The Uni ed Policy Framework (UPF) · The Uni ed Policy Framework (UPF) Achim D. Brucker Lukas...

The Unified Policy Framework(UPF)

Achim D Bruckerlowast Lukas Bruggerdagger Burkhart WolffDagger

lowastSAP SE Vincenz-Priessnitz-Str 1 76131 Karlsruhe Germany

achimbruckersapcom

daggerInformation Security ETH Zurich 8092 Zurich Switzerland

LukasABrueggergmailcom

DaggerUniv Paris-Sud Laboratoire LRI UMR8623 91405 Orsay France France

burkhartwolfflrifr

November 30 2014

AbstractWe present the Unified Policy Framework (UPF) a generic frameworkfor modelling security (access-control) policies in IsabelleHOL UPFemphasizes the view that a policy is a policy decision function thatgrants or denies access to resources permissions etc In other wordsinstead of modelling the relations of permitted or prohibited requestsdirectly we model the concrete function that implements the policydecision point in a system seen as an ldquoaspectrdquo of ldquowrapperrdquo aroundthe business logic of a system In more detail UPF is based on thefollowing four principles 1 Functional representation of policies 2 Noconflicts are possible 3 Three-valued decision type (allow deny un-defined) 4 Output type not containing the decision only

Contents

1 Introduction 5

2 The Unified Policy Framework (UPF) 721 The Core of the Unified Policy Framework (UPF) 7

211 Foundation 7

212 Policy Constructors 8

213 Override Operators 9

214 Coercion Operators 11

22 Elementary Policies 14

221 The Core Policy Combinators Allow and Deny Everything 14

222 Common Instances 15

223 Domain Range and Restrictions 17

23 Sequential Composition 21

231 Flattening 21

232 Policy Composition 24

24 Parallel Composition 25

241 Parallel Combinators Foundations 26

242 Combinators for Transition Policies 29

243 Range Splitting 29

244 Distributivity of the parallel combinators 30

25 Properties on Policies 32

251 Basic Properties 32

252 Combined Data-Policy Refinement 34

253 Equivalence of Policies 34

26 Policy Transformations 35

261 Elementary Operators 36

262 Distributivity of the Transformation 40

27 Policy Transformation for Testing 44

28 Putting Everything Together UPF 46

3 Example 4931 Secure Service Specification 49

311 Datatypes for Modelling Users and Roles 49

312 Modelling Health Records and the Web Service API 50

313 Modelling Access Control 53

314 The State Transitions and Output Function 57

3

315 Combine All Parts 5832 Instantiating Our Secure Service Example 59

321 Access Control Configuration 59322 The Initial System State 60323 Basic Properties 60

4 Conclusion and Related Work 6341 Related Work 6342 Conclusion Future Work 63

5 Appendix 6551 Basic Monad Theory for Sequential Computations 65

511 General Framework for Monad-based Sequence-Test 65512 Valid Test Sequences in the State Exception Monad 72513 Valid Test Sequences in the State Exception Backtrack Monad 76

4

1 Introduction

Access control i e restricting the access to information or resources is an importantpillar of todayrsquos information security portfolio Thus the large number of access controlmodels (e g [1 5 6 15ndash17 19 21]) and variants thereof (e g [2 2 4 7 14 18 22])is not surprising On the one hand this variety of specialized access control modelsallows concise representation of access control policies On the other hand the lack of acommon foundations makes it difficult to compare and analyze different access controlmodels formally

We present formalization of the Unified Policy Framework (UPF) [13] that providesa formal semantics for the core concepts of access control policiesb It can serve as ameta-model for a large set of well-known access control policies and moreover serve asa framework for analysis and test generation tools addressing common ground in policymodels Thus UPF for comparing different access control models including a formalcorrectness proof of a specific embedding for example implementing a role-based accesscontrol policy in terms of a discretionary access enforcement architecture Moreoverdefining well-known access control models by instantiating a unified policy frameworkallows to re-use tools such as test-case generators that are already provided for the uni-fied policy framework As the instantiation of a unified policy framework may also definea domain-specific (i e access control model specific) set of policy combinators (syntax)such an approach still provides the usual notations and thus a concise representation ofaccess control policies

UPF was already successful used as a basis for large scale access control policies in thehealth care domain [10] as well as in the domain of firewall and router policies [12] Inboth domains the formal policy specifications served as basis for the generation usingHOL-TestGen [9] of test cases that can be used for validating the compliance of animplementation to the formal model UPF is based on the following four principles

1 policies are represented as functions (rather than relations)

2 policy combination avoids conflicts by construction

3 the decision type is three-valued (allow deny undefined)

4 the output type does not only contain the decision but also a lsquoslotrsquo for arbitraryresult data

UPF is related to the state-exception monad modeling failing computations in somecases our UPF model makes explicit use of this connection although it is not centralThe used theory for state-exception monads can be found in the appendix

5

2 The Unified Policy Framework (UPF)

21 The Core of the Unified Policy Framework (UPF)

theoryUPFCore

importsMonads

begin

211 Foundation

The purpose of this theory is to formalize a somewhat non-standard view on the funda-mental concept of a security policy which is worth outlining This view has arisen fromprior experience in the modelling of network (firewall) policies Instead of regardingpolicies as relations on resources sets of permissions etc we emphasise the view thata policy is a policy decision function that grants or denies access to resources permis-sions etc In other words we model the concrete function that implements the policydecision point in a system and which represents a rdquowrapperrdquo around the business logicAn advantage of this view is that it is compatible with many different policy modelsenabling a uniform modelling framework to be defined Furthermore this function istypically a large cascade of nested conditionals using conditions referring to an internalstate and security contexts of the system or a user This cascade of conditionals caneasily be decomposed into a set of test cases similar to transformations used for binarydecision diagrams (BDD) and motivate equivalence class testing for unit test and se-quence test scenarios From the modelling perspective using HOLas its input languagewe will consequently use the expressive power of its underlying functional programminglanguage including the possibility to define higher-order combinators

In more detail we model policies as partial functions based on input data α (argu-ments system state security context ) to output data β

datatype primeα decision = allow primeα | deny primeα

type-synonym ( primeα primeβ) policy = primeα primeβ decision (infixr |minusgt 0 )

In the following we introduce a number of shortcuts and alternative notations Thetype of policies is represented as

translations (type) primeα |minusgt primeβ lt= (type) primeα primeβ decisiontype-notation (xsymbols) policy (infixr 7rarr 0 )

7

allowing the notation primeα 7rarr primeβ for the policy type and the alternative notations forNone and Some of the HOLlibrary primeα option type

notation None (perp)notation Some (b-c 80 )

Thus the range of a policy may consist of baccept xc data of bdeny xc data as wellas perp modeling the undefinedness of a policy ie a policy is considered as a partialfunction Partial functions are used since we describe elementary policies by partialsystem behaviour which are glued together by operators such as function override andfunctional composition

We define the two fundamental sets the allow-set Allow and the deny-set Deny (writ-ten A and D set for short) to characterize these two main sets of the range of a policy

definition Allow ( primeα decision) setwhere Allow = range allow

definition Deny ( primeα decision) setwhere Deny = range deny

212 Policy Constructors

Most elementary policy constructors are based on the update operation Funfun-upd-deff (a = b) equiv λx if x = a then b else f x and the maplet-notation a(x 7rarr y) usedfor a(x 7rarr y)

Furthermore we add notation adopted to our problem domain

nonterminal policylets and policylet

syntax-policylet1 [ primea primea] =gt policylet (- += -)-policylet2 [ primea primea] =gt policylet (- minus= -)

policylet =gt policylets (-)-Maplets [policylet policylets] =gt policylets (- -)-Maplets [policylet policylets] =gt policylets (- -)-MapUpd [ primea |minusgt primeb policylets] =gt primea |minusgt primeb (- prime(- prime) [900 0 ]900 )

syntax (xsymbols)-policylet1 [ primea primea] =gt policylet (- 7rarr+ -)-policylet2 [ primea primea] =gt policylet (- 7rarrminus -)-emptypolicy primea |minusgt primeb (empty)

translations-MapUpd m (-Maplets xy ms) -MapUpd (-MapUpd m xy) ms-MapUpd m (-policylet1 x y) m(x = CONST Some (CONST allow y))-MapUpd m (-policylet2 x y) m(x = CONST Some (CONST deny y))

8

empty CONST empty

Here are some lemmas essentially showing syntactic equivalences

lemma test empty(x+=a yminus= b) = empty(x 7rarr+ a y 7rarrminus b) by simp

lemma test2 p(x 7rarr+ax 7rarrminusb) = p(x 7rarrminusb) by simp

We inherit a fairly rich theory on policy updates from Map here Some examples are

lemma pol-upd-triv1 t k = ballow xc =rArr t(k 7rarr+x ) = tby (rule ext) simp

lemma pol-upd-triv2 t k = bdeny xc =rArr t(k 7rarrminusx ) = tby (rule ext) simp

lemma pol-upd-allow-nonempty t(k 7rarr+x ) 6= emptyby simp

lemma pol-upd-deny-nonempty t(k 7rarrminusx ) 6= emptyby simp

lemma pol-upd-eqD1 m(a 7rarr+x ) = n(a 7rarr+y) =rArr x = yby(auto dest map-upd-eqD1 )

lemma pol-upd-eqD2 m(a 7rarrminusx ) = n(a 7rarrminusy) =rArr x = yby(auto dest map-upd-eqD1 )

lemma pol-upd-neq1 [simp] m(a 7rarr+x ) 6= n(a 7rarrminusy)by(auto dest map-upd-eqD1 )

213 Override Operators

Key operators for constructing policies are the override operators There are four differ-ent versions of them with one of them being the override operator from the Map theoryAs it is common to compose policy rules in a ldquoleft-to-right-first-fitrdquo-manner that oneis taken as default defined by a syntax translation from the provided override operatorfrom the Map theory (which does it in reverse order)

syntax-policyoverride [ primea 7rarr primeb primea 7rarr primeb] rArr primea 7rarr primeb (infixl (+p) 100 )

syntax (xsymbols)-policyoverride [ primea 7rarr primeb primea 7rarr primeb] rArr primea 7rarr primeb (infixl

oplus100 )

translationspoplus

q q ++ p

9

Some elementary facts inherited from Map are

lemma override-empty poplusempty = p

by simp

lemma empty-override emptyoplus

p = pby simp

lemma override-assoc p1oplus

(p2oplus

p3 ) = (p1oplus

p2 )oplus

p3by simp

The following two operators are variants of the standard override For override A anallow of wins over a deny For override D the situation is dual

definition override-A [ primeα 7rarr primeβ primeα 7rarr primeβ] rArr primeα 7rarr primeβ (infixl ++ prime-A 100 )where m2 ++-A m1 =

(λx (case m1 x ofballow ac rArr ballow ac| bdeny ac rArr (case m2 x of ballow bc rArr ballow bc

| - rArr bdeny ac)| perp rArr m2 x )

)

syntax (xsymbols)-policyoverride-A [ primea 7rarr primeb primea 7rarr primeb] rArr primea 7rarr primeb (infixl

oplusA 100 )

translationspoplus

A q p ++-A q

lemma override-A-empty [simp] poplus

A empty = pby(simp add override-A-def )

lemma empty-override-A[simp] emptyoplus

A p = papply (rule ext)apply (simp add override-A-def )apply (case-tac p x )

apply (simp-all)apply (case-tac a)

apply (simp-all)done

lemma override-A-assoc p1oplus

A (p2oplus

A p3 ) = (p1oplus

A p2 )oplus

A p3by (rule ext simp add override-A-def split decisionsplits optionsplits)

definition override-D [ primeα 7rarr primeβ primeα 7rarr primeβ] rArr primeα 7rarr primeβ (infixl ++ prime-D 100 )

10

where m1 ++-D m2 =(λx case m2 x of

bdeny ac rArr bdeny ac| ballow ac rArr (case m1 x of bdeny bc rArr bdeny bc

| - rArr ballow ac)| perp rArr m1 x

)

syntax (xsymbols)-policyoverride-D [ primea 7rarr primeb primea 7rarr primeb] rArr primea 7rarr primeb (infixl

oplusD 100 )

translationspoplus

D q p ++-D q

lemma override-D-empty [simp] poplus

D empty = pby(simp add override-D-def )

lemma empty-override-D [simp] emptyoplus

D p = papply (rule ext)apply (simp add override-D-def )apply (case-tac p x simp-all)apply (case-tac a simp-all)

done

lemma override-D-assoc p1oplus

D (p2oplus

D p3 ) = (p1oplus

D p2 )oplus

D p3apply (rule ext)apply (simp add override-D-def split decisionsplits optionsplits)

done

214 Coercion Operators

Often especially when combining policies of different type it is necessary to adapt theinput or output domain of a policy to a more refined context

An analogous for the range of a policy is defined as follows

definition policy-range-comp [ primeβrArr primeγ primeα 7rarr primeβ] rArr primeα 7rarr primeγ (infixl o prime-f 55 )where

f o-f p = (λx case p x ofballow yc rArr ballow (f y)c| bdeny yc rArr bdeny (f y)c| perp rArr perp)

syntax (xsymbols)-policy-range-comp [ primeβrArr primeγ primeα 7rarr primeβ] rArr primeα 7rarr primeγ (infixl of 55 )

11

translationsp of q p o-f q

lemma policy-range-comp-strict f of empty = emptyapply (rule ext)apply (simp add policy-range-comp-def )

done

A generalized version is where separate coercion functions are applied to the resultdepending on the decision of the policy is as follows

definition range-split [( primeβrArr primeγ)times( primeβrArr primeγ) primeα 7rarr primeβ] rArr primeα 7rarr primeγ(infixr nabla 100 )

where (P) nabla p = (λx case p x ofballow yc rArr ballow ((fst P) y)c| bdeny yc rArr bdeny ((snd P) y)c| perp rArr perp)

lemma range-split-strict [simp] P nabla empty = emptyapply (rule ext)apply (simp add range-split-def )

done

lemma range-split-charn(f g) nabla p = (λx case p x of

ballow xc rArr ballow (f x )c| bdeny xc rArr bdeny (g x )c| perp rArr perp)

apply (simp add range-split-def )apply (rule ext)apply (case-tac p x )



The connection between these two becomes apparent if considering the followinglemma

lemma range-split-vs-range-compose (f f ) nabla p = f of pby(simp add range-split-charn policy-range-comp-def )

lemma range-split-id [simp] (id id) nabla p = papply (rule ext)apply (simp add range-split-charn id-def )

12

apply (case-tac p x )apply (simp-all)

apply (case-tac a)apply (simp-all)

done

lemma range-split-bi-compose [simp] (f1 f2 ) nabla (g1 g2 ) nabla p = (f1 o g1 f2 o g2 ) nabla papply (rule ext)apply (simp add range-split-charn comp-def )apply (case-tac p x )



The next three operators are rather exotic and in most cases not used

The following is a variant of range split where the change in the decision depends onthe input instead of the output

definition dom-split2a [( primeα primeγ) times ( primeα primeγ) primeα 7rarr primeβ] rArr primeα 7rarr primeγ (infixr ∆a100 )where P ∆a p = (λx case p x of

ballow yc rArr ballow (the ((fst P) x ))c| bdeny yc rArr bdeny (the ((snd P) x ))c| perp rArr perp)

definition dom-split2 [( primeα rArr primeγ) times ( primeα rArr primeγ) primeα 7rarr primeβ] rArr primeα 7rarr primeγ (infixr ∆100 )where P ∆ p = (λx case p x of

ballow yc rArr ballow ((fst P) x )c| bdeny yc rArr bdeny ((snd P) x )c| perp rArr perp)

definition range-split2 [( primeα rArr primeγ) times ( primeα rArr primeγ) primeα 7rarr primeβ] rArr primeα 7rarr ( primeβ times primeγ) (infixr nabla2100 )where P nabla2 p = (λx case p x of

ballow yc rArr ballow (y (fst P) x )c| bdeny yc rArr bdeny (y (snd P) x )c| perp rArr perp)

The following operator is used for transition policies only a transition policy is trans-formed into a state-exception monad Such a monad can for example be used for testcase generation using HOL-Testgen [9]

definition policy2MON ( primeιtimes primeσ 7rarr primeotimes primeσ) rArr ( primeι rArr( primeo decision primeσ) MON SE)where policy2MON p = (λ ι σ case p (ισ) of

13

b(allow (outsσ prime))c rArr b(allow outs σ prime)c| b(deny (outsσ prime))c rArr b(deny outs σ prime)c| perp rArr perp)

lemmas UPFCoreDefs = Allow-def Deny-def override-A-def override-D-defpolicy-range-comp-def

range-split-def dom-split2-def map-add-def restrict-map-defend

22 Elementary Policies

theoryElementaryPolicies

importsUPFCore

begin

In this theory we introduce the elementary policies of UPF that build the basis formore complex policies These complex policies respectively embedding of well-knownaccess control or security models are build by composing the elementary policies definedin this theory

221 The Core Policy Combinators Allow and Deny Everything

definitiondeny-pfun ( primeα primeβ) rArr ( primeα 7rarr primeβ) (AllD)where

deny-pfun pf equiv (λ x case pf x ofbyc rArr bdeny (y)c|perp rArr perp)

definitionallow-pfun ( primeα primeβ) rArr ( primeα 7rarr primeβ) ( AllA)where

allow-pfun pf equiv (λ x case pf x ofbyc rArr ballow (y)c|perp rArr perp)

syntax (xsymbols)-allow-pfun ( primeα primeβ) rArr ( primeα 7rarr primeβ) (Ap)

translationsAp f AllA f

syntax (xsymbols)

14

-deny-pfun ( primeα primeβ) rArr ( primeα 7rarr primeβ) (Dp)translations

Dp f AllD f

notation (xsymbols)deny-pfun (binder forallD 10 ) andallow-pfun (binder forallA 10 )

lemma AllD-norm[simp] deny-pfun (id o (λx bxc)) = (forallDx bxc)by(simp add id-def comp-def )

lemma AllD-norm2 [simp] deny-pfun (Some o id) = (forallDx bxc)by(simp add id-def comp-def )

lemma AllA-norm[simp] allow-pfun (id o Some) = (forallAx bxc)by(simp add id-def comp-def )

lemma AllA-norm2 [simp] allow-pfun (Some o id) = (forallAx bxc)by(simp add id-def comp-def )

lemma AllA-apply [simp] (forallAx Some (P x )) x = ballow (P x )cby(simp add allow-pfun-def )

lemma AllD-apply [simp] (forallDx Some (P x )) x = bdeny (P x )cby(simp add deny-pfun-def )

lemma neq-Allow-Deny pf 6= empty =rArr (deny-pfun pf ) 6= (allow-pfun pf )apply (erule contrapos-nn)apply (rule ext)apply (drule-tac x=x in fun-cong)apply (auto simp deny-pfun-def allow-pfun-def )apply (case-tac pf x = perp)apply (auto)

done

222 Common Instances

definition allow-all-fun ( primeα rArr primeβ) rArr ( primeα 7rarr primeβ) (Af )where allow-all-fun f = allow-pfun (Some o f )

definition deny-all-fun ( primeα rArr primeβ) rArr ( primeα 7rarr primeβ) (Df )where deny-all-fun f equiv deny-pfun (Some o f )

definition

15

deny-all-id primeα 7rarr primeα (DI) wheredeny-all-id equiv deny-pfun (id o Some)

definitionallow-all-id primeα 7rarr primeα (AI) where

allow-all-id equiv allow-pfun (id o Some)

definitionallow-all ( primeα 7rarr unit) (AU ) whereallow-all p = ballow ()c

definitiondeny-all ( primeα 7rarr unit) (DU ) wheredeny-all p = bdeny ()c

and resulting properties

lemma AIoplus

empty = AI

apply simpdone

lemma Af foplus

empty = Af fapply simpdone

lemma allow-pfun empty = emptyapply (rule ext)apply (simp add allow-pfun-def )done

lemma allow-left-cancel dom pf = UNIV =rArr (allow-pfun pf )oplus

x = (allow-pfun pf )

apply (rule ext)+apply (auto simp allow-pfun-def optionsplits)done

lemma deny-left-cancel dom pf = UNIV =rArr (deny-pfun pf )oplus

x = (deny-pfun pf )apply (rule ext)+apply (auto simp deny-pfun-def optionsplits)done

16

223 Domain Range and Restrictions

Since policies are essentially maps we inherit the basic definitions for domain and rangeon MapsMapdom_def dom m = a m a 6= perpwhereas range is just an abrreviation for image

abbreviation range (rsquoa =gt rsquob) =gt rsquob set

where -- of function range f == f lsquo UNIV

As a consequence we inherit the following properties on policies

bull MapdomD a isin dom m =rArr exist b m a = bbc

bull MapdomI m a = bbc =rArr a isin dom m

bull MapdomIff (a isin dom m) = (m a 6= perp)

bull Mapdom_const dom (λx bf xc) = UNIV

bull Mapdom_def dom m = a m a 6= perp

bull Mapdom_empty dom empty =

bull Mapdom_eq_empty_conv (dom f = ) = (f = empty)

bull Mapdom_eq_singleton_conv (dom f = x) = (exist v f = [x 7rarr v ])

bull Mapdom_fun_upd dom (f (x = y)) = (if y = perp then dom f minus x elseinsert x (dom f ))

bull Mapdom_if dom (λx if P x then f x else g x ) = dom f cap x P x cup domg cap x not P x

bull Mapdom_map_add dom (noplus

m) = dom n cup dom m

However some properties are specific to policy concepts

lemma sub-ran ran p sube Allow cup Denyapply (auto simp Allow-def Deny-def ran-def full-SetCompr-eq [symmetric])apply (case-tac x )apply (simp-all)apply (erule-tac x=α in allE )apply (simp)done

lemma dom-allow-pfun [simp]dom(allow-pfun f ) = dom fapply (auto simp allow-pfun-def )

17

apply (case-tac f x simp-all)done

lemma dom-allow-all dom(Af f ) = UNIVby(auto simp allow-all-fun-def o-def )

lemma dom-deny-pfun [simp]dom(deny-pfun f ) = dom fapply (auto simp deny-pfun-def )apply (case-tac f x )apply (simp-all)done

lemma dom-deny-all dom(Df f ) = UNIVby(auto simp deny-all-fun-def o-def )

lemma ran-allow-pfun [simp]ran(allow-pfun f ) = allow lsquo (ran f )apply (simp add allow-pfun-def ran-def )apply (rule set-eqI )apply (auto)apply (case-tac f a)apply (auto simp image-def )apply (rule-tac x=a in exI )apply (simp)

done

lemma ran-allow-all ran(Af id) = Allowapply (simp add allow-all-fun-def Allow-def o-def )apply (rule set-eqI )apply (auto simp image-def ran-def )

done

lemma ran-deny-pfun[simp] ran(deny-pfun f ) = deny lsquo (ran f )apply (simp add deny-pfun-def ran-def )apply (rule set-eqI )apply (auto)apply (case-tac f a)apply (auto simp image-def )apply (rule-tac x=a in exI )apply (simp)

done

lemma ran-deny-all ran(Df id) = Denyapply (simp add deny-all-fun-def Deny-def o-def )apply (rule set-eqI )

18

apply (auto simp image-def ran-def )done

Reasoning over dom is most crucial since it paves the way for simplification and reorder-ing of policies composed by override (ie by the normal left-to-right rule compositionmethod



bull Mapinj_on_map_add_dom inj-on (m primeoplus

m) (dom m prime) = inj-on m prime (domm prime)

bull Mapmap_add_comm dom m1 0 cap dom m2 0 = =rArr m2 0oplus

m1 0 =m1 0

oplusm2 0

bull Mapmap_add_dom_app_simps(1) m isin dom l2 0 =rArr (l2 0oplus

l1 0 ) m =l2 0 m


l1 0 ) m =l2 0 m


l1 0 ) m =l1 0 m

bull Mapmap_add_upd_left m isin dom e2 0 =rArr e2 0oplus

e1 0 (m 7rarr u1 0 ) =(e2 0

opluse1 0 )(m 7rarr u1 0 )

The latter rule also applies to allow- and deny-override

definition dom-restrict [ primeα set primeα 7rarr primeβ] rArr primeα 7rarr primeβ (infixr 55 )where S p equiv (λx if x isin S then p x else perp)

lemma dom-dom-restrict [simp] dom(S p) = S cap dom papply (auto simp dom-restrict-def )apply (case-tac x isin S )apply (simp-all)apply (case-tac x isin S )apply (simp-all)

done

lemma dom-restrict-idem[simp] (dom p) p = papply (rule ext)apply (auto simp dom-restrict-def

dest neq-commute[THEN iffD1 THEN not-None-eq [THEN iffD1 ]])done

lemma dom-restrict-inter [simp] T S p = T cap S papply (rule ext)

19

apply (auto simp dom-restrict-defdest neq-commute[THEN iffD1 THEN not-None-eq [THEN iffD1 ]])

done

definition ran-restrict [ primeα 7rarr primeβ primeβ decision set ] rArr primeα 7rarr primeβ (infixr 55 )where p S equiv (λx if p x isin (SomelsquoS ) then p x else perp)

definition ran-restrict2 [ primeα 7rarr primeβ primeβ decision set ] rArr primeα 7rarr primeβ (infixr 2 55 )where p 2 S equiv (λx if (the (p x )) isin (S ) then p x else perp)

lemma ran-restrict = ran-restrict2apply (rule ext)+apply (simp add ran-restrict-def ran-restrict2-def )apply (case-tac x xb)apply simp-allapply (metis inj-Some inj-image-mem-iff )

done

lemma ran-ran-restrict [simp] ran(p S ) = S cap ran pby(auto simp ran-restrict-def image-def ran-def )

lemma ran-restrict-idem[simp] p (ran p) = papply (rule ext)apply (auto simp ran-restrict-def image-def Ball-def ran-def )apply (erule contrapos-pp)apply (auto dest neq-commute[THEN iffD1 THEN not-None-eq [THEN iffD1 ]])

done

lemma ran-restrict-inter [simp] (p S ) T = p T cap Sapply (rule ext)apply (auto simp ran-restrict-def


lemma ran-gen-A[simp] (forallAx bP xc) Allow = (forallAx bP xc)apply (rule ext)apply (auto simp Allow-def ran-restrict-def )

done

lemma ran-gen-D [simp] (forallDx bP xc) Deny = (forallDx bP xc)apply (rule ext)apply (auto simp Deny-def ran-restrict-def )

20

done

lemmas ElementaryPoliciesDefs = deny-pfun-def allow-pfun-def allow-all-fun-defdeny-all-fun-def

allow-all-id-def deny-all-id-def allow-all-def deny-all-defdom-restrict-def ran-restrict-def

end

23 Sequential Composition

theorySeqComposition

importsElementaryPolicies

begin

Sequential composition is based on the idea that two policies are to be combinedby applying the second policy to the output of the first one Again there are fourpossibilities how the decisions can be combined

231 Flattening

A key concept of sequential policy composition is the flattening of nested decisionsThere are four possibilities and these possibilities will give the various flavours of policycomposition

fun flat-orA ( primeα decision) decision rArr ( primeα decision)where flat-orA(allow(allow y)) = allow y|flat-orA(allow(deny y)) = allow y|flat-orA(deny(allow y)) = allow y|flat-orA(deny(deny y)) = deny y

lemma flat-orA-deny [dest ]flat-orA x = deny y =rArr x = deny(deny y)apply (case-tac x )apply (simp-all)apply (case-tac α)apply (simp-all)apply (case-tac α)apply (simp-all)

done

lemma flat-orA-allow [dest ] flat-orA x = allow y =rArr x = allow(allow y)or x = allow(deny y)

21

or x = deny(allow y)apply (case-tac x )apply (simp-all)apply (case-tac α)apply (simp-all)apply (case-tac α)apply (simp-all)

done

fun flat-orD ( primeα decision) decision rArr ( primeα decision)where flat-orD(allow(allow y)) = allow y|flat-orD(allow(deny y)) = deny y|flat-orD(deny(allow y)) = deny y|flat-orD(deny(deny y)) = deny y

lemma flat-orD-allow [dest ] flat-orD x = allow y =rArr x = allow(allow y)apply (case-tac x )apply (simp-all)apply (case-tac α)apply (simp-all)apply (case-tac α)apply (simp-all)

done

lemma flat-orD-deny [dest ] flat-orD x = deny y =rArr x = deny(deny y)or x = allow(deny y)or x = deny(allow y)

apply (case-tac x )apply (simp-all)apply (case-tac α)apply (simp-all)apply (case-tac α)apply (simp-all)

done

fun flat-1 ( primeα decision) decision rArr ( primeα decision)where flat-1 (allow(allow y)) = allow y|flat-1 (allow(deny y)) = allow y|flat-1 (deny(allow y)) = deny y|flat-1 (deny(deny y)) = deny y

lemma flat-1-allow [dest ] flat-1 x = allow y =rArr x = allow(allow y) or x = allow(denyy)

apply (case-tac x )

22

apply (simp-all)apply (case-tac α)apply (simp-all)apply (case-tac α)apply (simp-all)

done

lemma flat-1-deny [dest ] flat-1 x = deny y =rArr x = deny(deny y) or x = deny(allowy)


done

fun flat-2 ( primeα decision) decision rArr ( primeα decision)where flat-2 (allow(allow y)) = allow y|flat-2 (allow(deny y)) = deny y|flat-2 (deny(allow y)) = allow y|flat-2 (deny(deny y)) = deny y

lemma flat-2-allow [dest ] flat-2 x = allow y =rArr x = allow(allow y) or x = deny(allowy)


done

lemma flat-2-deny [dest ] flat-2 x = deny y =rArr x = deny(deny y) or x = allow(denyy)


done

23

232 Policy Composition

The following definition allows to compose two policies Denies and allows are trans-ferred

fun lift ( primeα 7rarr primeβ) rArr ( primeα decision 7rarr primeβ decision)where lift f (deny s) = (case f s of

byc rArr bdeny yc| perp rArr perp)

| lift f (allow s) = (case f s ofbyc rArr ballow yc

| perp rArr perp)

lemma lift-mt [simp] lift empty = emptyapply (rule ext)apply (case-tac x )apply (simp-all)

done

Since policies are maps we inherit a composition on them However this results innestings of decisionsmdashwhich must be flattened As we now that there are four differentforms of flattening we have four different forms of policy composition

definitioncomp-orA [ primeβ 7rarr primeγ primeα 7rarr primeβ] rArr primeα 7rarr primeγ (infixl o prime-orA 55 ) wherep2 o-orA p1 equiv (map-option flat-orA) o (lift p2 o-m p1 )

notation (xsymbols)comp-orA (infixl orA 55 )

lemma comp-orA-mt [simp]p orA empty = emptyby(simp add comp-orA-def )

lemma mt-comp-orA[simp]empty orA p = emptyby(simp add comp-orA-def )

definitioncomp-orD [ primeβ 7rarr primeγ primeα 7rarr primeβ] rArr primeα 7rarr primeγ (infixl o prime-orD 55 ) wherep2 o-orD p1 equiv (map-option flat-orD) o (lift p2 o-m p1 )

notation (xsymbols)comp-orD (infixl orD 55 )

lemma comp-orD-mt [simp]p o-orD empty = emptyby(simp add comp-orD-def )

24

lemma mt-comp-orD [simp]empty o-orD p = emptyby(simp add comp-orD-def )

definitioncomp-1 [ primeβ 7rarr primeγ primeα 7rarr primeβ] rArr primeα 7rarr primeγ (infixl o prime-1 55 ) wherep2 o-1 p1 equiv (map-option flat-1 ) o (lift p2 o-m p1 )

notation (xsymbols)comp-1 (infixl 1 55 )

lemma comp-1-mt [simp]p 1 empty = emptyby(simp add comp-1-def )

lemma mt-comp-1 [simp]empty 1 p = emptyby(simp add comp-1-def )





end

24 Parallel Composition

theoryParallelComposition


begin

The following combinators are based on the idea that two policies are executed inparallel Since both input and the output can differ we chose to pair them

The new input pair will often contain repetitions which can be reduced using thedomain-restriction and domain-reduction operators Using additional range-modifyingoperators such as nabla decide which result argument is chosen this might be the first or

25

the latter or in case that β = γ and β underlies a lattice structure the supremum orinfimum of both or an arbitrary combination of them

In any case although we have strictly speaking a pairing of decisions and not a nestingof them we will apply the same notational conventions as for the latter ie as forflattening

241 Parallel Combinators Foundations

There are four possible semantics how the decision can be combined thus there are fourparallel composition operators For each of them we prove several properties

definition prod-orA [ primeα 7rarr primeβ primeγ 7rarr primeδ] rArr ( primeαtimes primeγ 7rarr primeβtimes primeδ) (infixrotimesorA 55 )

where p1otimesorA p2 =

(λ(x y) (case p1 x ofballow d1 c rArr(case p2 y of

ballow d2 c rArr ballow(d1 d2 )c| bdeny d2 c rArr ballow(d1 d2 )c| perp rArr perp)

| bdeny d1 crArr(case p2 y ofballow d2 c rArr ballow(d1 d2 )c| bdeny d2 c rArr bdeny (d1 d2 )c| perp rArr perp)

| perp rArr perp))

lemma prod-orA-mt [simp]potimesorA empty = empty

apply (rule ext)apply (simp add prod-orA-def )apply (auto)apply (simp split optionsplits decisionsplits)

done

lemma mt-prod-orA[simp]emptyotimesorA p = empty

apply (rule ext)apply (simp add prod-orA-def )

done

lemma prod-orA-quasi-commute p2otimesorA p1 = (((λ(x y) (y x )) o-f (p1

otimesorA p2 )))

o (λ(ab)(ba))apply (rule ext)apply (simp add prod-orA-def policy-range-comp-def o-def )apply (auto)apply (simp split optionsplits decisionsplits)

done

26

definition prod-orD [ primeα 7rarr primeβ primeγ 7rarr primeδ] rArr ( primeα times primeγ 7rarr primeβ times primeδ ) (infixrotimesorD 55 )

where p1otimesorD p2 =


ballow d2 c rArr ballow(d1 d2 )c| bdeny d2 c rArr bdeny(d1 d2 )c| perp rArr perp)

| bdeny d1 crArr(case p2 y ofballow d2 c rArr bdeny(d1 d2 )c| bdeny d2 c rArr bdeny (d1 d2 )c| perp rArr perp)

| perp rArr perp))

lemma prod-orD-mt [simp]potimesorD empty = empty

apply (rule ext)apply (simp add prod-orD-def )apply (auto)apply (simp split optionsplits decisionsplits)

done

lemma mt-prod-orD [simp]emptyotimesorD p = empty

apply (rule ext)apply (simp add prod-orD-def )

done

lemma prod-orD-quasi-commute p2otimesorD p1 = (((λ(x y) (y x )) o-f (p1

otimesorD p2 )))

o (λ(ab)(ba))apply (rule ext)apply (simp add prod-orD-def policy-range-comp-def o-def )apply (auto)apply (simp split optionsplits decisionsplits)

done

The following two combinators are by definition non-commutative but still strict

definition prod-1 [ primeα 7rarr primeβ primeγ 7rarr primeδ] rArr ( primeαtimes primeγ 7rarr primeβtimes primeδ) (infixrotimes

1 55 )where p1

otimes1 p2 equiv

(λ(x y) (case p1 x ofballow d1 crArr(case p2 y of


| bdeny d1 c rArr(case p2 y ofballow d2 c rArr bdeny(d1 d2 )c| bdeny d2 c rArr bdeny(d1 d2 )c

27

| perp rArr perp)|perp rArr perp))

lemma prod-1-mt [simp]potimes

1 empty = emptyapply (rule ext)apply (simp add prod-1-def )apply (auto)apply (simp split optionsplits decisionsplits)

done

lemma mt-prod-1 [simp]emptyotimes

1 p = emptyapply (rule ext)apply (simp add prod-1-def )

done


2 55 )where p1

otimes2 p2 equiv


ballow d2 c rArr ballow(d1 d2 )c| bdeny d2 c rArr bdeny (d1 d2 )c| perp rArr perp)


|perp rArrperp))



done



done

definition prod-1-id [ primeα 7rarr primeβ primeα 7rarr primeγ] rArr ( primeα 7rarr primeβtimes primeγ) (infixrotimes

1I 55 )where p

otimes1I q = (p

otimes1 q) o (λx (x x ))

lemma prod-1-id-mt [simp]potimes

1I empty = empty

28

apply (rule ext)apply (simp add prod-1-id-def )

done

lemma mt-prod-1-id [simp]emptyotimes

1I p = emptyapply (rule ext)apply (simp add prod-1-id-def prod-1-def )

done


2I 55 )wherep

otimes2I q = (p



2I empty = emptyapply (rule ext)apply (simp add prod-2-id-def )

done



done

242 Combinators for Transition Policies

For constructing transition policies two additional combinators are required one com-bines state transitions by pairing the states the other works equivalently on generalmaps

definition parallel-map ( primeα primeβ) rArr ( primeδ primeγ) rArr( primeα times primeδ primeβ times primeγ) (infixr

otimesM 60 )

where p1otimes

M p2 = (λ (x y) case p1 x of bd1 c rArr(case p2 y of bd2 c rArr b(d1 d2 )c

| perp rArr perp)| perp rArr perp)

definition parallel-st ( primei times primeσ primeσ) rArr ( primei times primeσ prime primeσ prime) rArr( primei times primeσ times primeσ prime primeσ times primeσ prime) (infixr

otimesS 60 )

wherep1

otimesS p2 = (p1

otimesM p2 ) o (λ (abc) ((ab)ac))

243 Range Splitting

The following combinator is a special case of both a parallel composition operator anda range splitting operator Its primary use case is when combining a policy with statetransitions

29

definition comp-ran-split [( primeα primeγ) times ( primeα primeγ) primed 7rarr primeβ] rArr ( primed times primeα) 7rarr ( primeβ times primeγ)(infixr

otimesnabla 100 )

where Potimesnabla p equiv λx case p (fst x ) of

ballow yc rArr (case ((fst P) (snd x )) of perp rArr perp | bzc rArr ballow(y z )c)

| bdeny yc rArr (case ((snd P) (snd x )) of perp rArr perp | bzc rArr bdeny(y z )c)

| perp rArr perp

An alternative characterisation of the operator is as follows

lemma comp-ran-split-charn(f g)

otimesnabla p = (

(((p Allow)otimesorA (Ap f ))

oplus((p Deny)

otimesorA (Dp g))))

apply (rule ext)apply (simp add comp-ran-split-def map-add-def o-def ran-restrict-def image-def

Allow-def Deny-def dom-restrict-def prod-orA-defallow-pfun-def deny-pfun-def

split optionsplits decisionsplits)apply (auto)

done

244 Distributivity of the parallel combinators

lemma distr-or1-a (F = F1oplus

F2 ) =rArr (((Notimes

1 F ) o f ) =(((N

otimes1 F1 ) o f )

oplus((N

otimes1 F2 ) o f )))

apply (rule ext)apply (simp add prod-1-def map-add-def

split decisionsplits optionsplits)apply (case-tac f x )apply (simp-all add prod-1-def map-add-def

split decisionsplits optionsplits)done

lemma distr-or1 (F = F1oplus

F2 ) =rArr ((g o-f ((Notimes

1 F ) o f )) =((g o-f ((N

otimes1 F1 ) o f ))

oplus(g o-f ((N

otimes1 F2 ) o f ))))

apply (rule ext)+apply (simp add prod-1-def map-add-def policy-range-comp-def



30



2 F ) o f ) =(((N

otimes2 F1 ) o f )

oplus((N


apply (rule ext)apply (simp add prod-2-id-def prod-2-def map-add-def




F2 ) =rArr ((r o-f ((Notimes

2 F ) o f )) =((r o-f ((N

otimes2 F1 ) o f ))

oplus(r o-f ((N


apply (rule ext)apply (simp add prod-2-id-def prod-2-def map-add-def policy-range-comp-def



lemma distr-orA (F = F1oplus

F2 ) =rArr ((g o-f ((NotimesorA F ) o f )) =

((g o-f ((NotimesorA F1 ) o f ))

oplus(g o-f ((N

otimesorA F2 ) o f ))))

apply (rule ext)+apply (simp add prod-orA-def map-add-def policy-range-comp-def

split decisionsplits optionsplits)apply (case-tac f x )apply (simp-all add map-add-def


lemma distr-orD (F = F1oplus

F2 ) =rArr ((g o-f ((NotimesorD F ) o f )) =

((g o-f ((NotimesorD F1 ) o f ))

oplus(g o-f ((N

otimesorD F2 ) o f ))))

apply (rule ext)+apply (simp add prod-orD-def map-add-def policy-range-comp-def



lemma coerc-assoc (r o-f P) o d = r o-f (P o d)apply (simp add policy-range-comp-def )apply (rule ext)apply (simp split optionsplits decisionsplits)

31

done

lemmas ParallelDefs = prod-orA-def prod-orD-def prod-1-def prod-2-defparallel-map-def

parallel-st-def comp-ran-split-defend

25 Properties on Policies

theoryAnalysis

importsParallelCompositionSeqComposition

begin

In this theory several standard policy properties are paraphrased in UPF terms

251 Basic Properties

A Policy Has no Gaps

definition gap-free ( primea 7rarr primeb) rArr boolwhere gap-free p = (dom p = UNIV )

Comparing Policies

Policy p is more defined than q

definition more-defined ( primea 7rarr primeb) rArr( primea 7rarr primeb) rArrboolwhere more-defined p q = (dom q sube dom p)

definition strictly-more-defined ( primea 7rarr primeb) rArr( primea 7rarr primeb) rArrboolwhere strictly-more-defined p q = (dom q sub dom p)

lemma strictly-more-vs-more strictly-more-defined p q =rArr more-defined p qunfolding more-defined-def strictly-more-defined-defby auto

Policy p is more permissive than q

definition more-permissive ( primea 7rarr primeb) rArr ( primea 7rarr primeb) rArr bool (infixl vA 60 )where p vA q = (forall x (case q x of ballow yc rArr (exist z (p x = ballow zc))

| bdeny yc rArr True| perp rArr True))

32

lemma more-permissive-refl p vA punfolding more-permissive-defby(auto split optionsplit decisionsplit)

lemma more-permissive-trans p vA p prime =rArr p prime vA p primeprime =rArr p vA p primeprime

unfolding more-permissive-defapply(auto split optionsplit decisionsplit)apply(erule-tac x = x and

P = λx case p primeprime x of perp rArr True| ballow yc rArr exist z p prime x = ballow zc| bdeny yc rArr True in allE )

apply(simp elim exE )by(erule-tac x = x in allE simp)

Policy p is more rejective than q

definition more-rejective ( primea 7rarr primeb) rArr ( primea 7rarr primeb) rArr bool (infixl vD 60 )where p vD q = (forall x (case q x of bdeny yc rArr (exist z (p x = bdeny zc))

| ballow yc rArr True| perp rArr True))

lemma more-rejective-trans p vD p prime =rArr p prime vD p primeprime =rArr p vD p primeprime

unfolding more-rejective-defapply(auto split optionsplit decisionsplit)apply(erule-tac x = x and

P = λx case p primeprime x of perp rArr True| ballow yc rArr True| bdeny yc rArr exist z p prime x = bdeny zc in allE )


lemma more-rejective-refl p vD punfolding more-rejective-defby(auto split optionsplit decisionsplit)

lemma Af f vA punfolding more-permissive-def allow-all-fun-def allow-pfun-defby(auto split optionsplit decisionsplit)

33

lemma AI vA punfolding more-permissive-def allow-all-fun-def allow-pfun-def allow-all-id-defby(auto split optionsplit decisionsplit)

252 Combined Data-Policy Refinement

definition policy-refinement ( primea 7rarr primeb) rArr ( primea primerArr primea) rArr( primeb primerArr primeb) rArr ( primea prime 7rarr primeb prime) rArr bool(- v-- - [50 50 50 50 ]50 )

where p vabsa absb q equiv(forall a case p a of

perp rArr True| ballow yc rArr (forall a primeisinx absa x=a

exist b prime q a prime = ballow b primecand absb b prime = y)

| bdeny yc rArr (forall a primeisinx absa x=aexist b prime q a prime = bdeny b primec

and absb b prime = y))

theorem polref-refl p vidid punfolding policy-refinement-defby(auto split optionsplit decisionsplit)

theorem polref-transassumes A p vfg p prime

and B p prime vf primeg prime p primeprime

shows p vf o f primeg o g prime p primeprime

apply(insert A B)unfolding policy-refinement-defapply(auto split optionsplit decisionsplit simp o-def )apply(erule-tac x=f (f prime a prime) in allE simp)apply(erule-tac x=f prime a prime in allE auto)apply(erule-tac x= (f prime a prime) in allE auto)apply(erule-tac x=f (f prime a prime) in allE simp)apply(erule-tac x=f prime a prime in allE auto)apply(erule-tac x= (f prime a prime) in allE auto)done

253 Equivalence of Policies

Equivalence over domain D definition p-eq-dom ( primea 7rarr primeb) rArr primea set rArr ( primea 7rarr primeb)rArrbool (- asymp- - [60 60 60 ]60 )where p asympD q = (forall xisinD p x = q x )

p and q have no conflicts

34

definition no-conflicts ( primea 7rarr primeb) rArr( primea 7rarr primeb) rArrbool whereno-conflicts p q = (dom p = dom q and (forall xisin(dom p)

(case p x of ballow yc rArr (exist z q x = ballow zc)| bdeny yc rArr (exist z q x = bdeny zc))))

lemma policy-eq assumes p-over-qA p vA qand q-over-pA q vA pand p-over-qD q vD pand q-over-pD p vD qand dom-eq dom p = dom q

shows no-conflicts p qapply (insert p-over-qA q-over-pA p-over-qD q-over-pD dom-eq)apply (simp add no-conflicts-def more-permissive-def more-rejective-def

split optionsplits decisionsplits)apply (safe)apply (metis domI domIff dom-eq)apply (metis)+

done

Miscellaneous

lemma dom-inter [[dom p cap dom q = p x = byc]] =rArr q x = perpby (auto)

lemma dom-eq dom p cap dom q = =rArr poplus

A q = poplus

D qunfolding override-A-def override-D-defby (rule ext auto simp dom-def split prod splits optionsplits decisionsplits )

lemma dom-split-alt-def (f g) ∆ p = (dom(p Allow) (Af f ))oplus

(dom(p Deny) (Df g))

apply (rule ext)apply (simp add dom-split2-def Allow-def Deny-def dom-restrict-def

deny-all-fun-def allow-all-fun-def map-add-def )apply (simp split optionsplits decisionsplits)apply (auto simp map-add-def o-def deny-pfun-def ran-restrict-def image-def )

done

end

26 Policy Transformations

theoryNormalisation

35

importsSeqCompositionParallelComposition

begin

This theory provides the formalisations required for the transformation of UPF poli-cies A typical usage scenario can be observed in the firewall case study [12]

261 Elementary Operators

We start by providing several operators and theorems useful when reasoning about a listof rules which should eventually be interpreted as combined using the standard overrideoperator

The following definition takes as argument a list of rules and returns a policy wherethe rules are combined using the standard override operator

definition list2policy ( primea 7rarr primeb) list rArr ( primea 7rarr primeb) wherelist2policy l = foldr (λ x y (x

oplusy)) l empty

Determine the position of element of a list

fun position primeα rArr primeα list rArr nat whereposition a [] = 0|(position a (xxs)) = (if a = x then 1 else (Suc (position a xs)))

Provides the first applied rule of a policy given as a list of rules

fun applied-rule whereapplied-rule C a (xxs) = (if a isin dom (C x ) then (Some x )

else (applied-rule C a xs))|applied-rule C a [] = None

The following is used if the list is constructed backwards

definition applied-rule-rev whereapplied-rule-rev C a x = applied-rule C a (rev x )

The following is a typical policy transformation It can be applied to any type ofpolicy and removes all the rules from a policy with an empty domain It takes twoarguments a semantic interpretation function and a list of rules

fun rm-MT-rules whererm-MT-rules C (xxs) = (if dom (C x )=

then rm-MT-rules C xselse x(rm-MT-rules C xs))

|rm-MT-rules C [] = []

The following invariant establishes that there are no rules with an empty domain in alist of rules

36

fun none-MT-rules wherenone-MT-rules C (xxs) = (dom (C x ) 6= and (none-MT-rules C xs))|none-MT-rules C [] = True

The following related invariant establishes that the policy has not a completely emptydomain

fun not-MT wherenot-MT C (xxs) = (if (dom (C x ) = ) then (not-MT C xs) else True)|not-MT C [] = False

Next a few theorems about the two invariants and the transformation

lemma none-MT-rules-vs-notMT none-MT-rules C p =rArr p 6= [] =rArr not-MT C papply (induct p)apply (simp-all)

done

lemma rmnMT none-MT-rules C (rm-MT-rules C p)apply (induct p)apply (simp-all)

done

lemma rmnMT2 none-MT-rules C p =rArr (rm-MT-rules C p) = papply (induct p)apply (simp-all)

done

lemma nMTcharn none-MT-rules C p = (forall r isin set p dom (C r) 6= )apply (induct p)apply (simp-all)

done

lemma nMTeqSet set p = set s =rArr none-MT-rules C p = none-MT-rules C sapply (simp add nMTcharn)

done

lemma notMTnMT [[a isin set p none-MT-rules C p]] =rArr dom (C a) 6= apply (simp add nMTcharn)

done

lemma none-MT-rulesconc none-MT-rules C (a[b]) =rArr none-MT-rules C aapply (induct a)apply (simp-all)

done

37

lemma nMTtail none-MT-rules C p =rArr none-MT-rules C (tl p)apply (induct p)apply (simp-all)

done

lemma not-MTimpnotMT [simp] not-MT C p =rArr p 6= []apply (auto)

done

lemma SR3nMT not not-MT C p =rArr rm-MT-rules C p = []apply (induct p)apply (auto simp if-splits)

done

lemma NMPcharn [[a isin set p dom (C a) 6= ]] =rArr not-MT C papply (induct p)apply (auto simp if-splits)

done

lemma NMPrm not-MT C p =rArr not-MT C (rm-MT-rules C p)apply (induct p)apply (simp-all)

done

Next a few theorems about applied rule

lemma mrconc applied-rule-rev C x p = Some a =rArr applied-rule-rev C x (bp) =Some aproof (induct p rule rev-induct)case Nil show case using Nilby (simp add applied-rule-rev-def )

nextcase (snoc xs x ) show case using snocapply (simp add applied-rule-rev-def if-splits)by (metis optioninject)

qed

lemma mreq-end [[applied-rule-rev C x b = Some r applied-rule-rev C x c = Some r ]]=rArrapplied-rule-rev C x (ab) = applied-rule-rev C x (ac)

by (simp add mrconc)

lemma mrconcNone applied-rule-rev C x p = None =rArrapplied-rule-rev C x (bp) = applied-rule-rev C x [b]

proof (induct p rule rev-induct)

38

case Nil show caseby (simp add applied-rule-rev-def )

nextcase (snoc ys y) show case using snocproof (cases x isin dom (C ys))case True show thesis using True snocby (auto simp applied-rule-rev-def )nextcase False show thesis using False snocby (auto simp applied-rule-rev-def )

qedqed

lemma mreq-endNone [[applied-rule-rev C x b = None applied-rule-rev C x c = None]]=rArr

applied-rule-rev C x (ab) = applied-rule-rev C x (ac)by (metis mrconcNone)

lemma mreq-end2 applied-rule-rev C x b = applied-rule-rev C x c =rArrapplied-rule-rev C x (ab) = applied-rule-rev C x (ac)

apply (case-tac applied-rule-rev C x b = None)apply (auto intro mreq-end mreq-endNone)

done

lemma mreq-end3 applied-rule-rev C x p 6= None =rArrapplied-rule-rev C x (b p) = applied-rule-rev C x (p)

by (auto simp mrconc)

lemma mrNoneMT [[r isin set p applied-rule-rev C x p = None]] =rArrx isin dom (C r)

proof (induct p rule rev-induct)case Nil show case using Nilby (simp add applied-rule-rev-def )

nextcase (snoc y ys) show case using snocproof (cases r isin set ys)case True show thesis using snoc Trueby (simp add applied-rule-rev-def split split-if-asm)

nextcase False show thesis using snoc False

by (simp add applied-rule-rev-def split split-if-asm)qed

qed

39

262 Distributivity of the Transformation

The scenario is the following (can be applied iteratively)

bull Two policies are combined using one of the parallel combinators

bull (eg P = P1 P2) (At least) one of the constituent policies has

bull a normalisation procedures which as output produces a list of

bull policies that are semantically equivalent to the original policy if

bull combined from left to right using the override operator

The following function is crucial for the distribution Its arguments are a policy a listof policies a parallel combinator and a range and a domain coercion function

fun prod-list ( primeα 7rarr primeβ) rArr (( primeγ 7rarr primeδ) list) rArr(( primeα 7rarr primeβ) rArr ( primeγ 7rarr primeδ) rArr (( primeα times primeγ) 7rarr ( primeβ times primeδ))) rArr(( primeβ times primeδ) rArr primey) rArr ( primex rArr ( primeα times primeγ)) rArr(( primex 7rarr primey) list) (infixr

otimesL 54 ) where

prod-list x (yys) par-comb ran-adapt dom-adapt =((ran-adapt o-f ((par-comb x y) o dom-adapt))(prod-list x ys par-comb ran-adapt

dom-adapt))| prod-list x [] par-comb ran-adapt dom-adapt = []

An instance as usual there are four of them

definition prod-2-list [( primeα 7rarr primeβ) (( primeγ 7rarr primeδ) list)] rArr(( primeβ times primeδ) rArr primey) rArr ( primex rArr ( primeα times primeγ)) rArr(( primex 7rarr primey) list) (infixr

otimes2L 55 ) where

xotimes

2L y = (λ d r (xotimes

L y) (opotimes

2) d r)

lemma list2listNMT x 6= [] =rArr map sem x 6= []apply (case-tac x )apply (simp-all)

done

lemma two-conc (prod-list x (yys) p r d) = ((r o-f ((p x y) o d))(prod-list x ys pr d))by simp

The following two invariants establish if the law of distributivity holds for a combinatorand if an operator is strict regarding undefinedness

definition is-distr whereis-distr p = (λ g f (forall N P1 P2 ((g o-f ((p N (P1

oplusP2 )) o f )) =

((g o-f ((p N P1 ) o f ))oplus

(g o-f ((p N P2 ) o f ))))))

40

definition is-strict whereis-strict p = (λ r d forall P1 (r o-f (p P1 empty d)) = empty)

lemma is-distr-orD is-distr (opotimesorD) d r

apply (simp add is-distr-def )apply (rule allI )+apply (rule distr-orD)apply (simp)

done

lemma is-strict-orD is-strict (opotimesorD) d r

apply (simp add is-strict-def )apply (simp add policy-range-comp-def )

done

lemma is-distr-2 is-distr (opotimes

2) d rapply (simp add is-distr-def )apply (rule allI )+apply (rule distr-or2 )

by simp

lemma is-strict-2 is-strict (opotimes

2) d rapply (simp only is-strict-def )apply simpapply (simp add policy-range-comp-def )

done

lemma domStart t isin dom p1 =rArr (p1oplus

p2 ) t = p1 tapply (simp add map-add-dom-app-simps)

done

lemma notDom x isin dom A =rArr not A x = Noneapply auto

done

The following theorems are crucial they establish the correctness of the distribution

lemma Norm-Distr-1 ((r o-f (((opotimes

1) P1 (list2policy P2 )) o d)) x =((list2policy ((P1

otimesL P2 ) (op

otimes1) r d)) x ))

proof (induct P2 )case Nil show caseby (simp add policy-range-comp-def list2policy-def )

nextcase (Cons p ps) show case using Consproof (cases x isin dom (r o-f ((P1

otimes1 p) d)))

41

case True show thesis using Trueby (auto simp list2policy-def policy-range-comp-def prod-1-def

split optionsplits decisionsplits prod splits)nextcase False show thesis using Cons False

by (auto simp list2policy-def policy-range-comp-def map-add-dom-app-simps(3 )prod-1-def

split optionsplits decisionsplits prod splits)qed

qed



otimesL P2 ) (op

otimes2) r d)) x ))proof (induct

P2 )case Nil show caseby (simp add policy-range-comp-def list2policy-def )


otimes2 p) d)))

case True show thesis using Trueby (auto simp list2policy-def prod-2-def policy-range-comp-def


by (auto simp policy-range-comp-def list2policy-def map-add-dom-app-simps(3 )prod-2-def


qed

lemma Norm-Distr-A ((r o-f (((opotimesorA) P1 (list2policy P2 )) o d)) x =

((list2policy ((P1otimes

L P2 ) (opotimesorA) r d)) x ))



otimesorA p) d)))

case True show thesis using Trueby (auto simp policy-range-comp-def list2policy-def prod-orA-def


by (auto simp policy-range-comp-def list2policy-def map-add-dom-app-simps(3 )

42

prod-orA-defsplit optionsplits decisionsplits prod splits)

qedqed

lemma Norm-Distr-D ((r o-f (((opotimesorD) P1 (list2policy P2 )) o d)) x =


L P2 ) (opotimesorD) r d)) x ))



otimesorD p) d)))

case True show thesis using Trueby (auto simp policy-range-comp-def list2policy-def prod-orD-def


by (auto simp policy-range-comp-def list2policy-def map-add-dom-app-simps(3 )prod-orD-def


qed

Some domain reasoning

lemma domSubsetDistr1 dom A = UNIV =rArr dom ((λ(x y) x ) o-f (Aotimes

1 B) o (λx (x x ))) = dom B

apply (rule set-eqI )apply (rule iffI )apply (auto simp prod-1-def policy-range-comp-def dom-def

split decisionsplits optionsplits prod splits)done


2 B) o (λx (x x ))) = dom B



lemma domSubsetDistrA dom A = UNIV =rArr dom ((λ(x y) x ) o-f (AotimesorA B) o

(λ x (x x ))) = dom B

43

apply (rule set-eqI )apply (rule iffI )apply (auto simp prod-orA-def policy-range-comp-def dom-def


lemma domSubsetDistrD dom A = UNIV =rArr dom ((λ(x y) x ) o-f (AotimesorD B) o

(λ x (x x ))) = dom Bapply (rule set-eqI )apply (rule iffI )apply (auto simp prod-orD-def policy-range-comp-def dom-def

split decisionsplits optionsplits prod splits)doneend

27 Policy Transformation for Testing

theoryNormalisationTestSpecification

importsNormalisation

begin

This theory provides functions and theorems which are useful if one wants to testpolicy which are transformed Most exist in two versions one where the domains of therules of the list (which is the result of a transformation) are pairwise disjoint and onewhere this applies not for the last rule in a list (which is usually a default rules)

The examples in the firewall case study provide a good documentation how thesetheories can be applied

This invariant establishes that the domains of a list of rules are pairwise disjoint

fun disjDom wheredisjDom (xxs) = ((forall yisin(set xs) dom x cap dom y = ) and disjDom xs)|disjDom [] = True

fun PUTList ( primea 7rarr primeb) rArr primea rArr ( primea 7rarr primeb) list rArr boolwherePUTList PUT x (pps) = ((x isin dom p minusrarr (PUT x = p x )) and (PUTList PUT x ps))|PUTList PUT x [] = True

lemma distrPUTL1 x isin dom P =rArr (list2policy PL) x = P x=rArr (PUTList PUT x PL =rArr (PUT x = P x ))

apply (induct PL)apply (auto simp list2policy-def dom-def )

44

done

lemma PUTList-None x isin dom (list2policy list) =rArr PUTList PUT x listapply (induct list)apply (auto simp list2policy-def dom-def )

done

lemma PUTList-DomMT (forall yisinset list dom a cap dom y = ) =rArr x isin (dom a) =rArr x isin dom (list2policy list)apply (induct list)apply (auto simp dom-def list2policy-def )

done

lemma distrPUTL2 x isin dom P =rArr (list2policy PL) x = P x =rArr disjDom PL =rArr (PUT x = P x ) =rArr

PUTList PUT x PLapply (induct PL)apply (simp-all add list2policy-def )apply (auto)apply (case-tac x isin dom a)apply (case-tac list2policy PL x = P x )apply (simp add list2policy-def )apply (rule PUTList-None)apply (rule-tac a = a in PUTList-DomMT )apply (simp-all add list2policy-def dom-def )

done

lemma distrPUTL[[x isin dom P (list2policy PL) x = P x disjDom PL]] =rArr (PUT x = P x ) = PUTList

PUT x PLapply (rule iffI )apply (rule distrPUTL2 )apply (simp-all)apply (rule-tac PL = PL in distrPUTL1 )apply (auto)

done

It makes sense to cater for the common special case where the normalisation returnsa list where the last element is a default-catch-all rule It seems easier to cater for thisglobally rather than to require the normalisation procedures to do this

fun gatherDomain-aux wheregatherDomain-aux (xxs) = (dom x cup (gatherDomain-aux xs))|gatherDomain-aux [] =

45

definition gatherDomain where gatherDomain p = (gatherDomain-aux (butlast p))

definition PUTListGD where PUTListGD PUT x p =(((x isin (gatherDomain p) and x isin dom (last p)) minusrarr PUT x = (last p) x ) and

(PUTList PUT x (butlast p)))

definition disjDomGD where disjDomGD p = disjDom (butlast p)

lemma distrPUTLG1 [[x isin dom P (list2policy PL) x = P x PUTListGD PUT x PL]]=rArr PUT x = P x

apply (induct PL)apply (simp-all add domIff PUTListGD-def disjDomGD-def gatherDomain-def

list2policy-def )apply (auto simp dom-def domIff split split-if-asm)

done

lemma distrPUTLG2 PL 6= [] =rArr x isin dom P =rArr (list2policy (PL)) x = P x =rArr disjDomGD PL =rArr(PUT x = P x ) =rArr PUTListGD PUT x (PL)

apply (simp add PUTListGD-def disjDomGD-def gatherDomain-def list2policy-def )apply (induct PL)apply (auto)apply (metis PUTList-DomMT PUTList-None domI )

done

lemma distrPUTLG [[x isin dom P (list2policy PL) x = P x disjDomGD PL PL 6= []]] =rArr(PUT x = P x ) = PUTListGD PUT x PLapply (rule iffI )apply (rule distrPUTLG2 )apply (simp-all)apply (rule-tac PL = PL in distrPUTLG1 )apply (auto)

done

end

28 Putting Everything Together UPF

theoryUPF

imports

46

NormalisationNormalisationTestSpecificationAnalysis

begin

This is the top-level theory for the Unified Policy Framework (UPF) and thus buildsthe base theory for using UPF For the moment we only define a set of lemmas for allcore UPF definitions that is useful for using UPF

lemmas UPFDefs = UPFCoreDefs ParallelDefs ElementaryPoliciesDefsend

47

3 Example

In this chapter we present a small example application of UPF for modeling accesscontrol for a Web service that might be used in a hospital This scenario is motivatedby our formalization of the NHS system [10 13]

UPF was also successfully used for modeling network security policies such as the onesenforced by firewalls [12 13] These models were also used for generating test cases usingHOL-TestGen [9]

31 Secure Service Specification

theoryService

importsUPF

begin

In this section we model a simple Web service and its access control model that allowsthe staff in a hospital to access health care records of patients

311 Datatypes for Modelling Users and Roles

Users

First we introduce a type for users that we use to model that each staff member has aunique id

type-synonym user = int

Similarly each patient has a unique id

type-synonym patient = int

Roles and Relationships

In our example we assume three different roles for members of the clinical staff

datatype role = ClinicalPractitioner | Nurse | Clerical

We model treatment relationships (legitimate relationships) between staff and patients(respectively their health records This access control model is inspired by our detailedNHS model

49

type-synonym lr-id = inttype-synonym LR = lr-id (user set)

The security context stores all the existing LRs

type-synonym Σ = patient LR

The user context stores the roles the users are in

type-synonym υ = user role

312 Modelling Health Records and the Web Service API

Health Records

The content and the status of the entries of a health record

datatype data = dummyContentdatatype status = Open | Closedtype-synonym entry-id = inttype-synonym entry = status times user times datatype-synonym SCR = (entry-id entry)type-synonym DB = patient SCR

The Web Service API

The operations provided by the service

datatype Operation = createSCR user role patient| appendEntry user role patient entry-id entry| deleteEntry user role patient entry-id| readEntry user role patient entry-id| readSCR user role patient| addLR user role patient lr-id (user set)| removeLR user role patient lr-id| changeStatus user role patient entry-id status| deleteSCR user role patient| editEntry user role patient entry-id entry

fun is-createSCR whereis-createSCR (createSCR u r p) = True|is-createSCR x = False

fun is-appendEntry whereis-appendEntry (appendEntry u r p e ei) = True|is-appendEntry x = False

fun is-deleteEntry where

50

is-deleteEntry (deleteEntry u r p e-id) = True|is-deleteEntry x = False

fun is-readEntry whereis-readEntry (readEntry u r p e) = True|is-readEntry x = False

fun is-readSCR whereis-readSCR (readSCR u r p) = True|is-readSCR x = False

fun is-changeStatus whereis-changeStatus (changeStatus u r p s ei) = True|is-changeStatus x = False

fun is-deleteSCR whereis-deleteSCR (deleteSCR u r p) = True|is-deleteSCR x = False

fun is-addLR whereis-addLR (addLR u r lrid lr us) = True|is-addLR x = False

fun is-removeLR whereis-removeLR (removeLR u r p lr) = True|is-removeLR x = False

fun is-editEntry whereis-editEntry (editEntry u r p e-id s) = True|is-editEntry x = False

fun SCROp (Operation times DB) SCR whereSCROp ((createSCR u r p) S ) = S p|SCROp ((appendEntry u r p ei e) S ) = S p|SCROp ((deleteEntry u r p e-id) S ) = S p|SCROp ((readEntry u r p e) S ) = S p|SCROp ((readSCR u r p) S ) = S p|SCROp ((changeStatus u r p s ei)S ) = S p|SCROp ((deleteSCR u r p)S ) = S p|SCROp ((editEntry u r p e-id s)S ) = S p|SCROp x = perp

fun patientOfOp Operation rArr patient wherepatientOfOp (createSCR u r p) = p

51

|patientOfOp (appendEntry u r p e ei) = p|patientOfOp (deleteEntry u r p e-id) = p|patientOfOp (readEntry u r p e) = p|patientOfOp (readSCR u r p) = p|patientOfOp (changeStatus u r p s ei) = p|patientOfOp (deleteSCR u r p) = p|patientOfOp (addLR u r p lr ei) = p|patientOfOp (removeLR u r p lr) = p|patientOfOp (editEntry u r p e-id s) = p

fun userOfOp Operation rArr user whereuserOfOp (createSCR u r p) = u|userOfOp (appendEntry u r p e ei) = u|userOfOp (deleteEntry u r p e-id) = u|userOfOp (readEntry u r p e) = u|userOfOp (readSCR u r p) = u|userOfOp (changeStatus u r p s ei) = u|userOfOp (deleteSCR u r p) = u|userOfOp (editEntry u r p e-id s) = u|userOfOp (addLR u r p lr ei) = u|userOfOp (removeLR u r p lr) = u

fun roleOfOp Operation rArr role whereroleOfOp (createSCR u r p) = r|roleOfOp (appendEntry u r p e ei) = r|roleOfOp (deleteEntry u r p e-id) = r|roleOfOp (readEntry u r p e) = r|roleOfOp (readSCR u r p) = r|roleOfOp (changeStatus u r p s ei) = r|roleOfOp (deleteSCR u r p) = r|roleOfOp (editEntry u r p e-id s) = r|roleOfOp (addLR u r p lr ei) = r|roleOfOp (removeLR u r p lr) = r

fun contentOfOp Operation rArr data wherecontentOfOp (appendEntry u r p ei e) = (snd (snd e))|contentOfOp (editEntry u r p ei e) = (snd (snd e))

fun contentStatic Operation rArr bool wherecontentStatic (appendEntry u r p ei e) = ((snd (snd e)) = dummyContent)|contentStatic (editEntry u r p ei e) = ((snd (snd e)) = dummyContent)|contentStatic x = True

fun allContentStatic where

52

allContentStatic (xxs) = (contentStatic x and allContentStatic xs)|allContentStatic [] = True

313 Modelling Access Control

In the following we define a rather complex access control model for our scenario thatextends traditional role-based access control (RBAC) [20] with treatment relationshipsand sealed envelopes Sealed envelopes (see [13] for details) are a variant of break-the-glass access control (see [8] for a general motivation and explanation of break-the-glassaccess control)

Sealed Envelopes

type-synonym SEPolicy = (Operation times DB 7rarr unit)

definition get-entry DB rArr patient rArr entry-id rArr entry option whereget-entry S p e-id = (case S p of perp rArr perp

| bScrc rArr Scr e-id)

definition userHasAccess user rArr entry rArr bool whereuserHasAccess u e = ((fst e) = Open or (fst (snd e) = u))

definition readEntrySE SEPolicy wherereadEntrySE x = (case x of (readEntry u r p e-id S ) rArr (case get-entry S p e-id of

perp rArr perp| bec rArr (if (userHasAccess u e)

then ballow ()celse bdeny ()c ))

| x rArr perp)

definition deleteEntrySE SEPolicy wheredeleteEntrySE x = (case x of (deleteEntry u r p e-id S ) rArr (case get-entry S p e-id of


then ballow ()celse bdeny ()c))

| x rArr perp)

definition editEntrySE SEPolicy whereeditEntrySE x = (case x of (editEntry u r p e-id sS ) rArr (case get-entry S p e-id of



53

| x rArr perp)

definition SEPolicy SEPolicy whereSEPolicy = editEntrySE

oplusdeleteEntrySE

oplusreadEntrySE

oplusAU

lemmas SEsimps = SEPolicy-def get-entry-def userHasAccess-defeditEntrySE-def deleteEntrySE-def readEntrySE-def

Legitimate Relationships

type-synonym LRPolicy = (Operation times Σ unit) policy

fun hasLR user rArr patient rArr Σ rArr bool wherehasLR u p Σ = (case Σ p of perp rArr False

| blrsc rArr (exist lr lrisin(ran lrs) and u isin lr))

definition LRPolicy LRPolicy whereLRPolicy = (λ(x y) (if hasLR (userOfOp x ) (patientOfOp x ) y


definition createSCRPolicy LRPolicy wherecreateSCRPolicy x = (if (is-createSCR (fst x ))

then ballow ()celse perp)

definition addLRPolicy LRPolicy whereaddLRPolicy x = (if (is-addLR (fst x ))


definition LR-Policy where LR-Policy = createSCRPolicyoplus

addLRPolicyoplus

LR-Policy

oplusAU

lemmas LRsimps = LR-Policy-def createSCRPolicy-def addLRPolicy-def LRPolicy-def

type-synonym FunPolicy = (Operation times DB times Σunit) policy

fun createFunPolicy FunPolicy wherecreateFunPolicy ((createSCR u r p)(D S )) = (if p isin dom D

then bdeny ()celse ballow ()c)

|createFunPolicy x = perp

54

fun addLRFunPolicy FunPolicy whereaddLRFunPolicy ((addLR u r p l us)(D S )) = (if l isin dom S


|addLRFunPolicy x = perp

fun removeLRFunPolicy FunPolicy whereremoveLRFunPolicy ((removeLR u r p l)(D S )) = (if l isin dom S

then ballow ()celse bdeny ()c)

|removeLRFunPolicy x = perp

fun readSCRFunPolicy FunPolicy wherereadSCRFunPolicy ((readSCR u r p)(D S )) = (if p isin dom D


|readSCRFunPolicy x = perp

fun deleteSCRFunPolicy FunPolicy wheredeleteSCRFunPolicy ((deleteSCR u r p)(D S )) = (if p isin dom D


|deleteSCRFunPolicy x = perp

fun changeStatusFunPolicy FunPolicy wherechangeStatusFunPolicy (changeStatus u r p e s(d S )) =

(case d p of bxc rArr (if e isin dom xthen ballow ()celse bdeny ()c)

| - rArr bdeny ()c)|changeStatusFunPolicy x = perp

fun deleteEntryFunPolicy FunPolicy wheredeleteEntryFunPolicy (deleteEntry u r p e(d S )) =


| - rArr bdeny ()c)|deleteEntryFunPolicy x = perp

fun readEntryFunPolicy FunPolicy wherereadEntryFunPolicy (readEntry u r p e(d S )) =

(case d p of bxc rArr (if e isin dom x

55


| - rArr bdeny ()c)|readEntryFunPolicy x = perp

fun appendEntryFunPolicy FunPolicy whereappendEntryFunPolicy (appendEntry u r p e ed (d S )) =

(case d p of bxc rArr (if e isin dom xthen bdeny ()celse ballow ()c)

| - rArr bdeny ()c)|appendEntryFunPolicy x = perp

fun editEntryFunPolicy FunPolicy whereeditEntryFunPolicy (editEntry u r p ei e(d S )) =

(case d p of bxc rArr (if ei isin dom xthen ballow ()celse bdeny ()c)

| - rArr bdeny ()c)|editEntryFunPolicy x = perp

definition FunPolicy whereFunPolicy = editEntryFunPolicy

oplusappendEntryFunPolicy

oplusreadEntryFunPolicy

oplusdeleteEntryFunPolicy

opluschangeStatusFunPolicy

oplusdeleteSCRFunPolicy

oplusremoveLRFunPolicy

oplusreadSCRFunPolicy

oplusaddLRFunPolicy

opluscreateFunPolicy

oplusAU

Modelling Core RBAC

type-synonym RBACPolicy = Operation times υ 7rarr unit

definition RBAC (role times Operation) set whereRBAC = (r f ) r = Nurse and is-readEntry f cup

(r f ) r = Nurse and is-readSCR f cup(r f ) r = ClinicalPractitioner and is-appendEntry f cup(r f ) r = ClinicalPractitioner and is-deleteEntry f cup(r f ) r = ClinicalPractitioner and is-readEntry f cup(r f ) r = ClinicalPractitioner and is-readSCR f cup(r f ) r = ClinicalPractitioner and is-changeStatus f cup(r f ) r = ClinicalPractitioner and is-editEntry f cup(r f ) r = Clerical and is-createSCR f cup(r f ) r = Clerical and is-deleteSCR f cup(r f ) r = Clerical and is-addLR f cup

56

(r f ) r = Clerical and is-removeLR f

definition RBACPolicy RBACPolicy whereRBACPolicy = (λ (f uc)

if ((roleOfOp f f ) isin RBAC and broleOfOp f c = uc (userOfOp f ))then ballow ()celse bdeny ()c)

314 The State Transitions and Output Function

State Transition

fun OpSuccessDB (Operation times DB) DB whereOpSuccessDB (createSCR u r pS ) = (case S p of perp rArr bS (p 7rarrempty)c

| bxc rArr bSc)|OpSuccessDB ((appendEntry u r p ei e)S ) =

(case S p of perp rArr bSc| bxc rArr ((if ei isin (dom x )

then bScelse bS (p 7rarr x (ei 7rarre))c)))

|OpSuccessDB ((deleteSCR u r p)S ) = (Some (S (p=perp)))|OpSuccessDB ((deleteEntry u r p ei)S ) =

(case S p of perp rArr bSc| bxc rArr Some (S (p 7rarr(x (ei =perp)))))

|OpSuccessDB ((changeStatus u r p ei s)S ) =(case S p of perp rArr bSc

| bxc rArr (case x ei ofbec rArr bS (p 7rarr x (ei 7rarr(ssnd e)))c| perp rArr bSc))

|OpSuccessDB ((editEntry u r p ei e)S ) =(case S p of perp rArrbSc

| bxc rArr (case x ei ofbec rArr bS (p 7rarr(x (ei 7rarr(e))))c

| perp rArr bSc))|OpSuccessDB (x S ) = bSc

fun OpSuccessSigma (Operation times Σ) Σ whereOpSuccessSigma (addLR u r p lr-id usS ) =

(case S p of blrsc rArr (case (lrs lr-id) ofperp rArr bS (p 7rarr(lrs(lr-id 7rarrus)))c| bxc rArr bSc)

| perp rArr bS (p 7rarr(empty(lr-id 7rarrus)))c)|OpSuccessSigma (removeLR u r p lr-id S ) =

57

(case S p of Some lrs rArr bS (p 7rarr(lrs(lr-id =perp)))c| perp rArr bSc)

|OpSuccessSigma (x S ) = bSc

fun OpSuccessUC (Operation times υ) υ whereOpSuccessUC (f u) = buc

Output

type-synonym Output = unit

fun OpSuccessOutput (Operation) Output whereOpSuccessOutput x = b()c

fun OpFailOutput Operation Output whereOpFailOutput x = b()c

315 Combine All Parts

definition SE-LR-Policy (Operation times DB times Σ unit) policy whereSE-LR-Policy = (λ(x x ) x ) of (SEPolicy

otimesorD LR-Policy) o (λ(abc) ((ab)ac))

definition SE-LR-FUN-Policy (Operation times DB times Σ unit) policy whereSE-LR-FUN-Policy = ((λ(x x ) x ) of (FunPolicy

otimesorD SE-LR-Policy) o (λa (aa)))

definition SE-LR-RBAC-Policy (Operation times DB times Σ times υ unit) policy whereSE-LR-RBAC-Policy = (λ(x x ) x )

of (RBACPolicyotimesorD SE-LR-FUN-Policy)

o (λ(abcd) ((ad)(abc)))

definition ST-Allow Operation times DB times Σ times υ Output times DB times Σ times υwhere ST-Allow = ((OpSuccessOutput

otimesM (OpSuccessDB

otimesS OpSuccessSigmaotimes

S OpSuccessUC ))o ( (λ(abc) ((a)(abc)))))

definition ST-Deny Operation times DB times Σ times υ Output times DB times Σ times υwhere ST-Deny = (λ (opespsi uc) Some (() spsi uc))

definition SE-LR-RBAC-ST-Policy Operation times DB times Σ times υ 7rarr Output times DB times

58

Σ times υwhere SE-LR-RBAC-ST-Policy = ((λ (x y)y)

of ((ST-Allow ST-Deny)otimesnabla SE-LR-RBAC-Policy)

o (λx (x x )))

definition PolMon Operation rArr (Output decisionDB times Σ times υ) MON SE

where PolMon = (policy2MON SE-LR-RBAC-ST-Policy)

end

32 Instantiating Our Secure Service Example

theoryServiceExample

importsService

begin

In the following we briefly present an instantiations of our secure service examplefrom the last section We assume three different members of the health care staff andtwo patients

321 Access Control Configuration

definition alice user where alice = 1definition bob user where bob = 2definition charlie user where charlie = 3definition patient1 patient where patient1 = 5definition patient2 patient where patient2 = 6

definition UC0 υ whereUC0 = empty(alice 7rarrNurse)(bob 7rarrClinicalPractitioner)(charlie 7rarrClerical)

definition entry1 entry whereentry1 = (Openalice dummyContent)

definition entry2 entry whereentry2 = (Closed bob dummyContent)

definition entry3 entry whereentry3 = (Closed alice dummyContent)

definition SCR1 SCR whereSCR1 = (Mapempty(1 7rarrentry1 ))

59

definition SCR2 SCR whereSCR2 = (Mapempty)

definition Spine0 DB whereSpine0 = empty(patient1 7rarrSCR1 )(patient2 7rarrSCR2 )

definition LR1 LR whereLR1 =(empty(1 7rarralice))

definition Σ0 Σ whereΣ0 = (empty(patient1 7rarrLR1 ))

322 The Initial System State

definition σ0 DB times Σtimesυ whereσ0 = (Spine0 Σ0 UC0 )


lemma [simp] (case a of allow d rArr bX c | deny d2 rArr bY c) = perp =rArr Falseby (case-tac asimp-all)

lemma [cong simp]((if hasLR urp1-alice 1 Σ0 then ballow ()c else bdeny ()c) = perp) = False

by (simp)

lemmas MonSimps = valid-SE-def unit-SE-def bind-SE-deflemmas Psplits = optionsplits unit splits prod splits decisionsplitslemmas PolSimps = valid-SE-def unit-SE-def bind-SE-def if-splits policy2MON-def

SE-LR-RBAC-ST-Policy-def map-add-def id-def LRsimps prod-2-defRBACPolicy-def

SE-LR-Policy-def SEPolicy-def RBAC-def deleteEntrySE-def editEntrySE-def

readEntrySE-def σ0-def Σ0-def UC0-def patient1-def patient2-def LR1-def

alice-def bob-def charlie-def get-entry-def SE-LR-RBAC-Policy-def Allow-def

Deny-def dom-restrict-def policy-range-comp-def prod-orA-def prod-orD-def

ST-Allow-def ST-Deny-def Spine0-def SCR1-def SCR2-def entry1-defentry2-def

entry3-def FunPolicy-def SE-LR-FUN-Policy-def o-def image-def UPFDefs

60

lemma SE-LR-RBAC-Policy ((createSCR alice Clerical patient1 )σ0 )= Some (deny())by (simp add PolSimps)

lemma exBool [simp] exist abool a by auto

lemma deny-allow [simp] bdeny ()c isin Some lsquo range allow by auto

lemma allow-deny [simp] ballow ()c isin Some lsquo range deny by auto

Policy as monad Alice using her first urp can read the SCR of patient1

lemma(σ0 |= (os larr mbind [(createSCR alice Clerical patient1 )] (PolMon)

(return (os = [(deny (Out) )]))))by (simp add PolMon-def MonSimps PolSimps)

Presenting her other urp she is not allowed to read it

lemma SE-LR-RBAC-Policy ((appendEntry alice Clerical patient1 ei d)σ0 )= bdeny()cby (simp add PolSimps)

end

61

4 Conclusion and Related Work

41 Related Work

With Barker [3] our UPF shares the observation that a broad range of access controlmodels can be reduced to a surprisingly small number of primitives together with a setof combinators or relations to build more complex policies We also share the vision thatthe semantics of access control models should be formally defined In contrast to [3] UPFuses higher-order constructs and more importantly is geared towards machine supportfor (formally) transforming policies and supporting model-based test case generationapproaches

42 Conclusion Future Work

We have presented a uniform framework for modelling security policies This mightbe regarded as merely an interesting academic exercise in the art of abstraction espe-cially given the fact that underlying core concepts are logically equivalent but presentedremarkably different frommdashapparently simplemdashsecurity textbook formalisations How-ever we have successfully used the framework to model fully the large and complexinformation governance policy of a national health-care record system as described inthe official documents [10] as well as network policies [12] Thus we have shown theframework being able to accommodate relatively conventional RBAC [20] mechanismsalongside less common ones such as Legitimate Relationships These security conceptsare modelled separately and combined into one global access control mechanism More-over we have shown the practical relevance of our model by using it in our test gener-ation system HOL-TestGen [9] translating informal security requirements into formaltest specifications to be processed to test sequences for a distributed system consistingof applications accessing a central record storage system

Besides applying our framework to other access control models we plan to developspecific test case generation algorithms Such domain-specific algorithms allow by ex-ploiting knowledge about the structure of access control models respectively the UPFfor a deeper exploration of the test space Finally this results in an improved testcoverage

63

5 Appendix

51 Basic Monad Theory for Sequential Computations

theoryMonads

importsMain

begin

511 General Framework for Monad-based Sequence-Test

As such Higher-order Logic as a purely functional specification formalism has no built-in mechanism for state and state-transitions Forms of testing involving state requiretherefore explicit mechanisms for their treatment inside the logic a well-known techniqueto model states inside purely functional languages are monads made popular by Wadlerand Moggi and extensively used in Haskell HOLis powerful enough to represent themost important standard monads however it is not possible to represent monads assuch due to well-known limitations of the Hindley-Milner type-system

Here is a variant for state-exception monads that models precisely transition functionswith preconditions Next we declare the state-backtrack-monad In all of them ourconcept of io-stepping functions can be formulated these are functions mapping inputto a given monad Later on we will build the usual concepts of

1 deterministic io automata

2 non-deterministic io automata and

3 labelled transition systems (LTS)

State Exception Monads

type-synonym ( primeo primeσ) MON SE = primeσ ( primeo times primeσ)

definition bind-SE ( primeo primeσ)MON SE rArr ( primeo rArr ( primeo prime primeσ)MON SE) rArr ( primeo prime primeσ)MON SE

where bind-SE f g = (λσ case f σ of None rArr None| Some (out σ prime) rArr g out σ prime)

notation bind-SE (bindSE)syntax (xsymbols)

65

-bind-SE [pttrn( primeo primeσ)MON SE (primeo prime primeσ)MON SE ] rArr ( primeo prime primeσ)MON SE

((2 - larr - -) [5 8 8 ]8 )translations

x larr f g CONST bind-SE f ( x g)

definition unit-SE primeo rArr ( primeo primeσ)MON SE ((return -) 8 )where unit-SE e = (λσ Some(eσ))notation unit-SE (unitSE)

definition failSE ( primeo primeσ)MON SE

where failSE = (λσ None)notation failSE (failSE)

definition assert-SE ( primeσ rArr bool) rArr (bool primeσ)MON SE

where assert-SE P = (λσ if P σ then Some(Trueσ) else None)notation assert-SE (assertSE)

definition assume-SE ( primeσ rArr bool) rArr (unit primeσ)MON SE

where assume-SE P = (λσ if existσ P σ then Some(() SOME σ P σ) else None)notation assume-SE (assumeSE)

definition if-SE [ primeσ rArr bool ( primeα primeσ)MON SE ( primeα primeσ)MON SE ] rArr ( primeα primeσ)MON SE

where if-SE c E F = (λσ if c σ then E σ else F σ)notation if-SE (if SE)

The standard monad theorems about unit and associativity

lemma bind-left-unit (x larr return a k) = kapply (simp add unit-SE-def bind-SE-def )

done

lemma bind-right-unit (x larr m return x ) = mapply (simp add unit-SE-def bind-SE-def )apply (rule ext)apply (case-tac m σ)apply ( simp-all)

done

lemma bind-assoc (y larr (x larr m k) h) = (x larr m (y larr k h))apply (simp add unit-SE-def bind-SE-def )apply (rule ext)apply (case-tac m σ simp-all)apply (case-tac a simp-all)

done

In order to express test-sequences also on the object-level and to make our theory

66

amenable to formal reasoning over test-sequences we represent them as lists of input andgeneralize the bind-operator of the state-exception monad accordingly The approach isstraightforward but comes with a price we have to encapsulate all input and output datainto one type Assume that we have a typed interface to a module with the operationsop1 op2 opn with the inputs ι1 ι2 ιn (outputs are treated analogously) Thenwe can encode for this interface the general input - type

datatype in = op1 ι1 | | ιn

Obviously we loose some type-safety in this approach we have to express that in tracesonly corresponding input and output belonging to the same operation will occur thisform of side-conditions have to be expressed inside HOL From the user perspective thiswill not make much difference since junk-data resulting from too weak typing can beruled out by adopted front-ends

In order to express test-sequences also on the object-level and to make our theoryamenable to formal reasoning over test-sequences we represent them as lists of inputand generalize the bind-operator of the state-exception monad accordingly Thus thenotion of test-sequence is mapped to the notion of a computation a semantic notionat times we will use reifications of computations i e a data-type in order to makecomputation amenable to case-splitting and meta-theoretic reasoning To this end wehave to encapsulate all input and output data into one type Assume that we have atyped interface to a module with the operations op1 op2 opn with the inputs ι1ι2 ιn (outputs are treated analogously) Then we can encode for this interface thegeneral input - type

datatype in = op1 ι1 | | ιnObviously we loose some type-safety in this approach we have to express that in tracesonly corresponding input and output belonging to the same operation will occur thisform of side-conditions have to be expressed inside HOL From the user perspective thiswill not make much difference since junk-data resulting from too weak typing can beruled out by adopted front-ends

Note that the subsequent notion of a test-sequence allows the io stepping function(and the special case of a program under test) to stop execution within the sequencesuch premature terminations are characterized by an output list which is shorter thanthe input list Note that our primary notion of multiple execution ignores failure andreports failure steps only by missing results

fun mbind primeι list rArr ( primeι rArr ( primeo primeσ) MON SE) rArr ( primeo list primeσ) MON SE

where mbind [] iostep σ = Some([] σ) |mbind (aH ) iostep σ =

(case iostep a σ ofNone rArr Some([] σ)

| Some (out σ prime) rArr (case mbind H iostep σ prime ofNone rArr Some([out ]σ prime)| Some(outsσ primeprime) rArr Some(outoutsσ primeprime)))

67

As mentioned this definition is fail-safe in case of an exception the current state ismaintained no result is reported An alternative is the fail-strict variant mbind prime definedbelow

lemma mbind-unit [simp] mbind [] f = (return [])by(rule ext simp add unit-SE-def )

lemma mbind-nofailure [simp] mbind S f σ 6= Noneapply (rule-tac x=σ in spec)apply (induct S )apply (auto simpunit-SE-def )apply (case-tac f a x )

apply ( auto)apply (erule-tac x=b in allE )apply (erule exE )apply (erule exE )apply (simp)

done

The fail-strict version of mbind prime looks as follows

fun mbind prime primeι list rArr ( primeι rArr ( primeo primeσ) MON SE) rArr ( primeo list primeσ) MON SE

where mbind prime [] iostep σ = Some([] σ) |mbind prime (aH ) iostep σ =

(case iostep a σ ofNone rArr None

| Some (out σ prime) rArr (case mbind H iostep σ prime ofNone rArr None (lowast failminusstrict lowast)| Some(outsσ primeprime) rArr Some(outoutsσ primeprime)))

mbindrsquo as failure strict operator can be seen as a foldr on bindmdashif the types wouldmatch

definition try-SE ( primeo primeσ) MON SE rArr ( primeo option primeσ) MON SE

where try-SE ioprog = (λσ case ioprog σ ofNone rArr Some(None σ)| Some(outs σ prime) rArr Some(Some outs σ prime))

In contrast mbind as a failure safe operator can roughly be seen as a foldr on bind -try m1 try m2 try m3 Note that the rough equivalence only holds for certainpredicates in the sequence - length equivalence modulo None for example However ifa conditional is added the equivalence can be made precise

lemma mbind-try (x larr mbind (aS ) F M x ) =(a primelarr try-SE (F a)

if a prime = Nonethen (M [])

68

else (x larr mbind S F M (the a prime x )))apply (rule ext)apply (simp add bind-SE-def try-SE-def )apply (case-tac F a x )

apply (auto)apply (simp add bind-SE-def try-SE-def )apply (case-tac mbind S F b)

apply (auto)done

On this basis a symbolic evaluation scheme can be established that reduces mbind -code to try-SE -code and If-cascades

definition alt-SE [( primeo primeσ)MON SE ( primeo primeσ)MON SE ] rArr ( primeo primeσ)MON SE (infixluSE 10 )where (f uSE g) = (λ σ case f σ of None rArr g σ

| Some H rArr Some H )

definition malt-SE ( primeo primeσ)MON SE list rArr ( primeo primeσ)MON SE

where malt-SE S = foldr alt-SE S failSE

notation malt-SE (d

SE)

lemma malt-SE-mt [simp]d

SE [] = failSE

by(simp add malt-SE-def )

lemma malt-SE-cons [simp]d

SE (a S ) = (a uSE (d

SE S ))by(simp add malt-SE-def )

State-Backtrack Monads

This subsection is still rudimentary and as such an interesting formal analogue to theprevious monad definitions It is doubtful that it is interesting for testing and as acomputational structure at all Clearly more relevant is ldquosequencerdquo instead of ldquosetrdquowhich would rephrase Isabellersquos internal tactic concept

type-synonym ( primeo primeσ) MON SB = primeσ rArr ( primeo times primeσ) set

definition bind-SB ( primeo primeσ)MON SB rArr ( primeo rArr ( primeo prime primeσ)MON SB) rArr ( primeo prime primeσ)MON SB

where bind-SB f g σ =⋃

((λ(out σ) (g out σ)) lsquo (f σ))notation bind-SB (bindSB)

definition unit-SB primeo rArr ( primeo primeσ)MON SB ((returns -) 8 )where unit-SB e = (λσ (eσ))notation unit-SB (unitSB)

69

syntax (xsymbols) -bind-SB [pttrn( primeo primeσ)MON SB(primeo prime primeσ)MON SB] rArr

( primeo prime primeσ)MON SB

((2 - = - -) [5 8 8 ]8 )translations

x = f g CONST bind-SB f ( x g)

lemma bind-left-unit-SB (x = returns a m) = mapply (rule ext)apply (simp add unit-SB-def bind-SB-def )

done

lemma bind-right-unit-SB (x = m returns x ) = mapply (rule ext)apply (simp add unit-SB-def bind-SB-def )

done

lemma bind-assoc-SB (y = (x = m k) h) = (x = m (y = k h))apply (rule ext)apply (simp add unit-SB-def bind-SB-def split-def )

done

State Backtrack Exception Monad

The following combination of the previous two Monad-Constructions allows for the se-mantic foundation of a simple generic assertion language in the style of Schirmerrsquos Simpl-Language or Rustan Leinorsquos Boogie-PL language The key is to use the exceptionalelement None for violations of the assert-statement

type-synonym ( primeo primeσ) MON SBE = primeσ rArr (( primeo times primeσ) set) option

definition bind-SBE ( primeo primeσ)MON SBE rArr ( primeo rArr ( primeo prime primeσ)MON SBE) rArr( primeo prime primeσ)MON SBE

where bind-SBE f g = (λσ case f σ of None rArr None| Some S rArr (let S prime = (λ(out σ prime) g out σ prime) lsquo S

in if None isin S prime then Noneelse Some(

⋃(the lsquo S prime))))

syntax (xsymbols) -bind-SBE [pttrn( primeo primeσ)MON SBE (primeo prime primeσ)MON SBE ] rArr

( primeo prime primeσ)MON SBE

((2 - equiv - -) [5 8 8 ]8 )translations

x equiv f g CONST bind-SBE f ( x g)

definition unit-SBE primeo rArr ( primeo primeσ)MON SBE ((returning -) 8 )where unit-SBE e = (λσ Some((eσ)))

70

definition assert-SBE ( primeσ rArr bool) rArr (unit primeσ)MON SBE

where assert-SBE e = (λσ if e σ then Some((()σ))else None)

notation assert-SBE (assertSBE)

definition assume-SBE ( primeσ rArr bool) rArr (unit primeσ)MON SBE

where assume-SBE e = (λσ if e σ then Some((()σ))else Some )

notation assume-SBE (assumeSBE)

definition havoc-SBE (unit primeσ)MON SBE

where havoc-SBE = (λσ Some(x True))notation havoc-SBE (havocSBE)

lemma bind-left-unit-SBE (x equiv returning a m) = mapply (rule ext)apply (simp add unit-SBE-def bind-SBE-def )

done

lemma bind-right-unit-SBE (x equiv m returning x ) = mapply (rule ext)apply (simp add unit-SBE-def bind-SBE-def )apply (case-tac m x )

apply (simp-all add Let-def )apply (rule HOLccontr)apply (simp add Set image-iff )

done

lemmas aux = trans[OF HOLneq-commuteOF Optionnot-None-eq ]

lemma bind-assoc-SBE (y equiv (x equiv m k) h) = (x equiv m (y equiv k h))proof (rule ext simp add unit-SBE-def bind-SBE-def

case-tac m x simp-all add Let-def Set image-iff safe)case goal1 then show case

by(rule-tac x=(a b) in bexI simp-all)next

case goal2 then show caseapply (rule-tac x=(aa b) in bexI simp-all add split-def )apply (erule-tac x=(aab) in ballE )apply (auto simp aux image-def split-def intro rev-bexI )

donenext

case goal3 then show case

71


case goal4 then show caseapply (erule-tac Q=None = X in contrapos-pp)apply (erule-tac x=(aab) and P=λ x None 6= split (λout k) x in ballE )apply (auto simp aux image-def split-def intro rev-bexI )

donenext

case goal5 then show caseapply simp apply ((erule-tac x=(abba) in ballE )+)apply (simp-all add aux (erule exE )+ simp add split-def )apply (erule rev-bexI case-tac Noneisin(λp h(snd p))lsquoy auto simpsplit-def )

done

nextcase goal6 then show case

apply simp apply ((erule-tac x=(ab) in ballE )+)apply (simp-all add aux (erule exE )+ simp add split-def )apply (erule rev-bexI case-tac Noneisin(λp h(snd p))lsquoy auto simpsplit-def )

doneqed

512 Valid Test Sequences in the State Exception Monad

This is still an unstructured merge of executable monad concepts and specification ori-ented high-level properties initiating test procedures

definition valid-SE primeσ rArr (bool primeσ) MON SE rArr bool (infix |= 15 )where (σ |= m) = (m σ 6= None and fst(the (m σ)))

This notation consideres failures as validmdasha definition inspired by IO conformanceNote that it is not possible to define this concept once and for all in a Hindley-Milnertype-system For the moment we present it only for the state-exception monad althoughfor the same definition this notion is applicable to other monads as well

lemma syntax-test σ |= (os larr (mbind ιs ioprog) return(length ιs = length os))

oops

lemma valid-true[simp] (σ |= (s larr return x return (P s))) = P xby(simp add valid-SE-def unit-SE-def bind-SE-def )

Recall mbind unit for the base case

lemma valid-failure ioprog a σ = None =rArr(σ |= (s larr mbind (aS ) ioprog M s)) =

72

(σ |= (M []))by(simp add valid-SE-def unit-SE-def bind-SE-def )

lemma valid-failure prime A σ = None =rArr not(σ |= ((s larr A M s)))by(simp add valid-SE-def unit-SE-def bind-SE-def )

lemma valid-successElemM σ = Some(f σσ) =rArr (σ |= M ) = f σ

by(simp add valid-SE-def unit-SE-def bind-SE-def )

lemma valid-success ioprog a σ = Some(bσ prime) =rArr(σ |= (s larr mbind (aS ) ioprog M s)) =(σ prime |= (s larr mbind S ioprog M (bs)))

apply (simp add valid-SE-def unit-SE-def bind-SE-def )apply (cases mbind S ioprog σ prime auto)

done

lemma valid-success primeprime ioprog a σ = Some(bσ prime) =rArr(σ |= (s larr mbind (aS ) ioprog return (P s))) =(σ prime |= (s larr mbind S ioprog return (P (bs))))

apply (simp add valid-SE-def unit-SE-def bind-SE-def )apply (cases mbind S ioprog σ prime)apply (simp-all)apply (auto)

done

lemma valid-success prime A σ = Some(bσ prime) =rArr (σ |= ((s larr A M s))) = (σ prime |= (M b))by(simp add valid-SE-def unit-SE-def bind-SE-def )

lemma valid-both (σ |= (s larr mbind (aS ) ioprog return (P s))) =(case ioprog a σ of

None rArr (σ |= (return (P [])))| Some(bσ prime) rArr (σ prime |= (s larr mbind S ioprog return (P (bs)))))

apply (case-tac ioprog a σ)apply (simp-all add valid-failure valid-success primeprime split prod splits)

done

lemma valid-propagate-1 [simp] (σ |= (return P)) = (P)by(auto simp valid-SE-def unit-SE-def )

lemma valid-propagate-2 σ |= ((s larr A M s)) =rArr exist v σ prime the(A σ) = (v σ prime) and σ prime|= (M v)

73

apply (auto simp valid-SE-def unit-SE-def bind-SE-def )apply (cases A σ)apply (simp-all)apply (drule-tac x=A σ and f =the in arg-cong)apply (simp)apply (rule-tac x=fst aa in exI )apply (rule-tac x=snd aa in exI )apply (auto)

done

lemma valid-propagate-2 prime σ |= ((s larr A M s)) =rArr exist a (A σ) = Some a and (snd a)|= (M (fst a))

apply (auto simp valid-SE-def unit-SE-def bind-SE-def )apply (cases A σ)apply (simp-all)apply (simp-all split prod splits)apply (drule-tac x=A σ and f =the in arg-cong)apply (simp)apply (rule-tac x=fst aa in exI )apply (rule-tac x=snd aa in exI )apply (auto)

done

lemma valid-propagate-2 primeprime σ |= ((s larr A M s)) =rArr exist v σ prime A σ = Some(v σ prime) and σ prime|= (M v)


done

lemma valid-propoagate-3 [simp] (σ0 |= (λσ Some (f σ σ))) = (f σ0)by(simp add valid-SE-def )

lemma valid-propoagate-3 prime[simp] not(σ0 |= (λσ None))by(simp add valid-SE-def )

74

lemma assert-disch1 P σ =rArr (σ |= (x larr assertSE P M x )) = (σ |= (M True))by(auto simp bind-SE-def assert-SE-def valid-SE-def )

lemma assert-disch2 not P σ =rArr not (σ |= (x larr assertSE P M s))by(auto simp bind-SE-def assert-SE-def valid-SE-def )

lemma assert-disch3 not P σ =rArr not (σ |= (assertSE P))by(auto simp bind-SE-def assert-SE-def valid-SE-def )

lemma assert-D (σ |= (x larr assertSE P M x )) =rArr P σ and (σ |= (M True))by(auto simp bind-SE-def assert-SE-def valid-SE-def split HOLsplit-if-asm)

lemma assume-D (σ |= (x larr assumeSE P M x )) =rArr exist σ (P σ and σ |= (M ()))apply (auto simp bind-SE-def assume-SE-def valid-SE-def split HOLsplit-if-asm)apply (rule-tac x=Eps P in exI )apply (auto)apply (rule-tac x=True in exI rule-tac x=b in exI )apply (subst Hilbert-ChoicesomeI )

apply (assumption)apply (simp)

apply (subst Hilbert-ChoicesomeI assumption)apply (simp)

done

These two rule prove that the SE Monad in connection with the notion of valid se-quence is actually sufficient for a representation of a Boogie-like language The SBEmonad with explicit sets of statesmdashto be shown belowmdashis strictly speaking not neces-sary (and will therefore be discontinued in the development)

lemma if-SE-D1 P σ =rArr (σ |= if SE P B1 B2) = (σ |= B1)by(auto simp if-SE-def valid-SE-def )

lemma if-SE-D2 not P σ =rArr (σ |= if SE P B1 B2) = (σ |= B2)by(auto simp if-SE-def valid-SE-def )

lemma if-SE-split-asm (σ |= if SE P B1 B2) = ((P σ and (σ |= B1)) or (not P σ and (σ|= B2)))

by(cases P σauto simp if-SE-D1 if-SE-D2 )

lemma if-SE-split (σ |= if SE P B1 B2) = ((P σ minusrarr (σ |= B1)) and (not P σ minusrarr (σ|= B2)))

by(cases P σ auto simp if-SE-D1 if-SE-D2 )

lemma [code] (σ |= m) = (case (m σ) of None rArr False | (Some (x y)) rArr x )apply (simp add valid-SE-def )

75

apply (cases m σ = None)apply (simp-all)apply (insert not-None-eq)apply (auto)

done

513 Valid Test Sequences in the State Exception Backtrack Monad


definition valid-SBE primeσ rArr ( primea primeσ) MON SBE rArr bool (infix |=SBE 15 )where σ |=SBE m equiv (m σ 6= None)

This notation considers all non-failures as valid

lemma assume-assert (σ |=SBE ( - equiv assumeSBE P assertSBE Q)) = (P σ minusrarr Qσ)

by(simp add valid-SBE-def assume-SBE-def assert-SBE-def bind-SBE-def )

lemma assert-intro Q σ =rArr σ |=SBE (assertSBE Q)by(simp add valid-SBE-def assume-SBE-def assert-SBE-def bind-SBE-def )

end

76

Bibliography

[1] American National Standard for Information Technology ndash Role Based Access Con-trol ANSI New York Feb 2004 ANSI INCITS 359-2004

[2] C A Ardagna S D C di Vimercati S Foresti T W Grandison S Jajodia andP Samarati Access control for smarter healthcare using policy spaces Computersamp Security 2010 ISSN 0167-4048 doi 101016jcose201007001

[3] S Barker The next 700 access control models or a unifying meta-model InProceedings of the 14th ACM symposium on Access control models and technologiesSACMAT rsquo09 pages 187ndash196 New York NY USA 2009 ACM Press ISBN 978-1-60558-537-6 doi 10114515422071542238

[4] M Y Becker Information governance in nhsrsquos npfit A case for policy specificationInternational Journal of Medical Informatics 76(5-6)432ndash437 2007 ISSN 1386-5056 doi 101016jijmedinf200609008

[5] D E Bell Looking back at the bell-la padula model pages 337ndash351 Los AlamitosCA USA 2005 pub-ieee ISBN 1063-9527 doi 101109CSAC200537

[6] D E Bell and L J LaPadula Secure computer systems A mathematical modelvolume II In Journal of Computer Security 4 pages 229ndash263 1996 An electronicreconstruction of Secure Computer Systems Mathematical Foundations 1973

[7] E Bertino P A Bonatti and E Ferrari Trbac A temporal role-based accesscontrol model ACM Trans Inf Syst Secur 4(3)191ndash233 2001 ISSN 1094-9224doi 101145501978501979

[8] A D Brucker and H Petritsch Extending access control models with break-glassIn B Carminati and J Joshi editors ACM symposium on access control modelsand technologies (SACMAT) pages 197ndash206 ACM Press New York NY USA2009 ISBN 978-1-60558-537-6 doi 10114515422071542239 URL httpwwwbruckerchbibliographyabstractbruckerea-extending-2009

[9] A D Brucker and B Wolff On theorem prover-based testing Formal As-pects of Computing 25(5)683ndash721 2013 ISSN 0934-5043 doi 101007s00165-012-0222-y URL httpwwwbruckerchbibliographyabstractbruckerea-theorem-prover-2012

[10] A D Brucker L Brugger P Kearney and B Wolff An approach to modu-lar and testable security models of real-world health-care applications In ACM

77

symposium on access control models and technologies (SACMAT) pages 133ndash142 New York NY USA 2011 ACM Press ISBN 978-1-4503-0688-1 doi10114519984411998461 URL httpwwwbruckerchbibliographyabstractbruckerea-model-based-2011

[11] A D Brucker L Brugger and B Wolff HOL-TestGenFW an environmentfor specification-based firewall conformance testing In Z Liu J Woodcockand H Zhu editors International Colloquium on Theoretical Aspects of Comput-ing (ICTAC) number 8049 in Lecture Notes in Computer Science pages 112ndash121 Springer-Verlag Heidelberg 2013 ISBN 978-3-642-39717-2 doi 101007978-3-642-39718-9 7 URL httpwwwbruckerchbibliographyabstractbruckerea-hol-testgen-fw-2013

[12] A D Brucker L Brugger and B Wolff Formal firewall conformance testing Anapplication of test and proof techniques Software Testing Verification amp Reliability(STVR) 2014 doi 101002stvr1544 URL httpwwwbruckerchbibliographyabstractbruckerea-formal-fw-testing-2014

[13] L Brugger A Framework for Modelling and Testing of Security Policies PhDthesis ETH Zurich 2012 URL httpwwwbruckerchbibliographyabstractbruegger-generation-2012 ETH Dissertation No 20513

[14] A Ferreira D Chadwick P Farinha G Zhao R Chilro R Cruz-Correia andL Antunes How to securely break into rbac the btg-rbac model In AnnualComputer Security Applications Conference (ACSAC) 2009

[15] N Li J Byun and E Bertino A critique of the ansi standard on role-based accesscontrol Security Privacy IEEE 5(6)41ndash49 nov-dec 2007 ISSN 1540-7993 doi101109MSP2007158

[16] M Moyer and M Abamad Generalized role-based access control DistributedComputing Systems 2001 21st International Conference on pages 391ndash398 Apr2001 doi 101109ICDSC2001918969

[17] OASIS eXtensible Access Control Markup Language (XACML) version 20 2005URL httpdocsoasis-openorgxacml20XACML-20-OS-NORMATIVEzip

[18] A Samuel A Ghafoor and E Bertino Context-aware adaptation of access-controlpolicies Internet Computing IEEE 12(1)51ndash54 2008 ISSN 1089-7801 doi101109MIC20086

[19] R Sandhu V Bhamidipati and Q Munawer The arbac97 model for role-basedadministration of roles ACM Transactions on Information and System Security 2(1)105ndash135 1999 ISSN 1094-9224 doi 101145300830300839

[20] R S Sandhu E J Coyne H L Feinstein and C E Youman Role-based accesscontrol models Computer 29(2)38ndash47 1996 ISSN 0018-9162 URL httpitegmuedulistjournalscomputerpdf veri94rbac(org)pdf

78

[21] R S Sandhu D F Ferraiolo and D R Kuhn The nist model for role-basedaccess control towards a unified standard In ACM Workshop on Role-Based AccessControl pages 47ndash63 2000 doi 101145344287344301

[22] J Wainer A Kumar and P Barthelmess Dw-rbac A formal security model ofdelegation and revocation in workflow systems Inf Syst 32(3)365ndash384 2007ISSN 0306-4379 doi httpdxdoiorg101016jis200511008

79

Introduction

The Unified Policy Framework (UPF)

The Core of the Unified Policy Framework (UPF)

Foundation

Policy Constructors

Override Operators

Coercion Operators

Elementary Policies

The Core Policy Combinators Allow and Deny Everything

Common Instances

Domain Range and Restrictions

Sequential Composition

Flattening

Policy Composition

Parallel Composition

Parallel Combinators Foundations

Combinators for Transition Policies

Range Splitting

Distributivity of the parallel combinators

Properties on Policies

Basic Properties

Combined Data-Policy Refinement

Equivalence of Policies

Policy Transformations

Elementary Operators

Distributivity of the Transformation

Policy Transformation for Testing

Putting Everything Together UPF

Example

Secure Service Specification

Datatypes for Modelling Users and Roles

Modelling Health Records and the Web Service API

Modelling Access Control

The State Transitions and Output Function

Combine All Parts

Instantiating Our Secure Service Example

Access Control Configuration

The Initial System State

Basic Properties

Conclusion and Related Work

Related Work

Conclusion Future Work

Appendix

Basic Monad Theory for Sequential Computations

General Framework for Monad-based Sequence-Test

Valid Test Sequences in the State Exception Monad

Valid Test Sequences in the State Exception Backtrack Monad

Contents

1 Introduction 5

2 The Unified Policy Framework (UPF) 721 The Core of the Unified Policy Framework (UPF) 7

211 Foundation 7

212 Policy Constructors 8

213 Override Operators 9

214 Coercion Operators 11

22 Elementary Policies 14

221 The Core Policy Combinators Allow and Deny Everything 14

222 Common Instances 15

223 Domain Range and Restrictions 17

23 Sequential Composition 21

231 Flattening 21

232 Policy Composition 24

24 Parallel Composition 25

241 Parallel Combinators Foundations 26

242 Combinators for Transition Policies 29

243 Range Splitting 29

244 Distributivity of the parallel combinators 30

25 Properties on Policies 32

251 Basic Properties 32

252 Combined Data-Policy Refinement 34

253 Equivalence of Policies 34

26 Policy Transformations 35

261 Elementary Operators 36

262 Distributivity of the Transformation 40

27 Policy Transformation for Testing 44

28 Putting Everything Together UPF 46

3 Example 4931 Secure Service Specification 49

311 Datatypes for Modelling Users and Roles 49

312 Modelling Health Records and the Web Service API 50

313 Modelling Access Control 53

314 The State Transitions and Output Function 57

3






4

1 Introduction









5



theoryUPFCore

importsMonads

begin

211 Foundation







7















8

empty CONST empty
















oplus100 )

translationspoplus

q q ++ p

9



by simp


p = pby simp


(p2oplus

p3 ) = (p1oplus

p2 )oplus

p3by simp





)


oplusA 100 )

translationspoplus

A q p ++-A q








A (p2oplus

A p3 ) = (p1oplus

A p2 )oplus



10




)


oplusD 100 )

translationspoplus

D q p ++-D q





done


D (p2oplus

D p3 ) = (p1oplus

D p2 )oplus


done







11



done





done









12



done














13






importsUPFCore

begin









syntax (xsymbols)

14


Dp f AllD f









done




definition

15







lemma AIoplus

empty = AI

apply simpdone

lemma Af foplus








16





















17






done


done


done


18








m1 0 =m1 0

oplusm2 0


l1 0 ) m =l2 0 m


l1 0 ) m =l2 0 m


l1 0 ) m =l1 0 m


e1 0 (m 7rarr u1 0 ) =(e2 0





done




19


done




done



done




done


20

done



end




begin


231 Flattening




done


21


done



done



done



apply (case-tac x )

22


done



done




done



done

23






| perp rArr perp)


done









24










end




begin



25










| perp rArr perp))



done



done


otimesorA p2 )))


done

26






| perp rArr perp))



done



done


otimesorD p2 )))


done



1 55 )where p1

otimes1 p2 equiv




27




done



done


2 55 )where p1

otimes2 p2 equiv




|perp rArrperp))



done



done


1I 55 )where p

otimes1I q = (p



1I empty = empty

28


done



done


2I 55 )wherep

otimes2I q = (p




done



done




otimesM 60 )

where p1otimes




otimesS 60 )

wherep1

otimesS p2 = (p1


243 Range Splitting


29


otimesnabla 100 )




| perp rArr perp



otimesnabla p = (


oplus((p Deny)

otimesorA (Dp g))))




done




1 F ) o f ) =(((N

otimes1 F1 ) o f )

oplus((N







1 F ) o f )) =((g o-f ((N

otimes1 F1 ) o f ))

oplus(g o-f ((N





30



2 F ) o f ) =(((N

otimes2 F1 ) o f )

oplus((N







2 F ) o f )) =((r o-f ((N

otimes2 F1 ) o f ))

oplus(r o-f ((N








oplus(g o-f ((N








oplus(g o-f ((N






31

done




theoryAnalysis


begin





Comparing Policies








32















33

















34






done

Miscellaneous



A q = poplus






done

end


theoryNormalisation

35


begin






oplusy)) l empty













36






done


done


done


done


done


done


done

37


done


done


done


done


done




qed





38



qedqed





done








qed

39










otimesL 54 ) where





otimes2L 55 ) where

xotimes


L y) (opotimes

2) d r)


done




oplusP2 )) o f )) =


(g o-f ((p N P2 ) o f ))))))

40




done



done



by simp



done



done


done




otimesL P2 ) (op

otimes1) r d)) x ))



otimes1 p) d)))

41





qed



otimesL P2 ) (op




otimes2 p) d)))





qed






otimesorA p) d)))




42


qedqed






otimesorD p) d)))





qed



1 B) o (λx (x x ))) = dom B




2 B) o (λx (x x ))) = dom B




(λ x (x x ))) = dom B

43









begin








44

done


done


done



done



done



45








done



done


done

end


theoryUPF

imports

46


begin



47

3 Example




theoryService

importsUPF

begin



Users









49







Health Records



The Web Service API






50











51







52




Sealed Envelopes








| x rArr perp)




| x rArr perp)




53

| x rArr perp)


oplusdeleteEntrySE

oplusreadEntrySE

oplusAU













addLRPolicyoplus

LR-Policy

oplusAU






54





















55

















oplusaddLRFunPolicy


oplusAU

Modelling Core RBAC




56





State Transition















57




Output


















58



o (λx (x x )))



end



importsService

begin









59










by (simp)









60










end

61


41 Related Work





63

5 Appendix


theoryMonads

importsMain

begin












65















done


done


done


66











67





done












68



apply (auto)done






notation malt-SE (d

SE)


SE [] = failSE












69



((2 - = - -) [5 8 8 ]8 )translations



done


done


done













70










done



done






donenext


71



donenext


done



doneqed






oops




72







done



done





done



73


done



done



done



74








done









75


done








end

76

Bibliography











77












78



79

Introduction



Foundation

Policy Constructors

Override Operators

Coercion Operators

Elementary Policies


Common Instances



Flattening

Policy Composition




Range Splitting



Basic Properties








Example






Combine All Parts




Basic Properties


Related Work


Appendix










4

1 Introduction









5



theoryUPFCore

importsMonads

begin

211 Foundation







7















8

empty CONST empty
















oplus100 )

translationspoplus

q q ++ p

9



by simp


p = pby simp


(p2oplus

p3 ) = (p1oplus

p2 )oplus

p3by simp





)


oplusA 100 )

translationspoplus

A q p ++-A q








A (p2oplus

A p3 ) = (p1oplus

A p2 )oplus



10




)


oplusD 100 )

translationspoplus

D q p ++-D q





done


D (p2oplus

D p3 ) = (p1oplus

D p2 )oplus


done







11



done





done









12



done














13






importsUPFCore

begin









syntax (xsymbols)

14


Dp f AllD f









done




definition

15







lemma AIoplus

empty = AI

apply simpdone

lemma Af foplus








16





















17






done


done


done


18








m1 0 =m1 0

oplusm2 0


l1 0 ) m =l2 0 m


l1 0 ) m =l2 0 m


l1 0 ) m =l1 0 m


e1 0 (m 7rarr u1 0 ) =(e2 0





done




19


done




done



done




done


20

done



end




begin


231 Flattening




done


21


done



done



done



apply (case-tac x )

22


done



done




done



done

23






| perp rArr perp)


done









24










end




begin



25










| perp rArr perp))



done



done


otimesorA p2 )))


done

26






| perp rArr perp))



done



done


otimesorD p2 )))


done



1 55 )where p1

otimes1 p2 equiv




27




done



done


2 55 )where p1

otimes2 p2 equiv




|perp rArrperp))



done



done


1I 55 )where p

otimes1I q = (p



1I empty = empty

28


done



done


2I 55 )wherep

otimes2I q = (p




done



done




otimesM 60 )

where p1otimes




otimesS 60 )

wherep1

otimesS p2 = (p1


243 Range Splitting


29


otimesnabla 100 )




| perp rArr perp



otimesnabla p = (


oplus((p Deny)

otimesorA (Dp g))))




done




1 F ) o f ) =(((N

otimes1 F1 ) o f )

oplus((N







1 F ) o f )) =((g o-f ((N

otimes1 F1 ) o f ))

oplus(g o-f ((N





30



2 F ) o f ) =(((N

otimes2 F1 ) o f )

oplus((N







2 F ) o f )) =((r o-f ((N

otimes2 F1 ) o f ))

oplus(r o-f ((N








oplus(g o-f ((N








oplus(g o-f ((N






31

done




theoryAnalysis


begin





Comparing Policies








32















33

















34






done

Miscellaneous



A q = poplus






done

end


theoryNormalisation

35


begin






oplusy)) l empty













36






done


done


done


done


done


done


done

37


done


done


done


done


done




qed





38



qedqed





done








qed

39










otimesL 54 ) where





otimes2L 55 ) where

xotimes


L y) (opotimes

2) d r)


done




oplusP2 )) o f )) =


(g o-f ((p N P2 ) o f ))))))

40




done



done



by simp



done



done


done




otimesL P2 ) (op

otimes1) r d)) x ))



otimes1 p) d)))

41





qed



otimesL P2 ) (op




otimes2 p) d)))





qed






otimesorA p) d)))




42


qedqed






otimesorD p) d)))





qed



1 B) o (λx (x x ))) = dom B




2 B) o (λx (x x ))) = dom B




(λ x (x x ))) = dom B

43









begin








44

done


done


done



done



done



45








done



done


done

end


theoryUPF

imports

46


begin



47

3 Example




theoryService

importsUPF

begin



Users









49







Health Records



The Web Service API






50











51







52




Sealed Envelopes








| x rArr perp)




| x rArr perp)




53

| x rArr perp)


oplusdeleteEntrySE

oplusreadEntrySE

oplusAU













addLRPolicyoplus

LR-Policy

oplusAU






54





















55

















oplusaddLRFunPolicy


oplusAU

Modelling Core RBAC




56





State Transition















57




Output


















58



o (λx (x x )))



end



importsService

begin









59










by (simp)









60










end

61


41 Related Work





63

5 Appendix


theoryMonads

importsMain

begin












65















done


done


done


66











67





done












68



apply (auto)done






notation malt-SE (d

SE)


SE [] = failSE












69



((2 - = - -) [5 8 8 ]8 )translations



done


done


done













70










done



done






donenext


71



donenext


done



doneqed






oops




72







done



done





done



73


done



done



done



74








done









75


done








end

76

Bibliography











77












78



79

Introduction



Foundation

Policy Constructors

Override Operators

Coercion Operators

Elementary Policies


Common Instances



Flattening

Policy Composition




Range Splitting



Basic Properties








Example






Combine All Parts




Basic Properties


Related Work


Appendix





1 Introduction









5



theoryUPFCore

importsMonads

begin

211 Foundation







7















8

empty CONST empty
















oplus100 )

translationspoplus

q q ++ p

9



by simp


p = pby simp


(p2oplus

p3 ) = (p1oplus

p2 )oplus

p3by simp





)


oplusA 100 )

translationspoplus

A q p ++-A q








A (p2oplus

A p3 ) = (p1oplus

A p2 )oplus



10




)


oplusD 100 )

translationspoplus

D q p ++-D q





done


D (p2oplus

D p3 ) = (p1oplus

D p2 )oplus


done







11



done





done









12



done














13






importsUPFCore

begin









syntax (xsymbols)

14


Dp f AllD f









done




definition

15







lemma AIoplus

empty = AI

apply simpdone

lemma Af foplus








16





















17






done


done


done


18








m1 0 =m1 0

oplusm2 0


l1 0 ) m =l2 0 m


l1 0 ) m =l2 0 m


l1 0 ) m =l1 0 m


e1 0 (m 7rarr u1 0 ) =(e2 0





done




19


done




done



done




done


20

done



end




begin


231 Flattening




done


21


done



done



done



apply (case-tac x )

22


done



done




done



done

23






| perp rArr perp)


done









24










end




begin



25










| perp rArr perp))



done



done


otimesorA p2 )))


done

26






| perp rArr perp))



done



done


otimesorD p2 )))


done



1 55 )where p1

otimes1 p2 equiv




27




done



done


2 55 )where p1

otimes2 p2 equiv




|perp rArrperp))



done



done


1I 55 )where p

otimes1I q = (p



1I empty = empty

28


done



done


2I 55 )wherep

otimes2I q = (p




done



done




otimesM 60 )

where p1otimes




otimesS 60 )

wherep1

otimesS p2 = (p1


243 Range Splitting


29


otimesnabla 100 )




| perp rArr perp



otimesnabla p = (


oplus((p Deny)

otimesorA (Dp g))))




done




1 F ) o f ) =(((N

otimes1 F1 ) o f )

oplus((N







1 F ) o f )) =((g o-f ((N

otimes1 F1 ) o f ))

oplus(g o-f ((N





30



2 F ) o f ) =(((N

otimes2 F1 ) o f )

oplus((N







2 F ) o f )) =((r o-f ((N

otimes2 F1 ) o f ))

oplus(r o-f ((N








oplus(g o-f ((N








oplus(g o-f ((N






31

done




theoryAnalysis


begin





Comparing Policies








32















33

















34






done

Miscellaneous



A q = poplus






done

end


theoryNormalisation

35


begin






oplusy)) l empty













36






done


done


done


done


done


done


done

37


done


done


done


done


done




qed





38



qedqed





done








qed

39










otimesL 54 ) where





otimes2L 55 ) where

xotimes


L y) (opotimes

2) d r)


done




oplusP2 )) o f )) =


(g o-f ((p N P2 ) o f ))))))

40




done



done



by simp



done



done


done




otimesL P2 ) (op

otimes1) r d)) x ))



otimes1 p) d)))

41





qed



otimesL P2 ) (op




otimes2 p) d)))





qed






otimesorA p) d)))




42


qedqed






otimesorD p) d)))





qed



1 B) o (λx (x x ))) = dom B




2 B) o (λx (x x ))) = dom B




(λ x (x x ))) = dom B

43









begin








44

done


done


done



done



done



45








done



done


done

end


theoryUPF

imports

46


begin



47

3 Example




theoryService

importsUPF

begin



Users









49







Health Records



The Web Service API






50











51







52




Sealed Envelopes








| x rArr perp)




| x rArr perp)




53

| x rArr perp)


oplusdeleteEntrySE

oplusreadEntrySE

oplusAU













addLRPolicyoplus

LR-Policy

oplusAU






54





















55

















oplusaddLRFunPolicy


oplusAU

Modelling Core RBAC




56





State Transition















57




Output


















58



o (λx (x x )))



end



importsService

begin









59










by (simp)









60










end

61


41 Related Work





63

5 Appendix


theoryMonads

importsMain

begin












65















done


done


done


66











67





done












68



apply (auto)done






notation malt-SE (d

SE)


SE [] = failSE












69



((2 - = - -) [5 8 8 ]8 )translations



done


done


done













70










done



done






donenext


71



donenext


done



doneqed






oops




72







done



done





done



73


done



done



done



74








done









75


done








end

76

Bibliography











77












78



79

Introduction



Foundation

Policy Constructors

Override Operators

Coercion Operators

Elementary Policies


Common Instances



Flattening

Policy Composition




Range Splitting



Basic Properties








Example






Combine All Parts




Basic Properties


Related Work


Appendix







theoryUPFCore

importsMonads

begin

211 Foundation







7















8

empty CONST empty
















oplus100 )

translationspoplus

q q ++ p

9



by simp


p = pby simp


(p2oplus

p3 ) = (p1oplus

p2 )oplus

p3by simp





)


oplusA 100 )

translationspoplus

A q p ++-A q








A (p2oplus

A p3 ) = (p1oplus

A p2 )oplus



10




)


oplusD 100 )

translationspoplus

D q p ++-D q





done


D (p2oplus

D p3 ) = (p1oplus

D p2 )oplus


done







11



done





done









12



done














13






importsUPFCore

begin









syntax (xsymbols)

14


Dp f AllD f









done




definition

15







lemma AIoplus

empty = AI

apply simpdone

lemma Af foplus








16





















17






done


done


done


18








m1 0 =m1 0

oplusm2 0


l1 0 ) m =l2 0 m


l1 0 ) m =l2 0 m


l1 0 ) m =l1 0 m


e1 0 (m 7rarr u1 0 ) =(e2 0





done




19


done




done



done




done


20

done



end




begin


231 Flattening




done


21


done



done



done



apply (case-tac x )

22


done



done




done



done

23






| perp rArr perp)


done









24










end




begin



25










| perp rArr perp))



done



done


otimesorA p2 )))


done

26






| perp rArr perp))



done



done


otimesorD p2 )))


done



1 55 )where p1

otimes1 p2 equiv




27




done



done


2 55 )where p1

otimes2 p2 equiv




|perp rArrperp))



done



done


1I 55 )where p

otimes1I q = (p



1I empty = empty

28


done



done


2I 55 )wherep

otimes2I q = (p




done



done




otimesM 60 )

where p1otimes




otimesS 60 )

wherep1

otimesS p2 = (p1


243 Range Splitting


29


otimesnabla 100 )




| perp rArr perp



otimesnabla p = (


oplus((p Deny)

otimesorA (Dp g))))




done




1 F ) o f ) =(((N

otimes1 F1 ) o f )

oplus((N







1 F ) o f )) =((g o-f ((N

otimes1 F1 ) o f ))

oplus(g o-f ((N





30



2 F ) o f ) =(((N

otimes2 F1 ) o f )

oplus((N







2 F ) o f )) =((r o-f ((N

otimes2 F1 ) o f ))

oplus(r o-f ((N








oplus(g o-f ((N








oplus(g o-f ((N






31

done




theoryAnalysis


begin





Comparing Policies








32















33

















34






done

Miscellaneous



A q = poplus






done

end


theoryNormalisation

35


begin






oplusy)) l empty













36






done


done


done


done


done


done


done

37


done


done


done


done


done




qed





38



qedqed





done








qed

39










otimesL 54 ) where





otimes2L 55 ) where

xotimes


L y) (opotimes

2) d r)


done




oplusP2 )) o f )) =


(g o-f ((p N P2 ) o f ))))))

40




done



done



by simp



done



done


done




otimesL P2 ) (op

otimes1) r d)) x ))



otimes1 p) d)))

41





qed



otimesL P2 ) (op




otimes2 p) d)))





qed






otimesorA p) d)))




42


qedqed






otimesorD p) d)))





qed



1 B) o (λx (x x ))) = dom B




2 B) o (λx (x x ))) = dom B




(λ x (x x ))) = dom B

43









begin








44

done


done


done



done



done



45








done



done


done

end


theoryUPF

imports

46


begin



47

3 Example




theoryService

importsUPF

begin



Users









49







Health Records



The Web Service API






50











51







52




Sealed Envelopes








| x rArr perp)




| x rArr perp)




53

| x rArr perp)


oplusdeleteEntrySE

oplusreadEntrySE

oplusAU













addLRPolicyoplus

LR-Policy

oplusAU






54





















55

















oplusaddLRFunPolicy


oplusAU

Modelling Core RBAC




56





State Transition















57




Output


















58



o (λx (x x )))



end



importsService

begin









59










by (simp)









60










end

61


41 Related Work





63

5 Appendix


theoryMonads

importsMain

begin












65















done


done


done


66











67





done












68



apply (auto)done






notation malt-SE (d

SE)


SE [] = failSE












69



((2 - = - -) [5 8 8 ]8 )translations



done


done


done













70










done



done






donenext


71



donenext


done



doneqed






oops




72







done



done





done



73


done



done



done



74








done









75


done








end

76

Bibliography











77












78



79

Introduction



Foundation

Policy Constructors

Override Operators

Coercion Operators

Elementary Policies


Common Instances



Flattening

Policy Composition




Range Splitting



Basic Properties








Example






Combine All Parts




Basic Properties


Related Work


Appendix



















8

empty CONST empty
















oplus100 )

translationspoplus

q q ++ p

9



by simp


p = pby simp


(p2oplus

p3 ) = (p1oplus

p2 )oplus

p3by simp





)


oplusA 100 )

translationspoplus

A q p ++-A q








A (p2oplus

A p3 ) = (p1oplus

A p2 )oplus



10




)


oplusD 100 )

translationspoplus

D q p ++-D q





done


D (p2oplus

D p3 ) = (p1oplus

D p2 )oplus


done







11



done





done









12



done














13






importsUPFCore

begin









syntax (xsymbols)

14


Dp f AllD f









done




definition

15







lemma AIoplus

empty = AI

apply simpdone

lemma Af foplus








16





















17






done


done


done


18








m1 0 =m1 0

oplusm2 0


l1 0 ) m =l2 0 m


l1 0 ) m =l2 0 m


l1 0 ) m =l1 0 m


e1 0 (m 7rarr u1 0 ) =(e2 0





done




19


done




done



done




done


20

done



end




begin


231 Flattening




done


21


done



done



done



apply (case-tac x )

22


done



done




done



done

23






| perp rArr perp)


done









24










end




begin



25










| perp rArr perp))



done



done


otimesorA p2 )))


done

26






| perp rArr perp))



done



done


otimesorD p2 )))


done



1 55 )where p1

otimes1 p2 equiv




27




done



done


2 55 )where p1

otimes2 p2 equiv




|perp rArrperp))



done



done


1I 55 )where p

otimes1I q = (p



1I empty = empty

28


done



done


2I 55 )wherep

otimes2I q = (p




done



done




otimesM 60 )

where p1otimes




otimesS 60 )

wherep1

otimesS p2 = (p1


243 Range Splitting


29


otimesnabla 100 )




| perp rArr perp



otimesnabla p = (


oplus((p Deny)

otimesorA (Dp g))))




done




1 F ) o f ) =(((N

otimes1 F1 ) o f )

oplus((N







1 F ) o f )) =((g o-f ((N

otimes1 F1 ) o f ))

oplus(g o-f ((N





30



2 F ) o f ) =(((N

otimes2 F1 ) o f )

oplus((N







2 F ) o f )) =((r o-f ((N

otimes2 F1 ) o f ))

oplus(r o-f ((N








oplus(g o-f ((N








oplus(g o-f ((N






31

done




theoryAnalysis


begin





Comparing Policies








32















33

















34






done

Miscellaneous



A q = poplus






done

end


theoryNormalisation

35


begin






oplusy)) l empty













36






done


done


done


done


done


done


done

37


done


done


done


done


done




qed





38



qedqed





done








qed

39










otimesL 54 ) where





otimes2L 55 ) where

xotimes


L y) (opotimes

2) d r)


done




oplusP2 )) o f )) =


(g o-f ((p N P2 ) o f ))))))

40




done



done



by simp



done



done


done




otimesL P2 ) (op

otimes1) r d)) x ))



otimes1 p) d)))

41





qed



otimesL P2 ) (op




otimes2 p) d)))





qed






otimesorA p) d)))




42


qedqed






otimesorD p) d)))





qed



1 B) o (λx (x x ))) = dom B




2 B) o (λx (x x ))) = dom B




(λ x (x x ))) = dom B

43









begin








44

done


done


done



done



done



45








done



done


done

end


theoryUPF

imports

46


begin



47

3 Example




theoryService

importsUPF

begin



Users









49







Health Records



The Web Service API






50











51







52




Sealed Envelopes








| x rArr perp)




| x rArr perp)




53

| x rArr perp)


oplusdeleteEntrySE

oplusreadEntrySE

oplusAU













addLRPolicyoplus

LR-Policy

oplusAU






54





















55

















oplusaddLRFunPolicy


oplusAU

Modelling Core RBAC




56





State Transition















57




Output


















58



o (λx (x x )))



end



importsService

begin









59










by (simp)









60










end

61


41 Related Work





63

5 Appendix


theoryMonads

importsMain

begin












65















done


done


done


66











67





done












68



apply (auto)done






notation malt-SE (d

SE)


SE [] = failSE












69



((2 - = - -) [5 8 8 ]8 )translations



done


done


done













70










done



done






donenext


71



donenext


done



doneqed






oops




72







done



done





done



73


done



done



done



74








done









75


done








end

76

Bibliography











77












78



79

Introduction



Foundation

Policy Constructors

Override Operators

Coercion Operators

Elementary Policies


Common Instances



Flattening

Policy Composition




Range Splitting



Basic Properties








Example






Combine All Parts




Basic Properties


Related Work


Appendix





empty CONST empty
















oplus100 )

translationspoplus

q q ++ p

9



by simp


p = pby simp


(p2oplus

p3 ) = (p1oplus

p2 )oplus

p3by simp





)


oplusA 100 )

translationspoplus

A q p ++-A q








A (p2oplus

A p3 ) = (p1oplus

A p2 )oplus



10




)


oplusD 100 )

translationspoplus

D q p ++-D q





done


D (p2oplus

D p3 ) = (p1oplus

D p2 )oplus


done







11



done





done









12



done














13






importsUPFCore

begin









syntax (xsymbols)

14


Dp f AllD f









done




definition

15







lemma AIoplus

empty = AI

apply simpdone

lemma Af foplus








16





















17






done


done


done


18








m1 0 =m1 0

oplusm2 0


l1 0 ) m =l2 0 m


l1 0 ) m =l2 0 m


l1 0 ) m =l1 0 m


e1 0 (m 7rarr u1 0 ) =(e2 0





done




19


done




done



done




done


20

done



end




begin


231 Flattening




done


21


done



done



done



apply (case-tac x )

22


done



done




done



done

23






| perp rArr perp)


done









24










end




begin



25










| perp rArr perp))



done



done


otimesorA p2 )))


done

26






| perp rArr perp))



done



done


otimesorD p2 )))


done



1 55 )where p1

otimes1 p2 equiv




27




done



done


2 55 )where p1

otimes2 p2 equiv




|perp rArrperp))



done



done


1I 55 )where p

otimes1I q = (p



1I empty = empty

28


done



done


2I 55 )wherep

otimes2I q = (p




done



done




otimesM 60 )

where p1otimes




otimesS 60 )

wherep1

otimesS p2 = (p1


243 Range Splitting


29


otimesnabla 100 )




| perp rArr perp



otimesnabla p = (


oplus((p Deny)

otimesorA (Dp g))))




done




1 F ) o f ) =(((N

otimes1 F1 ) o f )

oplus((N







1 F ) o f )) =((g o-f ((N

otimes1 F1 ) o f ))

oplus(g o-f ((N





30



2 F ) o f ) =(((N

otimes2 F1 ) o f )

oplus((N







2 F ) o f )) =((r o-f ((N

otimes2 F1 ) o f ))

oplus(r o-f ((N








oplus(g o-f ((N








oplus(g o-f ((N






31

done




theoryAnalysis


begin





Comparing Policies








32















33

















34






done

Miscellaneous



A q = poplus






done

end


theoryNormalisation

35


begin






oplusy)) l empty













36






done


done


done


done


done


done


done

37


done


done


done


done


done




qed





38



qedqed





done








qed

39










otimesL 54 ) where





otimes2L 55 ) where

xotimes


L y) (opotimes

2) d r)


done




oplusP2 )) o f )) =


(g o-f ((p N P2 ) o f ))))))

40




done



done



by simp



done



done


done




otimesL P2 ) (op

otimes1) r d)) x ))



otimes1 p) d)))

41





qed



otimesL P2 ) (op




otimes2 p) d)))





qed






otimesorA p) d)))




42


qedqed






otimesorD p) d)))





qed



1 B) o (λx (x x ))) = dom B




2 B) o (λx (x x ))) = dom B




(λ x (x x ))) = dom B

43









begin








44

done


done


done



done



done



45








done



done


done

end


theoryUPF

imports

46


begin



47

3 Example




theoryService

importsUPF

begin



Users









49







Health Records



The Web Service API






50











51







52




Sealed Envelopes








| x rArr perp)




| x rArr perp)




53

| x rArr perp)


oplusdeleteEntrySE

oplusreadEntrySE

oplusAU













addLRPolicyoplus

LR-Policy

oplusAU






54





















55

















oplusaddLRFunPolicy


oplusAU

Modelling Core RBAC




56





State Transition















57




Output


















58



o (λx (x x )))



end



importsService

begin









59










by (simp)









60










end

61


41 Related Work





63

5 Appendix


theoryMonads

importsMain

begin












65















done


done


done


66











67





done












68



apply (auto)done






notation malt-SE (d

SE)


SE [] = failSE












69



((2 - = - -) [5 8 8 ]8 )translations



done


done


done













70










done



done






donenext


71



donenext


done



doneqed






oops




72







done



done





done



73


done



done



done



74








done









75


done








end

76

Bibliography











77












78



79

Introduction



Foundation

Policy Constructors

Override Operators

Coercion Operators

Elementary Policies


Common Instances



Flattening

Policy Composition




Range Splitting



Basic Properties








Example






Combine All Parts




Basic Properties


Related Work


Appendix







by simp


p = pby simp


(p2oplus

p3 ) = (p1oplus

p2 )oplus

p3by simp





)


oplusA 100 )

translationspoplus

A q p ++-A q








A (p2oplus

A p3 ) = (p1oplus

A p2 )oplus



10




)


oplusD 100 )

translationspoplus

D q p ++-D q





done


D (p2oplus

D p3 ) = (p1oplus

D p2 )oplus


done







11



done





done









12



done














13






importsUPFCore

begin









syntax (xsymbols)

14


Dp f AllD f









done




definition

15







lemma AIoplus

empty = AI

apply simpdone

lemma Af foplus








16





















17






done


done


done


18








m1 0 =m1 0

oplusm2 0


l1 0 ) m =l2 0 m


l1 0 ) m =l2 0 m


l1 0 ) m =l1 0 m


e1 0 (m 7rarr u1 0 ) =(e2 0





done




19


done




done



done




done


20

done



end




begin


231 Flattening




done


21


done



done



done



apply (case-tac x )

22


done



done




done



done

23






| perp rArr perp)


done









24










end




begin



25










| perp rArr perp))



done



done


otimesorA p2 )))


done

26






| perp rArr perp))



done



done


otimesorD p2 )))


done



1 55 )where p1

otimes1 p2 equiv




27




done



done


2 55 )where p1

otimes2 p2 equiv




|perp rArrperp))



done



done


1I 55 )where p

otimes1I q = (p



1I empty = empty

28


done



done


2I 55 )wherep

otimes2I q = (p




done



done




otimesM 60 )

where p1otimes




otimesS 60 )

wherep1

otimesS p2 = (p1


243 Range Splitting


29


otimesnabla 100 )




| perp rArr perp



otimesnabla p = (


oplus((p Deny)

otimesorA (Dp g))))




done




1 F ) o f ) =(((N

otimes1 F1 ) o f )

oplus((N







1 F ) o f )) =((g o-f ((N

otimes1 F1 ) o f ))

oplus(g o-f ((N





30



2 F ) o f ) =(((N

otimes2 F1 ) o f )

oplus((N







2 F ) o f )) =((r o-f ((N

otimes2 F1 ) o f ))

oplus(r o-f ((N








oplus(g o-f ((N








oplus(g o-f ((N






31

done




theoryAnalysis


begin





Comparing Policies








32















33

















34






done

Miscellaneous



A q = poplus






done

end


theoryNormalisation

35


begin






oplusy)) l empty













36






done


done


done


done


done


done


done

37


done


done


done


done


done




qed





38



qedqed





done








qed

39










otimesL 54 ) where





otimes2L 55 ) where

xotimes


L y) (opotimes

2) d r)


done




oplusP2 )) o f )) =


(g o-f ((p N P2 ) o f ))))))

40




done



done



by simp



done



done


done




otimesL P2 ) (op

otimes1) r d)) x ))



otimes1 p) d)))

41





qed



otimesL P2 ) (op




otimes2 p) d)))





qed






otimesorA p) d)))




42


qedqed






otimesorD p) d)))





qed



1 B) o (λx (x x ))) = dom B




2 B) o (λx (x x ))) = dom B




(λ x (x x ))) = dom B

43









begin








44

done


done


done



done



done



45








done



done


done

end


theoryUPF

imports

46


begin



47

3 Example




theoryService

importsUPF

begin



Users









49







Health Records



The Web Service API






50











51







52




Sealed Envelopes








| x rArr perp)




| x rArr perp)




53

| x rArr perp)


oplusdeleteEntrySE

oplusreadEntrySE

oplusAU













addLRPolicyoplus

LR-Policy

oplusAU






54





















55

















oplusaddLRFunPolicy


oplusAU

Modelling Core RBAC




56





State Transition















57




Output


















58



o (λx (x x )))



end



importsService

begin









59










by (simp)









60










end

61


41 Related Work





63

5 Appendix


theoryMonads

importsMain

begin












65















done


done


done


66











67





done












68



apply (auto)done






notation malt-SE (d

SE)


SE [] = failSE












69



((2 - = - -) [5 8 8 ]8 )translations



done


done


done













70










done



done






donenext


71



donenext


done



doneqed






oops




72







done



done





done



73


done



done



done



74








done









75


done








end

76

Bibliography











77












78



79

Introduction



Foundation

Policy Constructors

Override Operators

Coercion Operators

Elementary Policies


Common Instances



Flattening

Policy Composition




Range Splitting



Basic Properties








Example






Combine All Parts




Basic Properties


Related Work


Appendix








)


oplusD 100 )

translationspoplus

D q p ++-D q





done


D (p2oplus

D p3 ) = (p1oplus

D p2 )oplus


done







11



done





done









12



done














13






importsUPFCore

begin









syntax (xsymbols)

14


Dp f AllD f









done




definition

15







lemma AIoplus

empty = AI

apply simpdone

lemma Af foplus








16





















17






done


done


done


18








m1 0 =m1 0

oplusm2 0


l1 0 ) m =l2 0 m


l1 0 ) m =l2 0 m


l1 0 ) m =l1 0 m


e1 0 (m 7rarr u1 0 ) =(e2 0





done




19


done




done



done




done


20

done



end




begin


231 Flattening




done


21


done



done



done



apply (case-tac x )

22


done



done




done



done

23






| perp rArr perp)


done









24










end




begin



25










| perp rArr perp))



done



done


otimesorA p2 )))


done

26






| perp rArr perp))



done



done


otimesorD p2 )))


done



1 55 )where p1

otimes1 p2 equiv




27




done



done


2 55 )where p1

otimes2 p2 equiv




|perp rArrperp))



done



done


1I 55 )where p

otimes1I q = (p



1I empty = empty

28


done



done


2I 55 )wherep

otimes2I q = (p




done



done




otimesM 60 )

where p1otimes




otimesS 60 )

wherep1

otimesS p2 = (p1


243 Range Splitting


29


otimesnabla 100 )




| perp rArr perp



otimesnabla p = (


oplus((p Deny)

otimesorA (Dp g))))




done




1 F ) o f ) =(((N

otimes1 F1 ) o f )

oplus((N







1 F ) o f )) =((g o-f ((N

otimes1 F1 ) o f ))

oplus(g o-f ((N





30



2 F ) o f ) =(((N

otimes2 F1 ) o f )

oplus((N







2 F ) o f )) =((r o-f ((N

otimes2 F1 ) o f ))

oplus(r o-f ((N








oplus(g o-f ((N








oplus(g o-f ((N






31

done




theoryAnalysis


begin





Comparing Policies








32















33

















34






done

Miscellaneous



A q = poplus






done

end


theoryNormalisation

35


begin






oplusy)) l empty













36






done


done


done


done


done


done


done

37


done


done


done


done


done




qed





38



qedqed





done








qed

39










otimesL 54 ) where





otimes2L 55 ) where

xotimes


L y) (opotimes

2) d r)


done




oplusP2 )) o f )) =


(g o-f ((p N P2 ) o f ))))))

40




done



done



by simp



done



done


done




otimesL P2 ) (op

otimes1) r d)) x ))



otimes1 p) d)))

41





qed



otimesL P2 ) (op




otimes2 p) d)))





qed






otimesorA p) d)))




42


qedqed






otimesorD p) d)))





qed



1 B) o (λx (x x ))) = dom B




2 B) o (λx (x x ))) = dom B




(λ x (x x ))) = dom B

43









begin








44

done


done


done



done



done



45








done



done


done

end


theoryUPF

imports

46


begin



47

3 Example




theoryService

importsUPF

begin



Users









49







Health Records



The Web Service API






50











51







52




Sealed Envelopes








| x rArr perp)




| x rArr perp)




53

| x rArr perp)


oplusdeleteEntrySE

oplusreadEntrySE

oplusAU













addLRPolicyoplus

LR-Policy

oplusAU






54





















55

















oplusaddLRFunPolicy


oplusAU

Modelling Core RBAC




56





State Transition















57




Output


















58



o (λx (x x )))



end



importsService

begin









59










by (simp)









60










end

61


41 Related Work





63

5 Appendix


theoryMonads

importsMain

begin












65















done


done


done


66











67





done












68



apply (auto)done






notation malt-SE (d

SE)


SE [] = failSE












69



((2 - = - -) [5 8 8 ]8 )translations



done


done


done













70










done



done






donenext


71



donenext


done



doneqed






oops




72







done



done





done



73


done



done



done



74








done









75


done








end

76

Bibliography











77












78



79

Introduction



Foundation

Policy Constructors

Override Operators

Coercion Operators

Elementary Policies


Common Instances



Flattening

Policy Composition




Range Splitting



Basic Properties








Example






Combine All Parts




Basic Properties


Related Work


Appendix







done





done









12



done














13






importsUPFCore

begin









syntax (xsymbols)

14


Dp f AllD f









done




definition

15







lemma AIoplus

empty = AI

apply simpdone

lemma Af foplus








16





















17






done


done


done


18








m1 0 =m1 0

oplusm2 0


l1 0 ) m =l2 0 m


l1 0 ) m =l2 0 m


l1 0 ) m =l1 0 m


e1 0 (m 7rarr u1 0 ) =(e2 0





done




19


done




done



done




done


20

done



end




begin


231 Flattening




done


21


done



done



done



apply (case-tac x )

22


done



done




done



done

23






| perp rArr perp)


done









24










end




begin



25










| perp rArr perp))



done



done


otimesorA p2 )))


done

26






| perp rArr perp))



done



done


otimesorD p2 )))


done



1 55 )where p1

otimes1 p2 equiv




27




done



done


2 55 )where p1

otimes2 p2 equiv




|perp rArrperp))



done



done


1I 55 )where p

otimes1I q = (p



1I empty = empty

28


done



done


2I 55 )wherep

otimes2I q = (p




done



done




otimesM 60 )

where p1otimes




otimesS 60 )

wherep1

otimesS p2 = (p1


243 Range Splitting


29


otimesnabla 100 )




| perp rArr perp



otimesnabla p = (


oplus((p Deny)

otimesorA (Dp g))))




done




1 F ) o f ) =(((N

otimes1 F1 ) o f )

oplus((N







1 F ) o f )) =((g o-f ((N

otimes1 F1 ) o f ))

oplus(g o-f ((N





30



2 F ) o f ) =(((N

otimes2 F1 ) o f )

oplus((N







2 F ) o f )) =((r o-f ((N

otimes2 F1 ) o f ))

oplus(r o-f ((N








oplus(g o-f ((N








oplus(g o-f ((N






31

done




theoryAnalysis


begin





Comparing Policies








32















33

















34






done

Miscellaneous



A q = poplus






done

end


theoryNormalisation

35


begin






oplusy)) l empty













36






done


done


done


done


done


done


done

37


done


done


done


done


done




qed





38



qedqed





done








qed

39










otimesL 54 ) where





otimes2L 55 ) where

xotimes


L y) (opotimes

2) d r)


done




oplusP2 )) o f )) =


(g o-f ((p N P2 ) o f ))))))

40




done



done



by simp



done



done


done




otimesL P2 ) (op

otimes1) r d)) x ))



otimes1 p) d)))

41





qed



otimesL P2 ) (op




otimes2 p) d)))





qed






otimesorA p) d)))




42


qedqed






otimesorD p) d)))





qed



1 B) o (λx (x x ))) = dom B




2 B) o (λx (x x ))) = dom B




(λ x (x x ))) = dom B

43









begin








44

done


done


done



done



done



45








done



done


done

end


theoryUPF

imports

46


begin



47

3 Example




theoryService

importsUPF

begin



Users









49







Health Records



The Web Service API






50











51







52




Sealed Envelopes








| x rArr perp)




| x rArr perp)




53

| x rArr perp)


oplusdeleteEntrySE

oplusreadEntrySE

oplusAU













addLRPolicyoplus

LR-Policy

oplusAU






54





















55

















oplusaddLRFunPolicy


oplusAU

Modelling Core RBAC




56





State Transition















57




Output


















58



o (λx (x x )))



end



importsService

begin









59










by (simp)









60










end

61


41 Related Work





63

5 Appendix


theoryMonads

importsMain

begin












65















done


done


done


66











67





done












68



apply (auto)done






notation malt-SE (d

SE)


SE [] = failSE












69



((2 - = - -) [5 8 8 ]8 )translations



done


done


done













70










done



done






donenext


71



donenext


done



doneqed






oops




72







done



done





done



73


done



done



done



74








done









75


done








end

76

Bibliography











77












78



79

Introduction



Foundation

Policy Constructors

Override Operators

Coercion Operators

Elementary Policies


Common Instances



Flattening

Policy Composition




Range Splitting



Basic Properties








Example






Combine All Parts




Basic Properties


Related Work


Appendix







done














13






importsUPFCore

begin









syntax (xsymbols)

14


Dp f AllD f









done




definition

15







lemma AIoplus

empty = AI

apply simpdone

lemma Af foplus








16





















17






done


done


done


18








m1 0 =m1 0

oplusm2 0


l1 0 ) m =l2 0 m


l1 0 ) m =l2 0 m


l1 0 ) m =l1 0 m


e1 0 (m 7rarr u1 0 ) =(e2 0





done




19


done




done



done




done


20

done



end




begin


231 Flattening




done


21


done



done



done



apply (case-tac x )

22


done



done




done



done

23






| perp rArr perp)


done









24










end




begin



25










| perp rArr perp))



done



done


otimesorA p2 )))


done

26






| perp rArr perp))



done



done


otimesorD p2 )))


done



1 55 )where p1

otimes1 p2 equiv




27




done



done


2 55 )where p1

otimes2 p2 equiv




|perp rArrperp))



done



done


1I 55 )where p

otimes1I q = (p



1I empty = empty

28


done



done


2I 55 )wherep

otimes2I q = (p




done



done




otimesM 60 )

where p1otimes




otimesS 60 )

wherep1

otimesS p2 = (p1


243 Range Splitting


29


otimesnabla 100 )




| perp rArr perp



otimesnabla p = (


oplus((p Deny)

otimesorA (Dp g))))




done




1 F ) o f ) =(((N

otimes1 F1 ) o f )

oplus((N







1 F ) o f )) =((g o-f ((N

otimes1 F1 ) o f ))

oplus(g o-f ((N





30



2 F ) o f ) =(((N

otimes2 F1 ) o f )

oplus((N







2 F ) o f )) =((r o-f ((N

otimes2 F1 ) o f ))

oplus(r o-f ((N








oplus(g o-f ((N








oplus(g o-f ((N






31

done




theoryAnalysis


begin





Comparing Policies








32















33

















34






done

Miscellaneous



A q = poplus






done

end


theoryNormalisation

35


begin






oplusy)) l empty













36






done


done


done


done


done


done


done

37


done


done


done


done


done




qed





38



qedqed





done








qed

39










otimesL 54 ) where





otimes2L 55 ) where

xotimes


L y) (opotimes

2) d r)


done




oplusP2 )) o f )) =


(g o-f ((p N P2 ) o f ))))))

40




done



done



by simp



done



done


done




otimesL P2 ) (op

otimes1) r d)) x ))



otimes1 p) d)))

41





qed



otimesL P2 ) (op




otimes2 p) d)))





qed






otimesorA p) d)))




42


qedqed






otimesorD p) d)))





qed



1 B) o (λx (x x ))) = dom B




2 B) o (λx (x x ))) = dom B




(λ x (x x ))) = dom B

43









begin








44

done


done


done



done



done



45








done



done


done

end


theoryUPF

imports

46


begin



47

3 Example




theoryService

importsUPF

begin



Users









49







Health Records



The Web Service API






50











51







52




Sealed Envelopes








| x rArr perp)




| x rArr perp)




53

| x rArr perp)


oplusdeleteEntrySE

oplusreadEntrySE

oplusAU













addLRPolicyoplus

LR-Policy

oplusAU






54





















55

















oplusaddLRFunPolicy


oplusAU

Modelling Core RBAC




56





State Transition















57




Output


















58



o (λx (x x )))



end



importsService

begin









59










by (simp)









60










end

61


41 Related Work





63

5 Appendix


theoryMonads

importsMain

begin












65















done


done


done


66











67





done












68



apply (auto)done






notation malt-SE (d

SE)


SE [] = failSE












69



((2 - = - -) [5 8 8 ]8 )translations



done


done


done













70










done



done






donenext


71



donenext


done



doneqed






oops




72







done



done





done



73


done



done



done



74








done









75


done








end

76

Bibliography











77












78



79

Introduction



Foundation

Policy Constructors

Override Operators

Coercion Operators

Elementary Policies


Common Instances



Flattening

Policy Composition




Range Splitting



Basic Properties








Example






Combine All Parts




Basic Properties


Related Work


Appendix










importsUPFCore

begin









syntax (xsymbols)

14


Dp f AllD f









done




definition

15







lemma AIoplus

empty = AI

apply simpdone

lemma Af foplus








16





















17






done


done


done


18








m1 0 =m1 0

oplusm2 0


l1 0 ) m =l2 0 m


l1 0 ) m =l2 0 m


l1 0 ) m =l1 0 m


e1 0 (m 7rarr u1 0 ) =(e2 0





done




19


done




done



done




done


20

done



end




begin


231 Flattening




done


21


done



done



done



apply (case-tac x )

22


done



done




done



done

23






| perp rArr perp)


done









24










end




begin



25










| perp rArr perp))



done



done


otimesorA p2 )))


done

26






| perp rArr perp))



done



done


otimesorD p2 )))


done



1 55 )where p1

otimes1 p2 equiv




27




done



done


2 55 )where p1

otimes2 p2 equiv




|perp rArrperp))



done



done


1I 55 )where p

otimes1I q = (p



1I empty = empty

28


done



done


2I 55 )wherep

otimes2I q = (p




done



done




otimesM 60 )

where p1otimes




otimesS 60 )

wherep1

otimesS p2 = (p1


243 Range Splitting


29


otimesnabla 100 )




| perp rArr perp



otimesnabla p = (


oplus((p Deny)

otimesorA (Dp g))))




done




1 F ) o f ) =(((N

otimes1 F1 ) o f )

oplus((N







1 F ) o f )) =((g o-f ((N

otimes1 F1 ) o f ))

oplus(g o-f ((N





30



2 F ) o f ) =(((N

otimes2 F1 ) o f )

oplus((N







2 F ) o f )) =((r o-f ((N

otimes2 F1 ) o f ))

oplus(r o-f ((N








oplus(g o-f ((N








oplus(g o-f ((N






31

done




theoryAnalysis


begin





Comparing Policies








32















33

















34






done

Miscellaneous



A q = poplus






done

end


theoryNormalisation

35


begin






oplusy)) l empty













36






done


done


done


done


done


done


done

37


done


done


done


done


done




qed





38



qedqed





done








qed

39










otimesL 54 ) where





otimes2L 55 ) where

xotimes


L y) (opotimes

2) d r)


done




oplusP2 )) o f )) =


(g o-f ((p N P2 ) o f ))))))

40




done



done



by simp



done



done


done




otimesL P2 ) (op

otimes1) r d)) x ))



otimes1 p) d)))

41





qed



otimesL P2 ) (op




otimes2 p) d)))





qed






otimesorA p) d)))




42


qedqed






otimesorD p) d)))





qed



1 B) o (λx (x x ))) = dom B




2 B) o (λx (x x ))) = dom B




(λ x (x x ))) = dom B

43









begin








44

done


done


done



done



done



45








done



done


done

end


theoryUPF

imports

46


begin



47

3 Example




theoryService

importsUPF

begin



Users









49







Health Records



The Web Service API






50











51







52




Sealed Envelopes








| x rArr perp)




| x rArr perp)




53

| x rArr perp)


oplusdeleteEntrySE

oplusreadEntrySE

oplusAU













addLRPolicyoplus

LR-Policy

oplusAU






54





















55

















oplusaddLRFunPolicy


oplusAU

Modelling Core RBAC




56





State Transition















57




Output


















58



o (λx (x x )))



end



importsService

begin









59










by (simp)









60










end

61


41 Related Work





63

5 Appendix


theoryMonads

importsMain

begin












65















done


done


done


66











67





done












68



apply (auto)done






notation malt-SE (d

SE)


SE [] = failSE












69



((2 - = - -) [5 8 8 ]8 )translations



done


done


done













70










done



done






donenext


71



donenext


done



doneqed






oops




72







done



done





done



73


done



done



done



74








done









75


done








end

76

Bibliography











77












78



79

Introduction



Foundation

Policy Constructors

Override Operators

Coercion Operators

Elementary Policies


Common Instances



Flattening

Policy Composition




Range Splitting



Basic Properties








Example






Combine All Parts




Basic Properties


Related Work


Appendix






Dp f AllD f









done




definition

15







lemma AIoplus

empty = AI

apply simpdone

lemma Af foplus








16





















17






done


done


done


18








m1 0 =m1 0

oplusm2 0


l1 0 ) m =l2 0 m


l1 0 ) m =l2 0 m


l1 0 ) m =l1 0 m


e1 0 (m 7rarr u1 0 ) =(e2 0





done




19


done




done



done




done


20

done



end




begin


231 Flattening




done


21


done



done



done



apply (case-tac x )

22


done



done




done



done

23






| perp rArr perp)


done









24










end




begin



25










| perp rArr perp))



done



done


otimesorA p2 )))


done

26






| perp rArr perp))



done



done


otimesorD p2 )))


done



1 55 )where p1

otimes1 p2 equiv




27




done



done


2 55 )where p1

otimes2 p2 equiv




|perp rArrperp))



done



done


1I 55 )where p

otimes1I q = (p



1I empty = empty

28


done



done


2I 55 )wherep

otimes2I q = (p




done



done




otimesM 60 )

where p1otimes




otimesS 60 )

wherep1

otimesS p2 = (p1


243 Range Splitting


29


otimesnabla 100 )




| perp rArr perp



otimesnabla p = (


oplus((p Deny)

otimesorA (Dp g))))




done




1 F ) o f ) =(((N

otimes1 F1 ) o f )

oplus((N







1 F ) o f )) =((g o-f ((N

otimes1 F1 ) o f ))

oplus(g o-f ((N





30



2 F ) o f ) =(((N

otimes2 F1 ) o f )

oplus((N







2 F ) o f )) =((r o-f ((N

otimes2 F1 ) o f ))

oplus(r o-f ((N








oplus(g o-f ((N








oplus(g o-f ((N






31

done




theoryAnalysis


begin





Comparing Policies








32















33

















34






done

Miscellaneous



A q = poplus






done

end


theoryNormalisation

35


begin






oplusy)) l empty













36






done


done


done


done


done


done


done

37


done


done


done


done


done




qed





38



qedqed





done








qed

39










otimesL 54 ) where





otimes2L 55 ) where

xotimes


L y) (opotimes

2) d r)


done




oplusP2 )) o f )) =


(g o-f ((p N P2 ) o f ))))))

40




done



done



by simp



done



done


done




otimesL P2 ) (op

otimes1) r d)) x ))



otimes1 p) d)))

41





qed



otimesL P2 ) (op




otimes2 p) d)))





qed






otimesorA p) d)))




42


qedqed






otimesorD p) d)))





qed



1 B) o (λx (x x ))) = dom B




2 B) o (λx (x x ))) = dom B




(λ x (x x ))) = dom B

43









begin








44

done


done


done



done



done



45








done



done


done

end


theoryUPF

imports

46


begin



47

3 Example




theoryService

importsUPF

begin



Users









49







Health Records



The Web Service API






50











51







52




Sealed Envelopes








| x rArr perp)




| x rArr perp)




53

| x rArr perp)


oplusdeleteEntrySE

oplusreadEntrySE

oplusAU













addLRPolicyoplus

LR-Policy

oplusAU






54





















55

















oplusaddLRFunPolicy


oplusAU

Modelling Core RBAC




56





State Transition















57




Output


















58



o (λx (x x )))



end



importsService

begin









59










by (simp)









60










end

61


41 Related Work





63

5 Appendix


theoryMonads

importsMain

begin












65















done


done


done


66











67





done












68



apply (auto)done






notation malt-SE (d

SE)


SE [] = failSE












69



((2 - = - -) [5 8 8 ]8 )translations



done


done


done













70










done



done






donenext


71



donenext


done



doneqed






oops




72







done



done





done



73


done



done



done



74








done









75


done








end

76

Bibliography











77












78



79

Introduction



Foundation

Policy Constructors

Override Operators

Coercion Operators

Elementary Policies


Common Instances



Flattening

Policy Composition




Range Splitting



Basic Properties








Example






Combine All Parts




Basic Properties


Related Work


Appendix











lemma AIoplus

empty = AI

apply simpdone

lemma Af foplus








16





















17






done


done


done


18








m1 0 =m1 0

oplusm2 0


l1 0 ) m =l2 0 m


l1 0 ) m =l2 0 m


l1 0 ) m =l1 0 m


e1 0 (m 7rarr u1 0 ) =(e2 0





done




19


done




done



done




done


20

done



end




begin


231 Flattening




done


21


done



done



done



apply (case-tac x )

22


done



done




done



done

23






| perp rArr perp)


done









24










end




begin



25










| perp rArr perp))



done



done


otimesorA p2 )))


done

26






| perp rArr perp))



done



done


otimesorD p2 )))


done



1 55 )where p1

otimes1 p2 equiv




27




done



done


2 55 )where p1

otimes2 p2 equiv




|perp rArrperp))



done



done


1I 55 )where p

otimes1I q = (p



1I empty = empty

28


done



done


2I 55 )wherep

otimes2I q = (p




done



done




otimesM 60 )

where p1otimes




otimesS 60 )

wherep1

otimesS p2 = (p1


243 Range Splitting


29


otimesnabla 100 )




| perp rArr perp



otimesnabla p = (


oplus((p Deny)

otimesorA (Dp g))))




done




1 F ) o f ) =(((N

otimes1 F1 ) o f )

oplus((N







1 F ) o f )) =((g o-f ((N

otimes1 F1 ) o f ))

oplus(g o-f ((N





30



2 F ) o f ) =(((N

otimes2 F1 ) o f )

oplus((N







2 F ) o f )) =((r o-f ((N

otimes2 F1 ) o f ))

oplus(r o-f ((N








oplus(g o-f ((N








oplus(g o-f ((N






31

done




theoryAnalysis


begin





Comparing Policies








32















33

















34






done

Miscellaneous



A q = poplus






done

end


theoryNormalisation

35


begin






oplusy)) l empty













36






done


done


done


done


done


done


done

37


done


done


done


done


done




qed





38



qedqed





done








qed

39










otimesL 54 ) where





otimes2L 55 ) where

xotimes


L y) (opotimes

2) d r)


done




oplusP2 )) o f )) =


(g o-f ((p N P2 ) o f ))))))

40




done



done



by simp



done



done


done




otimesL P2 ) (op

otimes1) r d)) x ))



otimes1 p) d)))

41





qed



otimesL P2 ) (op




otimes2 p) d)))





qed






otimesorA p) d)))




42


qedqed






otimesorD p) d)))





qed



1 B) o (λx (x x ))) = dom B




2 B) o (λx (x x ))) = dom B




(λ x (x x ))) = dom B

43









begin








44

done


done


done



done



done



45








done



done


done

end


theoryUPF

imports

46


begin



47

3 Example




theoryService

importsUPF

begin



Users









49







Health Records



The Web Service API






50











51







52




Sealed Envelopes








| x rArr perp)




| x rArr perp)




53

| x rArr perp)


oplusdeleteEntrySE

oplusreadEntrySE

oplusAU













addLRPolicyoplus

LR-Policy

oplusAU






54





















55

















oplusaddLRFunPolicy


oplusAU

Modelling Core RBAC




56





State Transition















57




Output


















58



o (λx (x x )))



end



importsService

begin









59










by (simp)









60










end

61


41 Related Work





63

5 Appendix


theoryMonads

importsMain

begin












65















done


done


done


66











67





done












68



apply (auto)done






notation malt-SE (d

SE)


SE [] = failSE












69



((2 - = - -) [5 8 8 ]8 )translations



done


done


done













70










done



done






donenext


71



donenext


done



doneqed






oops




72







done



done





done



73


done



done



done



74








done









75


done








end

76

Bibliography











77












78



79

Introduction



Foundation

Policy Constructors

Override Operators

Coercion Operators

Elementary Policies


Common Instances



Flattening

Policy Composition




Range Splitting



Basic Properties








Example






Combine All Parts




Basic Properties


Related Work


Appendix

























17






done


done


done


18








m1 0 =m1 0

oplusm2 0


l1 0 ) m =l2 0 m


l1 0 ) m =l2 0 m


l1 0 ) m =l1 0 m


e1 0 (m 7rarr u1 0 ) =(e2 0





done




19


done




done



done




done


20

done



end




begin


231 Flattening




done


21


done



done



done



apply (case-tac x )

22


done



done




done



done

23






| perp rArr perp)


done









24










end




begin



25










| perp rArr perp))



done



done


otimesorA p2 )))


done

26






| perp rArr perp))



done



done


otimesorD p2 )))


done



1 55 )where p1

otimes1 p2 equiv




27




done



done


2 55 )where p1

otimes2 p2 equiv




|perp rArrperp))



done



done


1I 55 )where p

otimes1I q = (p



1I empty = empty

28


done



done


2I 55 )wherep

otimes2I q = (p




done



done




otimesM 60 )

where p1otimes




otimesS 60 )

wherep1

otimesS p2 = (p1


243 Range Splitting


29


otimesnabla 100 )




| perp rArr perp



otimesnabla p = (


oplus((p Deny)

otimesorA (Dp g))))




done




1 F ) o f ) =(((N

otimes1 F1 ) o f )

oplus((N







1 F ) o f )) =((g o-f ((N

otimes1 F1 ) o f ))

oplus(g o-f ((N





30



2 F ) o f ) =(((N

otimes2 F1 ) o f )

oplus((N







2 F ) o f )) =((r o-f ((N

otimes2 F1 ) o f ))

oplus(r o-f ((N








oplus(g o-f ((N








oplus(g o-f ((N






31

done




theoryAnalysis


begin





Comparing Policies








32















33

















34






done

Miscellaneous



A q = poplus






done

end


theoryNormalisation

35


begin






oplusy)) l empty













36






done


done


done


done


done


done


done

37


done


done


done


done


done




qed





38



qedqed





done








qed

39










otimesL 54 ) where





otimes2L 55 ) where

xotimes


L y) (opotimes

2) d r)


done




oplusP2 )) o f )) =


(g o-f ((p N P2 ) o f ))))))

40




done



done



by simp



done



done


done




otimesL P2 ) (op

otimes1) r d)) x ))



otimes1 p) d)))

41





qed



otimesL P2 ) (op




otimes2 p) d)))





qed






otimesorA p) d)))




42


qedqed






otimesorD p) d)))





qed



1 B) o (λx (x x ))) = dom B




2 B) o (λx (x x ))) = dom B




(λ x (x x ))) = dom B

43









begin








44

done


done


done



done



done



45








done



done


done

end


theoryUPF

imports

46


begin



47

3 Example




theoryService

importsUPF

begin



Users









49







Health Records



The Web Service API






50











51







52




Sealed Envelopes








| x rArr perp)




| x rArr perp)




53

| x rArr perp)


oplusdeleteEntrySE

oplusreadEntrySE

oplusAU













addLRPolicyoplus

LR-Policy

oplusAU






54





















55

















oplusaddLRFunPolicy


oplusAU

Modelling Core RBAC




56





State Transition















57




Output


















58



o (λx (x x )))



end



importsService

begin









59










by (simp)









60










end

61


41 Related Work





63

5 Appendix


theoryMonads

importsMain

begin












65















done


done


done


66











67





done












68



apply (auto)done






notation malt-SE (d

SE)


SE [] = failSE












69



((2 - = - -) [5 8 8 ]8 )translations



done


done


done













70










done



done






donenext


71



donenext


done



doneqed






oops




72







done



done





done



73


done



done



done



74








done









75


done








end

76

Bibliography











77












78



79

Introduction



Foundation

Policy Constructors

Override Operators

Coercion Operators

Elementary Policies


Common Instances



Flattening

Policy Composition




Range Splitting



Basic Properties








Example






Combine All Parts




Basic Properties


Related Work


Appendix










done


done


done


18








m1 0 =m1 0

oplusm2 0


l1 0 ) m =l2 0 m


l1 0 ) m =l2 0 m


l1 0 ) m =l1 0 m


e1 0 (m 7rarr u1 0 ) =(e2 0





done




19


done




done



done




done


20

done



end




begin


231 Flattening




done


21


done



done



done



apply (case-tac x )

22


done



done




done



done

23






| perp rArr perp)


done









24










end




begin



25










| perp rArr perp))



done



done


otimesorA p2 )))


done

26






| perp rArr perp))



done



done


otimesorD p2 )))


done



1 55 )where p1

otimes1 p2 equiv




27




done



done


2 55 )where p1

otimes2 p2 equiv




|perp rArrperp))



done



done


1I 55 )where p

otimes1I q = (p



1I empty = empty

28


done



done


2I 55 )wherep

otimes2I q = (p




done



done




otimesM 60 )

where p1otimes




otimesS 60 )

wherep1

otimesS p2 = (p1


243 Range Splitting


29


otimesnabla 100 )




| perp rArr perp



otimesnabla p = (


oplus((p Deny)

otimesorA (Dp g))))




done




1 F ) o f ) =(((N

otimes1 F1 ) o f )

oplus((N







1 F ) o f )) =((g o-f ((N

otimes1 F1 ) o f ))

oplus(g o-f ((N





30



2 F ) o f ) =(((N

otimes2 F1 ) o f )

oplus((N







2 F ) o f )) =((r o-f ((N

otimes2 F1 ) o f ))

oplus(r o-f ((N








oplus(g o-f ((N








oplus(g o-f ((N






31

done




theoryAnalysis


begin





Comparing Policies








32















33

















34






done

Miscellaneous



A q = poplus






done

end


theoryNormalisation

35


begin






oplusy)) l empty













36






done


done


done


done


done


done


done

37


done


done


done


done


done




qed





38



qedqed





done








qed

39










otimesL 54 ) where





otimes2L 55 ) where

xotimes


L y) (opotimes

2) d r)


done




oplusP2 )) o f )) =


(g o-f ((p N P2 ) o f ))))))

40




done



done



by simp



done



done


done




otimesL P2 ) (op

otimes1) r d)) x ))



otimes1 p) d)))

41





qed



otimesL P2 ) (op




otimes2 p) d)))





qed






otimesorA p) d)))




42


qedqed






otimesorD p) d)))





qed



1 B) o (λx (x x ))) = dom B




2 B) o (λx (x x ))) = dom B




(λ x (x x ))) = dom B

43









begin








44

done


done


done



done



done



45








done



done


done

end


theoryUPF

imports

46


begin



47

3 Example




theoryService

importsUPF

begin



Users









49







Health Records



The Web Service API






50











51







52




Sealed Envelopes








| x rArr perp)




| x rArr perp)




53

| x rArr perp)


oplusdeleteEntrySE

oplusreadEntrySE

oplusAU













addLRPolicyoplus

LR-Policy

oplusAU






54





















55

















oplusaddLRFunPolicy


oplusAU

Modelling Core RBAC




56





State Transition















57




Output


















58



o (λx (x x )))



end



importsService

begin









59










by (simp)









60










end

61


41 Related Work





63

5 Appendix


theoryMonads

importsMain

begin












65















done


done


done


66











67





done












68



apply (auto)done






notation malt-SE (d

SE)


SE [] = failSE












69



((2 - = - -) [5 8 8 ]8 )translations



done


done


done













70










done



done






donenext


71



donenext


done



doneqed






oops




72







done



done





done



73


done



done



done



74








done









75


done








end

76

Bibliography











77












78



79

Introduction



Foundation

Policy Constructors

Override Operators

Coercion Operators

Elementary Policies


Common Instances



Flattening

Policy Composition




Range Splitting



Basic Properties








Example






Combine All Parts




Basic Properties


Related Work


Appendix












m1 0 =m1 0

oplusm2 0


l1 0 ) m =l2 0 m


l1 0 ) m =l2 0 m


l1 0 ) m =l1 0 m


e1 0 (m 7rarr u1 0 ) =(e2 0





done




19


done




done



done




done


20

done



end




begin


231 Flattening




done


21


done



done



done



apply (case-tac x )

22


done



done




done



done

23






| perp rArr perp)


done









24










end




begin



25










| perp rArr perp))



done



done


otimesorA p2 )))


done

26






| perp rArr perp))



done



done


otimesorD p2 )))


done



1 55 )where p1

otimes1 p2 equiv




27




done



done


2 55 )where p1

otimes2 p2 equiv




|perp rArrperp))



done



done


1I 55 )where p

otimes1I q = (p



1I empty = empty

28


done



done


2I 55 )wherep

otimes2I q = (p




done



done




otimesM 60 )

where p1otimes




otimesS 60 )

wherep1

otimesS p2 = (p1


243 Range Splitting


29


otimesnabla 100 )




| perp rArr perp



otimesnabla p = (


oplus((p Deny)

otimesorA (Dp g))))




done




1 F ) o f ) =(((N

otimes1 F1 ) o f )

oplus((N







1 F ) o f )) =((g o-f ((N

otimes1 F1 ) o f ))

oplus(g o-f ((N





30



2 F ) o f ) =(((N

otimes2 F1 ) o f )

oplus((N







2 F ) o f )) =((r o-f ((N

otimes2 F1 ) o f ))

oplus(r o-f ((N








oplus(g o-f ((N








oplus(g o-f ((N






31

done




theoryAnalysis


begin





Comparing Policies








32















33

















34






done

Miscellaneous



A q = poplus






done

end


theoryNormalisation

35


begin






oplusy)) l empty













36






done


done


done


done


done


done


done

37


done


done


done


done


done




qed





38



qedqed





done








qed

39










otimesL 54 ) where





otimes2L 55 ) where

xotimes


L y) (opotimes

2) d r)


done




oplusP2 )) o f )) =


(g o-f ((p N P2 ) o f ))))))

40




done



done



by simp



done



done


done




otimesL P2 ) (op

otimes1) r d)) x ))



otimes1 p) d)))

41





qed



otimesL P2 ) (op




otimes2 p) d)))





qed






otimesorA p) d)))




42


qedqed






otimesorD p) d)))





qed



1 B) o (λx (x x ))) = dom B




2 B) o (λx (x x ))) = dom B




(λ x (x x ))) = dom B

43









begin








44

done


done


done



done



done



45








done



done


done

end


theoryUPF

imports

46


begin



47

3 Example




theoryService

importsUPF

begin



Users









49







Health Records



The Web Service API






50











51







52




Sealed Envelopes








| x rArr perp)




| x rArr perp)




53

| x rArr perp)


oplusdeleteEntrySE

oplusreadEntrySE

oplusAU













addLRPolicyoplus

LR-Policy

oplusAU






54





















55

















oplusaddLRFunPolicy


oplusAU

Modelling Core RBAC




56





State Transition















57




Output


















58



o (λx (x x )))



end



importsService

begin









59










by (simp)









60










end

61


41 Related Work





63

5 Appendix


theoryMonads

importsMain

begin












65















done


done


done


66











67





done












68



apply (auto)done






notation malt-SE (d

SE)


SE [] = failSE












69



((2 - = - -) [5 8 8 ]8 )translations



done


done


done













70










done



done






donenext


71



donenext


done



doneqed






oops




72







done



done





done



73


done



done



done



74








done









75


done








end

76

Bibliography











77












78



79

Introduction



Foundation

Policy Constructors

Override Operators

Coercion Operators

Elementary Policies


Common Instances



Flattening

Policy Composition




Range Splitting



Basic Properties








Example






Combine All Parts




Basic Properties


Related Work


Appendix






done




done



done




done


20

done



end




begin


231 Flattening




done


21


done



done



done



apply (case-tac x )

22


done



done




done



done

23






| perp rArr perp)


done









24










end




begin



25










| perp rArr perp))



done



done


otimesorA p2 )))


done

26






| perp rArr perp))



done



done


otimesorD p2 )))


done



1 55 )where p1

otimes1 p2 equiv




27




done



done


2 55 )where p1

otimes2 p2 equiv




|perp rArrperp))



done



done


1I 55 )where p

otimes1I q = (p



1I empty = empty

28


done



done


2I 55 )wherep

otimes2I q = (p




done



done




otimesM 60 )

where p1otimes




otimesS 60 )

wherep1

otimesS p2 = (p1


243 Range Splitting


29


otimesnabla 100 )




| perp rArr perp



otimesnabla p = (


oplus((p Deny)

otimesorA (Dp g))))




done




1 F ) o f ) =(((N

otimes1 F1 ) o f )

oplus((N







1 F ) o f )) =((g o-f ((N

otimes1 F1 ) o f ))

oplus(g o-f ((N





30



2 F ) o f ) =(((N

otimes2 F1 ) o f )

oplus((N







2 F ) o f )) =((r o-f ((N

otimes2 F1 ) o f ))

oplus(r o-f ((N








oplus(g o-f ((N








oplus(g o-f ((N






31

done




theoryAnalysis


begin





Comparing Policies








32















33

















34






done

Miscellaneous



A q = poplus






done

end


theoryNormalisation

35


begin






oplusy)) l empty













36






done


done


done


done


done


done


done

37


done


done


done


done


done




qed





38



qedqed





done








qed

39










otimesL 54 ) where





otimes2L 55 ) where

xotimes


L y) (opotimes

2) d r)


done




oplusP2 )) o f )) =


(g o-f ((p N P2 ) o f ))))))

40




done



done



by simp



done



done


done




otimesL P2 ) (op

otimes1) r d)) x ))



otimes1 p) d)))

41





qed



otimesL P2 ) (op




otimes2 p) d)))





qed






otimesorA p) d)))




42


qedqed






otimesorD p) d)))





qed



1 B) o (λx (x x ))) = dom B




2 B) o (λx (x x ))) = dom B




(λ x (x x ))) = dom B

43









begin








44

done


done


done



done



done



45








done



done


done

end


theoryUPF

imports

46


begin



47

3 Example




theoryService

importsUPF

begin



Users









49







Health Records



The Web Service API






50











51







52




Sealed Envelopes








| x rArr perp)




| x rArr perp)




53

| x rArr perp)


oplusdeleteEntrySE

oplusreadEntrySE

oplusAU













addLRPolicyoplus

LR-Policy

oplusAU






54





















55

















oplusaddLRFunPolicy


oplusAU

Modelling Core RBAC




56





State Transition















57




Output


















58



o (λx (x x )))



end



importsService

begin









59










by (simp)









60










end

61


41 Related Work





63

5 Appendix


theoryMonads

importsMain

begin












65















done


done


done


66











67





done












68



apply (auto)done






notation malt-SE (d

SE)


SE [] = failSE












69



((2 - = - -) [5 8 8 ]8 )translations



done


done


done













70










done



done






donenext


71



donenext


done



doneqed






oops




72







done



done





done



73


done



done



done



74








done









75


done








end

76

Bibliography











77












78



79

Introduction



Foundation

Policy Constructors

Override Operators

Coercion Operators

Elementary Policies


Common Instances



Flattening

Policy Composition




Range Splitting



Basic Properties








Example






Combine All Parts




Basic Properties


Related Work


Appendix





done



end




begin


231 Flattening




done


21


done



done



done



apply (case-tac x )

22


done



done




done



done

23






| perp rArr perp)


done









24










end




begin



25










| perp rArr perp))



done



done


otimesorA p2 )))


done

26






| perp rArr perp))



done



done


otimesorD p2 )))


done



1 55 )where p1

otimes1 p2 equiv




27




done



done


2 55 )where p1

otimes2 p2 equiv




|perp rArrperp))



done



done


1I 55 )where p

otimes1I q = (p



1I empty = empty

28


done



done


2I 55 )wherep

otimes2I q = (p




done



done




otimesM 60 )

where p1otimes




otimesS 60 )

wherep1

otimesS p2 = (p1


243 Range Splitting


29


otimesnabla 100 )




| perp rArr perp



otimesnabla p = (


oplus((p Deny)

otimesorA (Dp g))))




done




1 F ) o f ) =(((N

otimes1 F1 ) o f )

oplus((N







1 F ) o f )) =((g o-f ((N

otimes1 F1 ) o f ))

oplus(g o-f ((N





30



2 F ) o f ) =(((N

otimes2 F1 ) o f )

oplus((N







2 F ) o f )) =((r o-f ((N

otimes2 F1 ) o f ))

oplus(r o-f ((N








oplus(g o-f ((N








oplus(g o-f ((N






31

done




theoryAnalysis


begin





Comparing Policies








32















33

















34






done

Miscellaneous



A q = poplus






done

end


theoryNormalisation

35


begin






oplusy)) l empty













36






done


done


done


done


done


done


done

37


done


done


done


done


done




qed





38



qedqed





done








qed

39










otimesL 54 ) where





otimes2L 55 ) where

xotimes


L y) (opotimes

2) d r)


done




oplusP2 )) o f )) =


(g o-f ((p N P2 ) o f ))))))

40




done



done



by simp



done



done


done




otimesL P2 ) (op

otimes1) r d)) x ))



otimes1 p) d)))

41





qed



otimesL P2 ) (op




otimes2 p) d)))





qed






otimesorA p) d)))




42


qedqed






otimesorD p) d)))





qed



1 B) o (λx (x x ))) = dom B




2 B) o (λx (x x ))) = dom B




(λ x (x x ))) = dom B

43









begin








44

done


done


done



done



done



45








done



done


done

end


theoryUPF

imports

46


begin



47

3 Example




theoryService

importsUPF

begin



Users









49







Health Records



The Web Service API






50











51







52




Sealed Envelopes








| x rArr perp)




| x rArr perp)




53

| x rArr perp)


oplusdeleteEntrySE

oplusreadEntrySE

oplusAU













addLRPolicyoplus

LR-Policy

oplusAU






54





















55

















oplusaddLRFunPolicy


oplusAU

Modelling Core RBAC




56





State Transition















57




Output


















58



o (λx (x x )))



end



importsService

begin









59










by (simp)









60










end

61


41 Related Work





63

5 Appendix


theoryMonads

importsMain

begin












65















done


done


done


66











67





done












68



apply (auto)done






notation malt-SE (d

SE)


SE [] = failSE












69



((2 - = - -) [5 8 8 ]8 )translations



done


done


done













70










done



done






donenext


71



donenext


done



doneqed






oops




72







done



done





done



73


done



done



done



74








done









75


done








end

76

Bibliography











77












78



79

Introduction



Foundation

Policy Constructors

Override Operators

Coercion Operators

Elementary Policies


Common Instances



Flattening

Policy Composition




Range Splitting



Basic Properties








Example






Combine All Parts




Basic Properties


Related Work


Appendix






done



done



done



apply (case-tac x )

22


done



done




done



done

23






| perp rArr perp)


done









24










end




begin



25










| perp rArr perp))



done



done


otimesorA p2 )))


done

26






| perp rArr perp))



done



done


otimesorD p2 )))


done



1 55 )where p1

otimes1 p2 equiv




27




done



done


2 55 )where p1

otimes2 p2 equiv




|perp rArrperp))



done



done


1I 55 )where p

otimes1I q = (p



1I empty = empty

28


done



done


2I 55 )wherep

otimes2I q = (p




done



done




otimesM 60 )

where p1otimes




otimesS 60 )

wherep1

otimesS p2 = (p1


243 Range Splitting


29


otimesnabla 100 )




| perp rArr perp



otimesnabla p = (


oplus((p Deny)

otimesorA (Dp g))))




done




1 F ) o f ) =(((N

otimes1 F1 ) o f )

oplus((N







1 F ) o f )) =((g o-f ((N

otimes1 F1 ) o f ))

oplus(g o-f ((N





30



2 F ) o f ) =(((N

otimes2 F1 ) o f )

oplus((N







2 F ) o f )) =((r o-f ((N

otimes2 F1 ) o f ))

oplus(r o-f ((N








oplus(g o-f ((N








oplus(g o-f ((N






31

done




theoryAnalysis


begin





Comparing Policies








32















33

















34






done

Miscellaneous



A q = poplus






done

end


theoryNormalisation

35


begin






oplusy)) l empty













36






done


done


done


done


done


done


done

37


done


done


done


done


done




qed





38



qedqed





done








qed

39










otimesL 54 ) where





otimes2L 55 ) where

xotimes


L y) (opotimes

2) d r)


done




oplusP2 )) o f )) =


(g o-f ((p N P2 ) o f ))))))

40




done



done



by simp



done



done


done




otimesL P2 ) (op

otimes1) r d)) x ))



otimes1 p) d)))

41





qed



otimesL P2 ) (op




otimes2 p) d)))





qed






otimesorA p) d)))




42


qedqed






otimesorD p) d)))





qed



1 B) o (λx (x x ))) = dom B




2 B) o (λx (x x ))) = dom B




(λ x (x x ))) = dom B

43









begin








44

done


done


done



done



done



45








done



done


done

end


theoryUPF

imports

46


begin



47

3 Example




theoryService

importsUPF

begin



Users









49







Health Records



The Web Service API






50











51







52




Sealed Envelopes








| x rArr perp)




| x rArr perp)




53

| x rArr perp)


oplusdeleteEntrySE

oplusreadEntrySE

oplusAU













addLRPolicyoplus

LR-Policy

oplusAU






54





















55

















oplusaddLRFunPolicy


oplusAU

Modelling Core RBAC




56





State Transition















57




Output


















58



o (λx (x x )))



end



importsService

begin









59










by (simp)









60










end

61


41 Related Work





63

5 Appendix


theoryMonads

importsMain

begin












65















done


done


done


66











67





done












68



apply (auto)done






notation malt-SE (d

SE)


SE [] = failSE












69



((2 - = - -) [5 8 8 ]8 )translations



done


done


done













70










done



done






donenext


71



donenext


done



doneqed






oops




72







done



done





done



73


done



done



done



74








done









75


done








end

76

Bibliography











77












78



79

Introduction



Foundation

Policy Constructors

Override Operators

Coercion Operators

Elementary Policies


Common Instances



Flattening

Policy Composition




Range Splitting



Basic Properties








Example






Combine All Parts




Basic Properties


Related Work


Appendix






done



done




done



done

23






| perp rArr perp)


done









24










end




begin



25










| perp rArr perp))



done



done


otimesorA p2 )))


done

26






| perp rArr perp))



done



done


otimesorD p2 )))


done



1 55 )where p1

otimes1 p2 equiv




27




done



done


2 55 )where p1

otimes2 p2 equiv




|perp rArrperp))



done



done


1I 55 )where p

otimes1I q = (p



1I empty = empty

28


done



done


2I 55 )wherep

otimes2I q = (p




done



done




otimesM 60 )

where p1otimes




otimesS 60 )

wherep1

otimesS p2 = (p1


243 Range Splitting


29


otimesnabla 100 )




| perp rArr perp



otimesnabla p = (


oplus((p Deny)

otimesorA (Dp g))))




done




1 F ) o f ) =(((N

otimes1 F1 ) o f )

oplus((N







1 F ) o f )) =((g o-f ((N

otimes1 F1 ) o f ))

oplus(g o-f ((N





30



2 F ) o f ) =(((N

otimes2 F1 ) o f )

oplus((N







2 F ) o f )) =((r o-f ((N

otimes2 F1 ) o f ))

oplus(r o-f ((N








oplus(g o-f ((N








oplus(g o-f ((N






31

done




theoryAnalysis


begin





Comparing Policies








32















33

















34






done

Miscellaneous



A q = poplus






done

end


theoryNormalisation

35


begin






oplusy)) l empty













36






done


done


done


done


done


done


done

37


done


done


done


done


done




qed





38



qedqed





done








qed

39










otimesL 54 ) where





otimes2L 55 ) where

xotimes


L y) (opotimes

2) d r)


done




oplusP2 )) o f )) =


(g o-f ((p N P2 ) o f ))))))

40




done



done



by simp



done



done


done




otimesL P2 ) (op

otimes1) r d)) x ))



otimes1 p) d)))

41





qed



otimesL P2 ) (op




otimes2 p) d)))





qed






otimesorA p) d)))




42


qedqed






otimesorD p) d)))





qed



1 B) o (λx (x x ))) = dom B




2 B) o (λx (x x ))) = dom B




(λ x (x x ))) = dom B

43









begin








44

done


done


done



done



done



45








done



done


done

end


theoryUPF

imports

46


begin



47

3 Example




theoryService

importsUPF

begin



Users









49







Health Records



The Web Service API






50











51







52




Sealed Envelopes








| x rArr perp)




| x rArr perp)




53

| x rArr perp)


oplusdeleteEntrySE

oplusreadEntrySE

oplusAU













addLRPolicyoplus

LR-Policy

oplusAU






54





















55

















oplusaddLRFunPolicy


oplusAU

Modelling Core RBAC




56





State Transition















57




Output


















58



o (λx (x x )))



end



importsService

begin









59










by (simp)









60










end

61


41 Related Work





63

5 Appendix


theoryMonads

importsMain

begin












65















done


done


done


66











67





done












68



apply (auto)done






notation malt-SE (d

SE)


SE [] = failSE












69



((2 - = - -) [5 8 8 ]8 )translations



done


done


done













70










done



done






donenext


71



donenext


done



doneqed






oops




72







done



done





done



73


done



done



done



74








done









75


done








end

76

Bibliography











77












78



79

Introduction



Foundation

Policy Constructors

Override Operators

Coercion Operators

Elementary Policies


Common Instances



Flattening

Policy Composition




Range Splitting



Basic Properties








Example






Combine All Parts




Basic Properties


Related Work


Appendix










| perp rArr perp)


done









24










end




begin



25










| perp rArr perp))



done



done


otimesorA p2 )))


done

26






| perp rArr perp))



done



done


otimesorD p2 )))


done



1 55 )where p1

otimes1 p2 equiv




27




done



done


2 55 )where p1

otimes2 p2 equiv




|perp rArrperp))



done



done


1I 55 )where p

otimes1I q = (p



1I empty = empty

28


done



done


2I 55 )wherep

otimes2I q = (p




done



done




otimesM 60 )

where p1otimes




otimesS 60 )

wherep1

otimesS p2 = (p1


243 Range Splitting


29


otimesnabla 100 )




| perp rArr perp



otimesnabla p = (


oplus((p Deny)

otimesorA (Dp g))))




done




1 F ) o f ) =(((N

otimes1 F1 ) o f )

oplus((N







1 F ) o f )) =((g o-f ((N

otimes1 F1 ) o f ))

oplus(g o-f ((N





30



2 F ) o f ) =(((N

otimes2 F1 ) o f )

oplus((N







2 F ) o f )) =((r o-f ((N

otimes2 F1 ) o f ))

oplus(r o-f ((N








oplus(g o-f ((N








oplus(g o-f ((N






31

done




theoryAnalysis


begin





Comparing Policies








32















33

















34






done

Miscellaneous



A q = poplus






done

end


theoryNormalisation

35


begin






oplusy)) l empty













36






done


done


done


done


done


done


done

37


done


done


done


done


done




qed





38



qedqed





done








qed

39










otimesL 54 ) where





otimes2L 55 ) where

xotimes


L y) (opotimes

2) d r)


done




oplusP2 )) o f )) =


(g o-f ((p N P2 ) o f ))))))

40




done



done



by simp



done



done


done




otimesL P2 ) (op

otimes1) r d)) x ))



otimes1 p) d)))

41





qed



otimesL P2 ) (op




otimes2 p) d)))





qed






otimesorA p) d)))




42


qedqed






otimesorD p) d)))





qed



1 B) o (λx (x x ))) = dom B




2 B) o (λx (x x ))) = dom B




(λ x (x x ))) = dom B

43









begin








44

done


done


done



done



done



45








done



done


done

end


theoryUPF

imports

46


begin



47

3 Example




theoryService

importsUPF

begin



Users









49







Health Records



The Web Service API






50











51







52




Sealed Envelopes








| x rArr perp)




| x rArr perp)




53

| x rArr perp)


oplusdeleteEntrySE

oplusreadEntrySE

oplusAU













addLRPolicyoplus

LR-Policy

oplusAU






54





















55

















oplusaddLRFunPolicy


oplusAU

Modelling Core RBAC




56





State Transition















57




Output


















58



o (λx (x x )))



end



importsService

begin









59










by (simp)









60










end

61


41 Related Work





63

5 Appendix


theoryMonads

importsMain

begin












65















done


done


done


66











67





done












68



apply (auto)done






notation malt-SE (d

SE)


SE [] = failSE












69



((2 - = - -) [5 8 8 ]8 )translations



done


done


done













70










done



done






donenext


71



donenext


done



doneqed






oops




72







done



done





done



73


done



done



done



74








done









75


done








end

76

Bibliography











77












78



79

Introduction



Foundation

Policy Constructors

Override Operators

Coercion Operators

Elementary Policies


Common Instances



Flattening

Policy Composition




Range Splitting



Basic Properties








Example






Combine All Parts




Basic Properties


Related Work


Appendix














end




begin



25










| perp rArr perp))



done



done


otimesorA p2 )))


done

26






| perp rArr perp))



done



done


otimesorD p2 )))


done



1 55 )where p1

otimes1 p2 equiv




27




done



done


2 55 )where p1

otimes2 p2 equiv




|perp rArrperp))



done



done


1I 55 )where p

otimes1I q = (p



1I empty = empty

28


done



done


2I 55 )wherep

otimes2I q = (p




done



done




otimesM 60 )

where p1otimes




otimesS 60 )

wherep1

otimesS p2 = (p1


243 Range Splitting


29


otimesnabla 100 )




| perp rArr perp



otimesnabla p = (


oplus((p Deny)

otimesorA (Dp g))))




done




1 F ) o f ) =(((N

otimes1 F1 ) o f )

oplus((N







1 F ) o f )) =((g o-f ((N

otimes1 F1 ) o f ))

oplus(g o-f ((N





30



2 F ) o f ) =(((N

otimes2 F1 ) o f )

oplus((N







2 F ) o f )) =((r o-f ((N

otimes2 F1 ) o f ))

oplus(r o-f ((N








oplus(g o-f ((N








oplus(g o-f ((N






31

done




theoryAnalysis


begin





Comparing Policies








32















33

















34






done

Miscellaneous



A q = poplus






done

end


theoryNormalisation

35


begin






oplusy)) l empty













36






done


done


done


done


done


done


done

37


done


done


done


done


done




qed





38



qedqed





done








qed

39










otimesL 54 ) where





otimes2L 55 ) where

xotimes


L y) (opotimes

2) d r)


done




oplusP2 )) o f )) =


(g o-f ((p N P2 ) o f ))))))

40




done



done



by simp



done



done


done




otimesL P2 ) (op

otimes1) r d)) x ))



otimes1 p) d)))

41





qed



otimesL P2 ) (op




otimes2 p) d)))





qed






otimesorA p) d)))




42


qedqed






otimesorD p) d)))





qed



1 B) o (λx (x x ))) = dom B




2 B) o (λx (x x ))) = dom B




(λ x (x x ))) = dom B

43









begin








44

done


done


done



done



done



45








done



done


done

end


theoryUPF

imports

46


begin



47

3 Example




theoryService

importsUPF

begin



Users









49







Health Records



The Web Service API






50











51







52




Sealed Envelopes








| x rArr perp)




| x rArr perp)




53

| x rArr perp)


oplusdeleteEntrySE

oplusreadEntrySE

oplusAU













addLRPolicyoplus

LR-Policy

oplusAU






54





















55

















oplusaddLRFunPolicy


oplusAU

Modelling Core RBAC




56





State Transition















57




Output


















58



o (λx (x x )))



end



importsService

begin









59










by (simp)









60










end

61


41 Related Work





63

5 Appendix


theoryMonads

importsMain

begin












65















done


done


done


66











67





done












68



apply (auto)done






notation malt-SE (d

SE)


SE [] = failSE












69



((2 - = - -) [5 8 8 ]8 )translations



done


done


done













70










done



done






donenext


71



donenext


done



doneqed






oops




72







done



done





done



73


done



done



done



74








done









75


done








end

76

Bibliography











77












78



79

Introduction



Foundation

Policy Constructors

Override Operators

Coercion Operators

Elementary Policies


Common Instances



Flattening

Policy Composition




Range Splitting



Basic Properties








Example






Combine All Parts




Basic Properties


Related Work


Appendix














| perp rArr perp))



done



done


otimesorA p2 )))


done

26






| perp rArr perp))



done



done


otimesorD p2 )))


done



1 55 )where p1

otimes1 p2 equiv




27




done



done


2 55 )where p1

otimes2 p2 equiv




|perp rArrperp))



done



done


1I 55 )where p

otimes1I q = (p



1I empty = empty

28


done



done


2I 55 )wherep

otimes2I q = (p




done



done




otimesM 60 )

where p1otimes




otimesS 60 )

wherep1

otimesS p2 = (p1


243 Range Splitting


29


otimesnabla 100 )




| perp rArr perp



otimesnabla p = (


oplus((p Deny)

otimesorA (Dp g))))




done




1 F ) o f ) =(((N

otimes1 F1 ) o f )

oplus((N







1 F ) o f )) =((g o-f ((N

otimes1 F1 ) o f ))

oplus(g o-f ((N





30



2 F ) o f ) =(((N

otimes2 F1 ) o f )

oplus((N







2 F ) o f )) =((r o-f ((N

otimes2 F1 ) o f ))

oplus(r o-f ((N








oplus(g o-f ((N








oplus(g o-f ((N






31

done




theoryAnalysis


begin





Comparing Policies








32















33

















34






done

Miscellaneous



A q = poplus






done

end


theoryNormalisation

35


begin






oplusy)) l empty













36






done


done


done


done


done


done


done

37


done


done


done


done


done




qed





38



qedqed





done








qed

39










otimesL 54 ) where





otimes2L 55 ) where

xotimes


L y) (opotimes

2) d r)


done




oplusP2 )) o f )) =


(g o-f ((p N P2 ) o f ))))))

40




done



done



by simp



done



done


done




otimesL P2 ) (op

otimes1) r d)) x ))



otimes1 p) d)))

41





qed



otimesL P2 ) (op




otimes2 p) d)))





qed






otimesorA p) d)))




42


qedqed






otimesorD p) d)))





qed



1 B) o (λx (x x ))) = dom B




2 B) o (λx (x x ))) = dom B




(λ x (x x ))) = dom B

43









begin








44

done


done


done



done



done



45








done



done


done

end


theoryUPF

imports

46


begin



47

3 Example




theoryService

importsUPF

begin



Users









49







Health Records



The Web Service API






50











51







52




Sealed Envelopes








| x rArr perp)




| x rArr perp)




53

| x rArr perp)


oplusdeleteEntrySE

oplusreadEntrySE

oplusAU













addLRPolicyoplus

LR-Policy

oplusAU






54





















55

















oplusaddLRFunPolicy


oplusAU

Modelling Core RBAC




56





State Transition















57




Output


















58



o (λx (x x )))



end



importsService

begin









59










by (simp)









60










end

61


41 Related Work





63

5 Appendix


theoryMonads

importsMain

begin












65















done


done


done


66











67





done












68



apply (auto)done






notation malt-SE (d

SE)


SE [] = failSE












69



((2 - = - -) [5 8 8 ]8 )translations



done


done


done













70










done



done






donenext


71



donenext


done



doneqed






oops




72







done



done





done



73


done



done



done



74








done









75


done








end

76

Bibliography











77












78



79

Introduction



Foundation

Policy Constructors

Override Operators

Coercion Operators

Elementary Policies


Common Instances



Flattening

Policy Composition




Range Splitting



Basic Properties








Example






Combine All Parts




Basic Properties


Related Work


Appendix










| perp rArr perp))



done



done


otimesorD p2 )))


done



1 55 )where p1

otimes1 p2 equiv




27




done



done


2 55 )where p1

otimes2 p2 equiv




|perp rArrperp))



done



done


1I 55 )where p

otimes1I q = (p



1I empty = empty

28


done



done


2I 55 )wherep

otimes2I q = (p




done



done




otimesM 60 )

where p1otimes




otimesS 60 )

wherep1

otimesS p2 = (p1


243 Range Splitting


29


otimesnabla 100 )




| perp rArr perp



otimesnabla p = (


oplus((p Deny)

otimesorA (Dp g))))




done




1 F ) o f ) =(((N

otimes1 F1 ) o f )

oplus((N







1 F ) o f )) =((g o-f ((N

otimes1 F1 ) o f ))

oplus(g o-f ((N





30



2 F ) o f ) =(((N

otimes2 F1 ) o f )

oplus((N







2 F ) o f )) =((r o-f ((N

otimes2 F1 ) o f ))

oplus(r o-f ((N








oplus(g o-f ((N








oplus(g o-f ((N






31

done




theoryAnalysis


begin





Comparing Policies








32















33

















34






done

Miscellaneous



A q = poplus






done

end


theoryNormalisation

35


begin






oplusy)) l empty













36






done


done


done


done


done


done


done

37


done


done


done


done


done




qed





38



qedqed





done








qed

39










otimesL 54 ) where





otimes2L 55 ) where

xotimes


L y) (opotimes

2) d r)


done




oplusP2 )) o f )) =


(g o-f ((p N P2 ) o f ))))))

40




done



done



by simp



done



done


done




otimesL P2 ) (op

otimes1) r d)) x ))



otimes1 p) d)))

41





qed



otimesL P2 ) (op




otimes2 p) d)))





qed






otimesorA p) d)))




42


qedqed






otimesorD p) d)))





qed



1 B) o (λx (x x ))) = dom B




2 B) o (λx (x x ))) = dom B




(λ x (x x ))) = dom B

43









begin








44

done


done


done



done



done



45








done



done


done

end


theoryUPF

imports

46


begin



47

3 Example




theoryService

importsUPF

begin



Users









49







Health Records



The Web Service API






50











51







52




Sealed Envelopes








| x rArr perp)




| x rArr perp)




53

| x rArr perp)


oplusdeleteEntrySE

oplusreadEntrySE

oplusAU













addLRPolicyoplus

LR-Policy

oplusAU






54





















55

















oplusaddLRFunPolicy


oplusAU

Modelling Core RBAC




56





State Transition















57




Output


















58



o (λx (x x )))



end



importsService

begin









59










by (simp)









60










end

61


41 Related Work





63

5 Appendix


theoryMonads

importsMain

begin












65















done


done


done


66











67





done












68



apply (auto)done






notation malt-SE (d

SE)


SE [] = failSE












69



((2 - = - -) [5 8 8 ]8 )translations



done


done


done













70










done



done






donenext


71



donenext


done



doneqed






oops




72







done



done





done



73


done



done



done



74








done









75


done








end

76

Bibliography











77












78



79

Introduction



Foundation

Policy Constructors

Override Operators

Coercion Operators

Elementary Policies


Common Instances



Flattening

Policy Composition




Range Splitting



Basic Properties








Example






Combine All Parts




Basic Properties


Related Work


Appendix








done



done


2 55 )where p1

otimes2 p2 equiv




|perp rArrperp))



done



done


1I 55 )where p

otimes1I q = (p



1I empty = empty

28


done



done


2I 55 )wherep

otimes2I q = (p




done



done




otimesM 60 )

where p1otimes




otimesS 60 )

wherep1

otimesS p2 = (p1


243 Range Splitting


29


otimesnabla 100 )




| perp rArr perp



otimesnabla p = (


oplus((p Deny)

otimesorA (Dp g))))




done




1 F ) o f ) =(((N

otimes1 F1 ) o f )

oplus((N







1 F ) o f )) =((g o-f ((N

otimes1 F1 ) o f ))

oplus(g o-f ((N





30



2 F ) o f ) =(((N

otimes2 F1 ) o f )

oplus((N







2 F ) o f )) =((r o-f ((N

otimes2 F1 ) o f ))

oplus(r o-f ((N








oplus(g o-f ((N








oplus(g o-f ((N






31

done




theoryAnalysis


begin





Comparing Policies








32















33

















34






done

Miscellaneous



A q = poplus






done

end


theoryNormalisation

35


begin






oplusy)) l empty













36






done


done


done


done


done


done


done

37


done


done


done


done


done




qed





38



qedqed





done








qed

39










otimesL 54 ) where





otimes2L 55 ) where

xotimes


L y) (opotimes

2) d r)


done




oplusP2 )) o f )) =


(g o-f ((p N P2 ) o f ))))))

40




done



done



by simp



done



done


done




otimesL P2 ) (op

otimes1) r d)) x ))



otimes1 p) d)))

41





qed



otimesL P2 ) (op




otimes2 p) d)))





qed






otimesorA p) d)))




42


qedqed






otimesorD p) d)))





qed



1 B) o (λx (x x ))) = dom B




2 B) o (λx (x x ))) = dom B




(λ x (x x ))) = dom B

43









begin








44

done


done


done



done



done



45








done



done


done

end


theoryUPF

imports

46


begin



47

3 Example




theoryService

importsUPF

begin



Users









49







Health Records



The Web Service API






50











51







52




Sealed Envelopes








| x rArr perp)




| x rArr perp)




53

| x rArr perp)


oplusdeleteEntrySE

oplusreadEntrySE

oplusAU













addLRPolicyoplus

LR-Policy

oplusAU






54





















55

















oplusaddLRFunPolicy


oplusAU

Modelling Core RBAC




56





State Transition















57




Output


















58



o (λx (x x )))



end



importsService

begin









59










by (simp)









60










end

61


41 Related Work





63

5 Appendix


theoryMonads

importsMain

begin












65















done


done


done


66











67





done












68



apply (auto)done






notation malt-SE (d

SE)


SE [] = failSE












69



((2 - = - -) [5 8 8 ]8 )translations



done


done


done













70










done



done






donenext


71



donenext


done



doneqed






oops




72







done



done





done



73


done



done



done



74








done









75


done








end

76

Bibliography











77












78



79

Introduction



Foundation

Policy Constructors

Override Operators

Coercion Operators

Elementary Policies


Common Instances



Flattening

Policy Composition




Range Splitting



Basic Properties








Example






Combine All Parts




Basic Properties


Related Work


Appendix






done



done


2I 55 )wherep

otimes2I q = (p




done



done




otimesM 60 )

where p1otimes




otimesS 60 )

wherep1

otimesS p2 = (p1


243 Range Splitting


29


otimesnabla 100 )




| perp rArr perp



otimesnabla p = (


oplus((p Deny)

otimesorA (Dp g))))




done




1 F ) o f ) =(((N

otimes1 F1 ) o f )

oplus((N







1 F ) o f )) =((g o-f ((N

otimes1 F1 ) o f ))

oplus(g o-f ((N





30



2 F ) o f ) =(((N

otimes2 F1 ) o f )

oplus((N







2 F ) o f )) =((r o-f ((N

otimes2 F1 ) o f ))

oplus(r o-f ((N








oplus(g o-f ((N








oplus(g o-f ((N






31

done




theoryAnalysis


begin





Comparing Policies








32















33

















34






done

Miscellaneous



A q = poplus






done

end


theoryNormalisation

35


begin






oplusy)) l empty













36






done


done


done


done


done


done


done

37


done


done


done


done


done




qed





38



qedqed





done








qed

39










otimesL 54 ) where





otimes2L 55 ) where

xotimes


L y) (opotimes

2) d r)


done




oplusP2 )) o f )) =


(g o-f ((p N P2 ) o f ))))))

40




done



done



by simp



done



done


done




otimesL P2 ) (op

otimes1) r d)) x ))



otimes1 p) d)))

41





qed



otimesL P2 ) (op




otimes2 p) d)))





qed






otimesorA p) d)))




42


qedqed






otimesorD p) d)))





qed



1 B) o (λx (x x ))) = dom B




2 B) o (λx (x x ))) = dom B




(λ x (x x ))) = dom B

43









begin








44

done


done


done



done



done



45








done



done


done

end


theoryUPF

imports

46


begin



47

3 Example




theoryService

importsUPF

begin



Users









49







Health Records



The Web Service API






50











51







52




Sealed Envelopes








| x rArr perp)




| x rArr perp)




53

| x rArr perp)


oplusdeleteEntrySE

oplusreadEntrySE

oplusAU













addLRPolicyoplus

LR-Policy

oplusAU






54





















55

















oplusaddLRFunPolicy


oplusAU

Modelling Core RBAC




56





State Transition















57




Output


















58



o (λx (x x )))



end



importsService

begin









59










by (simp)









60










end

61


41 Related Work





63

5 Appendix


theoryMonads

importsMain

begin












65















done


done


done


66











67





done












68



apply (auto)done






notation malt-SE (d

SE)


SE [] = failSE












69



((2 - = - -) [5 8 8 ]8 )translations



done


done


done













70










done



done






donenext


71



donenext


done



doneqed






oops




72







done



done





done



73


done



done



done



74








done









75


done








end

76

Bibliography











77












78



79

Introduction



Foundation

Policy Constructors

Override Operators

Coercion Operators

Elementary Policies


Common Instances



Flattening

Policy Composition




Range Splitting



Basic Properties








Example






Combine All Parts




Basic Properties


Related Work


Appendix






otimesnabla 100 )




| perp rArr perp



otimesnabla p = (


oplus((p Deny)

otimesorA (Dp g))))




done




1 F ) o f ) =(((N

otimes1 F1 ) o f )

oplus((N







1 F ) o f )) =((g o-f ((N

otimes1 F1 ) o f ))

oplus(g o-f ((N





30



2 F ) o f ) =(((N

otimes2 F1 ) o f )

oplus((N







2 F ) o f )) =((r o-f ((N

otimes2 F1 ) o f ))

oplus(r o-f ((N








oplus(g o-f ((N








oplus(g o-f ((N






31

done




theoryAnalysis


begin





Comparing Policies








32















33

















34






done

Miscellaneous



A q = poplus






done

end


theoryNormalisation

35


begin






oplusy)) l empty













36






done


done


done


done


done


done


done

37


done


done


done


done


done




qed





38



qedqed





done








qed

39










otimesL 54 ) where





otimes2L 55 ) where

xotimes


L y) (opotimes

2) d r)


done




oplusP2 )) o f )) =


(g o-f ((p N P2 ) o f ))))))

40




done



done



by simp



done



done


done




otimesL P2 ) (op

otimes1) r d)) x ))



otimes1 p) d)))

41





qed



otimesL P2 ) (op




otimes2 p) d)))





qed






otimesorA p) d)))




42


qedqed






otimesorD p) d)))





qed



1 B) o (λx (x x ))) = dom B




2 B) o (λx (x x ))) = dom B




(λ x (x x ))) = dom B

43









begin








44

done


done


done



done



done



45








done



done


done

end


theoryUPF

imports

46


begin



47

3 Example




theoryService

importsUPF

begin



Users









49







Health Records



The Web Service API






50











51







52




Sealed Envelopes








| x rArr perp)




| x rArr perp)




53

| x rArr perp)


oplusdeleteEntrySE

oplusreadEntrySE

oplusAU













addLRPolicyoplus

LR-Policy

oplusAU






54





















55

















oplusaddLRFunPolicy


oplusAU

Modelling Core RBAC




56





State Transition















57




Output


















58



o (λx (x x )))



end



importsService

begin









59










by (simp)









60










end

61


41 Related Work





63

5 Appendix


theoryMonads

importsMain

begin












65















done


done


done


66











67





done












68



apply (auto)done






notation malt-SE (d

SE)


SE [] = failSE












69



((2 - = - -) [5 8 8 ]8 )translations



done


done


done













70










done



done






donenext


71



donenext


done



doneqed






oops




72







done



done





done



73


done



done



done



74








done









75


done








end

76

Bibliography











77












78



79

Introduction



Foundation

Policy Constructors

Override Operators

Coercion Operators

Elementary Policies


Common Instances



Flattening

Policy Composition




Range Splitting



Basic Properties








Example






Combine All Parts




Basic Properties


Related Work


Appendix







2 F ) o f ) =(((N

otimes2 F1 ) o f )

oplus((N







2 F ) o f )) =((r o-f ((N

otimes2 F1 ) o f ))

oplus(r o-f ((N








oplus(g o-f ((N








oplus(g o-f ((N






31

done




theoryAnalysis


begin





Comparing Policies








32















33

















34






done

Miscellaneous



A q = poplus






done

end


theoryNormalisation

35


begin






oplusy)) l empty













36






done


done


done


done


done


done


done

37


done


done


done


done


done




qed





38



qedqed





done








qed

39










otimesL 54 ) where





otimes2L 55 ) where

xotimes


L y) (opotimes

2) d r)


done




oplusP2 )) o f )) =


(g o-f ((p N P2 ) o f ))))))

40




done



done



by simp



done



done


done




otimesL P2 ) (op

otimes1) r d)) x ))



otimes1 p) d)))

41





qed



otimesL P2 ) (op




otimes2 p) d)))





qed






otimesorA p) d)))




42


qedqed






otimesorD p) d)))





qed



1 B) o (λx (x x ))) = dom B




2 B) o (λx (x x ))) = dom B




(λ x (x x ))) = dom B

43









begin








44

done


done


done



done



done



45








done



done


done

end


theoryUPF

imports

46


begin



47

3 Example




theoryService

importsUPF

begin



Users









49







Health Records



The Web Service API






50











51







52




Sealed Envelopes








| x rArr perp)




| x rArr perp)




53

| x rArr perp)


oplusdeleteEntrySE

oplusreadEntrySE

oplusAU













addLRPolicyoplus

LR-Policy

oplusAU






54





















55

















oplusaddLRFunPolicy


oplusAU

Modelling Core RBAC




56





State Transition















57




Output


















58



o (λx (x x )))



end



importsService

begin









59










by (simp)









60










end

61


41 Related Work





63

5 Appendix


theoryMonads

importsMain

begin












65















done


done


done


66











67





done












68



apply (auto)done






notation malt-SE (d

SE)


SE [] = failSE












69



((2 - = - -) [5 8 8 ]8 )translations



done


done


done













70










done



done






donenext


71



donenext


done



doneqed






oops




72







done



done





done



73


done



done



done



74








done









75


done








end

76

Bibliography











77












78



79

Introduction



Foundation

Policy Constructors

Override Operators

Coercion Operators

Elementary Policies


Common Instances



Flattening

Policy Composition




Range Splitting



Basic Properties








Example






Combine All Parts




Basic Properties


Related Work


Appendix





done




theoryAnalysis


begin





Comparing Policies








32















33

















34






done

Miscellaneous



A q = poplus






done

end


theoryNormalisation

35


begin






oplusy)) l empty













36






done


done


done


done


done


done


done

37


done


done


done


done


done




qed





38



qedqed





done








qed

39










otimesL 54 ) where





otimes2L 55 ) where

xotimes


L y) (opotimes

2) d r)


done




oplusP2 )) o f )) =


(g o-f ((p N P2 ) o f ))))))

40




done



done



by simp



done



done


done




otimesL P2 ) (op

otimes1) r d)) x ))



otimes1 p) d)))

41





qed



otimesL P2 ) (op




otimes2 p) d)))





qed






otimesorA p) d)))




42


qedqed






otimesorD p) d)))





qed



1 B) o (λx (x x ))) = dom B




2 B) o (λx (x x ))) = dom B




(λ x (x x ))) = dom B

43









begin








44

done


done


done



done



done



45








done



done


done

end


theoryUPF

imports

46


begin



47

3 Example




theoryService

importsUPF

begin



Users









49







Health Records



The Web Service API






50











51







52




Sealed Envelopes








| x rArr perp)




| x rArr perp)




53

| x rArr perp)


oplusdeleteEntrySE

oplusreadEntrySE

oplusAU













addLRPolicyoplus

LR-Policy

oplusAU






54





















55

















oplusaddLRFunPolicy


oplusAU

Modelling Core RBAC




56





State Transition















57




Output


















58



o (λx (x x )))



end



importsService

begin









59










by (simp)









60










end

61


41 Related Work





63

5 Appendix


theoryMonads

importsMain

begin












65















done


done


done


66











67





done












68



apply (auto)done






notation malt-SE (d

SE)


SE [] = failSE












69



((2 - = - -) [5 8 8 ]8 )translations



done


done


done













70










done



done






donenext


71



donenext


done



doneqed






oops




72







done



done





done



73


done



done



done



74








done









75


done








end

76

Bibliography











77












78



79

Introduction



Foundation

Policy Constructors

Override Operators

Coercion Operators

Elementary Policies


Common Instances



Flattening

Policy Composition




Range Splitting



Basic Properties








Example






Combine All Parts




Basic Properties


Related Work


Appendix



















33

















34






done

Miscellaneous



A q = poplus






done

end


theoryNormalisation

35


begin






oplusy)) l empty













36






done


done


done


done


done


done


done

37


done


done


done


done


done




qed





38



qedqed





done








qed

39










otimesL 54 ) where





otimes2L 55 ) where

xotimes


L y) (opotimes

2) d r)


done




oplusP2 )) o f )) =


(g o-f ((p N P2 ) o f ))))))

40




done



done



by simp



done



done


done




otimesL P2 ) (op

otimes1) r d)) x ))



otimes1 p) d)))

41





qed



otimesL P2 ) (op




otimes2 p) d)))





qed






otimesorA p) d)))




42


qedqed






otimesorD p) d)))





qed



1 B) o (λx (x x ))) = dom B




2 B) o (λx (x x ))) = dom B




(λ x (x x ))) = dom B

43









begin








44

done


done


done



done



done



45








done



done


done

end


theoryUPF

imports

46


begin



47

3 Example




theoryService

importsUPF

begin



Users









49







Health Records



The Web Service API






50











51







52




Sealed Envelopes








| x rArr perp)




| x rArr perp)




53

| x rArr perp)


oplusdeleteEntrySE

oplusreadEntrySE

oplusAU













addLRPolicyoplus

LR-Policy

oplusAU






54





















55

















oplusaddLRFunPolicy


oplusAU

Modelling Core RBAC




56





State Transition















57




Output


















58



o (λx (x x )))



end



importsService

begin









59










by (simp)









60










end

61


41 Related Work





63

5 Appendix


theoryMonads

importsMain

begin












65















done


done


done


66











67





done












68



apply (auto)done






notation malt-SE (d

SE)


SE [] = failSE












69



((2 - = - -) [5 8 8 ]8 )translations



done


done


done













70










done



done






donenext


71



donenext


done



doneqed






oops




72







done



done





done



73


done



done



done



74








done









75


done








end

76

Bibliography











77












78



79

Introduction



Foundation

Policy Constructors

Override Operators

Coercion Operators

Elementary Policies


Common Instances



Flattening

Policy Composition




Range Splitting



Basic Properties








Example






Combine All Parts




Basic Properties


Related Work


Appendix





















34






done

Miscellaneous



A q = poplus






done

end


theoryNormalisation

35


begin






oplusy)) l empty













36






done


done


done


done


done


done


done

37


done


done


done


done


done




qed





38



qedqed





done








qed

39










otimesL 54 ) where





otimes2L 55 ) where

xotimes


L y) (opotimes

2) d r)


done




oplusP2 )) o f )) =


(g o-f ((p N P2 ) o f ))))))

40




done



done



by simp



done



done


done




otimesL P2 ) (op

otimes1) r d)) x ))



otimes1 p) d)))

41





qed



otimesL P2 ) (op




otimes2 p) d)))





qed






otimesorA p) d)))




42


qedqed






otimesorD p) d)))





qed



1 B) o (λx (x x ))) = dom B




2 B) o (λx (x x ))) = dom B




(λ x (x x ))) = dom B

43









begin








44

done


done


done



done



done



45








done



done


done

end


theoryUPF

imports

46


begin



47

3 Example




theoryService

importsUPF

begin



Users









49







Health Records



The Web Service API






50











51







52




Sealed Envelopes








| x rArr perp)




| x rArr perp)




53

| x rArr perp)


oplusdeleteEntrySE

oplusreadEntrySE

oplusAU













addLRPolicyoplus

LR-Policy

oplusAU






54





















55

















oplusaddLRFunPolicy


oplusAU

Modelling Core RBAC




56





State Transition















57




Output


















58



o (λx (x x )))



end



importsService

begin









59










by (simp)









60










end

61


41 Related Work





63

5 Appendix


theoryMonads

importsMain

begin












65















done


done


done


66











67





done












68



apply (auto)done






notation malt-SE (d

SE)


SE [] = failSE












69



((2 - = - -) [5 8 8 ]8 )translations



done


done


done













70










done



done






donenext


71



donenext


done



doneqed






oops




72







done



done





done



73


done



done



done



74








done









75


done








end

76

Bibliography











77












78



79

Introduction



Foundation

Policy Constructors

Override Operators

Coercion Operators

Elementary Policies


Common Instances



Flattening

Policy Composition




Range Splitting



Basic Properties








Example






Combine All Parts




Basic Properties


Related Work


Appendix










done

Miscellaneous



A q = poplus






done

end


theoryNormalisation

35


begin






oplusy)) l empty













36






done


done


done


done


done


done


done

37


done


done


done


done


done




qed





38



qedqed





done








qed

39










otimesL 54 ) where





otimes2L 55 ) where

xotimes


L y) (opotimes

2) d r)


done




oplusP2 )) o f )) =


(g o-f ((p N P2 ) o f ))))))

40




done



done



by simp



done



done


done




otimesL P2 ) (op

otimes1) r d)) x ))



otimes1 p) d)))

41





qed



otimesL P2 ) (op




otimes2 p) d)))





qed






otimesorA p) d)))




42


qedqed






otimesorD p) d)))





qed



1 B) o (λx (x x ))) = dom B




2 B) o (λx (x x ))) = dom B




(λ x (x x ))) = dom B

43









begin








44

done


done


done



done



done



45








done



done


done

end


theoryUPF

imports

46


begin



47

3 Example




theoryService

importsUPF

begin



Users









49







Health Records



The Web Service API






50











51







52




Sealed Envelopes








| x rArr perp)




| x rArr perp)




53

| x rArr perp)


oplusdeleteEntrySE

oplusreadEntrySE

oplusAU













addLRPolicyoplus

LR-Policy

oplusAU






54





















55

















oplusaddLRFunPolicy


oplusAU

Modelling Core RBAC




56





State Transition















57




Output


















58



o (λx (x x )))



end



importsService

begin









59










by (simp)









60










end

61


41 Related Work





63

5 Appendix


theoryMonads

importsMain

begin












65















done


done


done


66











67





done












68



apply (auto)done






notation malt-SE (d

SE)


SE [] = failSE












69



((2 - = - -) [5 8 8 ]8 )translations



done


done


done













70










done



done






donenext


71



donenext


done



doneqed






oops




72







done



done





done



73


done



done



done



74








done









75


done








end

76

Bibliography











77












78



79

Introduction



Foundation

Policy Constructors

Override Operators

Coercion Operators

Elementary Policies


Common Instances



Flattening

Policy Composition




Range Splitting



Basic Properties








Example






Combine All Parts




Basic Properties


Related Work


Appendix






begin






oplusy)) l empty













36






done


done


done


done


done


done


done

37


done


done


done


done


done




qed





38



qedqed





done








qed

39










otimesL 54 ) where





otimes2L 55 ) where

xotimes


L y) (opotimes

2) d r)


done




oplusP2 )) o f )) =


(g o-f ((p N P2 ) o f ))))))

40




done



done



by simp



done



done


done




otimesL P2 ) (op

otimes1) r d)) x ))



otimes1 p) d)))

41





qed



otimesL P2 ) (op




otimes2 p) d)))





qed






otimesorA p) d)))




42


qedqed






otimesorD p) d)))





qed



1 B) o (λx (x x ))) = dom B




2 B) o (λx (x x ))) = dom B




(λ x (x x ))) = dom B

43









begin








44

done


done


done



done



done



45








done



done


done

end


theoryUPF

imports

46


begin



47

3 Example




theoryService

importsUPF

begin



Users









49







Health Records



The Web Service API






50











51







52




Sealed Envelopes








| x rArr perp)




| x rArr perp)




53

| x rArr perp)


oplusdeleteEntrySE

oplusreadEntrySE

oplusAU













addLRPolicyoplus

LR-Policy

oplusAU






54





















55

















oplusaddLRFunPolicy


oplusAU

Modelling Core RBAC




56





State Transition















57




Output


















58



o (λx (x x )))



end



importsService

begin









59










by (simp)









60










end

61


41 Related Work





63

5 Appendix


theoryMonads

importsMain

begin












65















done


done


done


66











67





done












68



apply (auto)done






notation malt-SE (d

SE)


SE [] = failSE












69



((2 - = - -) [5 8 8 ]8 )translations



done


done


done













70










done



done






donenext


71



donenext


done



doneqed






oops




72







done



done





done



73


done



done



done



74








done









75


done








end

76

Bibliography











77












78



79

Introduction



Foundation

Policy Constructors

Override Operators

Coercion Operators

Elementary Policies


Common Instances



Flattening

Policy Composition




Range Splitting



Basic Properties








Example






Combine All Parts




Basic Properties


Related Work


Appendix










done


done


done


done


done


done


done

37


done


done


done


done


done




qed





38



qedqed





done








qed

39










otimesL 54 ) where





otimes2L 55 ) where

xotimes


L y) (opotimes

2) d r)


done




oplusP2 )) o f )) =


(g o-f ((p N P2 ) o f ))))))

40




done



done



by simp



done



done


done




otimesL P2 ) (op

otimes1) r d)) x ))



otimes1 p) d)))

41





qed



otimesL P2 ) (op




otimes2 p) d)))





qed






otimesorA p) d)))




42


qedqed






otimesorD p) d)))





qed



1 B) o (λx (x x ))) = dom B




2 B) o (λx (x x ))) = dom B




(λ x (x x ))) = dom B

43









begin








44

done


done


done



done



done



45








done



done


done

end


theoryUPF

imports

46


begin



47

3 Example




theoryService

importsUPF

begin



Users









49







Health Records



The Web Service API






50











51







52




Sealed Envelopes








| x rArr perp)




| x rArr perp)




53

| x rArr perp)


oplusdeleteEntrySE

oplusreadEntrySE

oplusAU













addLRPolicyoplus

LR-Policy

oplusAU






54





















55

















oplusaddLRFunPolicy


oplusAU

Modelling Core RBAC




56





State Transition















57




Output


















58



o (λx (x x )))



end



importsService

begin









59










by (simp)









60










end

61


41 Related Work





63

5 Appendix


theoryMonads

importsMain

begin












65















done


done


done


66











67





done












68



apply (auto)done






notation malt-SE (d

SE)


SE [] = failSE












69



((2 - = - -) [5 8 8 ]8 )translations



done


done


done













70










done



done






donenext


71



donenext


done



doneqed






oops




72







done



done





done



73


done



done



done



74








done









75


done








end

76

Bibliography











77












78



79

Introduction



Foundation

Policy Constructors

Override Operators

Coercion Operators

Elementary Policies


Common Instances



Flattening

Policy Composition




Range Splitting



Basic Properties








Example






Combine All Parts




Basic Properties


Related Work


Appendix






done


done


done


done


done




qed





38



qedqed





done








qed

39










otimesL 54 ) where





otimes2L 55 ) where

xotimes


L y) (opotimes

2) d r)


done




oplusP2 )) o f )) =


(g o-f ((p N P2 ) o f ))))))

40




done



done



by simp



done



done


done




otimesL P2 ) (op

otimes1) r d)) x ))



otimes1 p) d)))

41





qed



otimesL P2 ) (op




otimes2 p) d)))





qed






otimesorA p) d)))




42


qedqed






otimesorD p) d)))





qed



1 B) o (λx (x x ))) = dom B




2 B) o (λx (x x ))) = dom B




(λ x (x x ))) = dom B

43









begin








44

done


done


done



done



done



45








done



done


done

end


theoryUPF

imports

46


begin



47

3 Example




theoryService

importsUPF

begin



Users









49







Health Records



The Web Service API






50











51







52




Sealed Envelopes








| x rArr perp)




| x rArr perp)




53

| x rArr perp)


oplusdeleteEntrySE

oplusreadEntrySE

oplusAU













addLRPolicyoplus

LR-Policy

oplusAU






54





















55

















oplusaddLRFunPolicy


oplusAU

Modelling Core RBAC




56





State Transition















57




Output


















58



o (λx (x x )))



end



importsService

begin









59










by (simp)









60










end

61


41 Related Work





63

5 Appendix


theoryMonads

importsMain

begin












65















done


done


done


66











67





done












68



apply (auto)done






notation malt-SE (d

SE)


SE [] = failSE












69



((2 - = - -) [5 8 8 ]8 )translations



done


done


done













70










done



done






donenext


71



donenext


done



doneqed






oops




72







done



done





done



73


done



done



done



74








done









75


done








end

76

Bibliography











77












78



79

Introduction



Foundation

Policy Constructors

Override Operators

Coercion Operators

Elementary Policies


Common Instances



Flattening

Policy Composition




Range Splitting



Basic Properties








Example






Combine All Parts




Basic Properties


Related Work


Appendix







qedqed





done








qed

39










otimesL 54 ) where





otimes2L 55 ) where

xotimes


L y) (opotimes

2) d r)


done




oplusP2 )) o f )) =


(g o-f ((p N P2 ) o f ))))))

40




done



done



by simp



done



done


done




otimesL P2 ) (op

otimes1) r d)) x ))



otimes1 p) d)))

41





qed



otimesL P2 ) (op




otimes2 p) d)))





qed






otimesorA p) d)))




42


qedqed






otimesorD p) d)))





qed



1 B) o (λx (x x ))) = dom B




2 B) o (λx (x x ))) = dom B




(λ x (x x ))) = dom B

43









begin








44

done


done


done



done



done



45








done



done


done

end


theoryUPF

imports

46


begin



47

3 Example




theoryService

importsUPF

begin



Users









49







Health Records



The Web Service API






50











51







52




Sealed Envelopes








| x rArr perp)




| x rArr perp)




53

| x rArr perp)


oplusdeleteEntrySE

oplusreadEntrySE

oplusAU













addLRPolicyoplus

LR-Policy

oplusAU






54





















55

















oplusaddLRFunPolicy


oplusAU

Modelling Core RBAC




56





State Transition















57




Output


















58



o (λx (x x )))



end



importsService

begin









59










by (simp)









60










end

61


41 Related Work





63

5 Appendix


theoryMonads

importsMain

begin












65















done


done


done


66











67





done












68



apply (auto)done






notation malt-SE (d

SE)


SE [] = failSE












69



((2 - = - -) [5 8 8 ]8 )translations



done


done


done













70










done



done






donenext


71



donenext


done



doneqed






oops




72







done



done





done



73


done



done



done



74








done









75


done








end

76

Bibliography











77












78



79

Introduction



Foundation

Policy Constructors

Override Operators

Coercion Operators

Elementary Policies


Common Instances



Flattening

Policy Composition




Range Splitting



Basic Properties








Example






Combine All Parts




Basic Properties


Related Work


Appendix














otimesL 54 ) where





otimes2L 55 ) where

xotimes


L y) (opotimes

2) d r)


done




oplusP2 )) o f )) =


(g o-f ((p N P2 ) o f ))))))

40




done



done



by simp



done



done


done




otimesL P2 ) (op

otimes1) r d)) x ))



otimes1 p) d)))

41





qed



otimesL P2 ) (op




otimes2 p) d)))





qed






otimesorA p) d)))




42


qedqed






otimesorD p) d)))





qed



1 B) o (λx (x x ))) = dom B




2 B) o (λx (x x ))) = dom B




(λ x (x x ))) = dom B

43









begin








44

done


done


done



done



done



45








done



done


done

end


theoryUPF

imports

46


begin



47

3 Example




theoryService

importsUPF

begin



Users









49







Health Records



The Web Service API






50











51







52




Sealed Envelopes








| x rArr perp)




| x rArr perp)




53

| x rArr perp)


oplusdeleteEntrySE

oplusreadEntrySE

oplusAU













addLRPolicyoplus

LR-Policy

oplusAU






54





















55

















oplusaddLRFunPolicy


oplusAU

Modelling Core RBAC




56





State Transition















57




Output


















58



o (λx (x x )))



end



importsService

begin









59










by (simp)









60










end

61


41 Related Work





63

5 Appendix


theoryMonads

importsMain

begin












65















done


done


done


66











67





done












68



apply (auto)done






notation malt-SE (d

SE)


SE [] = failSE












69



((2 - = - -) [5 8 8 ]8 )translations



done


done


done













70










done



done






donenext


71



donenext


done



doneqed






oops




72







done



done





done



73


done



done



done



74








done









75


done








end

76

Bibliography











77












78



79

Introduction



Foundation

Policy Constructors

Override Operators

Coercion Operators

Elementary Policies


Common Instances



Flattening

Policy Composition




Range Splitting



Basic Properties








Example






Combine All Parts




Basic Properties


Related Work


Appendix








done



done



by simp



done



done


done




otimesL P2 ) (op

otimes1) r d)) x ))



otimes1 p) d)))

41





qed



otimesL P2 ) (op




otimes2 p) d)))





qed






otimesorA p) d)))




42


qedqed






otimesorD p) d)))





qed



1 B) o (λx (x x ))) = dom B




2 B) o (λx (x x ))) = dom B




(λ x (x x ))) = dom B

43









begin








44

done


done


done



done



done



45








done



done


done

end


theoryUPF

imports

46


begin



47

3 Example




theoryService

importsUPF

begin



Users









49







Health Records



The Web Service API






50











51







52




Sealed Envelopes








| x rArr perp)




| x rArr perp)




53

| x rArr perp)


oplusdeleteEntrySE

oplusreadEntrySE

oplusAU













addLRPolicyoplus

LR-Policy

oplusAU






54





















55

















oplusaddLRFunPolicy


oplusAU

Modelling Core RBAC




56





State Transition















57




Output


















58



o (λx (x x )))



end



importsService

begin









59










by (simp)









60










end

61


41 Related Work





63

5 Appendix


theoryMonads

importsMain

begin












65















done


done


done


66











67





done












68



apply (auto)done






notation malt-SE (d

SE)


SE [] = failSE












69



((2 - = - -) [5 8 8 ]8 )translations



done


done


done













70










done



done






donenext


71



donenext


done



doneqed






oops




72







done



done





done



73


done



done



done



74








done









75


done








end

76

Bibliography











77












78



79

Introduction



Foundation

Policy Constructors

Override Operators

Coercion Operators

Elementary Policies


Common Instances



Flattening

Policy Composition




Range Splitting



Basic Properties








Example






Combine All Parts




Basic Properties


Related Work


Appendix









qed



otimesL P2 ) (op




otimes2 p) d)))





qed






otimesorA p) d)))




42


qedqed






otimesorD p) d)))





qed



1 B) o (λx (x x ))) = dom B




2 B) o (λx (x x ))) = dom B




(λ x (x x ))) = dom B

43









begin








44

done


done


done



done



done



45








done



done


done

end


theoryUPF

imports

46


begin



47

3 Example




theoryService

importsUPF

begin



Users









49







Health Records



The Web Service API






50











51







52




Sealed Envelopes








| x rArr perp)




| x rArr perp)




53

| x rArr perp)


oplusdeleteEntrySE

oplusreadEntrySE

oplusAU













addLRPolicyoplus

LR-Policy

oplusAU






54





















55

















oplusaddLRFunPolicy


oplusAU

Modelling Core RBAC




56





State Transition















57




Output


















58



o (λx (x x )))



end



importsService

begin









59










by (simp)









60










end

61


41 Related Work





63

5 Appendix


theoryMonads

importsMain

begin












65















done


done


done


66











67





done












68



apply (auto)done






notation malt-SE (d

SE)


SE [] = failSE












69



((2 - = - -) [5 8 8 ]8 )translations



done


done


done













70










done



done






donenext


71



donenext


done



doneqed






oops




72







done



done





done



73


done



done



done



74








done









75


done








end

76

Bibliography











77












78



79

Introduction



Foundation

Policy Constructors

Override Operators

Coercion Operators

Elementary Policies


Common Instances



Flattening

Policy Composition




Range Splitting



Basic Properties








Example






Combine All Parts




Basic Properties


Related Work


Appendix






qedqed






otimesorD p) d)))





qed



1 B) o (λx (x x ))) = dom B




2 B) o (λx (x x ))) = dom B




(λ x (x x ))) = dom B

43









begin








44

done


done


done



done



done



45








done



done


done

end


theoryUPF

imports

46


begin



47

3 Example




theoryService

importsUPF

begin



Users









49







Health Records



The Web Service API






50











51







52




Sealed Envelopes








| x rArr perp)




| x rArr perp)




53

| x rArr perp)


oplusdeleteEntrySE

oplusreadEntrySE

oplusAU













addLRPolicyoplus

LR-Policy

oplusAU






54





















55

















oplusaddLRFunPolicy


oplusAU

Modelling Core RBAC




56





State Transition















57




Output


















58



o (λx (x x )))



end



importsService

begin









59










by (simp)









60










end

61


41 Related Work





63

5 Appendix


theoryMonads

importsMain

begin












65















done


done


done


66











67





done












68



apply (auto)done






notation malt-SE (d

SE)


SE [] = failSE












69



((2 - = - -) [5 8 8 ]8 )translations



done


done


done













70










done



done






donenext


71



donenext


done



doneqed






oops




72







done



done





done



73


done



done



done



74








done









75


done








end

76

Bibliography











77












78



79

Introduction



Foundation

Policy Constructors

Override Operators

Coercion Operators

Elementary Policies


Common Instances



Flattening

Policy Composition




Range Splitting



Basic Properties








Example






Combine All Parts




Basic Properties


Related Work


Appendix













begin








44

done


done


done



done



done



45








done



done


done

end


theoryUPF

imports

46


begin



47

3 Example




theoryService

importsUPF

begin



Users









49







Health Records



The Web Service API






50











51







52




Sealed Envelopes








| x rArr perp)




| x rArr perp)




53

| x rArr perp)


oplusdeleteEntrySE

oplusreadEntrySE

oplusAU













addLRPolicyoplus

LR-Policy

oplusAU






54





















55

















oplusaddLRFunPolicy


oplusAU

Modelling Core RBAC




56





State Transition















57




Output


















58



o (λx (x x )))



end



importsService

begin









59










by (simp)









60










end

61


41 Related Work





63

5 Appendix


theoryMonads

importsMain

begin












65















done


done


done


66











67





done












68



apply (auto)done






notation malt-SE (d

SE)


SE [] = failSE












69



((2 - = - -) [5 8 8 ]8 )translations



done


done


done













70










done



done






donenext


71



donenext


done



doneqed






oops




72







done



done





done



73


done



done



done



74








done









75


done








end

76

Bibliography











77












78



79

Introduction



Foundation

Policy Constructors

Override Operators

Coercion Operators

Elementary Policies


Common Instances



Flattening

Policy Composition




Range Splitting



Basic Properties








Example






Combine All Parts




Basic Properties


Related Work


Appendix





done


done


done



done



done



45








done



done


done

end


theoryUPF

imports

46


begin



47

3 Example




theoryService

importsUPF

begin



Users









49







Health Records



The Web Service API






50











51







52




Sealed Envelopes








| x rArr perp)




| x rArr perp)




53

| x rArr perp)


oplusdeleteEntrySE

oplusreadEntrySE

oplusAU













addLRPolicyoplus

LR-Policy

oplusAU






54





















55

















oplusaddLRFunPolicy


oplusAU

Modelling Core RBAC




56





State Transition















57




Output


















58



o (λx (x x )))



end



importsService

begin









59










by (simp)









60










end

61


41 Related Work





63

5 Appendix


theoryMonads

importsMain

begin












65















done


done


done


66











67





done












68



apply (auto)done






notation malt-SE (d

SE)


SE [] = failSE












69



((2 - = - -) [5 8 8 ]8 )translations



done


done


done













70










done



done






donenext


71



donenext


done



doneqed






oops




72







done



done





done



73


done



done



done



74








done









75


done








end

76

Bibliography











77












78



79

Introduction



Foundation

Policy Constructors

Override Operators

Coercion Operators

Elementary Policies


Common Instances



Flattening

Policy Composition




Range Splitting



Basic Properties








Example






Combine All Parts




Basic Properties


Related Work


Appendix












done



done


done

end


theoryUPF

imports

46


begin



47

3 Example




theoryService

importsUPF

begin



Users









49







Health Records



The Web Service API






50











51







52




Sealed Envelopes








| x rArr perp)




| x rArr perp)




53

| x rArr perp)


oplusdeleteEntrySE

oplusreadEntrySE

oplusAU













addLRPolicyoplus

LR-Policy

oplusAU






54





















55

















oplusaddLRFunPolicy


oplusAU

Modelling Core RBAC




56





State Transition















57




Output


















58



o (λx (x x )))



end



importsService

begin









59










by (simp)









60










end

61


41 Related Work





63

5 Appendix


theoryMonads

importsMain

begin












65















done


done


done


66











67





done












68



apply (auto)done






notation malt-SE (d

SE)


SE [] = failSE












69



((2 - = - -) [5 8 8 ]8 )translations



done


done


done













70










done



done






donenext


71



donenext


done



doneqed






oops




72







done



done





done



73


done



done



done



74








done









75


done








end

76

Bibliography











77












78



79

Introduction



Foundation

Policy Constructors

Override Operators

Coercion Operators

Elementary Policies


Common Instances



Flattening

Policy Composition




Range Splitting



Basic Properties








Example






Combine All Parts




Basic Properties


Related Work


Appendix






begin



47

3 Example




theoryService

importsUPF

begin



Users









49







Health Records



The Web Service API






50











51







52




Sealed Envelopes








| x rArr perp)




| x rArr perp)




53

| x rArr perp)


oplusdeleteEntrySE

oplusreadEntrySE

oplusAU













addLRPolicyoplus

LR-Policy

oplusAU






54





















55

















oplusaddLRFunPolicy


oplusAU

Modelling Core RBAC




56





State Transition















57




Output


















58



o (λx (x x )))



end



importsService

begin









59










by (simp)









60










end

61


41 Related Work





63

5 Appendix


theoryMonads

importsMain

begin












65















done


done


done


66











67





done












68



apply (auto)done






notation malt-SE (d

SE)


SE [] = failSE












69



((2 - = - -) [5 8 8 ]8 )translations



done


done


done













70










done



done






donenext


71



donenext


done



doneqed






oops




72







done



done





done



73


done



done



done



74








done









75


done








end

76

Bibliography











77












78



79

Introduction



Foundation

Policy Constructors

Override Operators

Coercion Operators

Elementary Policies


Common Instances



Flattening

Policy Composition




Range Splitting



Basic Properties








Example






Combine All Parts




Basic Properties


Related Work


Appendix





3 Example




theoryService

importsUPF

begin



Users









49







Health Records



The Web Service API






50











51







52




Sealed Envelopes








| x rArr perp)




| x rArr perp)




53

| x rArr perp)


oplusdeleteEntrySE

oplusreadEntrySE

oplusAU













addLRPolicyoplus

LR-Policy

oplusAU






54





















55

















oplusaddLRFunPolicy


oplusAU

Modelling Core RBAC




56





State Transition















57




Output


















58



o (λx (x x )))



end



importsService

begin









59










by (simp)









60










end

61


41 Related Work





63

5 Appendix


theoryMonads

importsMain

begin












65















done


done


done


66











67





done












68



apply (auto)done






notation malt-SE (d

SE)


SE [] = failSE












69



((2 - = - -) [5 8 8 ]8 )translations



done


done


done













70










done



done






donenext


71



donenext


done



doneqed






oops




72







done



done





done



73


done



done



done



74








done









75


done








end

76

Bibliography











77












78



79

Introduction



Foundation

Policy Constructors

Override Operators

Coercion Operators

Elementary Policies


Common Instances



Flattening

Policy Composition




Range Splitting



Basic Properties








Example






Combine All Parts




Basic Properties


Related Work


Appendix











Health Records



The Web Service API






50











51







52




Sealed Envelopes








| x rArr perp)




| x rArr perp)




53

| x rArr perp)


oplusdeleteEntrySE

oplusreadEntrySE

oplusAU













addLRPolicyoplus

LR-Policy

oplusAU






54





















55

















oplusaddLRFunPolicy


oplusAU

Modelling Core RBAC




56





State Transition















57




Output


















58



o (λx (x x )))



end



importsService

begin









59










by (simp)









60










end

61


41 Related Work





63

5 Appendix


theoryMonads

importsMain

begin












65















done


done


done


66











67





done












68



apply (auto)done






notation malt-SE (d

SE)


SE [] = failSE












69



((2 - = - -) [5 8 8 ]8 )translations



done


done


done













70










done



done






donenext


71



donenext


done



doneqed






oops




72







done



done





done



73


done



done



done



74








done









75


done








end

76

Bibliography











77












78



79

Introduction



Foundation

Policy Constructors

Override Operators

Coercion Operators

Elementary Policies


Common Instances



Flattening

Policy Composition




Range Splitting



Basic Properties








Example






Combine All Parts




Basic Properties


Related Work


Appendix















51







52




Sealed Envelopes








| x rArr perp)




| x rArr perp)




53

| x rArr perp)


oplusdeleteEntrySE

oplusreadEntrySE

oplusAU













addLRPolicyoplus

LR-Policy

oplusAU






54





















55

















oplusaddLRFunPolicy


oplusAU

Modelling Core RBAC




56





State Transition















57




Output


















58



o (λx (x x )))



end



importsService

begin









59










by (simp)









60










end

61


41 Related Work





63

5 Appendix


theoryMonads

importsMain

begin












65















done


done


done


66











67





done












68



apply (auto)done






notation malt-SE (d

SE)


SE [] = failSE












69



((2 - = - -) [5 8 8 ]8 )translations



done


done


done













70










done



done






donenext


71



donenext


done



doneqed






oops




72







done



done





done



73


done



done



done



74








done









75


done








end

76

Bibliography











77












78



79

Introduction



Foundation

Policy Constructors

Override Operators

Coercion Operators

Elementary Policies


Common Instances



Flattening

Policy Composition




Range Splitting



Basic Properties








Example






Combine All Parts




Basic Properties


Related Work


Appendix











52




Sealed Envelopes








| x rArr perp)




| x rArr perp)




53

| x rArr perp)


oplusdeleteEntrySE

oplusreadEntrySE

oplusAU













addLRPolicyoplus

LR-Policy

oplusAU






54





















55

















oplusaddLRFunPolicy


oplusAU

Modelling Core RBAC




56





State Transition















57




Output


















58



o (λx (x x )))



end



importsService

begin









59










by (simp)









60










end

61


41 Related Work





63

5 Appendix


theoryMonads

importsMain

begin












65















done


done


done


66











67





done












68



apply (auto)done






notation malt-SE (d

SE)


SE [] = failSE












69



((2 - = - -) [5 8 8 ]8 )translations



done


done


done













70










done



done






donenext


71



donenext


done



doneqed






oops




72







done



done





done



73


done



done



done



74








done









75


done








end

76

Bibliography











77












78



79

Introduction



Foundation

Policy Constructors

Override Operators

Coercion Operators

Elementary Policies


Common Instances



Flattening

Policy Composition




Range Splitting



Basic Properties








Example






Combine All Parts




Basic Properties


Related Work


Appendix








Sealed Envelopes








| x rArr perp)




| x rArr perp)




53

| x rArr perp)


oplusdeleteEntrySE

oplusreadEntrySE

oplusAU













addLRPolicyoplus

LR-Policy

oplusAU






54





















55

















oplusaddLRFunPolicy


oplusAU

Modelling Core RBAC




56





State Transition















57




Output


















58



o (λx (x x )))



end



importsService

begin









59










by (simp)









60










end

61


41 Related Work





63

5 Appendix


theoryMonads

importsMain

begin












65















done


done


done


66











67





done












68



apply (auto)done






notation malt-SE (d

SE)


SE [] = failSE












69



((2 - = - -) [5 8 8 ]8 )translations



done


done


done













70










done



done






donenext


71



donenext


done



doneqed






oops




72







done



done





done



73


done



done



done



74








done









75


done








end

76

Bibliography











77












78



79

Introduction



Foundation

Policy Constructors

Override Operators

Coercion Operators

Elementary Policies


Common Instances



Flattening

Policy Composition




Range Splitting



Basic Properties








Example






Combine All Parts




Basic Properties


Related Work


Appendix





| x rArr perp)


oplusdeleteEntrySE

oplusreadEntrySE

oplusAU













addLRPolicyoplus

LR-Policy

oplusAU






54





















55

















oplusaddLRFunPolicy


oplusAU

Modelling Core RBAC




56





State Transition















57




Output


















58



o (λx (x x )))



end



importsService

begin









59










by (simp)









60










end

61


41 Related Work





63

5 Appendix


theoryMonads

importsMain

begin












65















done


done


done


66











67





done












68



apply (auto)done






notation malt-SE (d

SE)


SE [] = failSE












69



((2 - = - -) [5 8 8 ]8 )translations



done


done


done













70










done



done






donenext


71



donenext


done



doneqed






oops




72







done



done





done



73


done



done



done



74








done









75


done








end

76

Bibliography











77












78



79

Introduction



Foundation

Policy Constructors

Override Operators

Coercion Operators

Elementary Policies


Common Instances



Flattening

Policy Composition




Range Splitting



Basic Properties








Example






Combine All Parts




Basic Properties


Related Work


Appendix

























55

















oplusaddLRFunPolicy


oplusAU

Modelling Core RBAC




56





State Transition















57




Output


















58



o (λx (x x )))



end



importsService

begin









59










by (simp)









60










end

61


41 Related Work





63

5 Appendix


theoryMonads

importsMain

begin












65















done


done


done


66











67





done












68



apply (auto)done






notation malt-SE (d

SE)


SE [] = failSE












69



((2 - = - -) [5 8 8 ]8 )translations



done


done


done













70










done



done






donenext


71



donenext


done



doneqed






oops




72







done



done





done



73


done



done



done



74








done









75


done








end

76

Bibliography











77












78



79

Introduction



Foundation

Policy Constructors

Override Operators

Coercion Operators

Elementary Policies


Common Instances



Flattening

Policy Composition




Range Splitting



Basic Properties








Example






Combine All Parts




Basic Properties


Related Work


Appendix





















oplusaddLRFunPolicy


oplusAU

Modelling Core RBAC




56





State Transition















57




Output


















58



o (λx (x x )))



end



importsService

begin









59










by (simp)









60










end

61


41 Related Work





63

5 Appendix


theoryMonads

importsMain

begin












65















done


done


done


66











67





done












68



apply (auto)done






notation malt-SE (d

SE)


SE [] = failSE












69



((2 - = - -) [5 8 8 ]8 )translations



done


done


done













70










done



done






donenext


71



donenext


done



doneqed






oops




72







done



done





done



73


done



done



done



74








done









75


done








end

76

Bibliography











77












78



79

Introduction



Foundation

Policy Constructors

Override Operators

Coercion Operators

Elementary Policies


Common Instances



Flattening

Policy Composition




Range Splitting



Basic Properties








Example






Combine All Parts




Basic Properties


Related Work


Appendix









State Transition















57




Output


















58



o (λx (x x )))



end



importsService

begin









59










by (simp)









60










end

61


41 Related Work





63

5 Appendix


theoryMonads

importsMain

begin












65















done


done


done


66











67





done












68



apply (auto)done






notation malt-SE (d

SE)


SE [] = failSE












69



((2 - = - -) [5 8 8 ]8 )translations



done


done


done













70










done



done






donenext


71



donenext


done



doneqed






oops




72







done



done





done



73


done



done



done



74








done









75


done








end

76

Bibliography











77












78



79

Introduction



Foundation

Policy Constructors

Override Operators

Coercion Operators

Elementary Policies


Common Instances



Flattening

Policy Composition




Range Splitting



Basic Properties








Example






Combine All Parts




Basic Properties


Related Work


Appendix








Output


















58



o (λx (x x )))



end



importsService

begin









59










by (simp)









60










end

61


41 Related Work





63

5 Appendix


theoryMonads

importsMain

begin












65















done


done


done


66











67





done












68



apply (auto)done






notation malt-SE (d

SE)


SE [] = failSE












69



((2 - = - -) [5 8 8 ]8 )translations



done


done


done













70










done



done






donenext


71



donenext


done



doneqed






oops




72







done



done





done



73


done



done



done



74








done









75


done








end

76

Bibliography











77












78



79

Introduction



Foundation

Policy Constructors

Override Operators

Coercion Operators

Elementary Policies


Common Instances



Flattening

Policy Composition




Range Splitting



Basic Properties








Example






Combine All Parts




Basic Properties


Related Work


Appendix







o (λx (x x )))



end



importsService

begin









59










by (simp)









60










end

61


41 Related Work





63

5 Appendix


theoryMonads

importsMain

begin












65















done


done


done


66











67





done












68



apply (auto)done






notation malt-SE (d

SE)


SE [] = failSE












69



((2 - = - -) [5 8 8 ]8 )translations



done


done


done













70










done



done






donenext


71



donenext


done



doneqed






oops




72







done



done





done



73


done



done



done



74








done









75


done








end

76

Bibliography











77












78



79

Introduction



Foundation

Policy Constructors

Override Operators

Coercion Operators

Elementary Policies


Common Instances



Flattening

Policy Composition




Range Splitting



Basic Properties








Example






Combine All Parts




Basic Properties


Related Work


Appendix














by (simp)









60










end

61


41 Related Work





63

5 Appendix


theoryMonads

importsMain

begin












65















done


done


done


66











67





done












68



apply (auto)done






notation malt-SE (d

SE)


SE [] = failSE












69



((2 - = - -) [5 8 8 ]8 )translations



done


done


done













70










done



done






donenext


71



donenext


done



doneqed






oops




72







done



done





done



73


done



done



done



74








done









75


done








end

76

Bibliography











77












78



79

Introduction



Foundation

Policy Constructors

Override Operators

Coercion Operators

Elementary Policies


Common Instances



Flattening

Policy Composition




Range Splitting



Basic Properties








Example






Combine All Parts




Basic Properties


Related Work


Appendix














end

61


41 Related Work





63

5 Appendix


theoryMonads

importsMain

begin












65















done


done


done


66











67





done












68



apply (auto)done






notation malt-SE (d

SE)


SE [] = failSE












69



((2 - = - -) [5 8 8 ]8 )translations



done


done


done













70










done



done






donenext


71



donenext


done



doneqed






oops




72







done



done





done



73


done



done



done



74








done









75


done








end

76

Bibliography











77












78



79

Introduction



Foundation

Policy Constructors

Override Operators

Coercion Operators

Elementary Policies


Common Instances



Flattening

Policy Composition




Range Splitting



Basic Properties








Example






Combine All Parts




Basic Properties


Related Work


Appendix






41 Related Work





63

5 Appendix


theoryMonads

importsMain

begin












65















done


done


done


66











67





done












68



apply (auto)done






notation malt-SE (d

SE)


SE [] = failSE












69



((2 - = - -) [5 8 8 ]8 )translations



done


done


done













70










done



done






donenext


71



donenext


done



doneqed






oops




72







done



done





done



73


done



done



done



74








done









75


done








end

76

Bibliography











77












78



79

Introduction



Foundation

Policy Constructors

Override Operators

Coercion Operators

Elementary Policies


Common Instances



Flattening

Policy Composition




Range Splitting



Basic Properties








Example






Combine All Parts




Basic Properties


Related Work


Appendix





5 Appendix


theoryMonads

importsMain

begin












65















done


done


done


66











67





done












68



apply (auto)done






notation malt-SE (d

SE)


SE [] = failSE












69



((2 - = - -) [5 8 8 ]8 )translations



done


done


done













70










done



done






donenext


71



donenext


done



doneqed






oops




72







done



done





done



73


done



done



done



74








done









75


done








end

76

Bibliography











77












78



79

Introduction



Foundation

Policy Constructors

Override Operators

Coercion Operators

Elementary Policies


Common Instances



Flattening

Policy Composition




Range Splitting



Basic Properties








Example






Combine All Parts




Basic Properties


Related Work


Appendix



















done


done


done


66











67





done












68



apply (auto)done






notation malt-SE (d

SE)


SE [] = failSE












69



((2 - = - -) [5 8 8 ]8 )translations



done


done


done













70










done



done






donenext


71



donenext


done



doneqed






oops




72







done



done





done



73


done



done



done



74








done









75


done








end

76

Bibliography











77












78



79

Introduction



Foundation

Policy Constructors

Override Operators

Coercion Operators

Elementary Policies


Common Instances



Flattening

Policy Composition




Range Splitting



Basic Properties








Example






Combine All Parts




Basic Properties


Related Work


Appendix















67





done












68



apply (auto)done






notation malt-SE (d

SE)


SE [] = failSE












69



((2 - = - -) [5 8 8 ]8 )translations



done


done


done













70










done



done






donenext


71



donenext


done



doneqed






oops




72







done



done





done



73


done



done



done



74








done









75


done








end

76

Bibliography











77












78



79

Introduction



Foundation

Policy Constructors

Override Operators

Coercion Operators

Elementary Policies


Common Instances



Flattening

Policy Composition




Range Splitting



Basic Properties








Example






Combine All Parts




Basic Properties


Related Work


Appendix









done












68



apply (auto)done






notation malt-SE (d

SE)


SE [] = failSE












69



((2 - = - -) [5 8 8 ]8 )translations



done


done


done













70










done



done






donenext


71



donenext


done



doneqed






oops




72







done



done





done



73


done



done



done



74








done









75


done








end

76

Bibliography











77












78



79

Introduction



Foundation

Policy Constructors

Override Operators

Coercion Operators

Elementary Policies


Common Instances



Flattening

Policy Composition




Range Splitting



Basic Properties








Example






Combine All Parts




Basic Properties


Related Work


Appendix







apply (auto)done






notation malt-SE (d

SE)


SE [] = failSE












69



((2 - = - -) [5 8 8 ]8 )translations



done


done


done













70










done



done






donenext


71



donenext


done



doneqed






oops




72







done



done





done



73


done



done



done



74








done









75


done








end

76

Bibliography











77












78



79

Introduction



Foundation

Policy Constructors

Override Operators

Coercion Operators

Elementary Policies


Common Instances



Flattening

Policy Composition




Range Splitting



Basic Properties








Example






Combine All Parts




Basic Properties


Related Work


Appendix







((2 - = - -) [5 8 8 ]8 )translations



done


done


done













70










done



done






donenext


71



donenext


done



doneqed






oops




72







done



done





done



73


done



done



done



74








done









75


done








end

76

Bibliography











77












78



79

Introduction



Foundation

Policy Constructors

Override Operators

Coercion Operators

Elementary Policies


Common Instances



Flattening

Policy Composition




Range Splitting



Basic Properties








Example






Combine All Parts




Basic Properties


Related Work


Appendix














done



done






donenext


71



donenext


done



doneqed






oops




72







done



done





done



73


done



done



done



74








done









75


done








end

76

Bibliography











77












78



79

Introduction



Foundation

Policy Constructors

Override Operators

Coercion Operators

Elementary Policies


Common Instances



Flattening

Policy Composition




Range Splitting



Basic Properties








Example






Combine All Parts




Basic Properties


Related Work


Appendix







donenext


done



doneqed






oops




72







done



done





done



73


done



done



done



74








done









75


done








end

76

Bibliography











77












78



79

Introduction



Foundation

Policy Constructors

Override Operators

Coercion Operators

Elementary Policies


Common Instances



Flattening

Policy Composition




Range Splitting



Basic Properties








Example






Combine All Parts




Basic Properties


Related Work


Appendix











done



done





done



73


done



done



done



74








done









75


done








end

76

Bibliography











77












78



79

Introduction



Foundation

Policy Constructors

Override Operators

Coercion Operators

Elementary Policies


Common Instances



Flattening

Policy Composition




Range Splitting



Basic Properties








Example






Combine All Parts




Basic Properties


Related Work


Appendix






done



done



done



74








done









75


done








end

76

Bibliography











77












78



79

Introduction



Foundation

Policy Constructors

Override Operators

Coercion Operators

Elementary Policies


Common Instances



Flattening

Policy Composition




Range Splitting



Basic Properties








Example






Combine All Parts




Basic Properties


Related Work


Appendix












done









75


done








end

76

Bibliography











77












78



79

Introduction



Foundation

Policy Constructors

Override Operators

Coercion Operators

Elementary Policies


Common Instances



Flattening

Policy Composition




Range Splitting



Basic Properties








Example






Combine All Parts




Basic Properties


Related Work


Appendix






done








end

76

Bibliography











77












78



79

Introduction



Foundation

Policy Constructors

Override Operators

Coercion Operators

Elementary Policies


Common Instances



Flattening

Policy Composition




Range Splitting



Basic Properties








Example






Combine All Parts




Basic Properties


Related Work


Appendix





Bibliography











77












78



79

Introduction



Foundation

Policy Constructors

Override Operators

Coercion Operators

Elementary Policies


Common Instances



Flattening

Policy Composition




Range Splitting



Basic Properties








Example






Combine All Parts




Basic Properties


Related Work


Appendix
















78



79

Introduction



Foundation

Policy Constructors

Override Operators

Coercion Operators

Elementary Policies


Common Instances



Flattening

Policy Composition




Range Splitting



Basic Properties








Example






Combine All Parts




Basic Properties


Related Work


Appendix







79

Introduction



Foundation

Policy Constructors

Override Operators

Coercion Operators

Elementary Policies


Common Instances



Flattening

Policy Composition




Range Splitting



Basic Properties








Example






Combine All Parts




Basic Properties


Related Work


Appendix





The Uni ed Policy Framework (UPF) · The Uni ed Policy Framework (UPF) Achim D. Brucker Lukas...

Documents

Transcript of The Uni ed Policy Framework (UPF) · The Uni ed Policy Framework (UPF) Achim D. Brucker Lukas...