }
@STRING{pub-springer-london={Springer-Verlag} }
@STRING{pub-springer-london:adr={London} }
@STRING{pub-ieee= {\acs{ieee} Computer Society} }
@STRING{pub-ieee:adr={Los Alamitos, \acs{ca}, \acs{usa}} }
@STRING{pub-prentice={Prentice Hall, Inc.} }
@STRING{pub-prentice:adr={Upper Saddle River, \acs{nj}, \acs{usa}} }
@STRING{pub-acm = {\acs{acm} Press} }
@STRING{pub-acm:adr={New York, \acs{ny} \acs{usa}} }
@STRING{pub-oxford={Oxford University Press, Inc.} }
@STRING{pub-oxford:adr={New York, \acs{ny}, \acs{usa}} }
@STRING{pub-kluwer={Kluwer Academic Publishers} }
@STRING{pub-kluwer:adr={Dordrecht} }
@STRING{pub-elsevier={Elsevier Science Publishers} }
@STRING{pub-elsevier:adr={Amsterdam} }
@STRING{pub-north={North-Holland Publishing Co.} }
@STRING{pub-north:adr={Nijmegen, The Netherlands} }
@STRING{pub-ios = {\textsc{ios} Press} }
@STRING{pub-ios:adr={Amsterdam, The Netherlands} }
@STRING{pub-heise={Heise Zeitschriften Verlag} }
@STRING{pub-heise:adr={Hannover, Germany} }
@INPROCEEDINGS{brucker.ea:icst:2010,
author = {Achim D. Brucker and Lukas Br\"ugger and Paul Kearney and Burkhart Wolff},
title = {Verified Firewall Policy Transformations for Test Case Generation},
year = 2010,
series = {Lecture Notes in Computer Science},
publisher = {Springer-Verlag},
copyright = {\copyright Springer-Verlag},
booktitle = {International Conference on Software Testing {(ICST10)}},
location = {Paris, France},
editor = {Ana Cavalli and Sudipto Ghosh},
annote = {To appear in LNCS},
classification = {conference},
pdf = {../papers/conf/firewall-reloaded.pdf},
abstract = {We present an optimization technique for model-based generation of
test cases for firewalls. Based on a formal model for firewall
policies in higher-order logic, we derive a collection of
semantics-preserving policy transformation rules and an algorithm
that optimizes the specification with respect of the number of
test cases required for path coverage. The correctness of the rules
and the algorithm is established by formal proofs in
Isabelle/\acs{hol}. Finally, we use the normalized policies to
generate test cases with the domain-specific firewall testing tool
\testgenFW.
The resulting procedure is characterized by a gain in efficiency
of two orders of magnitude and can handle configurations with
hundreds of rules as occur in practice.
Our approach can be seen as an instance of a methodology to
tame inherent state-space explosions in test case generation for
security policies.}
}
@InCollection{ brucker.ea:test-sequence:2007,
abstract = {HOL-TestGen is a specification and test-case generation
environment extending the interactive theorem prover
Isabelle/HOL. Its method is two-staged: first, the
original formula is partitioned into test cases by
transformation into a normal form. Second, the test cases
are analyzed for ground instances (the test data)
satisfying the constraints of the test cases. Particular
emphasis is put on the control of explicit test hypotheses
which can be proven over concrete programs.
Although originally designed for black-box unit-tests,
HOL-TestGen's underlying logic and deduction engine is
powerful enough to be used in test-sequence generation, too.
We develop the theory for test-sequence generation with
HOL-TestGen and describe its use in a substantial case-study
in the field of computer security, namely the black-box
test of configured firewalls. },
keywords = {security, model-based testing, specification-based
testing, firewall testing},
location = {Zurich},
author = {Achim D. Brucker and Burkhart Wolff},
booktitle = {TAP 2007: Tests And Proofs},
language = {USenglish},
publisher = pub-springer,
series = s-lncs,
number = 4454,
editor = {Bertrand Meyer and Yuri Gurevich},
title = {Test-Sequence Generation with {HOL-TestGen} -- With an
Application to Firewall Testing },
categories = {holtestgen},
classification= {conference},
public = {yes},
year = 2007,
doi = {10.1007/978-3-540-73770-4_9},
pages = {149--168},
pdf = {http://www.brucker.ch/bibliography/download/2007/brucker.ea-test-sequence-2007.pdf}
,
ps = {http://www.brucker.ch/bibliography/download/2007/brucker.ea-test-sequence-2007.ps.gz}
,
}
@InCollection{ brucker.ea:model-based:2008,
abstract = {Firewalls are a cornerstone of todays security
infrastructure for networks. Their configuration,
implementing a firewall policy, is inherently complex, hard
to understand, and difficult to validate.
We present a substantial case study performed with the
model-based testing tool HOL-TestGen. Based on a formal model
of firewalls and their policies in HOL, we first
present a derived theory for simplifying policies. We
discuss different test plans for test specifications.
Finally, we show how to integrate these issues to a
domain-specific firewall testing tool HOL-TestGen/FW.},
editor = {Kenji Suzuki and Teruo Higashino},
location = {Tokyo, Japan},
author = {Achim D. Brucker and Lukas Br{\"u}gger and Burkhart Wolff},
booktitle = {Testcom/FATES 2008},
language = {USenglish},
publisher = pub-springer,
series = s-lncs,
number = 5047,
doi = {10.1007/978-3-540-68524-1_9},
pages = {103--118},
title = {Model-based Firewall Conformance Testing},
categories = {holtestgen},
classification= {conference},
year = 2008,
pdf = {http://www.brucker.ch/bibliography/download/2008/brucker.ea-model-based-2008.pdf}
,
ps = {http://www.brucker.ch/bibliography/download/2008/brucker.ea-model-based-2008.ps.gz}
,
public = {yes},
}
@PhDThesis{ bidder:specification:2007,
author = {Diana von Bidder},
title = {Specification-based Firewall Testing},
school = {ETH Zurich},
year = 2007,
public = {yes},
type = {Ph.D. Thesis},
acknowledgement={none},
classification= {thesis},
note = {\acs{eth} Dissertation No. 17172. Diana von Bidder's
maiden name is Diana Senn.}
}
@article{Network_Security_Policy_Verification-AFP,
author = {Cornelius Diekmann},
title = {Network Security Policy Verification},
journal = {Archive of Formal Proofs},
month = jul,
year = 2014,
note = {\url{http://isa-afp.org/entries/Network_Security_Policy_Verification.shtml},
Formal proof development},
ISSN = {2150-914x},
}
@Article{ brucker.ea:upf:2014,
abstract = {We present the Unified Policy Framework (UPF), a generic framework for modelling security (access-control) policies. UPF emphasizes the view that a policy is a policy decision function that grants or denies access to resources, permissions, etc. In other words, instead of modelling the relations of permitted or prohibited requests directly, we model the concrete function that implements the policy decision point in a system. In more detail, UPF is based on the following four principles: 1) Functional representation of policies, 2) No conflicts are possible, 3) Three-valued decision type (allow, deny, undefined), 4) Output type not containing the decision only.},
author = {Achim D. Brucker and Lukas Br{\"u}gger and Burkhart Wolff},
date = {2014-11-28},
file = {https://www.brucker.ch/bibliography/download/2014/brucker.ea-upf-outline-2014.pdf},
filelabel = {Outline},
issn = {2150-914x},
journal = {Archive of Formal Proofs},
month = {sep},
note = {\url{http://www.isa-afp.org/entries/UPF.shtml}, Formal proof development},
pdf = {https://www.brucker.ch/bibliography/download/2014/brucker.ea-upf-2014.pdf},
title = {The Unified Policy Framework (UPF)},
url = {https://www.brucker.ch/bibliography/abstract/brucker.ea-upf-2014},
year = {2014},
}
@Article{ brucker.ea:formal-fw-testing:2014,
abstract = {Firewalls are an important means to secure critical ICT infrastructures. As configurable off-the-shelf prod\-ucts, the effectiveness of a firewall crucially depends on both the correctness of the implementation itself as well as the correct configuration. While testing the implementation can be done once by the manufacturer, the configuration needs to be tested for each application individually. This is particularly challenging as the configuration, implementing a firewall policy, is inherently complex, hard to understand, administrated by different stakeholders and thus difficult to validate. This paper presents a formal model of both stateless and stateful firewalls (packet filters), including NAT, to which a specification-based conformance test case gen\-eration approach is applied. Furthermore, a verified optimisation technique for this approach is presented: starting from a formal model for stateless firewalls, a collection of semantics-preserving policy transformation rules and an algorithm that optimizes the specification with respect of the number of test cases required for path coverage of the model are derived. We extend an existing approach that integrates verification and testing, that is, tests and proofs to support conformance testing of network policies. The presented approach is supported by a test framework that allows to test actual firewalls using the test cases generated on the basis of the formal model. Finally, a report on several larger case studies is presented.},
author = {Achim D. Brucker and Lukas Br{\"u}gger and Burkhart Wolff},
doi = {10.1002/stvr.1544},
journal = {Software Testing, Verification \& Reliability (STVR)},
keywords = {model-based testing; conformance testing; security testing; firewall; specification-based testing; testing cloud infrastructure, transformation for testability; HOL-TestGen; test and proof; security configuration testing},
language = {USenglish},
number = {1},
pages = {34--71},
pdf = {https://www.brucker.ch/bibliography/download/2014/brucker.ea-formal-fw-testing-2014.pdf},
publisher = {John Wiley \& Sons},
title = {Formal Firewall Conformance Testing: An Application of Test and Proof Techniques},
url = {https://www.brucker.ch/bibliography/abstract/brucker.ea-formal-fw-testing-2014},
volume = {25},
year = {2015},
}

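--- /dev/null
+++ b/document/root.tex
@@ -0,0 +1,159 @@
+\documentclass[11pt,DIV10,a4paper,twoside=semi,openright,titlepage]{scrreprt}
+\usepackage{fixltx2e}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%%% Overrides the (rightfully issued) warning by Koma Script that \rm
+%%% etc. should not be used (they are deprecated since more than a
+%%% decade)
+\DeclareOldFontCommand{\rm}{\normalfont\rmfamily}{\mathrm}
+\DeclareOldFontCommand{\sf}{\normalfont\sffamily}{\mathsf}
+\DeclareOldFontCommand{\tt}{\normalfont\ttfamily}{\mathtt}
+\DeclareOldFontCommand{\bf}{\normalfont\bfseries}{\mathbf}
+\DeclareOldFontCommand{\it}{\normalfont\itshape}{\mathit}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\usepackage{isabelle,isabellesym}
+\usepackage{stmaryrd}
+\usepackage{paralist}
+\usepackage{xspace}
+\usepackage[USenglish]{babel}
+\newcommand{\testgen}{HOL-TestGen\xspace}
+\newcommand{\testgenFW}{HOL-TestGen/FW\xspace}
+\usepackage[numbers, sort&compress, sectionbib]{natbib}
+\usepackage{graphicx}
+\usepackage{color}
+\sloppy
+\usepackage{amssymb}
+\newcommand{\isasymmodels}{\isamath{\models}}
+\newcommand{\HOL}{HOL}
+\newcommand{\ie}{i.\,e.}
+\newcommand{\eg}{e.\,g.}
+\usepackage{pdfsetup}
+\urlstyle{rm}
+\isabellestyle{it}
+\renewcommand{\isastyle}{\isastyleminor}
+\pagestyle{empty}
+\begin{document}
+\renewcommand{\subsubsectionautorefname}{Section}
+\renewcommand{\subsectionautorefname}{Section}
+\renewcommand{\sectionautorefname}{Section}
+\renewcommand{\chapterautorefname}{Chapter}
+\newcommand{\subtableautorefname}{\tableautorefname}
+\newcommand{\subfigureautorefname}{\figureautorefname}
+\title{Formal Network Models and Their Application to Firewall Policies\\ (UPF-Firewall)}
+\author{Achim D. Brucker\footnotemark[1] \quad
+Lukas Br\"ugger\footnotemark[2] \quad
+Burkhart Wolff\footnotemark[3]\\[1.5em]
+\normalsize
+\normalsize\footnotemark[1]~Department of Computer Science, The University of Sheffield, Sheffield, UK
+\texorpdfstring{\\}{}
+\normalsize\href{mailto:"Achim D. Brucker"
+<a.brucker@sheffield.ac.uk>}{a.brucker@sheffield.ac.uk}\\[1em]
+%
+\normalsize\footnotemark[2]Information Security, ETH Zurich, 8092 Zurich, Switzerland
+\texorpdfstring{\\}{}
+\normalsize\href{mailto:"Lukas Bruegger"
+<lukas.a.bruegger@gmail.com>}{Lukas.A.Bruegger@gmail.com}\\[1em]
+%
+\normalsize\footnotemark[3]~Univ. Paris-Sud, Laboratoire LRI,
+UMR8623, 91405 Orsay, France
+France\texorpdfstring{\\}{}
+\normalsize\href{mailto:"Burkhart Wolff" <burkhart.wolff@lri.fr>}{burkhart.wolff@lri.fr}
+}
+\pagestyle{empty}
+\publishers{%
+\normalfont\normalsize%
+\centerline{\textsf{\textbf{\large Abstract}}}
+\vspace{1ex}%
+\parbox{0.8\linewidth}{%
+We present a formal model of network protocols and their
+application to modeling firewall policies. The formalization is
+based on the \emph{Unified Policy Framework} (UPF). The
+formalization was originally developed with for generating test
+cases for testing the security configuration actual firewall and
+router (middle-boxes) using HOL-TestGen. Our work focuses on
+modeling application level protocols on top of tcp/ip. Thus, its
+abstraction level differs from Diekmann's Network Security
+Policy Verification formalization
+}
+}
+\maketitle
+\cleardoublepage
+\pagestyle{plain}
+\tableofcontents
+\cleardoublepage
+\chapter{Introduction}
+\input{introduction}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+% <session>
+% \input{session}
+\input{UPF-Firewall}
+\input{NetworkModels}
+\input{NetworkCore}
+\input{DatatypeAddress}
+\input{DatatypePort}
+\input{IntegerAddress}
+\input{IntegerPort}
+\input{IntegerPort_TCPUDP}
+\input{IPv4}
+\input{IPv4_TCPUDP.tex}
+\input{PacketFilter.tex}
+\input{PolicyCore}
+\input{PolicyCombinators}
+\input{PortCombinators}
+\input{ProtocolPortCombinators}
+\input{Ports}
+\input{NAT}
+\input{FWNormalisation.tex}
+\input{FWNormalisationCore.tex}
+\input{NormalisationGenericProofs.tex}
+\input{NormalisationIntegerPortProof.tex}
+\input{NormalisationIPPProofs.tex}
+\input{Stateful}
+\input{FTP}
+\input{FTP_WithPolicy}
+\input{VOIP}
+\input{FTPVOIP}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\input{Examples.tex}
+\input{DMZ.tex}
+\input{DMZDatatype.tex}
+\input{DMZInteger.tex}
+\input{PersonalFirewall.tex}
+\input{PersonalFirewallInt.tex}
+\input{PersonalFirewallIpv4.tex}
+\input{Transformation.tex}
+\input{Transformation01.tex}
+\input{Transformation02.tex}
+\input{NAT-FW.tex}
+\input{VoIP.tex}
+% </session>
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%\input{conclusion}
+\appendix
+\chapter{Appendix}
+\input{LTL_alike.tex}
+\begin{figure}
+\includegraphics[height=\textheight]{session_graph}
+\end{figure}
+\bibliographystyle{abbrvnat}
+\bibliography{root}
+\end{document}
+%%% Local Variables:
+%%% mode: latex
+%%% TeX-master: t
+%%% End: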