(***************************************************************************** * Copyright (c) 2005-2010 ETH Zurich, Switzerland * 2008-2015 Achim D. Brucker, Germany * 2009-2017 Université Paris-Sud, France * 2015-2017 The University of Sheffield, UK * * All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions are * met: * * * Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. * * * Redistributions in binary form must reproduce the above * copyright notice, this list of conditions and the following * disclaimer in the documentation and/or other materials provided * with the distribution. * * * Neither the name of the copyright holders nor the names of its * contributors may be used to endorse or promote products derived * from this software without specific prior written permission. * * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT * OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. *****************************************************************************) subsection \Normalisation Proofs: Integer Protocol\ theory NormalisationIPPProofs imports NormalisationIntegerPortProof begin text\ Normalisation proofs which are specific to the IntegerProtocol address representation. \ lemma ConcAssoc: "Cp((A \ B) \ D) = Cp(A \ (B \ D))" by (simp add: Cp.simps) lemma aux26[simp]: "twoNetsDistinct a b c d \ dom (Cp (AllowPortFromTo a b p)) \ dom (Cp (DenyAllFromTo c d)) = {}" by(auto simp:twoNetsDistinct_def netsDistinct_def PLemmas, auto) lemma wp2_aux[rule_format]: "wellformed_policy2Pr (xs @ [x]) \ wellformed_policy2Pr xs" apply(induct xs, simp_all) subgoal for a as apply(case_tac "a", simp_all) done done lemma Cdom2: "x \ dom(Cp b) \ Cp (a \ b) x = (Cp b) x" by (auto simp: Cp.simps) lemma wp2Conc[rule_format]: "wellformed_policy2Pr (x#xs) \ wellformed_policy2Pr xs" by (case_tac "x",simp_all) lemma DAimpliesMR_E[rule_format]: "DenyAll \ set p \ (\ r. applied_rule_rev Cp x p = Some r)" apply (simp add: applied_rule_rev_def) apply (rule_tac xs = p in rev_induct, simp_all) by (metis Cp.simps(1) denyAllDom) lemma DAimplieMR[rule_format]: "DenyAll \ set p \ applied_rule_rev Cp x p \ None" by (auto intro: DAimpliesMR_E) lemma MRList1[rule_format]: "x \ dom (Cp a) \ applied_rule_rev Cp x (b@[a]) = Some a" by (simp add: applied_rule_rev_def) lemma MRList2: "x \ dom (Cp a) \ applied_rule_rev Cp x (c@b@[a]) = Some a" by (simp add: applied_rule_rev_def) lemma MRList3: "x \ dom(Cp xa) \ applied_rule_rev Cp x (a@b#xs@[xa]) = applied_rule_rev Cp x (a @ b # xs)" by (simp add: applied_rule_rev_def) lemma CConcEnd[rule_format]: "Cp a x = Some y \ Cp (list2FWpolicy (xs @ [a])) x = Some y" (is "?P xs") apply (rule_tac P = ?P in list2FWpolicy.induct) by (simp_all add:Cp.simps) lemma CConcStartaux: "Cp a x = None \ (Cp aa ++ Cp a) x = Cp aa x" by (simp add: PLemmas) lemma CConcStart[rule_format]: "xs \ [] \ Cp a x = None \ Cp (list2FWpolicy (xs @ [a])) x = Cp (list2FWpolicy xs) x" by (rule list2FWpolicy.induct) (simp_all add: PLemmas) lemma mrNnt[simp]: "applied_rule_rev Cp x p = Some a \ p \ []" by (simp add: applied_rule_rev_def)(auto) lemma mr_is_C[rule_format]: "applied_rule_rev Cp x p = Some a \ Cp (list2FWpolicy (p)) x = Cp a x" apply (simp add: applied_rule_rev_def) apply (rule rev_induct, simp_all, safe) apply (metis CConcEnd ) apply (metis CConcEnd) by (metis CConcStart applied_rule_rev_def mrNnt option.exhaust) lemma CConcStart2: "p \ [] \ x \ dom (Cp a) \ Cp(list2FWpolicy (p@[a])) x = Cp (list2FWpolicy p)x" by (erule CConcStart,simp add: PLemmas) lemma CConcEnd1: "q@p \ [] \ x \ dom (Cp a) \ Cp(list2FWpolicy(q@p@[a])) x = Cp (list2FWpolicy (q@p))x" by (subst lCdom2) (rule CConcStart2, simp_all) lemma CConcEnd2[rule_format]: "x \ dom (Cp a) \ Cp (list2FWpolicy (xs @ [a])) x = Cp a x" (is "?P xs") by (rule_tac P = ?P in list2FWpolicy.induct) (auto simp:Cp.simps) lemma bar3: "x \ dom (Cp (list2FWpolicy (xs @ [xa]))) \ x \ dom (Cp (list2FWpolicy xs)) \ x \ dom (Cp xa)" by auto (metis CConcStart eq_Nil_appendI l2p_aux2 option.simps(3)) lemma CeqEnd[rule_format,simp]: "a \ [] \ x \ dom (Cp(list2FWpolicy a)) \ Cp(list2FWpolicy(b@a)) x = (Cp(list2FWpolicy a)) x" proof (induct rule: rev_induct) case Nil show ?case by simp next case (snoc xa xs) show ?case apply (case_tac "xs \ []", simp_all) apply (case_tac "x \ dom (Cp xa)") apply (metis CConcEnd2 MRList2 mr_is_C ) apply (metis snoc.hyps CConcEnd1 CConcStart2 Nil_is_append_conv bar3 ) by (metis MRList2 eq_Nil_appendI mr_is_C ) qed lemma CConcStartA[rule_format,simp]: "x \ dom (Cp a) \ x \ dom (Cp (list2FWpolicy (a # b)))" (is "?P b") by (rule_tac P = ?P in list2FWpolicy.induct) (simp_all add: Cp.simps) lemma domConc: "x \ dom (Cp (list2FWpolicy b)) \ b \ [] \ x \ dom (Cp (list2FWpolicy (a@b)))" by (auto simp: PLemmas) lemma CeqStart[rule_format,simp]: "x \ dom (Cp (list2FWpolicy a)) \ a \ [] \ b \ [] \ Cp (list2FWpolicy (b@a)) x = (Cp (list2FWpolicy b)) x" by (rule list2FWpolicy.induct,simp_all) (auto simp: list2FWpolicyconc PLemmas) lemma C_eq_if_mr_eq2: "applied_rule_rev Cp x a = Some r \ applied_rule_rev Cp x b = Some r \ a\[] \ b\[] \ (Cp (list2FWpolicy a)) x = (Cp (list2FWpolicy b)) x" by (metis mr_is_C) lemma nMRtoNone[rule_format]: "p \ [] \ applied_rule_rev Cp x p = None \ Cp (list2FWpolicy p) x = None" proof (induct rule: rev_induct) case Nil show ?case by simp next case (snoc xa xs) show ?case apply (case_tac "xs = []", simp_all) by (simp_all add: snoc.hyps applied_rule_rev_def dom_def) qed lemma C_eq_if_mr_eq: "applied_rule_rev Cp x b = applied_rule_rev Cp x a \ a \ [] \ b \ [] \ (Cp (list2FWpolicy a)) x = (Cp (list2FWpolicy b)) x" apply (cases "applied_rule_rev Cp x a = None", simp_all) apply (subst nMRtoNone,simp_all) apply (subst nMRtoNone,simp_all) by (auto intro: C_eq_if_mr_eq2) lemma notmatching_notdom: "applied_rule_rev Cp x (p@[a]) \ Some a \ x \ dom (Cp a)" by (simp add: applied_rule_rev_def split: if_splits) lemma foo3a[rule_format]: "applied_rule_rev Cp x (a@[b]@c) = Some b \ r \ set c \ b \ set c \ x \ dom (Cp r)" proof (induct rule: rev_induct) case Nil show ?case by simp next case (snoc xa xs) show ?case apply simp_all apply (rule impI|rule conjI|simp)+ apply (rule_tac p = "a @ b # xs" in notmatching_notdom,simp_all) by (metis Cons_eq_appendI NormalisationIPPProofs.MRList2 NormalisationIPPProofs.MRList3 append_Nil option.inject snoc.hyps) qed lemma foo3D: "wellformed_policy1 p \ p=DenyAll#ps \ applied_rule_rev Cp x p = Some DenyAll \ r\set ps \ x \ dom (Cp r)" by (rule_tac a = "[]" and b = "DenyAll" and c = "ps" in foo3a, simp_all) lemma foo4[rule_format]: "set p = set s \ (\ r. r \ set p \ x \ dom (Cp r)) \ (\ r .r \ set s \ x \ dom (Cp r))" by simp lemma foo5b[rule_format]: "x \ dom (Cp b) \ (\ r. r \ set c \ x \ dom (Cp r))\ applied_rule_rev Cp x (b#c) = Some b" apply (simp add: applied_rule_rev_def) apply (rule_tac xs = c in rev_induct, simp_all) done lemma mr_first: "x \ dom (Cp b) \ (\ r. r \ set c \ x \ dom (Cp r)) \ s = b#c \ applied_rule_rev Cp x s = Some b" by (simp add: foo5b) lemma mr_charn[rule_format]: "a \ set p \ (x \ dom (Cp a)) \(\ r. r \ set p \ x \ dom (Cp r) \ r = a) \ applied_rule_rev Cp x p = Some a" apply(rule_tac xs = p in rev_induct) apply(simp_all only:applied_rule_rev_def) apply(simp,safe,simp_all) by(auto) lemma foo8: "\ r. r \ set p \ x \ dom (Cp r) \ r = a \ set p = set s \ \ r. r \ set s \ x \ dom (Cp r) \ r = a" by auto lemma mrConcEnd[rule_format]: "applied_rule_rev Cp x (b # p) = Some a \ a \ b \ applied_rule_rev Cp x p = Some a" apply (simp add: applied_rule_rev_def) apply (rule_tac xs = p in rev_induct,simp_all) by auto lemma wp3tl[rule_format]: "wellformed_policy3Pr p \ wellformed_policy3Pr (tl p)" apply (induct p, simp_all) subgoal for a as apply(case_tac a, simp_all) done done lemma wp3Conc[rule_format]: "wellformed_policy3Pr (a#p) \ wellformed_policy3Pr p" by (induct p, simp_all, case_tac a, simp_all) lemma foo98[rule_format]: "applied_rule_rev Cp x (aa # p) = Some a \ x \ dom (Cp r) \ r \ set p \ a \ set p" unfolding applied_rule_rev_def proof (induct rule: rev_induct) case Nil show ?case by simp next case (snoc xa xs) then show ?case by simp_all (case_tac "r = xa", simp_all) qed lemma mrMTNone[simp]: "applied_rule_rev Cp x [] = None" by (simp add: applied_rule_rev_def) lemma DAAux[simp]: "x \ dom (Cp DenyAll)" by (simp add: dom_def PolicyCombinators.PolicyCombinators Cp.simps) lemma mrSet[rule_format]: "applied_rule_rev Cp x p = Some r \ r \ set p" unfolding applied_rule_rev_def by (rule_tac xs=p in rev_induct) simp_all lemma mr_not_Conc: "singleCombinators p \ applied_rule_rev Cp x p \ Some (a\b)" by (auto simp: mrSet dest: mrSet elim: SCnotConc) lemma foo25[rule_format]: "wellformed_policy3Pr (p@[x]) \ wellformed_policy3Pr p" apply(induct p, simp_all) subgoal for a p apply(case_tac a, simp_all) done done lemma mr_in_dom[rule_format]: "applied_rule_rev Cp x p = Some a \ x \ dom (Cp a)" by (rule_tac xs = p in rev_induct) (auto simp: applied_rule_rev_def) lemma wp3EndMT[rule_format]: "wellformed_policy3Pr (p@[xs]) \ AllowPortFromTo a b po \ set p \ dom (Cp (AllowPortFromTo a b po)) \ dom (Cp xs) = {}" apply (induct p, simp_all) by (metis NormalisationIPPProofs.wp3Conc aux0_4 inf_commute list.set_intros(1) wellformed_policy3Pr.simps(2)) lemma foo29: "dom (Cp a) \ {} \ dom (Cp a) \ dom (Cp b) = {} \ a \ b" by auto lemma foo28: "AllowPortFromTo a b po\set p \ dom(Cp(AllowPortFromTo a b po))\{} \ (wellformed_policy3Pr(p@[x])) \ x \ AllowPortFromTo a b po" by (metis foo29 Cp.simps(3) wp3EndMT) lemma foo28a[rule_format]: "x \ dom (Cp a) \ dom (Cp a) \ {}" by auto lemma allow_deny_dom[simp]: "dom (Cp (AllowPortFromTo a b po)) \ dom (Cp (DenyAllFromTo a b))" by (simp_all add: twoNetsDistinct_def netsDistinct_def PLemmas) auto lemma DenyAllowDisj: "dom (Cp (AllowPortFromTo a b p)) \ {} \ dom (Cp (DenyAllFromTo a b)) \ dom (Cp (AllowPortFromTo a b p)) \ {}" by (metis Int_absorb1 allow_deny_dom) lemma foo31: "\ r. r \ set p \ x \ dom (Cp r) \ (r = AllowPortFromTo a b po \ r = DenyAllFromTo a b \ r = DenyAll) \ set p = set s \ (\r. r\set s \ x\dom(Cp r) \ r=AllowPortFromTo a b po \ r=DenyAllFromTo a b \ r = DenyAll)" by auto lemma wp1_auxa: "wellformed_policy1_strong p\(\ r. applied_rule_rev Cp x p = Some r)" apply (rule DAimpliesMR_E) by (erule wp1_aux1aa) lemma deny_dom[simp]: "twoNetsDistinct a b c d \ dom (Cp (DenyAllFromTo a b)) \ dom (Cp (DenyAllFromTo c d)) = {}" by (simp add: Cp.simps) (erule aux6) lemma domTrans: "\dom a \ dom b; dom(b) \ dom (c) = {}\ \ dom(a) \ dom(c) = {}" by auto lemma DomInterAllowsMT: " twoNetsDistinct a b c d \ dom (Cp(AllowPortFromTo a b p)) \ dom(Cp(AllowPortFromTo c d po))={}" apply (case_tac "p = po", simp_all) apply (rule_tac b = "Cp (DenyAllFromTo a b)" in domTrans, simp_all) apply (metis domComm aux26 tNDComm) apply (simp add: twoNetsDistinct_def netsDistinct_def PLemmas) by (auto simp: prod_eqI) lemma DomInterAllowsMT_Ports: "p \ po \ dom (Cp (AllowPortFromTo a b p)) \ dom (Cp (AllowPortFromTo c d po)) = {}" apply (simp add: twoNetsDistinct_def netsDistinct_def PLemmas) by (auto simp: prod_eqI) lemma wellformed_policy3_charn[rule_format]: "singleCombinators p \ distinct p \ allNetsDistinct p \ wellformed_policy1 p \ wellformed_policy2Pr p \ wellformed_policy3Pr p" proof (induct p) case Nil show ?case by simp next case (Cons a p) then show ?case apply (auto intro: singleCombinatorsConc ANDConc waux2 wp2Conc) apply (case_tac a,simp_all, clarify) subgoal for a b c d r apply (case_tac r,simp_all) apply (metis Int_commute) apply (metis DomInterAllowsMT aux7aa DomInterAllowsMT_Ports) apply (metis aux0_0 ) done done qed lemma DistinctNetsDenyAllow: "DenyAllFromTo b c \ set p \ AllowPortFromTo a d po \ set p\ allNetsDistinct p \ dom (Cp (DenyAllFromTo b c)) \ dom (Cp (AllowPortFromTo a d po)) \ {}\ b = a \ c = d" apply (simp add: allNetsDistinct_def) apply (frule_tac x = "b" in spec) apply (drule_tac x = "d" in spec) apply (drule_tac x = "a" in spec) apply (drule_tac x = "c" in spec) apply (metis Int_commute ND0aux1 ND0aux3 NDComm aux26 twoNetsDistinct_def ND0aux2 ND0aux4) done lemma DistinctNetsAllowAllow: "AllowPortFromTo b c poo \ set p \ AllowPortFromTo a d po \ set p \ allNetsDistinct p \ dom(Cp(AllowPortFromTo b c poo)) \ dom(Cp(AllowPortFromTo a d po)) \ {} \ b = a \ c = d \ poo = po" apply (simp add: allNetsDistinct_def) apply (frule_tac x = "b" in spec) apply (drule_tac x = "d" in spec) apply (drule_tac x = "a" in spec) apply (drule_tac x = "c" in spec) apply (metis DomInterAllowsMT DomInterAllowsMT_Ports ND0aux3 ND0aux4 NDComm twoNetsDistinct_def) done lemma WP2RS2[simp]: "singleCombinators p \ distinct p \ allNetsDistinct p \ wellformed_policy2Pr (removeShadowRules2 p)" proof (induct p) case Nil then show ?case by simp next case (Cons x xs) have wp_xs: "wellformed_policy2Pr (removeShadowRules2 xs)" by (metis Cons ANDConc distinct.simps(2) singleCombinatorsConc) show ?case proof (cases x) case DenyAll thus ?thesis using wp_xs by simp next case (DenyAllFromTo a b) thus ?thesis using wp_xs Cons by (simp,metis DenyAllFromTo aux aux7 tNDComm deny_dom) next case (AllowPortFromTo a b p) thus ?thesis using wp_xs by (simp, metis aux26 AllowPortFromTo Cons(4) aux aux7a tNDComm) next case (Conc a b) thus ?thesis by (metis Conc Cons(2) singleCombinators.simps(2)) qed qed lemma AD_aux: "AllowPortFromTo a b po \ set p \ DenyAllFromTo c d \ set p \ allNetsDistinct p \ singleCombinators p \ a \ c \ b \ d \ dom (Cp (AllowPortFromTo a b po)) \ dom (Cp (DenyAllFromTo c d)) = {}" by (rule aux26,rule_tac x ="AllowPortFromTo a b po" and y = "DenyAllFromTo c d" in tND) auto lemma sorted_WP2[rule_format]: "sorted p l \ all_in_list p l \ distinct p \ allNetsDistinct p \ singleCombinators p \ wellformed_policy2Pr p" proof (induct p) case Nil thus ?case by simp next case (Cons a p) thus ?case proof (cases a) case DenyAll thus ?thesis using Cons by (auto intro: ANDConc singleCombinatorsConc sortedConcEnd) next case (DenyAllFromTo c d) thus ?thesis using Cons apply (simp, intro impI conjI allI impI deny_dom) by (auto intro: aux7 tNDComm ANDConc singleCombinatorsConc sortedConcEnd) next case (AllowPortFromTo c d e) thus ?thesis using Cons apply simp apply (intro impI conjI allI, rename_tac "aa" "b") apply (rule aux26) subgoal for aa b apply (rule_tac x = "AllowPortFromTo c d e" and y = "DenyAllFromTo aa b" in tND, assumption,simp_all) apply (subgoal_tac "smaller (AllowPortFromTo c d e) (DenyAllFromTo aa b) l") apply (simp split: if_splits) apply metis apply (erule sorted_is_smaller, simp_all) apply (metis bothNet.simps(2) in_list.simps(2) in_set_in_list) done by (auto intro: aux7 tNDComm ANDConc singleCombinatorsConc sortedConcEnd) next case (Conc a b) thus ?thesis using Cons by simp qed qed lemma wellformed2_sorted[simp]: "all_in_list p l \ distinct p \ allNetsDistinct p \ singleCombinators p \ wellformed_policy2Pr (sort p l)" by (metis distinct_sort set_sort sorted_WP2 SC3 aND_sort all_in_listSubset order_refl sort_is_sorted) lemma wellformed2_sortedQ[simp]: "all_in_list p l \ distinct p \ allNetsDistinct p \ singleCombinators p \ wellformed_policy2Pr (qsort p l)" by (metis sorted_WP2 SC3Q aND_sortQ all_in_listSubset distinct_sortQ set_sortQ sort_is_sortedQ subsetI) lemma C_DenyAll[simp]: "Cp (list2FWpolicy (xs @ [DenyAll])) x = Some (deny ())" by (auto simp: PLemmas) lemma C_eq_RS1n: "Cp(list2FWpolicy (removeShadowRules1_alternative p)) = Cp(list2FWpolicy p)" proof (cases "p") case Nil then show ?thesis by (simp, metis list2FWpolicy.simps(1) rSR1_eq removeShadowRules1.simps(2)) next case (Cons a list) then show ?thesis apply (hypsubst, simp) apply (thin_tac "p = a # list") proof (induct rule: rev_induct) case Nil show ?case by (metis rSR1_eq removeShadowRules1.simps(2)) next case (snoc x xs) show ?case apply (case_tac "xs = []", simp_all) apply (simp add: removeShadowRules1_alternative_def) apply (insert snoc.hyps, case_tac x, simp_all) apply (rule ext, rename_tac xa) apply (case_tac "x = DenyAll",simp_all add: PLemmas) apply (rule_tac t = "removeShadowRules1_alternative (xs @ [x])" and s = "(removeShadowRules1_alternative xs)@[x]" in subst) apply (erule RS1n_assoc) subgoal for a apply (case_tac "a \ dom (Cp x)", simp_all) done done qed qed lemma C_eq_RS1[simp]: "p \ [] \ Cp(list2FWpolicy (removeShadowRules1 p)) = Cp(list2FWpolicy p)" by (metis rSR1_eq C_eq_RS1n) lemma EX_MR_aux[rule_format]: "applied_rule_rev Cp x (DenyAll # p) \ Some DenyAll \ (\y. applied_rule_rev Cp x p = Some y)" by (simp add: applied_rule_rev_def) (rule_tac xs = p in rev_induct, simp_all) lemma EX_MR : "applied_rule_rev Cp x p \ (Some DenyAll) \ p = DenyAll#ps \ (applied_rule_rev Cp x p = applied_rule_rev Cp x ps)" apply (auto,subgoal_tac "applied_rule_rev Cp x (DenyAll#ps) \ None", auto) apply (metis mrConcEnd) by (metis DAimpliesMR_E list.sel(1) hd_in_set list.simps(3) not_Some_eq) lemma mr_not_DA: "wellformed_policy1_strong s \ applied_rule_rev Cp x p = Some (DenyAllFromTo a ab) \ set p = set s \ applied_rule_rev Cp x s \ Some DenyAll" apply (subst wp1n_tl, simp_all) by (metis (mono_tags, lifting) Combinators.distinct(1) foo98 mrSet mr_in_dom WP1n_DA_notinSet set_ConsD wp1n_tl) lemma domsMT_notND_DD: "dom (Cp (DenyAllFromTo a b)) \ dom (Cp (DenyAllFromTo c d)) \ {} \ \ netsDistinct a c" by (erule contrapos_nn) (simp add: Cp.simps aux6 twoNetsDistinct_def) lemma domsMT_notND_DD2: "dom (Cp (DenyAllFromTo a b)) \ dom (Cp (DenyAllFromTo c d)) \ {} \ \ netsDistinct b d" by (erule contrapos_nn) (simp add: Cp.simps aux6 twoNetsDistinct_def) lemma domsMT_notND_DD3: "x \ dom (Cp (DenyAllFromTo a b)) \ x \ dom (Cp (DenyAllFromTo c d)) \ \ netsDistinct a c" by (auto intro!: domsMT_notND_DD) lemma domsMT_notND_DD4: "x \ dom (Cp (DenyAllFromTo a b)) \ x \ dom (Cp (DenyAllFromTo c d)) \ \ netsDistinct b d" by (auto intro!: domsMT_notND_DD2) lemma NetsEq_if_sameP_DD: "allNetsDistinct p \ u\ set p \ v\ set p \ u = (DenyAllFromTo a b) \ v = (DenyAllFromTo c d) \ x \ dom (Cp (u)) \ x \ dom (Cp (v)) \ a = c \ b = d" unfolding allNetsDistinct_def by (simp)(metis allNetsDistinct_def ND0aux1 ND0aux2 domsMT_notND_DD3 domsMT_notND_DD4 ) lemma rule_charn1: assumes aND : "allNetsDistinct p" and mr_is_allow : "applied_rule_rev Cp x p = Some (AllowPortFromTo a b po)" and SC : "singleCombinators p" and inp : "r \ set p" and inDom : "x \ dom (Cp r)" shows "(r = AllowPortFromTo a b po \ r = DenyAllFromTo a b \ r = DenyAll)" proof (cases r) case DenyAll show ?thesis by (metis DenyAll) next case (DenyAllFromTo x y) show ?thesis by (metis DenyAllFromTo NormalisationIPPProofs.AD_aux NormalisationIPPProofs.mrSet NormalisationIPPProofs.mr_in_dom SC aND domInterMT inDom inp mr_is_allow) next case (AllowPortFromTo x y b) show ?thesis by (metis (mono_tags, lifting) AllowPortFromTo NormalisationIPPProofs.DistinctNetsAllowAllow NormalisationIPPProofs.mrSet NormalisationIPPProofs.mr_in_dom aND domInterMT inDom inp mr_is_allow) next case (Conc x y) thus ?thesis using assms by (metis aux0_0) qed lemma none_MT_rulessubset[rule_format]: "none_MT_rules Cp a \ set b \ set a \ none_MT_rules Cp b" by (induct b,simp_all) (metis notMTnMT) lemma nMTSort: "none_MT_rules Cp p \ none_MT_rules Cp (sort p l)" by (metis set_sort nMTeqSet) lemma nMTSortQ: "none_MT_rules Cp p \ none_MT_rules Cp (qsort p l)" by (metis set_sortQ nMTeqSet) lemma wp3char[rule_format]: "none_MT_rules Cp xs \ Cp (AllowPortFromTo a b po) = Map.empty \ wellformed_policy3Pr (xs @ [DenyAllFromTo a b]) \ AllowPortFromTo a b po \ set xs" by (induct xs, simp_all) (metis domNMT wp3Conc) lemma wp3charn[rule_format]: assumes domAllow: "dom (Cp (AllowPortFromTo a b po)) \ {}" and wp3: "wellformed_policy3Pr (xs @ [DenyAllFromTo a b])" shows allowNotInList: "AllowPortFromTo a b po \ set xs" apply (insert assms) proof (induct xs) case Nil show ?case by simp next case (Cons x xs) show ?case using Cons by (simp,auto intro: wp3Conc) (auto simp: DenyAllowDisj domAllow) qed lemma rule_charn2: assumes aND: "allNetsDistinct p" and wp1: "wellformed_policy1 p" and SC: "singleCombinators p" and wp3: "wellformed_policy3Pr p" and allow_in_list: "AllowPortFromTo c d po \ set p" and x_in_dom_allow: "x \ dom (Cp (AllowPortFromTo c d po))" shows "applied_rule_rev Cp x p = Some (AllowPortFromTo c d po)" proof (insert assms, induct p rule: rev_induct) case Nil show ?case using Nil by simp next case (snoc y ys) show ?case using snoc apply simp apply (case_tac "y = (AllowPortFromTo c d po)") apply (simp add: applied_rule_rev_def) apply simp_all apply (subgoal_tac "ys \ []") apply (subgoal_tac "applied_rule_rev Cp x ys = Some (AllowPortFromTo c d po)") defer 1 apply (metis ANDConcEnd SCConcEnd WP1ConcEnd foo25) apply (metis inSet_not_MT) proof (cases y) case DenyAll thus ?thesis using DenyAll snoc apply simp by (metis DAnotTL DenyAll inSet_not_MT policy2list.simps(2)) next case (DenyAllFromTo a b) thus ?thesis using snoc apply simp apply (simp_all add: applied_rule_rev_def) apply (rule conjI) apply (metis domInterMT wp3EndMT) apply (rule impI) by (metis ANDConcEnd DenyAllFromTo SCConcEnd WP1ConcEnd foo25) next case (AllowPortFromTo a1 a2 b) thus ?thesis using AllowPortFromTo snoc apply simp apply (simp_all add: applied_rule_rev_def) apply (rule conjI) apply (metis domInterMT wp3EndMT) by (metis ANDConcEnd AllowPortFromTo SCConcEnd WP1ConcEnd foo25 x_in_dom_allow) next case (Conc a b) thus ?thesis using Conc snoc apply simp by (metis Conc aux0_0 in_set_conv_decomp) qed qed lemma rule_charn3: "wellformed_policy1 p \ allNetsDistinct p \ singleCombinators p \ wellformed_policy3Pr p \ applied_rule_rev Cp x p = Some (DenyAllFromTo c d) \ AllowPortFromTo a b po \ set p \ x \ dom (Cp (AllowPortFromTo a b po))" by (clarify) (simp add: NormalisationIPPProofs.rule_charn2 domI) lemma rule_charn4: assumes wp1: "wellformed_policy1 p" and aND: "allNetsDistinct p" and SC: "singleCombinators p" and wp3: "wellformed_policy3Pr p" and DA: "DenyAll \ set p" and mr: "applied_rule_rev Cp x p = Some (DenyAllFromTo a b)" and rinp: "r \ set p" and xindom: "x \ dom (Cp r)" shows "r = DenyAllFromTo a b" proof (cases r) case DenyAll thus ?thesis using DenyAll assms by simp next case (DenyAllFromTo c d) thus ?thesis using assms apply simp apply (erule_tac x = x and p = p and v = "(DenyAllFromTo a b)" and u = "(DenyAllFromTo c d)" in NetsEq_if_sameP_DD, simp_all) apply (erule mrSet) by (erule mr_in_dom) next case (AllowPortFromTo c d e) thus ?thesis using assms apply simp apply (subgoal_tac "x \ dom (Cp (AllowPortFromTo c d e))", simp) by (rule_tac p = p in rule_charn3, auto intro: SCnotConc) next case (Conc a b) thus ?thesis using assms apply simp by (metis Conc aux0_0) qed lemma foo31a: "(\ r. r \ set p \ x \ dom (Cp r) \ (r = AllowPortFromTo a b po \ r = DenyAllFromTo a b \ r = DenyAll)) \ set p = set s \ r \ set s \ x \ dom (Cp r) \ (r = AllowPortFromTo a b po \ r = DenyAllFromTo a b \ r = DenyAll)" by auto lemma aux4[rule_format]: "applied_rule_rev Cp x (a#p) = Some a \ a \ set (p) \ applied_rule_rev Cp x p = None" by (rule rev_induct, simp_all) (intro impI,simp add: applied_rule_rev_def split: if_splits) lemma mrDA_tl: assumes mr_DA: "applied_rule_rev Cp x p = Some DenyAll" and wp1n: "wellformed_policy1_strong p" shows "applied_rule_rev Cp x (tl p) = None" apply (rule aux4 [where a = DenyAll]) apply (metis wp1n_tl mr_DA wp1n) by (metis WP1n_DA_notinSet wp1n) lemma rule_charnDAFT: "wellformed_policy1_strong p \ allNetsDistinct p \ singleCombinators p \ wellformed_policy3Pr p \ applied_rule_rev Cp x p = Some (DenyAllFromTo a b) \ r \ set (tl p) \ x \ dom (Cp r) \ r = DenyAllFromTo a b" apply (subgoal_tac "p = DenyAll#(tl p)") apply (metis (no_types, lifting) ANDConc Combinators.distinct(1) NormalisationIPPProofs.mrConcEnd NormalisationIPPProofs.rule_charn4 NormalisationIPPProofs.wp3Conc WP1n_DA_notinSet singleCombinatorsConc waux2) using wp1n_tl by auto lemma mrDenyAll_is_unique: "wellformed_policy1_strong p \ applied_rule_rev Cp x p = Some DenyAll \ r \ set (tl p) \ x \ dom (Cp r)" apply (rule_tac a = "[]" and b = "DenyAll" and c = "tl p" in foo3a, simp_all) apply (metis wp1n_tl) by (metis WP1n_DA_notinSet) theorem C_eq_Sets_mr: assumes sets_eq: "set p = set s" and SC: "singleCombinators p" and wp1_p: "wellformed_policy1_strong p" and wp1_s: "wellformed_policy1_strong s" and wp3_p: "wellformed_policy3Pr p" and wp3_s: "wellformed_policy3Pr s" and aND: "allNetsDistinct p" shows "applied_rule_rev Cp x p = applied_rule_rev Cp x s" proof (cases "applied_rule_rev Cp x p") case None have DA: "DenyAll \ set p" using wp1_p by (auto simp: wp1_aux1aa) have notDA: "DenyAll \ set p" using None by (auto simp: DAimplieMR) thus ?thesis using DA by (contradiction) next case (Some y) thus ?thesis proof (cases y) have tl_p: "p = DenyAll#(tl p)" by (metis wp1_p wp1n_tl) have tl_s: "s = DenyAll#(tl s)" by (metis wp1_s wp1n_tl) have tl_eq: "set (tl p) = set (tl s)" by (metis list.sel(3) WP1n_DA_notinSet sets_eq foo2 wellformed_policy1_charn wp1_aux1aa wp1_eq wp1_p wp1_s) { case DenyAll have mr_p_is_DenyAll: "applied_rule_rev Cp x p = Some DenyAll" by (simp add: DenyAll Some) hence x_notin_tl_p: "\ r. r \ set (tl p) \ x \ dom (Cp r)" using wp1_p by (auto simp: mrDenyAll_is_unique) hence x_notin_tl_s: "\ r. r \ set (tl s) \ x \ dom (Cp r)" using tl_eq by auto hence mr_s_is_DenyAll: "applied_rule_rev Cp x s = Some DenyAll" using tl_s by (auto simp: mr_first) thus ?thesis using mr_p_is_DenyAll by simp next case (DenyAllFromTo a b) have mr_p_is_DAFT: "applied_rule_rev Cp x p = Some (DenyAllFromTo a b)" by (simp add: DenyAllFromTo Some) have DA_notin_tl: "DenyAll \ set (tl p)" by (metis WP1n_DA_notinSet wp1_p) have mr_tl_p: "applied_rule_rev Cp x p = applied_rule_rev Cp x (tl p)" by (metis Combinators.simps(4) DenyAllFromTo Some mrConcEnd tl_p) have dom_tl_p: "\ r. r \ set (tl p) \ x \ dom (Cp r) \ r = (DenyAllFromTo a b)" using wp1_p aND SC wp3_p mr_p_is_DAFT by (auto simp: rule_charnDAFT) hence dom_tl_s: "\ r. r \ set (tl s) \ x \ dom (Cp r) \ r = (DenyAllFromTo a b)" using tl_eq by auto have DAFT_in_tl_s: "DenyAllFromTo a b \ set (tl s)" using mr_tl_p by (metis DenyAllFromTo mrSet mr_p_is_DAFT tl_eq) have x_in_dom_DAFT: "x \ dom (Cp (DenyAllFromTo a b))" by (metis mr_p_is_DAFT DenyAllFromTo mr_in_dom) hence mr_tl_s_is_DAFT: "applied_rule_rev Cp x (tl s) = Some (DenyAllFromTo a b)" using DAFT_in_tl_s dom_tl_s by (metis mr_charn) hence mr_s_is_DAFT: "applied_rule_rev Cp x s = Some (DenyAllFromTo a b)" using tl_s by (metis DA_notin_tl DenyAllFromTo EX_MR mrDA_tl not_Some_eq tl_eq wellformed_policy1_strong.simps(2)) thus ?thesis using mr_p_is_DAFT by simp next case (AllowPortFromTo a b c) have wp1s: "wellformed_policy1 s" by (metis wp1_eq wp1_s) have mr_p_is_A: "applied_rule_rev Cp x p = Some (AllowPortFromTo a b c)" by (simp add: AllowPortFromTo Some) hence A_in_s: "AllowPortFromTo a b c \