Reformatting.

FWNormalisation/ElementaryRules.thy

@@ -36,41 +36,43 @@
  *****************************************************************************)
 
 subsection {* Elementary Firewall Policy Transformation Rules *} 
-theory ElementaryRules
+theory 
-imports FWNormalisationCore
+  ElementaryRules
+  imports 
+    FWNormalisationCore
 begin
-
+  
-
+  
 text{* 
   This theory contains those elementary transformation rules which are presented in the ICST 
   2010 paper~\cite{brucker.ea:firewall:2010}. They are not used elsewhere.
 *}
-
+  
 lemma elem1:
- "C (AllowPortFromTo x y p \<oplus> DenyAllFromTo x y) = C (DenyAllFromTo x y)"
+  "C (AllowPortFromTo x y p \<oplus> DenyAllFromTo x y) = C (DenyAllFromTo x y)"
-by (rule ext, auto simp: PLemmas)
+  by (rule ext, auto simp: PLemmas)
-
+    
-
+    
 lemma elem2:
- "C ((a \<oplus> b) \<oplus> c) = C (a \<oplus> (b \<oplus> c))"
+  "C ((a \<oplus> b) \<oplus> c) = C (a \<oplus> (b \<oplus> c))"
-by (simp add: C.simps) 
+  by (simp add: C.simps) 
-
+    
 lemma elem3:
- "C (AllowPortFromTo x y a \<oplus> AllowPortFromTo x y b) = 
+  "C (AllowPortFromTo x y a \<oplus> AllowPortFromTo x y b) = 
   C (AllowPortFromTo x y b \<oplus> AllowPortFromTo x y a)"
-by (rule ext, auto simp: PLemmas)
+  by (rule ext, auto simp: PLemmas)
-
+    
 lemma elem4:
- "C (a \<oplus> DenyAll) = C DenyAll"
+  "C (a \<oplus> DenyAll) = C DenyAll"
-by (rule ext, auto simp: PLemmas)
+  by (rule ext, auto simp: PLemmas)
-
+    
 lemma elem5:
- "C (DenyAllFromTo x y \<oplus> DenyAllFromTo u v) = C (DenyAllFromTo u v \<oplus> DenyAllFromTo x y)"
+  "C (DenyAllFromTo x y \<oplus> DenyAllFromTo u v) = C (DenyAllFromTo u v \<oplus> DenyAllFromTo x y)"
-by (rule ext, auto simp: PLemmas)
+  by (rule ext, auto simp: PLemmas)
-
+    
-
+    
 lemma elem6: 
- "dom (C a) \<inter> dom (C b) = {} \<Longrightarrow> C (a \<oplus> b) = C (b \<oplus> a)"
+  "dom (C a) \<inter> dom (C b) = {} \<Longrightarrow> C (a \<oplus> b) = C (b \<oplus> a)"
-by (rule ext, metis C.simps(4) map_add_comm)
+  by (rule ext, metis C.simps(4) map_add_comm)
-
+    
 end

FWNormalisation/FWNormalisation.thy

@@ -35,8 +35,11 @@
  *****************************************************************************)
 
 chapter {* Firewall Policy Normalisation *}
-theory  FWNormalisation
+theory  
-imports NormalisationIPPProofs
+  FWNormalisation
+  imports 
+    NormalisationIPPProofs
+    ElementaryRules
 begin
-
+  
 end

FWNormalisation/FWNormalisationCore.thy

@@ -85,21 +85,23 @@ text{* We define a very simple policy language: *}
 
 datatype ('\<alpha>,'\<beta>) Combinators = 
   DenyAll
-| DenyAllFromTo '\<alpha> '\<alpha> 
+  | DenyAllFromTo '\<alpha> '\<alpha> 
-| AllowPortFromTo '\<alpha> '\<alpha> '\<beta> 
+  | AllowPortFromTo '\<alpha> '\<alpha> '\<beta> 
-| Conc "(('\<alpha>,'\<beta>) Combinators)" "(('\<alpha>,'\<beta>) Combinators)" (infixr "\<oplus>" 80)
+  | Conc "(('\<alpha>,'\<beta>) Combinators)" "(('\<alpha>,'\<beta>) Combinators)" (infixr "\<oplus>" 80)
 
 text{* 
   And define the semantic interpretation of it. For technical reasons, we fix here the type to 
   policies over IntegerPort addresses. However, we could easily provide definitions for other
-  address types as well, using a generic consts for the type definition and a primitive recursive 
+  address types as well, using a generic constants for the type definition and a primitive 
-  definition for each desired address model.  *}
+  recursive definition for each desired address model.  
+*}
 
 subsubsection{* Auxiliary definitions and functions. *}
 text{*
-  This subsubsection defines several functions which are useful later for the combinators, invariants, 
+  This section defines several functions which are useful later for the combinators, invariants, 
   and proofs. 
 *}
+  
 fun srcNet where 
  "srcNet (DenyAllFromTo x y) = x"
 |"srcNet (AllowPortFromTo x y p) = x"
@@ -275,8 +277,8 @@ fun NetsCollected2 where
 subsubsection{* Transformations *}
 
 text {*
-  The following two functions transform a policy into a list of single rules and vice-versa - by 
+  The following two functions transform a policy into a list of single rules and vice-versa (by 
-  staying on the combinator level.
+  staying on the combinator level).
 *}
 
 fun policy2list::"('\<alpha>, '\<beta>) Combinators \<Rightarrow>
@@ -309,7 +311,9 @@ definition removeShadowRules1_alternative where
    "removeShadowRules1_alternative p =
                          rev (removeShadowRules1_alternative_rev (rev p))"
 
-text{* Remove all the rules which allow a port, but are shadowed by a deny between these subnets *}
+text{* 
+  Remove all the rules which allow a port, but are shadowed by a deny between these subnets.
+ *}
 
 fun removeShadowRules2::  "(('\<alpha>, '\<beta>) Combinators) list \<Rightarrow>
                           (('\<alpha>, '\<beta>) Combinators) list"
@@ -321,8 +325,10 @@ where
 | "removeShadowRules2 (x#y) = x#(removeShadowRules2 y)"
 | "removeShadowRules2 [] = []"
 
-text{* Sorting a pocliy.  We first need to define an ordering on
+text{* 
-rules.  This ordering depends on the $Nets\_List$ of a policy.  *}
+  Sorting a policies:  We first need to define an ordering on rules.  This ordering depends 
+   on the $Nets\_List$ of a policy.  
+*}
 
 fun smaller :: "('\<alpha>, '\<beta>) Combinators \<Rightarrow> 
                 ('\<alpha>, '\<beta>) Combinators \<Rightarrow> 
@@ -346,16 +352,11 @@ fun qsort where
 lemma qsort_permutes:
   "set (qsort xs l) = set xs"
   apply (induct xs l rule: qsort.induct)
-   apply (simp_all)
+  by (auto)
-   apply auto
- done
-
-lemma set_qsort [simp]: "set (qsort xs l)  = set xs"
- apply (induct xs l rule: qsort.induct)
-   apply (simp_all)
-   apply auto
- done
 
+lemma set_qsort [simp]: "set (qsort xs l)  = set xs" 
+  by (simp add: qsort_permutes)
+    
 fun insort where
 	  "insort a [] l = [a]"
 	| "insort a (x#xs) l = (if (smaller a x l) then a#x#xs else x#(insort a xs l))"
@@ -364,12 +365,10 @@ fun sort where
   "sort [] l = []"
 | "sort (x#xs) l = insort x (sort xs l) l"
 
-
-
 fun sorted  where
-"sorted [] l \<longleftrightarrow> True" |
+  "sorted [] l = True"
-"sorted [x] l \<longleftrightarrow> True" |
+| "sorted [x] l = True"
-"sorted (x#y#zs) l \<longleftrightarrow> smaller x y l \<and> sorted (y#zs) l"
+| "sorted (x#y#zs) l = (smaller x y l \<and> sorted (y#zs) l)"
 
 fun separate where
  "separate (DenyAll#x) = DenyAll#(separate x)"
@@ -379,7 +378,8 @@ fun separate where
 |"separate x = x"                
 
 text {*
-Insert the DenyAllFromTo rules, such that traffic between two networks can be tested individually
+  Insert the DenyAllFromTo rules, such that traffic between two networks can be tested 
+  individually.
 *}
 
 fun  insertDenies where
@@ -389,11 +389,11 @@ fun  insertDenies where
                                 (insertDenies xs))"
 | "insertDenies [] = []"
 
-text{* Remove duplicate rules. This is especially necessary as
+text{* 
-insertDenies might have inserted duplicate rules.
+  Remove duplicate rules. This is especially necessary as insertDenies might have inserted 
-
+  duplicate rules. The second function is supposed to work on a list of policies. Only
-The second function is supposed to work on a list of policies. Only
+  rules which are duplicated within the same policy are removed.  
-rules which are duplicated within the same policy are removed.  *}
+*}
 
 
 fun removeDuplicates where
@@ -412,10 +412,8 @@ fun insertDeny where
 
 
 definition "sort' p l = sort l p"
-
 definition "qsort' p l = qsort l p"
 
-
 declare dom_eq_empty_conv [simp del]
 
 fun list2policyR::"(('\<alpha>, '\<beta>) Combinators) list \<Rightarrow>
@@ -425,7 +423,9 @@ fun list2policyR::"(('\<alpha>, '\<beta>) Combinators) list \<Rightarrow>
 |"list2policyR [] = undefined "
 
 
-text{* We provide the definitions for two address representations. *}
+text{* 
+  We provide the definitions for two address representations. 
+*}
 
 
 subsubsection{* IntPort *}
@@ -437,9 +437,6 @@ where
 |"C (AllowPortFromTo x y p) = allow_from_to_port p x y"
 |"C  (x \<oplus> y) =  C x ++ C y"
 
-
-
-
 fun CRotate :: "(adr\<^sub>i\<^sub>p net, port) Combinators \<Rightarrow> (adr\<^sub>i\<^sub>p,DummyContent) packet \<mapsto> unit"
 where
 " CRotate DenyAll = C DenyAll" 
@@ -447,24 +444,20 @@ where
 |"CRotate (AllowPortFromTo x y p) = C (AllowPortFromTo x y p)"
 |"CRotate (x \<oplus> y) = ((CRotate y) ++ ((CRotate x)))"
 
-
 fun rotatePolicy where
   "rotatePolicy DenyAll = DenyAll" 
 | "rotatePolicy (DenyAllFromTo a b) = DenyAllFromTo a b"
 | "rotatePolicy (AllowPortFromTo a b p) = AllowPortFromTo a b p"
 | "rotatePolicy (a\<oplus>b) = (rotatePolicy b) \<oplus> (rotatePolicy a)"
 
-
 lemma check: "rev (policy2list (rotatePolicy p)) = policy2list p"
-apply (induct p)
+  apply (induct p)
-apply simp
+  by (simp_all) 
-apply simp_all
-done
-
 
 
 text{* 
-  All rules appearing at the left of a DenyAllFromTo, have disjunct domains from it (except DenyAll) 
+  All rules appearing at the left of a DenyAllFromTo, have disjunct domains from it 
+  (except DenyAll). 
 *}
 fun (sequential) wellformed_policy2 where
   "wellformed_policy2 [] = True"
@@ -472,8 +465,10 @@ fun (sequential) wellformed_policy2 where
 | "wellformed_policy2 (x#xs) = ((\<forall> c a b. c = DenyAllFromTo a b \<and> c \<in> set xs \<longrightarrow>
                  Map.dom (C x) \<inter> Map.dom (C c) = {}) \<and> wellformed_policy2 xs)"
 
-text{* An allow rule is disjunct with all rules appearing at the right of it. This invariant is not 
+text{* 
-        necessary as it is a consequence from others, but facilitates some proofs. *}
+  An allow rule is disjunct with all rules appearing at the right of it. This invariant is not 
+  necessary as it is a consequence from others, but facilitates some proofs. 
+*}
 
 fun (sequential) wellformed_policy3::"((adr\<^sub>i\<^sub>p net,port) Combinators) list \<Rightarrow> bool" where
   "wellformed_policy3 [] = True"
@@ -494,7 +489,6 @@ definition
                    (rm_MT_rules C) o insertDeny o removeShadowRules1 o
                    policy2list) p"
 
-
 definition normalize :: 
   "(adr\<^sub>i\<^sub>p net, port) Combinators \<Rightarrow> 
    (adr\<^sub>i\<^sub>p net, port) Combinators list" 
@@ -508,9 +502,6 @@ definition
     (sort (removeShadowRules2 (remdups ((rm_MT_rules C) (insertDeny
     (removeShadowRules1 (policy2list p)))))) ((l)))))"
 
-
-
-
 definition normalizeQ :: 
   "(adr\<^sub>i\<^sub>p net, port) Combinators \<Rightarrow> 
    (adr\<^sub>i\<^sub>p net, port) Combinators list" 
@@ -524,11 +515,11 @@ definition
     (qsort (removeShadowRules2 (remdups ((rm_MT_rules C) (insertDeny
     (removeShadowRules1 (policy2list p)))))) ((l)))))"
 
-text{* Of course, normalize is equal to normalize', the latter looks nicer though. *}
+text{* 
+  Of course, normalize is equal to normalize', the latter looks nicer though. 
+*}
 lemma "normalize = normalize'"
-by (rule ext, simp add: normalize_def normalize'_def sort'_def)
+  by (rule ext, simp add: normalize_def normalize'_def sort'_def)
-
-
 
 declare C.simps [simp del]
 
@@ -552,19 +543,20 @@ where
 |"Dp (AllowPortFromTo x y p) = Cp (AllowPortFromTo x y p)"
 |"Dp  (x \<oplus> y) =  Cp (y \<oplus> x)"
 
-
+text{* 
-
+  All rules appearing at the left of a DenyAllFromTo, have disjunct domains from it 
-
+  (except DenyAll). 
-text{* All rules appearing at the left of a DenyAllFromTo, have disjunct domains from it 
+*}
-         (except DenyAll) *}
 fun (sequential) wellformed_policy2Pr where
   "wellformed_policy2Pr [] = True"
 | "wellformed_policy2Pr (DenyAll#xs) = wellformed_policy2Pr xs"
 | "wellformed_policy2Pr (x#xs) = ((\<forall> c a b. c = DenyAllFromTo a b \<and> c \<in> set xs \<longrightarrow>
                  Map.dom (Cp x) \<inter> Map.dom (Cp c) = {}) \<and> wellformed_policy2Pr xs)"
 
-text{* An allow rule is disjunct with all rules appearing at the right of it. This invariant is not
+text{* 
-  necessary as it is a consequence from others, but facilitates some proofs. *}
+  An allow rule is disjunct with all rules appearing at the right of it. This invariant is not
+  necessary as it is a consequence from others, but facilitates some proofs. 
+*}
 
 fun (sequential) wellformed_policy3Pr::"((adr\<^sub>i\<^sub>p\<^sub>p net, protocol \<times> port) Combinators) list \<Rightarrow> bool" where
   "wellformed_policy3Pr [] = True"
@@ -572,9 +564,6 @@ fun (sequential) wellformed_policy3Pr::"((adr\<^sub>i\<^sub>p\<^sub>p net, proto
       dom (Cp r) \<inter> dom (Cp (AllowPortFromTo a b p)) = {}) \<and> wellformed_policy3Pr xs)"
 | "wellformed_policy3Pr (x#xs) = wellformed_policy3Pr xs"
 
-
-
-
 definition 
  normalizePr' :: "(adr\<^sub>i\<^sub>p\<^sub>p net, protocol \<times> port) Combinators
   \<Rightarrow> (adr\<^sub>i\<^sub>p\<^sub>p net, protocol \<times> port) Combinators list" where 
@@ -583,7 +572,6 @@ definition
                    (rm_MT_rules Cp) o insertDeny o removeShadowRules1 o
                    policy2list) p"
 
-
 definition normalizePr :: 
 "(adr\<^sub>i\<^sub>p\<^sub>p net, protocol \<times> port) Combinators
   \<Rightarrow> (adr\<^sub>i\<^sub>p\<^sub>p net, protocol \<times> port) Combinators list" where
@@ -605,7 +593,6 @@ definition
                    (rm_MT_rules Cp) o insertDeny o removeShadowRules1 o
                    policy2list) p"
 
-
 definition normalizePrQ :: 
 "(adr\<^sub>i\<^sub>p\<^sub>p net, protocol \<times> port) Combinators
   \<Rightarrow> (adr\<^sub>i\<^sub>p\<^sub>p net, protocol \<times> port) Combinators list" where
@@ -618,37 +605,33 @@ definition
     (qsort (removeShadowRules2 (remdups ((rm_MT_rules Cp) (insertDeny
     (removeShadowRules1 (policy2list p)))))) ((l)))))"
 
-
+text{* 
-text{* Of course, normalize is equal to normalize', the latter looks nicer though. *}
+  Of course, normalize is equal to normalize', the latter looks nicer though. 
+*}
 lemma "normalizePr = normalizePr'"
-by (rule ext, simp add: normalizePr_def normalizePr'_def sort'_def)
+  by (rule ext, simp add: normalizePr_def normalizePr'_def sort'_def)
 
 
-text{* The following definition helps in creating the test specification for the individual parts 
+text{* 
-  of a normalized policy. *}
+  The following definition helps in creating the test specification for the individual parts 
+  of a normalized policy. 
+*}
 definition makeFUTPr where 
    "makeFUTPr FUT p x n = 
      (packet_Nets x (fst (normBothNets (bothNets p)!n))  
                      (snd(normBothNets (bothNets p)!n)) \<longrightarrow> 
     FUT x = Cp ((normalizePr p)!Suc n) x)"
 
-
 declare Cp.simps [simp del]
 
-
 lemmas PLemmas = C.simps Cp.simps dom_def PolicyCombinators.PolicyCombinators
                  PortCombinators.PortCombinatorsCore aux
                  ProtocolPortCombinators.ProtocolCombinatorsCore src_def dest_def in_subnet_def
                  adr\<^sub>i\<^sub>p\<^sub>pLemmas adr\<^sub>i\<^sub>p\<^sub>pLemmas
 
-
 lemma aux: "\<lbrakk>x \<noteq> a; y\<noteq>b; (x \<noteq> y \<and> x \<noteq> b) \<or>  (a \<noteq> b \<and> a \<noteq> y)\<rbrakk> \<Longrightarrow> {x,a} \<noteq> {y,b}"
   by (auto)
 
-
-
 lemma aux2: "{a,b} = {b,a}"
   by auto
-
-
 end