-
Notifications
You must be signed in to change notification settings - Fork 108
/
Copy pathPolicyExample.thy
770 lines (618 loc) · 31.5 KB
/
PolicyExample.thy
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
(*
* Copyright 2020, Data61, CSIRO (ABN 41 687 119 230)
*
* SPDX-License-Identifier: GPL-2.0-only
*)
theory PolicyExample
imports ArchNoninterference
begin
(* This first example_auth_graphample shows how notifications and endpoints differ.
Endpoints tend to spray information in all directions, while
notifications are unidirectional.
This example is a subset of the SAC example from access *)
datatype auth_graph_label = T | NTFN1 | NTFN2 | CTR | C | EP | RM
abbreviation partition_label where
"partition_label x \<equiv> OrdinaryLabel x"
definition example_auth_graph :: "(auth_graph_label subject_label \<times> auth \<times> auth_graph_label subject_label) set" where
"example_auth_graph \<equiv>
{ (partition_label T,Notify,partition_label NTFN1),
(partition_label CTR,Receive,partition_label NTFN1),
(partition_label C,Read,partition_label CTR),
(partition_label C,Write,partition_label CTR),
(partition_label CTR,Read,partition_label C),
(partition_label CTR,Write,partition_label C),
(partition_label CTR,SyncSend,partition_label EP),
(partition_label T,Notify,partition_label NTFN2),
(partition_label RM,Receive,partition_label NTFN2),
(partition_label RM,Receive,partition_label EP)
} \<union> {(a,b,c). a = c}"
declare example_auth_graph_def [simp]
lemma subjectReads_T:
"subjectReads example_auth_graph (partition_label T) = {partition_label T}"
apply(auto elim: subjectReads.induct)
done
lemma CTR_in_subjectReads_NTFN1:
"partition_label CTR \<in> subjectReads example_auth_graph (partition_label NTFN1)"
apply(rule read_sync_ep_read_receivers[where ep="partition_label NTFN1"], auto)
done
lemma EP_in_subjectReads_NTFN1:
"partition_label EP \<in> subjectReads example_auth_graph (partition_label NTFN1)"
apply(rule reads_read_queued_thread_read_ep[where t="partition_label CTR" and a="partition_label EP"], auto intro: CTR_in_subjectReads_NTFN1[simplified])
done
lemma C_in_subjectReads_NTFN1:
"partition_label C \<in> subjectReads example_auth_graph (partition_label NTFN1)"
apply(rule reads_read_thread_read_pages)
apply (rule CTR_in_subjectReads_NTFN1)
apply simp
done
lemma RM_in_subjectReads_NTFN1:
"partition_label RM \<in> subjectReads example_auth_graph (partition_label NTFN1)"
by (rule read_sync_ep_read_receivers; fastforce intro: EP_in_subjectReads_NTFN1)
lemma NTFN2_in_subjectReads_NTFN1:
"partition_label NTFN2 \<in> subjectReads example_auth_graph (partition_label NTFN1)"
apply (rule reads_read_queued_thread_read_ep[where t="partition_label RM" and a="partition_label NTFN2"])
by (auto intro: RM_in_subjectReads_NTFN1[simplified])
lemmas subjectReads_NTFN1' = reads_lrefl[of "partition_label NTFN1"]
CTR_in_subjectReads_NTFN1
EP_in_subjectReads_NTFN1
RM_in_subjectReads_NTFN1
C_in_subjectReads_NTFN1
NTFN2_in_subjectReads_NTFN1
lemma subjectReads_NTFN1:
"subjectReads example_auth_graph (partition_label NTFN1) = {partition_label NTFN1, partition_label CTR, partition_label EP, partition_label C, partition_label RM, partition_label NTFN2}"
apply(rule equalityI)
apply (rule subsetI)
apply (erule subjectReads.induct)
apply (fastforce simp: subjectReads_NTFN1'[simplified])+
done
lemma RM_in_subjectReads_NTFN2:
"partition_label RM \<in> subjectReads example_auth_graph (partition_label NTFN2)"
apply(rule read_sync_ep_read_receivers[where ep="partition_label NTFN2"], auto)
done
lemma EP_in_subjectReads_NTFN2:
"partition_label EP \<in> subjectReads example_auth_graph (partition_label NTFN2)"
apply(rule reads_read_queued_thread_read_ep[where t="partition_label RM" and a="partition_label EP"], auto intro: RM_in_subjectReads_NTFN2[simplified])
done
lemma CTR_in_subjectReads_NTFN2:
"partition_label CTR \<in> subjectReads example_auth_graph (partition_label NTFN2)"
apply(rule read_sync_ep_read_senders[where ep="partition_label EP"], auto intro: EP_in_subjectReads_NTFN2[simplified])
done
lemma C_in_subjectReads_NTFN2:
"partition_label C \<in> subjectReads example_auth_graph (partition_label NTFN2)"
apply(rule reads_read_thread_read_pages)
apply (rule CTR_in_subjectReads_NTFN2)
apply simp
done
lemma NTFN1_in_subjectReads_NTFN2:
"partition_label NTFN1 \<in> subjectReads example_auth_graph (partition_label NTFN2)"
apply(rule reads_read_queued_thread_read_ep[where t="partition_label CTR" and a="partition_label NTFN1"], auto intro: CTR_in_subjectReads_NTFN2[simplified])
done
lemmas subjectReads_NTFN2' = reads_lrefl[of "partition_label NTFN2"]
CTR_in_subjectReads_NTFN2
EP_in_subjectReads_NTFN2
RM_in_subjectReads_NTFN2
C_in_subjectReads_NTFN2
NTFN1_in_subjectReads_NTFN2
lemma subjectReads_NTFN2:
"subjectReads example_auth_graph (partition_label NTFN2) = {partition_label NTFN2, partition_label NTFN1, partition_label C, partition_label CTR, partition_label RM, partition_label EP}"
apply(rule equalityI)
apply (rule subsetI)
apply (erule subjectReads.induct)
apply (fastforce simp: subjectReads_NTFN2'[simplified])+
done
lemma EP_in_subjectReads_CTR:
"partition_label EP \<in> subjectReads example_auth_graph (partition_label CTR)"
apply(rule_tac a="partition_label CTR" and t="partition_label CTR" in reads_read_queued_thread_read_ep)
apply auto
done
lemma RM_in_subjectReads_CTR:
"partition_label RM \<in> subjectReads example_auth_graph (partition_label CTR)"
apply(clarsimp)
apply(rule_tac ep="partition_label EP" in read_sync_ep_read_receivers)
apply(rule EP_in_subjectReads_CTR[simplified])
apply fastforce
done
lemma C_in_subjectReads_CTR:
"partition_label C \<in> subjectReads example_auth_graph (partition_label CTR)"
apply(rule reads_read, auto)
done
lemma NTFN1_in_subjectReads_CTR:
"partition_label NTFN1 \<in> subjectReads example_auth_graph (partition_label CTR)"
apply(rule_tac t="partition_label CTR" and auth="Receive" and a="partition_label T" and auth'="Notify" in reads_read_queued_thread_read_ep)
apply (auto)
done
lemma NTFN2_in_subjectReads_CTR:
"partition_label NTFN2 \<in> subjectReads example_auth_graph (partition_label CTR)"
apply(rule_tac t="partition_label RM" and auth="Receive" and a="partition_label T" and auth'="Notify" in reads_read_queued_thread_read_ep)
apply (auto intro: RM_in_subjectReads_CTR[simplified])
done
lemmas subjectReads_CTR' = reads_lrefl[of "partition_label CTR"]
NTFN2_in_subjectReads_CTR NTFN1_in_subjectReads_CTR
C_in_subjectReads_CTR RM_in_subjectReads_CTR EP_in_subjectReads_CTR
lemma subjectReads_CTR:
"subjectReads example_auth_graph (partition_label CTR) = {partition_label CTR,partition_label C,partition_label EP, partition_label RM, partition_label NTFN1, partition_label NTFN2}"
apply(clarsimp)
apply(rule equalityI)
apply(rule subsetI)
apply(erule subjectReads.induct; auto)
apply(auto simp: subjectReads_CTR'[simplified])
done
lemma NTFN1_in_subjectReads_C:
"partition_label NTFN1 \<in> subjectReads example_auth_graph (partition_label C)"
apply(rule_tac a="partition_label T" and ep="partition_label NTFN1" and t="partition_label CTR" in reads_read_queued_thread_read_ep)
apply (auto intro: reads_read)
done
lemma EP_in_subjectReads_C:
"partition_label EP \<in> subjectReads example_auth_graph (partition_label C)"
apply(rule_tac a="partition_label CTR" and t="partition_label CTR" in reads_read_queued_thread_read_ep)
apply (auto intro: reads_read)
done
lemma RM_in_subjectReads_C:
"partition_label RM \<in> subjectReads example_auth_graph (partition_label C)"
apply(clarsimp)
apply(rule read_sync_ep_read_receivers[OF EP_in_subjectReads_C[simplified]])
apply simp
done
lemma CTR_in_subjectReads_C:
"partition_label CTR \<in> subjectReads example_auth_graph (partition_label C)"
apply(rule reads_read, auto)
done
lemma NTFN2_in_subjectReads_C:
"partition_label NTFN2 \<in> subjectReads example_auth_graph (partition_label C)"
apply(rule_tac a="partition_label T" and ep="partition_label NTFN2" and t="partition_label RM" in reads_read_queued_thread_read_ep)
apply(fastforce simp: RM_in_subjectReads_C[simplified])+
done
lemmas subjectReads_C' = reads_lrefl[of "partition_label C"]
NTFN2_in_subjectReads_C NTFN1_in_subjectReads_C
RM_in_subjectReads_C EP_in_subjectReads_C CTR_in_subjectReads_C
lemma subjectReads_C:
"subjectReads example_auth_graph (partition_label C) = {partition_label C,partition_label CTR,partition_label NTFN1, partition_label EP, partition_label RM, partition_label NTFN2}"
apply(clarsimp)
apply(rule equalityI)
apply(rule subsetI)
apply(erule subjectReads.induct; auto)
apply(auto simp: subjectReads_C'[simplified])
done
lemma CTR_in_subjectReads_EP:
"partition_label CTR \<in> subjectReads example_auth_graph (partition_label EP)"
apply(clarsimp)
apply(rule_tac ep="partition_label EP" in read_sync_ep_read_senders)
apply simp+
done
lemma NTFN1_in_subjectReads_EP:
"partition_label NTFN1 \<in> subjectReads example_auth_graph (partition_label EP)"
apply(rule reads_read_queued_thread_read_ep[where a="partition_label NTFN1", OF _ _ _ _ CTR_in_subjectReads_EP])
apply(auto)
done
lemma C_in_subjectReads_EP:
"partition_label C \<in> subjectReads example_auth_graph (partition_label EP)"
apply(rule reads_read_thread_read_pages[OF CTR_in_subjectReads_EP])
apply(auto)
done
lemma RM_in_subjectReads_EP:
"partition_label RM \<in> subjectReads example_auth_graph (partition_label EP)"
apply(rule read_sync_ep_read_receivers[OF reads_lrefl])
apply(auto)
done
lemma NTFN2_in_subjectReads_EP:
"partition_label NTFN2 \<in> subjectReads example_auth_graph (partition_label EP)"
apply(rule reads_read_queued_thread_read_ep[where a="partition_label NTFN2", OF _ _ _ _ RM_in_subjectReads_EP])
apply(auto)
done
lemmas subjectReads_EP' = reads_lrefl[of "partition_label EP"]
CTR_in_subjectReads_EP
C_in_subjectReads_EP
RM_in_subjectReads_EP
NTFN2_in_subjectReads_EP
NTFN1_in_subjectReads_EP
lemma subjectReads_EP:
"subjectReads example_auth_graph (partition_label EP) = {partition_label EP,partition_label CTR,partition_label NTFN1, partition_label C, partition_label RM, partition_label NTFN2}"
apply(rule equalityI)
apply(rule subsetI)
apply(erule subjectReads.induct; auto)
apply(auto simp: subjectReads_EP'[simplified])
done
lemma NTFN2_in_subjectReads_RM:
"partition_label NTFN2 \<in> subjectReads example_auth_graph (partition_label RM)"
apply(rule reads_ep, auto)
done
lemma EP_in_subjectReads_RM:
"partition_label EP \<in> subjectReads example_auth_graph (partition_label RM)"
apply(rule reads_ep, auto)
done
lemma CTR_in_subjectReads_RM:
"partition_label CTR \<in> subjectReads example_auth_graph (partition_label RM)"
apply(rule read_sync_ep_read_senders[where ep="partition_label EP", OF EP_in_subjectReads_RM], auto)
done
lemma C_in_subjectReads_RM:
"partition_label C \<in> subjectReads example_auth_graph (partition_label RM)"
apply(rule reads_read_thread_read_pages[where t="partition_label CTR", OF CTR_in_subjectReads_RM], auto)
done
lemma NTFN1_in_subjectReads_RM:
"partition_label NTFN1 \<in> subjectReads example_auth_graph (partition_label RM)"
apply(rule reads_read_queued_thread_read_ep[where a="partition_label T" and t="partition_label CTR", OF _ _ _ _ CTR_in_subjectReads_RM], auto)
done
lemmas subjectReads_RM' = reads_lrefl[of "partition_label RM"]
CTR_in_subjectReads_RM
C_in_subjectReads_RM
EP_in_subjectReads_RM
NTFN1_in_subjectReads_RM
NTFN2_in_subjectReads_RM
lemma subjectReads_RM:
"subjectReads example_auth_graph (partition_label RM) = {partition_label RM, partition_label NTFN2,partition_label EP,partition_label CTR, partition_label C, partition_label NTFN1}"
apply(rule equalityI)
apply(rule subsetI)
apply(erule subjectReads.induct; auto)
apply(auto simp: subjectReads_RM'[simplified])
done
lemma NTFN1_in_subjectAffects_T:
"partition_label NTFN1 \<in> subjectAffects example_auth_graph (partition_label T)
" apply(auto intro: affects_ep)
done
lemma NTFN2_in_subjectAffects_T:
"partition_label NTFN2 \<in> subjectAffects example_auth_graph (partition_label T)
" apply(auto intro: affects_ep)
done
lemma C_in_subjectAffects_T:
"partition_label C \<in> subjectAffects example_auth_graph (partition_label T)
" apply(rule affects_send[where auth="Notify" and ep="partition_label NTFN1"], auto)
done
lemma CTR_in_subjectAffects_T:
"partition_label CTR \<in> subjectAffects example_auth_graph (partition_label T)
" apply(rule affects_send[where auth="Notify" and ep="partition_label NTFN1"], auto)
done
lemma RM_in_subjectAffects_T:
"partition_label RM \<in> subjectAffects example_auth_graph (partition_label T)
" apply(rule affects_send[where auth="Notify" and ep="partition_label NTFN2"], auto)
done
lemma EP_in_subjectAffects_T:
"partition_label EP \<in> subjectAffects example_auth_graph (partition_label T)"
by (rule affects_ep_bound_trans, auto)
lemmas subjectAffects_T' = affects_lrefl[of "partition_label T"]
NTFN1_in_subjectAffects_T
NTFN2_in_subjectAffects_T
C_in_subjectAffects_T
CTR_in_subjectAffects_T
RM_in_subjectAffects_T
EP_in_subjectAffects_T
lemma subjectAffects_T:
"subjectAffects example_auth_graph (partition_label T) = {partition_label NTFN1,partition_label NTFN2,partition_label T,partition_label C, partition_label CTR, partition_label RM, partition_label EP}"
apply(rule equalityI)
apply(rule subsetI)
apply(erule subjectAffects.cases; fastforce)
apply(auto simp: subjectAffects_T'[simplified])
done
lemma CTR_in_subjectAffects_NTFN1:
"partition_label CTR \<in> subjectAffects example_auth_graph (partition_label NTFN1)"
apply(rule affects_send[where ep="partition_label NTFN1"], auto)
done
lemma C_in_subjectAffects_NTFN1:
"partition_label C \<in> subjectAffects example_auth_graph (partition_label NTFN1)"
apply(rule affects_send[where ep="partition_label NTFN1"], auto)
done
lemmas subjectAffects_NTFN1' = affects_lrefl[of "partition_label NTFN1"]
C_in_subjectAffects_NTFN1
CTR_in_subjectAffects_NTFN1
lemma subjectAffects_NTFN1:
"subjectAffects example_auth_graph (partition_label NTFN1) = {partition_label NTFN1,partition_label CTR,partition_label C}"
apply(rule equalityI)
apply(rule subsetI)
apply(erule subjectAffects.cases; fastforce)
apply(auto simp: subjectAffects_NTFN1'[simplified])
done
lemma RM_in_subjectAffects_NTFN2:
"partition_label RM \<in> subjectAffects example_auth_graph (partition_label NTFN2)"
apply(rule affects_send[where ep="partition_label NTFN2"], auto)
done
lemma EP_in_subjectAffects_NTFN2:
"partition_label EP \<in> subjectAffects example_auth_graph (partition_label NTFN2)"
apply(rule affects_ep_bound_trans, auto)
done
lemmas subjectAffects_NTFN2' = affects_lrefl[of "partition_label NTFN2"]
RM_in_subjectAffects_NTFN2
EP_in_subjectAffects_NTFN2
lemma subjectAffects_NTFN2:
"subjectAffects example_auth_graph (partition_label NTFN2) = {partition_label NTFN2,partition_label RM, partition_label EP}"
apply(rule equalityI)
apply(rule subsetI)
apply(erule subjectAffects.cases; fastforce)
apply(auto simp: subjectAffects_NTFN2'[simplified])
done
lemma C_in_subjectAffects_CTR:
"partition_label C \<in> subjectAffects example_auth_graph (partition_label CTR)"
apply(rule affects_write[where auth="Write"], auto)
done
lemma EP_in_subjectAffects_CTR:
"partition_label EP \<in> subjectAffects example_auth_graph (partition_label CTR)"
apply(rule affects_ep, auto)
done
lemma NTFN1_in_subjectAffects_CTR:
"partition_label NTFN1 \<in> subjectAffects example_auth_graph (partition_label CTR)"
apply(rule affects_ep, auto)
done
lemma RM_in_subjectAffects_CTR:
"partition_label RM \<in> subjectAffects example_auth_graph (partition_label CTR)"
apply(rule affects_send, auto)
done
lemmas subjectAffects_CTR' = affects_lrefl[of "partition_label CTR"]
NTFN1_in_subjectAffects_CTR
C_in_subjectAffects_CTR
EP_in_subjectAffects_CTR
RM_in_subjectAffects_CTR
lemma subjectAffects_CTR:
"subjectAffects example_auth_graph (partition_label CTR) = {partition_label CTR,partition_label C,partition_label EP,partition_label NTFN1, partition_label RM}"
apply(rule equalityI)
apply(rule subsetI)
apply(erule subjectAffects.cases; auto)
apply(auto simp: subjectAffects_CTR'[simplified])
done
lemma CTR_in_subjectAffects_C:
"partition_label CTR \<in> subjectAffects example_auth_graph (partition_label C)"
apply(rule affects_write[where auth=Write], auto)
done
lemmas subjectAffects_C' = affects_lrefl[of "partition_label C"]
CTR_in_subjectAffects_C
lemma subjectAffects_C:
"subjectAffects example_auth_graph (partition_label C) = {partition_label C,partition_label CTR}"
apply(rule equalityI)
apply(rule subsetI)
apply(erule subjectAffects.cases; auto)
apply(auto simp: subjectAffects_C'[simplified])
done
lemma RM_in_subjectAffects_EP:
"partition_label RM \<in> subjectAffects example_auth_graph (partition_label EP)"
apply(rule affects_send, auto)
done
lemma CTR_in_subjectAffects_EP:
"partition_label CTR \<in> subjectAffects example_auth_graph (partition_label EP)"
apply(rule affects_recv, auto)
done
lemma C_in_subjectAffects_EP:
"partition_label C \<in> subjectAffects example_auth_graph (partition_label EP)"
apply(rule affects_reset[where ep="partition_label EP" and l'="partition_label CTR"], auto)
done
lemma NTFN2_in_subjectAffects_EP:
"partition_label NTFN2 \<in> subjectAffects example_auth_graph (partition_label EP)"
apply(rule affects_ep_bound_trans, auto)
done
lemmas subjectAffects_EP' = affects_lrefl[of "partition_label EP"]
CTR_in_subjectAffects_EP
C_in_subjectAffects_EP
RM_in_subjectAffects_EP
NTFN2_in_subjectAffects_EP
lemma subjectAffects_EP:
"subjectAffects example_auth_graph (partition_label EP) = {partition_label EP, partition_label RM, partition_label CTR, partition_label C, partition_label NTFN2}"
apply(rule equalityI)
apply(rule subsetI)
apply(erule subjectAffects.cases; fastforce)
apply(auto simp: subjectAffects_EP'[simplified])
done
lemma EP_in_subjectAffects_RM:
"partition_label EP \<in> subjectAffects example_auth_graph (partition_label RM)"
apply(rule affects_ep, auto)
done
lemma CTR_in_subjectAffects_RM:
"partition_label CTR \<in> subjectAffects example_auth_graph (partition_label RM)"
apply(rule affects_recv, auto)
done
lemma NTFN2_in_subjectAffects_RM:
"partition_label NTFN2 \<in> subjectAffects example_auth_graph (partition_label RM)"
apply(rule affects_ep, auto)
done
lemmas subjectAffects_RM' = affects_lrefl[of "partition_label RM"]
EP_in_subjectAffects_RM
NTFN2_in_subjectAffects_RM
CTR_in_subjectAffects_RM
lemma subjectAffects_RM:
"subjectAffects example_auth_graph (partition_label RM) = {partition_label RM,partition_label EP,partition_label CTR,partition_label NTFN2}"
apply(rule equalityI)
apply(rule subsetI)
apply(erule subjectAffects.cases; auto)
apply(auto simp: subjectAffects_RM'[simplified])
done
lemmas subjectReads = subjectReads_T subjectReads_NTFN1 subjectReads_NTFN2 subjectReads_CTR
subjectReads_EP subjectReads_RM subjectReads_C
declare example_auth_graph_def [simp del]
lemma partsSubjectAffects_T:
"partsSubjectAffects example_auth_graph T = {Partition T,Partition NTFN1, Partition NTFN2, Partition CTR, Partition C, Partition EP, Partition RM}"
apply(auto simp: partsSubjectAffects_def image_def label_can_affect_partition_def subjectReads subjectAffects_T | rename_tac xa, case_tac xa)+
done
lemma partsSubjectAffects_NTFN1:
"partsSubjectAffects example_auth_graph NTFN1 = {Partition NTFN1, Partition CTR, Partition C, Partition EP, Partition RM, Partition NTFN2}"
apply(auto simp: partsSubjectAffects_def image_def label_can_affect_partition_def subjectReads subjectAffects_NTFN1 | rename_tac xa, case_tac xa)+
done
lemma partsSubjectAffects_NTFN2:
"partsSubjectAffects example_auth_graph NTFN2 = {Partition NTFN2, Partition CTR, Partition C, Partition EP, Partition RM, Partition NTFN1}"
apply(auto simp: partsSubjectAffects_def image_def label_can_affect_partition_def subjectReads subjectAffects_NTFN2 | rename_tac xa, case_tac xa)+
done
lemma partsSubjectAffects_CTR:
"partsSubjectAffects example_auth_graph CTR = {Partition NTFN1, Partition CTR, Partition C, Partition EP, Partition RM, Partition NTFN2}"
apply(auto simp: partsSubjectAffects_def image_def label_can_affect_partition_def subjectReads subjectAffects_CTR | rename_tac xa, case_tac xa)+
done
lemma partsSubjectAffects_C:
"partsSubjectAffects example_auth_graph C = {Partition CTR, Partition C, Partition EP, Partition RM, Partition NTFN1, Partition NTFN2}"
apply(auto simp: partsSubjectAffects_def image_def label_can_affect_partition_def subjectReads subjectAffects_C | rename_tac xa, case_tac xa)+
done
lemma partsSubjectAffects_EP:
"partsSubjectAffects example_auth_graph EP = {Partition CTR, Partition C, Partition EP, Partition RM, Partition NTFN1, Partition NTFN2}"
apply(auto simp: partsSubjectAffects_def image_def label_can_affect_partition_def subjectReads subjectAffects_EP | rename_tac xa, case_tac xa)+
done
lemma partsSubjectAffects_RM:
"partsSubjectAffects example_auth_graph RM = {Partition CTR, Partition C, Partition EP, Partition RM, Partition NTFN2, Partition NTFN1}"
apply(auto simp: partsSubjectAffects_def image_def label_can_affect_partition_def subjectReads subjectAffects_RM | rename_tac xa, case_tac xa)+
done
lemmas partsSubjectAffects = partsSubjectAffects_T partsSubjectAffects_NTFN1
partsSubjectAffects_NTFN2 partsSubjectAffects_CTR
partsSubjectAffects_C partsSubjectAffects_RM partsSubjectAffects_EP
definition example_policy :: "(auth_graph_label partition \<times> auth_graph_label partition) set" where
"example_policy \<equiv> {(PSched,d)|d. True} \<union>
{(Partition l,Partition k)|l k. (k = T \<longrightarrow> l = T)}"
lemma "example_policy = policyFlows example_auth_graph"
apply(rule equalityI)
apply(rule subsetI)
apply(clarsimp simp: example_policy_def)
apply(elim disjE)
apply(fastforce intro: policy_scheduler)
apply clarsimp
apply (rule policy_affects)
apply (case_tac "k = T")
apply (clarsimp simp: partsSubjectAffects)
apply(case_tac l; (auto simp: partsSubjectAffects | case_tac k)+)
apply(rule subsetI)
apply(clarsimp simp: example_policy_def)
apply(erule policyFlows.cases)
apply(case_tac l, auto simp: partsSubjectAffects)
done
(* This second example is a classic 'one way information flow'
example, where information is allowed to flow from Low to High,
but not the reverse. We consider a typical scenario where
shared memory and an notification for notifications are used to
implement a ring-buffer. *)
datatype auth_graph_label2 = High | Low | SharedPage | NTFN
definition example_auth_graph2 :: "(auth_graph_label2 subject_label \<times> auth \<times> auth_graph_label2 subject_label) set" where
"example_auth_graph2 \<equiv>
{ (partition_label Low,Write,partition_label SharedPage),
(partition_label Low,Read,partition_label SharedPage),
(partition_label High,Read,partition_label SharedPage),
(partition_label Low,Notify,partition_label NTFN),
(partition_label High,Receive,partition_label NTFN)
} \<union> {(x,a,y). x = y}"
declare example_auth_graph2_def [simp]
lemma subjectReads_Low: "subjectReads example_auth_graph2 (partition_label Low) = {partition_label Low,partition_label SharedPage}"
apply(rule equalityI)
apply(rule subsetI)
apply(erule subjectReads.induct, fastforce+)
apply (auto intro: reads_read)
done
lemma subjectReads_SharedPage: "subjectReads example_auth_graph2 (partition_label SharedPage) = {partition_label Low,partition_label SharedPage}"
apply(rule equalityI)
apply(rule subsetI)
apply(erule subjectReads.induct, fastforce+)
apply (auto intro: reads_read_page_read_thread)
done
lemma High_in_subjectReads_NTFN:
"partition_label High \<in> subjectReads example_auth_graph2 (partition_label NTFN)"
apply(rule read_sync_ep_read_receivers)
apply auto
done
lemma SharedPage_in_subjectReads_NTFN:
"partition_label SharedPage \<in> subjectReads example_auth_graph2 (partition_label NTFN)"
apply(rule reads_read_thread_read_pages[OF High_in_subjectReads_NTFN])
apply auto
done
lemma Low_in_subjectReads_NTFN:
"partition_label Low \<in> subjectReads example_auth_graph2 (partition_label NTFN)"
apply(rule reads_read_page_read_thread[OF SharedPage_in_subjectReads_NTFN])
apply auto
done
lemma subjectReads_NTFN: "subjectReads example_auth_graph2 (partition_label NTFN) = {partition_label NTFN,partition_label High,partition_label SharedPage, partition_label Low}"
apply(rule equalityI)
apply(rule subsetI)
apply(erule subjectReads.induct, fastforce+)
apply (auto intro: High_in_subjectReads_NTFN Low_in_subjectReads_NTFN SharedPage_in_subjectReads_NTFN simp del: example_auth_graph2_def)
done
lemma NTFN_in_subjectReads_High:
"partition_label NTFN \<in> subjectReads example_auth_graph2 (partition_label High)"
apply(fastforce intro: reads_ep)
done
lemma SharedPage_in_subjectReads_High:
"partition_label SharedPage \<in> subjectReads example_auth_graph2 (partition_label High)"
apply(fastforce intro: reads_read_thread_read_pages)
done
lemma Low_in_subjectReads_High:
"partition_label Low \<in> subjectReads example_auth_graph2 (partition_label High)"
apply(fastforce intro: reads_read_page_read_thread[OF SharedPage_in_subjectReads_High])
done
lemma subjectReads_High: "subjectReads example_auth_graph2 (partition_label High) = {partition_label High,partition_label NTFN, partition_label SharedPage,partition_label Low}"
apply(rule equalityI)
apply(rule subsetI)
apply(erule subjectReads.induct, fastforce+)
apply(auto intro: NTFN_in_subjectReads_High SharedPage_in_subjectReads_High Low_in_subjectReads_High simp del: example_auth_graph2_def)
done
lemma SharedPage_in_subjectAffects_Low:
"partition_label SharedPage \<in> subjectAffects example_auth_graph2 (partition_label Low)"
apply(fastforce intro: affects_write)
done
lemma NTFN_in_subjectAffects_Low:
"partition_label NTFN \<in> subjectAffects example_auth_graph2 (partition_label Low)"
apply(fastforce intro: affects_ep)
done
lemma High_in_subjectAffects_Low:
"partition_label High \<in> subjectAffects example_auth_graph2 (partition_label Low)"
apply(rule affects_send[where ep="partition_label NTFN"])
apply(auto)
done
lemma subjectAffects_Low: "subjectAffects example_auth_graph2 (partition_label Low) = {partition_label Low,partition_label NTFN,partition_label SharedPage, partition_label High}"
apply(rule equalityI)
apply(rule subsetI)
apply(erule subjectAffects.induct, fastforce+)
apply(auto intro: affects_lrefl SharedPage_in_subjectAffects_Low NTFN_in_subjectAffects_Low High_in_subjectAffects_Low simp del: example_auth_graph2_def)
done
lemma subjectAffects_SharedPage: "subjectAffects example_auth_graph2 (partition_label SharedPage) = {partition_label SharedPage}"
apply(rule equalityI)
apply(rule subsetI)
apply(erule subjectAffects.induct, fastforce+)
apply(auto intro: affects_lrefl)
done
lemma High_in_subjectAffects_NTFN:
"partition_label High \<in> subjectAffects example_auth_graph2 (partition_label NTFN)"
apply(rule affects_send[where ep="partition_label NTFN"])
apply auto
done
lemma subjectAffects_NTFN: "subjectAffects example_auth_graph2 (partition_label NTFN) = {partition_label NTFN,partition_label High}"
apply(rule equalityI)
apply(rule subsetI)
apply(erule subjectAffects.induct, fastforce+)
apply(auto intro: affects_lrefl High_in_subjectAffects_NTFN simp del: example_auth_graph2_def)
done
lemma NTFN_in_subjectAffects_High:
"partition_label NTFN \<in> subjectAffects example_auth_graph2 (partition_label High)"
apply(fastforce intro: affects_ep)
done
lemma subjectAffects_High: "subjectAffects example_auth_graph2 (partition_label High) = {partition_label NTFN,partition_label High}"
apply(rule equalityI)
apply(rule subsetI)
apply(erule subjectAffects.induct, fastforce+)
apply(auto intro: affects_lrefl NTFN_in_subjectAffects_High simp del: example_auth_graph2_def)
done
lemmas subjectReads_2 = subjectReads_High subjectReads_Low subjectReads_NTFN subjectReads_SharedPage
declare example_auth_graph2_def [simp del]
lemma partsSubjectAffects_Low: "partsSubjectAffects example_auth_graph2 Low = {Partition Low, Partition High, Partition SharedPage, Partition NTFN}"
apply(auto simp: partsSubjectAffects_def image_def label_can_affect_partition_def subjectReads_2 subjectAffects_Low | case_tac xa, rename_tac xa)+
done
lemma partsSubjectAffects_SharedPage: "partsSubjectAffects example_auth_graph2 SharedPage = {Partition SharedPage, Partition High, Partition Low, Partition NTFN}"
apply(auto simp: partsSubjectAffects_def image_def label_can_affect_partition_def subjectReads_2 subjectAffects_SharedPage | rename_tac xa, case_tac xa)+
done
lemma partsSubjectAffects_NTFN: "partsSubjectAffects example_auth_graph2 NTFN = {Partition NTFN, Partition High}"
apply(auto simp: partsSubjectAffects_def image_def label_can_affect_partition_def subjectReads_2 subjectAffects_NTFN | rename_tac xa, case_tac xa)+
done
lemma partsSubjectAffects_High: "partsSubjectAffects example_auth_graph2 High = {Partition High, Partition NTFN}"
apply(auto simp: partsSubjectAffects_def image_def label_can_affect_partition_def subjectReads_2 subjectAffects_High | rename_tac xa, case_tac xa)+
done
lemmas partsSubjectAffects2 =
partsSubjectAffects_High partsSubjectAffects_Low partsSubjectAffects_NTFN
partsSubjectAffects_SharedPage
definition example_policy2 where
"example_policy2 \<equiv> {(PSched, d)|d. True} \<union>
{(d,e). d = e} \<union>
{(Partition Low, Partition NTFN), (Partition Low, Partition SharedPage),
(Partition Low, Partition High)} \<union>
{(Partition SharedPage,Partition High), (Partition SharedPage, Partition Low),
(Partition SharedPage,Partition NTFN)} \<union>
{(Partition NTFN, Partition High)} \<union>
{(Partition High, Partition NTFN)}"
lemma "policyFlows example_auth_graph2 = example_policy2"
apply(rule equalityI)
apply(rule subsetI)
apply(clarsimp simp: example_policy2_def)
apply(erule policyFlows.cases)
apply(case_tac l; auto simp: partsSubjectAffects2)
apply assumption
apply(rule subsetI)
apply(clarsimp simp: example_policy2_def)
apply(elim disjE)
apply(fastforce simp: partsSubjectAffects2 intro: policy_affects)+
apply(fastforce intro: policy_scheduler)
apply(fastforce intro: policyFlows_refl refl_onD)
done
end